From owner-freebsd-security Sat Jul 22 12:57:47 2000
Delivered-To: freebsd-security@freebsd.org
Received: from snafu.adept.org (adsl-63-201-63-44.dsl.snfc21.pacbell.net [63.201.63.44]) by hub.freebsd.org (Postfix) with ESMTP id 85E6537BA44 for ; Sat, 22 Jul 2000 12:57:39 -0700 (PDT) (envelope-from mike@adept.org)
Received: by snafu.adept.org (Postfix, from userid 1000) id B7FEC9EE01; Sat, 22 Jul 2000 12:57:25 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by snafu.adept.org (Postfix) with ESMTP id AEC489B001; Sat, 22 Jul 2000 12:57:25 -0700 (PDT)
Date: Sat, 22 Jul 2000 12:57:25 -0700 (PDT)
From: Mike Hoskins
To: George.Giles@mcmail.vanderbilt.edu
Cc: freebsd-security@freebsd.org
Subject: Re: NATD problem
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, 22 Jul 2000 George.Giles@mcmail.vanderbilt.edu wrote:

> My firewall works fine, but NATD does not route my gateway requests
> properly. The private ip addresses do not route from mx1 (iip) through mx0
> (oip).

Has this worked before, and only broken recently... or is this still a
first attempt to get it working?

What options do you have compiled into your kernel? I have:

# Firewall/NATD
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=64
options IPDIVERT

Does this show up in your dmesg output?

[69]mike@snafu{mike}$ dmesg|grep div
IP packet filtering initialized, divert enabled, rule-based forwarding disabled, default to deny, logging limited to 64 packets/entry by default

What flags are you passing natd? What's in /etc/rc.conf? I have:

natd_enable="YES"
natd_flags="-s -m -u"

And see the following running:

[70]mike@snafu{mike}$ ps ax|grep nat
   90  ??  Ss     0:24.61 /sbin/natd -s -m -u -n fxp0

For my firewall I have:

firewall_enable="YES"
firewall_type="/etc/rc.firewall.snafu"

But you're probably running firewall_type="OPEN" (which is fine for initial
setup/testing). Is your box set to be a gateway? I have this in
/etc/rc.conf:

gateway_enable="YES"

With these options, NATD's been working perfectly for me under RELENG_4 for
a while now. If you already have all of this, have you tested basic
connectivity? Can you ping from the inside host(s) to the gw machine? Can
you ping from the gw machine to the inside host(s)? Can the gw machine ping
outside? Are your NICs configured properly on all machines (duplex, etc.)?

> # Allow inside out
> $fwcmd add divert natd all from any to any via ${oif}
>
> $fwcmd add pass tcp from ${iip} to ${oip} 8668 setup
> $fwcmd add pass tcp from ${iip} to any 8668

Have you tried just running firewall_type="OPEN"? I'm running a custom
rulechain, but OPEN basically goes like this:

divert 8668 ip from any to any via OIF
allow ip from any to any via lo0
deny ip from any to 127.0.0.0/8
allow ip from any to any

Alternatively, you may want to take advantage of ipfw's new 'check-state'
capabilities and set up something like what I have...

divert 8668 ip from any to any via OIF
allow ip from any to any via lo0
deny ip from any to 127.0.0.0/8
check-state
allow ip from OIP to any keep-state
allow ip from INW to any keep-state
#
# rules to allow specific inbound traffic
#
deny ip from any to any

OIF == Outside InterFace
OIP == Outside IP address
INW == Inside NetWork

This lets my LAN 'talk' to the outside world (rules are created on the
fly), allows inbound traffic I want, and denies everything else.

Good luck,

-mrh

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
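The check-state ruleset from the message above, written out as a small rc.firewall-style sh script. This is an added example for readers of the archive, not Mike's /etc/rc.firewall.snafu and not part of the FreeBSD base system. It parameterises the OIF/OIP/INW placeholders, can be dry-run with FWCMD="echo /sbin/ipfw" so nothing is loaded into a kernel, and adds a check over dmesg text for the "divert enabled" line the message asks about. The interface name and addresses in the usage comment are constructed placeholders, and the function names (gen_rules, apply_rules, has_divert) are this example's own.

```shell
#!/bin/sh
# Added example: generate and load the stateful ipfw ruleset described in
# the mail, with OIF/OIP/INW filled in.  Not taken from the original post.

# Print the ruleset, one rule per line, for the given OIF OIP INW.
# Order matters: divert to natd first so translation happens before the
# filter sees the packet, then loopback handling, then the stateful
# check, then the per-source keep-state rules, then the final deny.
gen_rules() {
    oif=$1; oip=$2; inw=$3
    cat <<EOF
divert 8668 ip from any to any via $oif
allow ip from any to any via lo0
deny ip from any to 127.0.0.0/8
check-state
allow ip from $oip to any keep-state
allow ip from $inw to any keep-state
deny ip from any to any
EOF
}

# Flush and load the ruleset.  FWCMD defaults to /sbin/ipfw; set
# FWCMD="echo /sbin/ipfw" to dry-run and only print the commands.
# $rule is deliberately unquoted so each token becomes an ipfw argument.
apply_rules() {
    fwcmd=${FWCMD:-/sbin/ipfw}
    $fwcmd -f flush
    gen_rules "$@" | while IFS= read -r rule; do
        $fwcmd add $rule
    done
}

# Read dmesg text on stdin; succeed only if the kernel reports divert
# sockets enabled (i.e. it was built with options IPDIVERT, which natd
# needs).  Typical use: dmesg | has_divert && echo "IPDIVERT present"
has_divert() {
    grep -q 'IP packet filtering initialized, divert enabled'
}

# Usage (constructed placeholder values):
#   . ./rc.firewall.example
#   FWCMD="echo /sbin/ipfw" apply_rules fxp0 192.0.2.1 10.0.0.0/24
```

Source the file, then call apply_rules with the real outside interface, outside address and inside network; run it once with FWCMD set to an echo prefix and read the printed commands before loading them for real, since a mistaken deny at the end of an otherwise empty chain locks out remote sessions.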