From owner-freebsd-questions  Wed Sep 15 10:35:29 1999
Delivered-To: freebsd-questions@freebsd.org
Received: from aag.alaskaair.com (outbound.alaskaair.com [159.49.42.191]) by hub.freebsd.org (Postfix) with SMTP id C4C89152FD for ; Wed, 15 Sep 1999 10:35:24 -0700 (PDT) (envelope-from elazich@AlaskaAir.com)
Received: from OUTBOUND.alaskaair.com by aag.alaskaair.com via smtpd (for hub.FreeBSD.org [204.216.27.18]) with SMTP; 15 Sep 1999 17:38:33 UT
Received: from asnasta (asnasta.alaskaair.com [159.49.42.21]) by outbound.alaskaair.com (8.9.3/8.9.3) with SMTP id KAA20104; Wed, 15 Sep 1999 10:36:07 -0700
From: elazich@AlaskaAir.com
To: cjc@cc942873-a.ewndsr1.nj.home.com
Cc: ru@ucb.crimea.ua, freebsd-questions@FreeBSD.ORG
Date: Wed, 15 Sep 1999 10:34:42 -0700
Subject: Re: IPFW & NATD
Message-ID:
References: <199909150251.WAA21491@cc942873-a.ewndsr1.nj.home.com>
Organization: Alaska Airlines
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
Content-ID:
X-Gateway: NASTA Gate 2.0 for FirstClass(R)
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

natd still is running and here is my rc.conf file;

>capricorn# more /etc/rc.conf
># This file now contains just the overrides from /etc/defaults/rc.conf
># please make all changes to this file.
># -- sysinstall generated deltas -- #
>ntpdate_flags="apple.com"
>ifconfig_vx0="inet 10.0.0.1 netmask 255.255.255.0"
>#ifconfig_vx0_alias0="inet 205.243.146.33 netmask 255.255.255.255"
>ifconfig_lnc1="inet 207.149.134.143 netmask 255.255.255.224"
>moused_enable="YES"
>defaultrouter="207.149.134.129"
>ntpdate_enable="YES"
>nfs_server_enable="YES"
>nfs_client_enable="YES"
>network_interfaces="vx0 lnc1 lo0"
>tcp_extensions="YES"
>hostname="capricorn.loopback.com"
>gateway_enable="YES"
>firewall_enable="YES"
>firewall_script="/etc/rc.firewall"
>firewall_type="simple"
>natd_program="/sbin/natd"
>natd_enable="YES"
>natd_interface="lnc1"
>named_enable="YES"
>capricorn#

One thing to note, I have a problem with the stock rc.firewall script in that it does not allow any communications once I run it with a straight boot. What I do is run ipfw -f flush and then add the rules you have already seen by hand. This had worked up until last week. I would like to eventually get the script to work for me, so if anyone has any insights on that please let me know, but otherwise I can live with the current setup for the time being.

I am not physically at my network right now so the last suggestion I'll not be able to do until later tonight.

Eli

cjc@cc942873-a.ewndsr1.nj.home.com writes:
>elazich@AlaskaAir.com wrote,
>> This morning I checked my arp table and find the following just after I
>> have pinged (or do you say pung, proper English would seem to dictate
>> the latter) 10.0.0.2 on my internal subnet;
>
>Nope. It's pinged. Don't ask me why when sing->sung, ring->rung,
>fling->flung, cling->clung, sting->stung, etc., but ping->pinged,
>wing->winged, ding->dinged, and zing->zinged, etc. (and just to make
>it more interesting, bring->brought).
>
>> capricorn# arp -a
>> ? (10.0.0.2) at (incomplete)
>> static-134-129.dsl.cnw.net (207.149.134.129) at 0:0:c:6a:78:c
>> ns1.loopback.com (207.149.134.143) at 0:80:29:68:52:c4 permanent
>> capricorn#
>>
>> I also noticed in the results of a "dmesg" that 10.0.0.2 had resolved to
>> a NIC card which I don't see on my local network, the actual message
>> was something to the effect that the physical address for 10.0.0.2 was
>> resolved by lnc1 (which is my external NIC). Again, the other clients
>> on my internal net can ping each other fine but my firewall box cannot
>> ping or be pinged by the internal clients save for pinging itself.
>> This appears to be HW address related but I'm not sure why, can anyone
>> shed some light on this? My IPFW ruleset again is;
>>
>> >capricorn# ipfw sho
>> >00100 9001 2506073 divert 8668 ip from any to any via lnc1
>> >00200 12293 2895085 allow ip from any to any
>> >65535 45 7436 deny ip from any to any
>> >capricorn#
>>
>> and my ifconfig output is;
>>
>> >capricorn# ifconfig -a
>> >vx0: flags=8843 mtu 1500
>> >        inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
>> >        ether 00:a0:24:bd:f8:af
>> >lnc1: flags=8843 mtu 1500
>> >        inet 207.149.134.143 netmask 0xffffffe0 broadcast 207.149.134.159
>> >        ether 00:80:29:68:52:c4
>> >lp0: flags=8810 mtu 1500
>> >tun0: flags=8010 mtu 1500
>> >sl0: flags=c010 mtu 552
>> >ppp0: flags=8010 mtu 1500
>> >lo0: flags=8049 mtu 16384
>> >        inet 127.0.0.1 netmask 0xff000000
>> >capricorn#
>>
>> Any help is greatly appreciated.
>
>[HUGE snip]
>
>OK, I have been half-heartedly following this thread. Your interfaces
>look like they are setup right. The firewall rules look OK. And the
>natd setup (which I cut but is reported: 'natd -interface lnc1') looks
>good.
>
>All I can think to ask:
>
>1) Check the ps or top output to verify natd is still running.
>
>2) Please show us exactly how you have this setup in the rc.conf
>   file. Can you verify that other rc.* files have not been altered.
>3) Redo the tcpdump also adding the '-e' flag so we see Ethernet
>   addresses. Plus, try to ping 10.0.0.1 from one of the other
>   machines while doing the dump. (I'm wondering where the ARP calls
>   were in your tcpdump output.)
>
>Those are my ideas. Hope it might help.
>--
>Crist J. Clark                           cjclark@home.com
>
>Received: from aag.alaskaair.com (aag.alaskaair.com [159.49.42.2]) by
>asnasta.alaskaair.com with SMTP id MSGIYJZG; Wed, 15 Sep 1999 02:51:54
>GMT
>Received: from cc942873-a.ewndsr1.nj.home.com ([24.2.89.207]) by
>aag.alaskaair.com via smtpd (for asnasta.alaskaair.com [159.49.42.21])
>with SMTP; 15 Sep 1999 02:52:09 UT
>Received: (from cjc@localhost) by cc942873-a.ewndsr1.nj.home.com
>(8.9.3/8.8.8) id WAA21491; Tue, 14 Sep 1999 22:51:42 -0400 (EDT)
>(envelope-from cjc)
>Message-Id: <199909150251.WAA21491@cc942873-a.ewndsr1.nj.home.com>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
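Two things in the exchange above can be checked mechanically from the command output the poster already has: whether the ipfw ruleset actually hands traffic on the external interface to natd (the divert rule has to match before any rule that would otherwise accept the packet, and a bare `allow ip from any to any` behind it means the box does NAT but filters nothing), and whether the gateway holds incomplete ARP entries for hosts on its own internal subnet, which is the symptom reported for 10.0.0.2. What follows is an added example written for this page, not code from the post, from the poster, or from FreeBSD. It parses the `ipfw show` and `arp -a` output quoted in the thread (embedded here as constructed sample input, copied from the quotes above) and reports those conditions. The external interface name, the natd divert port and the internal subnet are parameters supplied by the caller; the action names it treats as "accept" are the spellings ipfw itself prints.

```python
"""Sanity checks for an ipfw + natd gateway, run over captured command output.

Added example: parses `ipfw show` and `arp -a` output and reports
(1) whether packets on the external interface reach natd via a divert rule,
(2) whether the ruleset filters anything at all behind that divert, and
(3) ARP entries on the internal subnet that never resolved to a link address.
"""
import ipaddress
import re

# Constructed sample input: the two command outputs quoted in the thread.
IPFW_SHOW = """\
00100 9001 2506073 divert 8668 ip from any to any via lnc1
00200 12293 2895085 allow ip from any to any
65535 45 7436 deny ip from any to any
"""

ARP_A = """\
? (10.0.0.2) at (incomplete)
static-134-129.dsl.cnw.net (207.149.134.129) at 0:0:c:6a:78:c
ns1.loopback.com (207.149.134.143) at 0:80:29:68:52:c4 permanent
"""

# Spellings ipfw(8) accepts (and prints) for "accept the packet".
ACCEPT_ACTIONS = {"allow", "accept", "pass", "permit"}


def parse_ipfw_show(text):
    """Parse `ipfw show` lines into rule number, counters, action and body."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or not parts[0].isdigit():
            continue  # blank lines, shell prompts, anything that is not a rule
        num, pkts, nbytes, action = int(parts[0]), int(parts[1]), int(parts[2]), parts[3]
        body = parts[4:]
        port = None
        if action == "divert":
            port = int(body[0])  # "divert <port> <match expression>"
            body = body[1:]
        rules.append({"num": num, "packets": pkts, "bytes": nbytes,
                      "action": action, "port": port, "body": " ".join(body)})
    return rules


def check_nat_ruleset(rules, ext_iface, natd_port=8668):
    """Return findings about how this ruleset interacts with natd on ext_iface."""
    findings = []
    divert = [r for r in rules
              if r["action"] == "divert" and f"via {ext_iface}" in r["body"]]
    if not divert:
        findings.append(f"no divert rule matches traffic via {ext_iface}; natd never sees it")
        return findings
    d = divert[0]
    if d["port"] != natd_port:
        findings.append(f"divert rule {d['num']:05d} uses port {d['port']}, natd listens on {natd_port}")
    for r in rules:  # an accept rule numbered below the divert short-circuits NAT
        if r["num"] < d["num"] and r["action"] in ACCEPT_ACTIONS:
            findings.append(f"rule {r['num']:05d} accepts packets before the divert at {d['num']:05d}; those bypass NAT")
    if d["packets"] == 0:
        findings.append(f"divert rule {d['num']:05d} has matched no packets; check natd is running and the interface name")
    for r in rules:  # "allow ip from any to any" after the divert = NAT only, no policy
        if r["num"] > d["num"] and r["action"] in ACCEPT_ACTIONS and r["body"] == "ip from any to any":
            findings.append(f"rule {r['num']:05d} is '{r['action']} ip from any to any': NAT works but nothing is filtered")
    return findings


ARP_RE = re.compile(r"^(\S+) \((\d+\.\d+\.\d+\.\d+)\) at (\S+)(.*)$")


def parse_arp(text):
    """Parse `arp -a` lines into hostname, IP, link-layer address and flags."""
    entries = []
    for line in text.splitlines():
        m = ARP_RE.match(line.strip())
        if m:
            entries.append({"host": m.group(1), "ip": m.group(2),
                            "lladdr": m.group(3), "flags": m.group(4).strip()})
    return entries


def incomplete_neighbors(entries, subnet):
    """IPs inside `subnet` whose ARP entry never resolved to a link-layer address."""
    net = ipaddress.ip_network(subnet)
    return [e["ip"] for e in entries
            if e["lladdr"] == "(incomplete)" and ipaddress.ip_address(e["ip"]) in net]


if __name__ == "__main__":
    rules = parse_ipfw_show(IPFW_SHOW)
    for finding in check_nat_ruleset(rules, "lnc1"):
        print("ipfw:", finding)
    for ip in incomplete_neighbors(parse_arp(ARP_A), "10.0.0.0/24"):
        print("arp: no link-layer address for internal host", ip)
```

Against the quoted output this reports exactly one ipfw finding (rule 00200 passes everything, so the box is a NAT gateway with no filtering policy) and flags 10.0.0.2 as the one internal neighbour with an incomplete entry. To run it on a live box, feed the output of `ipfw show` and `arp -a` to `parse_ipfw_show` and `parse_arp` in place of the embedded samples.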