From owner-freebsd-net Wed Sep 19 7:24:18 2001
Delivered-To: freebsd-net@freebsd.org
Received: from whale.sunbay.crimea.ua (whale.sunbay.crimea.ua [212.110.138.65]) by hub.freebsd.org (Postfix) with ESMTP id CD65537B411; Wed, 19 Sep 2001 07:23:52 -0700 (PDT)
Received: (from ru@localhost) by whale.sunbay.crimea.ua (8.11.2/8.11.2) id f8JEMFA99360; Wed, 19 Sep 2001 17:22:15 +0300 (EEST) (envelope-from ru)
Date: Wed, 19 Sep 2001 17:22:15 +0300
From: Ruslan Ermilov
To: Vladimir Terziev
Cc: freebsd-net@FreeBSD.ORG, freebsd-hackers@FreeBSD.ORG
Subject: Re: Problem with IPFW and NATD (refined) !!!
Message-ID: <20010919172215.E66974@sunbay.com>
References: <200109191406.f8JE6cc12197@star.rila.bg>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200109191406.f8JE6cc12197@star.rila.bg>; from vladimirt@rila.bg on Wed, Sep 19, 2001 at 05:06:38PM +0300
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

[Please don't cross-post]

You did not tell us what exactly does not work. DNS should work, and
FTP should not, as it requires a data channel on a separate port. If
that's the case, you may run natd(8) with the -punch_fw option.

On Wed, Sep 19, 2001 at 05:06:38PM +0300, Vladimir Terziev wrote:
> Sorry, but there is a rule number mistake in my previous e-mail with the same
> subject.
>
> I have a gateway machine which runs NATD (natd -unregistered_only -interface
> an0) and has the IP packet filter IPFW with the following rules:
>
>
> ipfw add 100 allow ip from any to any via lo0
>
> ipfw add 10002 skipto 20000 tcp from 192.168.15.2 to any 21
> ipfw add 10003 skipto 20000 tcp from 192.168.15.2 to any 53,6667,6668
> ipfw add 10004 skipto 20000 udp from 192.168.15.2 to any 53,4000
>
> ipfw add 11000 deny ip from 192.168.15.0/24 to any
>
> ipfw add 20000 divert natd ip from any to any via an0
>
> ipfw add 30000 allow ip from PUBLIC_IP to any
> ipfw add 30000 allow ip from any to PUBLIC_IP
>
> ipfw add 40001 allow tcp from any 21 to 192.168.15.2 established
> ipfw add 40002 allow tcp from any 53,6667,6668 to 192.168.15.2 established
> ipfw add 40003 allow udp from any 53,4000 to 192.168.15.2
>
> ipfw add 65000 deny ip from any to any
>
>
> The gateway machine is FreeBSD 4.4-RC and has 2 interfaces (internal, and
> external - an0). I need only one of the machines in the local network to have
> connectivity to "the rest of the world".
>
> I've read all the documentation about ipfw(8), divert(4) and natd(8).
> According to it, the above rules should provide what I want, but they don't!!!
>
> Does anybody have an idea why?
>
> regards,
> Vladimir

--
Ruslan Ermilov		Oracle Developer/DBA,
ru@sunbay.com		Sunbay Software AG,
ru@FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine

http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age
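As an added check that is not part of the thread: ipfw(8) on a FreeBSD 4.x gateway evaluates a forwarded packet twice, once "in" on the interface that received it and once "out" on the interface that sends it, and "via IF" only matches when IF is the interface of the current pass. The toy model below, written for this page rather than taken from ipfw or the posters, parses the ruleset exactly as posted (only the rule syntax it uses is supported) and reports which rule terminates each pass for a sample packet from 192.168.15.2 to a remote port 21. The internal interface name (fxp0), the PUBLIC_IP stand-in (203.0.113.1) and the remote address are assumptions; the sample packets are constructed.

```python
"""Toy model of ipfw1 (FreeBSD 4.x) first-match rule evaluation for the
rule subset used in the posted ruleset.  Written for this page; it is
not ipfw.  It models two things: a forwarded packet is checked on an
'in' pass (receiving interface) and an 'out' pass (sending interface),
and 'via IF' matches only when IF is the interface of the current pass."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional, Set

PUBLIC_IP = "203.0.113.1"   # assumed stand-in for the poster's PUBLIC_IP
LAN_IF = "fxp0"             # assumed name of the internal interface (not given in the thread)

RULESET = """
ipfw add 100 allow ip from any to any via lo0
ipfw add 10002 skipto 20000 tcp from 192.168.15.2 to any 21
ipfw add 10003 skipto 20000 tcp from 192.168.15.2 to any 53,6667,6668
ipfw add 10004 skipto 20000 udp from 192.168.15.2 to any 53,4000
ipfw add 11000 deny ip from 192.168.15.0/24 to any
ipfw add 20000 divert natd ip from any to any via an0
ipfw add 30000 allow ip from PUBLIC_IP to any
ipfw add 30000 allow ip from any to PUBLIC_IP
ipfw add 40001 allow tcp from any 21 to 192.168.15.2 established
ipfw add 40002 allow tcp from any 53,6667,6668 to 192.168.15.2 established
ipfw add 40003 allow udp from any 53,4000 to 192.168.15.2
ipfw add 65000 deny ip from any to any
""".replace("PUBLIC_IP", PUBLIC_IP)


@dataclass
class Rule:
    num: int
    action: str                 # allow | deny | skipto | divert
    target: object              # skipto rule number, or the divert port name
    proto: str                  # ip | tcp | udp
    src: str
    sports: Optional[Set[int]]
    dst: str
    dports: Optional[Set[int]]
    via: Optional[str]
    established: bool


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    iface: str                  # interface of the current pass (recv on 'in', xmit on 'out')
    established: bool = False   # TCP segment with ACK or RST set, as ipfw's keyword means


def parse_rule(line):
    """Parse one 'ipfw add ...' line of the supported subset into a Rule."""
    tok = line.split()
    if tok[:2] != ["ipfw", "add"]:
        raise ValueError(line)
    num, action, i = int(tok[2]), tok[3], 4
    target = None
    if action in ("skipto", "divert"):
        target = int(tok[i]) if action == "skipto" else tok[i]
        i += 1
    proto, i = tok[i], i + 1
    if tok[i] != "from":
        raise ValueError(line)
    src, i = tok[i + 1], i + 2
    sports = None
    if tok[i] != "to":                       # optional source port list
        sports, i = {int(p) for p in tok[i].split(",")}, i + 1
    if tok[i] != "to":
        raise ValueError(line)
    dst, i = tok[i + 1], i + 2
    dports = None
    if i < len(tok) and tok[i] not in ("via", "established"):
        dports, i = {int(p) for p in tok[i].split(",")}, i + 1
    via, established = None, False
    while i < len(tok):
        if tok[i] == "via":
            via, i = tok[i + 1], i + 2
        elif tok[i] == "established":
            established, i = True, i + 1
        else:
            raise ValueError("unsupported keyword %r in %r" % (tok[i], line))
    return Rule(num, action, target, proto, src, sports, dst, dports, via, established)


def load_ruleset(text):
    rules = [parse_rule(l) for l in text.strip().splitlines()]
    return sorted(rules, key=lambda r: r.num)   # stable: same-numbered rules keep posted order


def addr_match(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def matches(r, p):
    return (r.proto in ("ip", p.proto)
            and addr_match(r.src, p.src) and addr_match(r.dst, p.dst)
            and (r.sports is None or p.sport in r.sports)
            and (r.dports is None or p.dport in r.dports)
            and (r.via is None or r.via == p.iface)
            and (not r.established or p.established))


def evaluate(rules, pkt):
    """First-match evaluation following skipto; returns (rule number, action)."""
    i = 0
    while i < len(rules):
        r = rules[i]
        if not matches(r, pkt):
            i += 1
            continue
        if r.action == "skipto":             # jump to the first rule numbered >= target
            i = next((j for j, x in enumerate(rules) if x.num >= r.target), len(rules))
            continue
        return r.num, r.action
    return 65535, "deny"                     # ipfw's implicit final rule (deny unless built to accept)


def trace_forwarded(rules, pkt, in_if, out_if):
    """Both passes a forwarded packet gets: 'in' on in_if, then 'out' on out_if.
    Returns [(pass, rule, action)] and stops after a pass that denies."""
    out = []
    for name, iface in (("in", in_if), ("out", out_if)):
        num, action = evaluate(rules, replace(pkt, iface=iface))
        out.append((name, num, action))
        if action == "deny":
            break
    return out


if __name__ == "__main__":
    rules = load_ruleset(RULESET)
    # constructed sample: the LAN host opening an FTP control connection
    ftp = Packet("tcp", "192.168.15.2", 1025, "198.51.100.7", 21, LAN_IF)
    for step in trace_forwarded(rules, ftp, LAN_IF, "an0"):
        print("%s pass: rule %d %s" % step)
```

The model stops at a divert rule and does not simulate what natd(8) reinjects, so it says nothing about the FTP data connection that -punch_fw exists for; its only job is to show, for a given packet and pass, which posted rule is the first match.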