Date:      Tue, 13 Mar 2001 11:37:40 -0300
From:      "Pablo Bendersky" <pbendersky@itineri.com>
To:        "Andrew Hesford" <ajh3@chmod.ath.cx>, <freebsd-questions@freebsd.org>
Subject:   RE: Problem setting up NAT
Message-ID:  <JPEAKMLHKPBJHAEBDFIEEEKECCAA.pbendersky@itineri.com>
In-Reply-To: <20010309023946.A19665@cec.wustl.edu>

I was finally able to make NAT and the firewall work OK.
I have this configuration:
One machine with two interfaces, one to the Internet (xl1) and one to the
internal network (xl0).
xl1 has two IP addresses. The primary IP is used by natd as alias_address to
give all the computers Internet access. The second one is NATted to the
mail server. It has NATted ports 25 and 110, so we have a mail server in our
internal network which we can access from the outside network.

Everything works fine, except this: (It's not necessary, but I want to
understand it.)
From any computer in the internal network (including the firewall) I can't
access the POP3 via the external address. I can access the mail server
using the internal address, but I don't understand why the external address
is not working.

When trying to telnet to the POP3 port from the firewall I get:
telnet: connect to address <external_address>: Connection refused
telnet: Unable to connect to remote host

My ipfw rules are as follows:
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00500 deny ip from any to 10.0.0.0/8 via xl1
00600 deny ip from any to 172.16.0.0/12 via xl1
00700 deny ip from any to 192.168.0.0/16 via xl1
00800 deny ip from any to 0.0.0.0/8 via xl1
00900 deny ip from any to 169.254.0.0/16 via xl1
01000 deny ip from any to 192.0.2.0/24 via xl1
01100 deny ip from any to 224.0.0.0/4 via xl1
01200 deny ip from any to 240.0.0.0/4 via xl1
01300 divert 8668 ip from any to any via xl1
01400 deny ip from 10.0.0.0/8 to any via xl1
01500 deny ip from 172.16.0.0/12 to any via xl1
01600 deny ip from 192.168.0.0/16 to any via xl1
01700 deny ip from 0.0.0.0/8 to any via xl1
01800 deny ip from 169.254.0.0/16 to any via xl1
01900 deny ip from 192.0.2.0/24 to any via xl1
02000 deny ip from 224.0.0.0/4 to any via xl1
02100 deny ip from 240.0.0.0/4 to any via xl1
02200 check-state
02300 allow ip from any to any frag
02400 allow ip from any to any keep-state
65535 deny ip from any to any

Thanks a lot !

-----Original Message-----
From: owner-freebsd-questions@FreeBSD.ORG
[mailto:owner-freebsd-questions@FreeBSD.ORG] On behalf of Andrew Hesford
Sent: Friday, March 09, 2001 05:40 a.m.
To: Pablo Bendersky
CC: freebsd-questions@FreeBSD.ORG
Subject: Re: Problem setting up NAT


Below you will find a copy of my ipfw ruleset. I have one external IP
connected via ed0, and an internal address on dc0. The internal address
connects to my hub, and handles NAT. Incoming requests from the outside
world on ports 22, 25, and 80 are forwarded to a machine inside. Check
to make sure your rules are similar.

For natd, I run `natd -redirect_port tcp 192.168.1.5:22 22
-redirect_port tcp 192.168.1.5:25 25 -redirect_port tcp 192.168.1.5:80
80 -interface ed0`.

Also, a word of advice. I've always found keep-state and check-state
easier to manage than established and setup... in particular, keep-state
and check-state apply to all protocols. My ruleset allows anything to go
out and come back, but nothing comes in except ssh, smtp, and sendmail
(try to ping chmod.ath.cx if you don't believe me).

Also, if you are going to set up all TCP connections and allow the other
protocols, it would be easier to drop the last three rules you've added
and replace them with:

allow ip from any to any

Now for my rules:

00100 deny ip from 192.168.1.0/24 to any in recv ed0
00200 deny ip from 24.217.0.0/16 to any in recv dc0
00300 deny ip from any to 10.0.0.0/8 via ed0
00400 deny ip from any to 172.16.0.0/12 via ed0
00500 deny ip from any to 192.168.0.0/16 via ed0
00600 deny ip from any to 0.0.0.0/8 via ed0
00700 deny ip from any to 169.254.0.0/16 via ed0
00800 deny ip from any to 192.0.2.0/24 via ed0
00900 deny ip from any to 224.0.0.0/4 via ed0
01000 deny ip from any to 240.0.0.0/4 via ed0
01100 divert 8668 ip from any to any via ed0
01200 deny ip from any to 10.0.0.0/8 via ed0
01300 deny ip from any to 172.16.0.0/12 via ed0
01400 deny ip from any to 0.0.0.0/8 via ed0
01500 deny ip from any to 169.254.0.0/16 via ed0
01600 deny ip from any to 192.0.2.0/24 via ed0
01700 deny ip from any to 224.0.0.0/4 via ed0
01800 deny ip from any to 240.0.0.0/4 via ed0
01900 check-state
02000 allow ip from any to any frag
02100 allow tcp from any to 24.217.0.0/16 80 keep-state
02200 allow tcp from any to 24.217.0.0/16 22 keep-state
02300 allow tcp from any to 24.217.0.0/16 25 keep-state
02400 allow tcp from any to 192.168.1.5 80 keep-state
02500 allow tcp from any to 192.168.1.5 22 keep-state
02600 allow tcp from any to 192.168.1.5 25 keep-state
02700 unreach host tcp from any to any 113 keep-state in recv ed0
02800 deny ip from any to any in recv ed0
02900 allow ip from any to any keep-state
65535 deny ip from any to any

On Thu, Mar 08, 2001 at 12:07:00PM -0300, Pablo Bendersky wrote:

> Now, I wanted to make use of an external IP address I have, so I added
> it as an alias to xl1. It works ok, and I can ping it from everywhere.
> I then tried to make NAT forward the telnet service (which, by the way, is not
> running on this machine) to one of our local machines.
> For that, I tried with:
> /sbin/natd -redirect_port tcp 192.168.0.4:23 <alias_ip>:23 -n xl1
>
> After that, I was still able to ping the alias IP, and everything, but not
> able to telnet the localhost. (Which I can telnet from any computer on the
> local network.)
--
Andrew Hesford
ajh3@chmod.ath.cx

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message


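The "Connection refused" Pablo sees from the inside follows directly from how his ruleset is ordered: the only divert rule (01300) says `via xl1`, so natd only ever sees packets that actually cross the external interface. A connection from a LAN host to the alias address enters on xl0, and a connection from the firewall itself to one of its own addresses is looped through lo0; neither ever matches a `via xl1` rule, so natd never rewrites the destination, the packet is delivered to the firewall's own TCP stack, nothing there listens on port 110, and the kernel answers with a RST. The evaluator below is an added example written for this page, not code from the original thread or from FreeBSD: it parses the ipfw listing Pablo posted (embedded verbatim as test input), applies first-match semantics to a single first packet, and reports which rule each case hits. The external alias (198.51.100.20), the LAN client (192.168.0.10) and the Internet client (203.0.113.9) are placeholder addresses, since the message does not give the real ones; dynamic rules (check-state/keep-state), fragments and the `recv` semantics for forwarded packets are deliberately not modelled.

```python
import ipaddress

# Pablo's ipfw listing exactly as it appears in the message above (used here as test input).
RULESET = """\
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00500 deny ip from any to 10.0.0.0/8 via xl1
00600 deny ip from any to 172.16.0.0/12 via xl1
00700 deny ip from any to 192.168.0.0/16 via xl1
00800 deny ip from any to 0.0.0.0/8 via xl1
00900 deny ip from any to 169.254.0.0/16 via xl1
01000 deny ip from any to 192.0.2.0/24 via xl1
01100 deny ip from any to 224.0.0.0/4 via xl1
01200 deny ip from any to 240.0.0.0/4 via xl1
01300 divert 8668 ip from any to any via xl1
01400 deny ip from 10.0.0.0/8 to any via xl1
01500 deny ip from 172.16.0.0/12 to any via xl1
01600 deny ip from 192.168.0.0/16 to any via xl1
01700 deny ip from 0.0.0.0/8 to any via xl1
01800 deny ip from 169.254.0.0/16 to any via xl1
01900 deny ip from 192.0.2.0/24 to any via xl1
02000 deny ip from 224.0.0.0/4 to any via xl1
02100 deny ip from 240.0.0.0/4 to any via xl1
02200 check-state
02300 allow ip from any to any frag
02400 allow ip from any to any keep-state
65535 deny ip from any to any
"""

# Placeholder addresses (assumptions: the message does not give the real ones).
EXT_ALIAS = "198.51.100.20"  # second address on xl1, the one natd redirects to the mail server
LAN_CLIENT = "192.168.0.10"  # a workstation on the internal network behind xl0
OUTSIDE = "203.0.113.9"      # a client somewhere on the Internet

def parse_rule(line):
    """Parse the subset of ipfw(8) syntax that appears in the listing into a dict."""
    t = line.split()
    r = dict(num=int(t[0]), action=t[1], arg=None, proto="ip", src="any", dst="any",
             dport=None, via=None, dir=None, recv=None, frag=False)
    i = 2
    if r["action"] in ("divert", "unreach"):      # "divert 8668", "unreach host"
        r["arg"], i = t[2], 3
    if r["action"] != "check-state":
        r["proto"], i = t[i], i + 1
    while i < len(t):
        tok = t[i]
        if tok in ("from", "to", "via", "recv"):   # keywords that take one argument
            r[{"from": "src", "to": "dst"}.get(tok, tok)] = t[i + 1]
            i += 1
        elif tok.isdigit():
            r["dport"] = int(tok)                  # a bare number after the destination is a port
        elif tok in ("in", "out"):
            r["dir"] = tok
        elif tok == "frag":
            r["frag"] = True
        i += 1                                     # "keep-state" is skipped: no dynamic rules here
    return r

def in_net(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def matches(r, pkt):
    """Does this rule match a single first packet? check-state never fires (no state table)."""
    if r["action"] == "check-state" or (r["frag"] and not pkt.get("frag")):
        return False
    if r["proto"] not in ("ip", pkt["proto"]):
        return False
    if not (in_net(r["src"], pkt["src"]) and in_net(r["dst"], pkt["dst"])):
        return False
    if r["dport"] is not None and r["dport"] != pkt.get("dport"):
        return False
    if r["via"] and r["via"] != pkt["iface"]:      # "via" matches the interface in either direction
        return False
    if r["dir"] and r["dir"] != pkt["dir"]:
        return False
    return not r["recv"] or pkt["iface"] == r["recv"]   # simplified: recv iface == current iface

RULES = [parse_rule(line) for line in RULESET.splitlines()]

def decide(src, dst, dport, iface, direction, proto="tcp", rules=RULES):
    """Return (rule number, action) of the first rule a src -> dst:dport packet hits on iface."""
    pkt = {"proto": proto, "src": src, "dst": dst, "dport": dport, "iface": iface, "dir": direction}
    for r in rules:
        if matches(r, pkt):
            return r["num"], (r["action"] if r["arg"] is None else f"{r['action']} {r['arg']}")
    raise RuntimeError("ruleset has no default rule")

if __name__ == "__main__":
    cases = [
        ("POP3 from the Internet, in via xl1", (OUTSIDE, EXT_ALIAS, 110, "xl1", "in")),
        ("POP3 from the LAN, in via xl0", (LAN_CLIENT, EXT_ALIAS, 110, "xl0", "in")),
        ("POP3 from the firewall itself, looped via lo0", (EXT_ALIAS, EXT_ALIAS, 110, "lo0", "out")),
        ("HTTP from the LAN to the Internet, out via xl1", (LAN_CLIENT, OUTSIDE, 80, "xl1", "out")),
    ]
    for label, args in cases:
        num, action = decide(*args)
        print(f"{label:48s} -> rule {num:05d} {action}")
```

The outside client's SYN hits rule 01300 and is handed to natd, which rewrites the destination to the mail server; the LAN client's SYN to the same address is accepted by rule 02400 without ever reaching a divert, and the firewall's own telnet is accepted by rule 00100 on lo0 with the same outcome. The fourth case shows why the divert sits between the two anti-spoofing blocks: an outbound packet with a private source is diverted at 01300 before rule 01600 would drop it, and natd reinjects the translated packet at the rule after the divert, where its source is now the public address and the deny rules no longer apply.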
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?JPEAKMLHKPBJHAEBDFIEEEKECCAA.pbendersky>