From owner-freebsd-questions@FreeBSD.ORG Sun Jul 18 16:15:24 2004
Date: Sun, 18 Jul 2004 09:04:15 -0700
From: Saint Aardvark the Carpeted
To: Incoming Mail List
cc: freebsd-questions@freebsd.org
Subject: Re: more IPFW help please
In-reply-to: <200407180949.i6I9npmT009080@whoweb.com>
References: <200407180949.i6I9npmT009080@whoweb.com>
Message-id: <20040718160415.GD2349@hardesty.saintaardvarkthecarpeted.com>

Incoming Mail List disturbed my sleep to write:
> NATD definition
> natd -p 8668 -redirect_port tcp 192.168.2.254:80 80 -n de3
>
> IPFW definitions
> 100 divert 8668 log ip from 192.168.3.254 to 1.2.3.4
> 300 allow log ip from any to any
> 500 deny log ip from any to any

I *think* the problem with this set of rules is that you're diverting to
natd anything from the private client to the webserver, *but you're not
diverting the replies from the webserver*. Your request goes to the
webserver with the source address set to 192.168.3.1 (the IP address on
de3). The webserver sends the reply to 192.168.3.1, but since that reply
never gets to natd, 192.168.3.1 "knows" it didn't send that request, so
it gets dropped silently.

One way around this would be to add a second rule:

200 divert 8668 log ip from any to 192.168.3.254

but that may cause problems... natd may drop incoming connections or
replies that it hasn't seen. Since natd is only seeing requests to
1.2.3.4, access to other machines may end up broken.

A better/more conventional way of doing it would be:

100 divert 8668 all via de3

> This results in lots of packets accepted, but I get no output on the
> 192.168.3.254 machine and the browser eventually times out.
>
> 100 Divert 8669 TCP 192.168.3.254:4013 24.61.225.235:80 in via de3
> 300 Accept TCP 192.168.3.254:4013 192.168.2.254:80 in via de3
> 300 Accept TCP 192.168.3.254:4013 192.168.2.254:80 out via de2
> 300 Accept TCP 192.168.2.254:80 192.168.3.254:4013 in via de2
> 300 Accept TCP 192.168.2.254:80 192.168.3.254:4013 out via de3

Logs are good, but tcpdump is better -- you get to see the tcp flags.
This looks good, which is why I'm hedging my bet about the divert rules,
but tcpdump on (say) your client, or the machine running natd, would show
a lot more.

HTH,
Hugh

-- 
Saint Aardvark the Carpeted
aardvark@saintaardvarkthecarpeted.com
Because the plural of Anecdote is Myth.
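The reply's point, that a divert rule matching only the client-to-1.2.3.4 direction never hands the webserver's reply back to natd, can be checked with a small packet-walk model. The following is an added example, not code from the thread or from FreeBSD; it is a simplified stand-in for ipfw's first-match rule walk and for natd's `-redirect_port` behaviour, using the addresses quoted in the thread (client 192.168.3.254 behind de3, webserver 192.168.2.254 behind de2, 1.2.3.4 as the poster's placeholder public address) and the four hops visible in the poster's log. It pushes one request and its reply through the poster's ruleset and through the `divert ... all via de3` ruleset and reports what the client sees. Interface names, routes and the session table are constructed for the model.

```python
from dataclasses import dataclass, replace
from typing import List, Optional

# Constructed model of the setup discussed in the thread.
CLIENT, CLIENT_PORT = "192.168.3.254", 4013
WEBSERVER, PUBLIC = "192.168.2.254", "1.2.3.4"
ROUTES = {CLIENT: "de3", WEBSERVER: "de2"}   # which interface reaches which host


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str           # "divert", "allow" or "deny"
    src: str = "any"
    dst: str = "any"
    via: str = "any"      # ipfw "via IFACE" matches packets in either direction

    def matches(self, p: Packet, iface: str) -> bool:
        return (self.src in ("any", p.src) and self.dst in ("any", p.dst)
                and self.via in ("any", iface))


class Natd:
    """Toy stand-in for natd -redirect_port tcp 192.168.2.254:80 80 -n de3."""

    def __init__(self) -> None:
        self.sessions = set()   # (client address, client port) seen inbound

    def translate(self, p: Packet, iface: str, direction: str) -> Packet:
        if direction == "in" and iface == "de3" and (p.dst, p.dport) == (PUBLIC, 80):
            # Inbound request for the public address: redirect it to the
            # server and remember the session so the reply can be reversed.
            self.sessions.add((p.src, p.sport))
            return replace(p, dst=WEBSERVER)
        if (direction == "out" and iface == "de3"
                and (p.src, p.sport) == (WEBSERVER, 80)
                and (p.dst, p.dport) in self.sessions):
            # Reply from the server: restore the address the client talked to.
            return replace(p, src=PUBLIC)
        # natd never saw this packet's session; it passes through unchanged.
        return p


def firewall(rules: List[Rule], natd: Natd, p: Packet,
             iface: str, direction: str) -> Optional[Packet]:
    """One hop through the ruleset: first match wins; a divert hands the
    packet to natd and processing continues with the next rule."""
    for rule in rules:
        if not rule.matches(p, iface):
            continue
        if rule.action == "divert":
            p = natd.translate(p, iface, direction)
            continue
        return p if rule.action == "allow" else None
    return None


def reply_seen_by_client(rules: List[Rule]) -> Optional[Packet]:
    """Walk the request/reply pair through the four hops the poster logged
    (in de3, out de2, in de2, out de3) and return the reply as it reaches
    the client, or None if a rule dropped it."""
    natd = Natd()
    req = Packet(CLIENT, CLIENT_PORT, PUBLIC, 80)
    req = firewall(rules, natd, req, "de3", "in")
    if req is None:
        return None
    req = firewall(rules, natd, req, ROUTES[req.dst], "out")
    if req is None:
        return None
    rep = Packet(req.dst, req.dport, req.src, req.sport)
    rep = firewall(rules, natd, rep, "de2", "in")
    if rep is None:
        return None
    return firewall(rules, natd, rep, ROUTES[rep.dst], "out")


def client_accepts(rep: Optional[Packet]) -> bool:
    """The client only has a socket for 1.2.3.4:80; a reply from any other
    address has no matching connection and is discarded by its TCP stack."""
    return rep is not None and \
        (rep.src, rep.sport, rep.dst, rep.dport) == (PUBLIC, 80, CLIENT, CLIENT_PORT)


# The poster's ruleset: only client -> 1.2.3.4 is diverted.
POSTER_RULES = [Rule("divert", src=CLIENT, dst=PUBLIC), Rule("allow"), Rule("deny")]
# The conventional ruleset from the reply: everything crossing de3 is diverted.
VIA_DE3_RULES = [Rule("divert", via="de3"), Rule("allow"), Rule("deny")]

if __name__ == "__main__":
    for name, rules in (("poster's rules", POSTER_RULES), ("divert all via de3", VIA_DE3_RULES)):
        rep = reply_seen_by_client(rules)
        print(f"{name}: reply {rep} -> {'accepted' if client_accepts(rep) else 'dropped by client'}")
```

With the poster's rules the reply leaves de3 still sourced from 192.168.2.254:80, exactly the last line of the poster's log, and the client discards it; with the `via de3` divert the reply passes back through natd on its way out and arrives sourced from 1.2.3.4:80. Logging alone shows both cases as "accepted", which is why the reply recommends tcpdump to see what the client is actually being sent.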