Date: Fri, 07 May 1999 15:18:08 -0700
From: "Robert Sowders" <rsowders@usgs.gov>
To: freebsd-questions@FreeBSD.ORG, kbogac@ibm.net
Subject: Re: natd question
Message-ID: <s7330451.067@usgs.gov>
See below,

The magic of first love is our ignorance that it can ever end.
Benjamin Disraeli, British Prime Minister (1874-1880)

>>> "Kevin Bogac" <kbogac@ibm.net> 5/5/99 7:18:31 PM >>>
I cannot get natd to work. I have searched through all of the information
I can find and my configuration seems correct. If I enable natd the
interface blocks traffic. I'm getting a line in the system messages that
says "/kernel: IP packet filtering initialized, divert disabled, rule-based
forwarding disabled, logging disabled". I built the kernel with the two
additional options. Did I miss something? Does the default rc.firewall
work?

Thanks,
Kevin

Seems to be a configuration problem. The line stating that divert is
disabled seems to be your problem, I think.

If you are using two ethernet cards, then check the following and modify
the default rc.firewall and /etc/rc.conf as directed. If you are using a
ppp connection, different rules apply, and natd is not needed.

This will be the config for an open firewall with a simple option. Your
firewall will have minimal protection with these rules; you should tighten
this up if you are after more security, but this will get you going.

1. Make sure that the firewall options were compiled into your kernel. It
sounds like you've done that correctly.

2. Make sure that your /etc/rc.conf contains the following. Edit for your
IP, subnet mask, ifconfig_ed1, etc. for your system's settings. The ones
below are just examples.

ifconfig_ed1="inet your.ip.outside.ip netmask 255.255.255.0"
ifconfig_xl0="inet 192.168.0.1 netmask 255.255.0.0"
defaultrouter="your.outside.router.ip"
network_interfaces="ed1 xl0 lo0"      # change to your interfaces, check dmesg
hostname="your.fqdn.hostname"
gateway_enable=YES
natd_enable="YES"                     # Enable natd (if firewall_enable == YES).
natd_interface="your outside interface name"   # check dmesg
natd_flags=""                         # Additional flags for natd.
firewall_enable=YES
firewall_type="open"                  # Firewall type (see /etc/rc.firewall)
firewall_quiet="NO"                   # Set to YES to suppress rule display

3. Put your IP number in the above places, put your default router in
above, and substitute your interface name for the above, noting inside and
outside names for use in your /etc/rc.firewall.

4. Using the default /etc/rc.firewall, make sure you configure the
/etc/rc.firewall to include the following correctly:

oif (outside interface)
oip (outside IP)
iif (inside interface)
iip (inside IP)

5. Using the default /etc/rc.firewall, make sure you configure the
/etc/rc.firewall for the following in the open section:

############
# This is a prototype setup that will protect your system somewhat against
# people from outside your own network.
############

# set these to your network and netmask and ip
net="192.168.0.0"
mask="255.255.0.0"
ip="192.168.0.1"

6. Make sure you configure the /etc/rc.firewall for the following in the
simple section:

############
# This is a prototype setup for a simple firewall. Configure this machine
# as a named server and ntp server, and point all the machines on the inside
# at this machine for those services.
############

# set these to your outside interface network and netmask and ip
oif="your.outside.interface.name from rc.conf"
onet="your.subnet.example.122.118.20.0"
omask="255.255.255.0"
oip="your.outside.ip"

# set these to your inside interface network and netmask and ip
iif="your.inside.interface.name.from.rc.conf"
inet="192.168.0.0"
imask="255.255.0.0"
iip="192.168.0.1"

7. Now reboot the machine. There are ways to bring this up without
rebooting, but to get it started let's just do it this way. If it still
doesn't come up, then remove the natd line from the /etc/rc.conf file and
verify that your interfaces and IP stack come up by pinging systems both
inside and outside your system. If that works, then start natd and repeat
the above, and also ping from a machine on the inside of the firewall to
the outside.
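A small POSIX sh checker for the rc.conf relationships the reply above depends on (natd is only started when firewall_enable is YES, gateway_enable must be on, natd_interface must be one of the configured interfaces, and the kernel must report "divert enabled"). This is an added example, not code from the original thread; the rc.conf fragments inside it are constructed, with the interface names ed1/xl0 taken from the post.

```shell
#!/bin/sh
# Added example, not from the original thread: check an rc.conf fragment for
# the natd/ipfw relationships the reply relies on. Samples are constructed.

# Value of KEY=... in rc.conf text: last assignment wins, a trailing
# "# comment" is dropped, surrounding double quotes are removed.
rc_get() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2=\([^#]*\).*/\1/p" |
        tail -n 1 | sed 's/^[[:space:]]*//; s/[[:space:]]*$//; s/^"//; s/"$//'
}
# "IP packet filtering initialized, divert disabled, ..." in dmesg means the
# kernel lacks IPDIVERT, so natd can never receive diverted packets.
kernel_has_divert() {
    printf '%s\n' "$1" | grep -q 'divert enabled'
}
# Print every inconsistency found in the fragment; return 1 if there is any.
check_natd_rc() {
    conf=$1; problems=0
    natd=$(rc_get "$conf" natd_enable); fw=$(rc_get "$conf" firewall_enable)
    gw=$(rc_get "$conf" gateway_enable); natif=$(rc_get "$conf" natd_interface)
    ifaces=$(rc_get "$conf" network_interfaces)
    [ "$natd" = YES ] || { echo "natd_enable is not YES; nothing to check"; return 0; }
    # rc only starts natd when the firewall itself is enabled
    [ "$fw" = YES ] || { echo "firewall_enable must be YES for natd to start"; problems=$((problems+1)); }
    # without gateway_enable nothing is forwarded between the two cards
    [ "$gw" = YES ] || { echo "gateway_enable must be YES to forward"; problems=$((problems+1)); }
    # natd_interface must be a configured interface (names come from dmesg)
    found=0; for i in $ifaces; do [ "$i" = "$natif" ] && found=1; done
    [ $found -eq 1 ] || { echo "natd_interface '$natif' not in network_interfaces"; problems=$((problems+1)); }
    [ -n "$(rc_get "$conf" "ifconfig_$natif")" ] || { echo "no ifconfig_$natif line"; problems=$((problems+1)); }
    # an unset firewall_type falls through to rc.firewall's default section
    [ -n "$(rc_get "$conf" firewall_type)" ] || { echo "firewall_type not set (open/simple expected)"; problems=$((problems+1)); }
    [ "$problems" -eq 0 ]
}
# Constructed sample: the layout from the reply with placeholder addresses.
GOOD_RC='ifconfig_ed1="inet 192.0.2.10 netmask 255.255.255.0"
ifconfig_xl0="inet 192.168.0.1 netmask 255.255.0.0"
network_interfaces="ed1 xl0 lo0"
gateway_enable=YES
natd_enable="YES"   # Enable natd (if firewall_enable == YES).
natd_interface="ed1"
firewall_enable=YES
firewall_type="open"'
# Constructed sample: natd switched on but the rest never filled in.
BAD_RC='ifconfig_xl0="inet 192.168.0.1 netmask 255.255.0.0"
network_interfaces="xl0 lo0"
natd_enable="YES"
natd_interface="ed1"'
check_natd_rc "$GOOD_RC" && echo "good rc.conf: consistent"
check_natd_rc "$BAD_RC" || echo "bad rc.conf: rejected"
```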