Date: Wed, 29 Jan 2003 21:27:43 -0600
From: Redmond Militante <r-militante@northwestern.edu>
To: freebsd-questions@freebsd.org
Subject: another go at natd
Message-ID: <20030130032743.GA30748@darkpossum>
Hi all,

This is a followup to an email I sent out to the list a week or so ago. I was having trouble getting the following natd setup to work:

-----------------------snip--------------------------

Two machines - one has two nics, one has one nic. I'd like to set up the machine with two nics as a gateway/natd box, and place the second machine behind it.

Gateway machine's kernel has been recompiled with:

options IPFIREWALL
options IPDIVERT
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFIREWALL_VERBOSE

Gateway machine's /etc/rc.conf:

defaultrouter="129.x.x.1"
hostname="enquirer.medill.northwestern.edu"
ifconfig_xl0="inet 129.x.x.35 netmask 255.255.255.0"
ifconfig_xl1="inet 10.0.0.1 netmask 255.0.0.0"
gateway_enable="YES"
firewall_enable="YES"
#firewall_script="/etc/rc.firewall"
firewall_type="OPEN"
natd_enable="YES"
natd_interface="xl0"
natd_flags=""

Second machine's /etc/rc.conf:

defaultrouter="10.0.0.1"
ifconfig_xl0="inet 10.0.0.2 netmask 255.0.0.0"

'ipfw list' on the gateway machine gives me:

00050 divert 8668 ip from any to any via xl0
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
65000 allow ip from any to any
65535 allow ip from any to any

I'm following the instructions in the handbook: http://www.freebsd.org/doc/en_US.IS...dbook/natd.html

----------------------------snip-------------------------

Turns out my setup above was exactly right. I was informed by various members of the list that my original problem was that I was running a connection from the client machine directly to the internal nic on the gateway box, and all I needed to do was to run everything through a hub to get it to work. So, I'm nat'ing. I'm redirecting packets to my internal lan on the gateway box.

I guess my question to the list would be: is a vanilla natd setup like this enough? Today, I tried changing firewall_type to '/etc/ipfw.rules' instead of "OPEN", and it's been problematic. I'm having trouble getting the following /etc/ipfw.rules file working with my nat setup:

add 00100 allow ip from any to any via lo0
add 00200 deny ip from any to 127.0.0.0/8
add 00300 check-state
add 00301 allow tcp from 129.x.x.20 to any in setup keep-state
add 00302 allow tcp from 10.0.0.2 to any in setup keep-state
#allow tcp in for ftp, ssh, smtp, httpd
add 00304 allow tcp from any to any 21 in setup keep-state
add 00305 allow tcp from any to any 22 in setup keep-state
add 00306 allow tcp from any to any 25 in setup keep-state
add 00307 allow tcp from any to any 80 in setup keep-state
#allow tcp in for webmin port
add 00308 allow tcp from any to any 10000 in setup keep-state
#deny rest of incoming tcp
add 00309 deny log tcp from any to any in established
#from man 8 ipfw: allow only outbound tcp connections I've created
add 00310 allow tcp from any to any out setup keep-state
#allow udp in for gateway for DNS
add 00400 allow udp from 129.105.49.1 to any in recv xl0
add 00401 allow udp from 129.x.x.20 to any in recv xl0
add 00402 allow udp from 10.0.0.2 to any in recv xl0
#allow all udp out from machine
add 00404 allow udp from any to any out
#allow some icmp types (codes not supported)
##########allow path-mtu in both directions
add 00500 allow icmp from any to any icmptypes 3
##########allow source quench in and out
add 00501 allow icmp from any to any icmptypes 4
##########allow me to ping out and receive response back
add 00502 allow icmp from any to any icmptypes 8 out
add 00503 allow icmp from any to any icmptypes 0 in
##########allow me to run traceroute
add 00504 allow icmp from any to any icmptypes 11 in
add 00600 deny log ip from any to any

Sorry, this is long-winded. Any comments on how to get the above rules working with my nat setup, or if these measures are even necessary would be greatly appreciated.

Thanks,
Redmond
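Added example, not from Redmond's post or from the FreeBSD rc scripts: a small first-match simulator for the static part of an ipfw ruleset like the one above, so you can check which rule a given packet would hit before loading the file. It assumes packets are presented as ipfw sees them (after natd has translated any that went through the divert), it does not model the divert rule or check-state/keep-state dynamic rules, and the embedded rules and packet are a constructed subset of the posted file. Fed the LAN client's DNS query as it arrives on xl1, it falls through to rule 600, since rule 402 only matches packets received on xl0.

```python
import ipaddress
# Subset of the posted /etc/ipfw.rules, embedded here as constructed test input.
RULES_TEXT = """
add 00302 allow tcp from 10.0.0.2 to any in setup keep-state
add 00304 allow tcp from any to any 21 in setup keep-state
add 00309 deny log tcp from any to any in established
add 00400 allow udp from 129.105.49.1 to any in recv xl0
add 00402 allow udp from 10.0.0.2 to any in recv xl0
add 00600 deny log ip from any to any
"""

def parse_rules(text):
    """Parse 'add N action [log] proto from src to dst [port] [options]' lines."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        b = 4 if t[3] == "log" else 3                       # index of the protocol token
        r = {"num": int(t[1]), "action": t[2], "proto": t[b], "src": t[b + 2],
             "dst": t[b + 4], "port": None, "recv": None}
        opts = t[b + 5:]
        if opts and opts[0].isdigit():                      # optional destination port
            r["port"] = int(opts.pop(0))
        if "recv" in opts:                                  # receiving interface
            r["recv"] = opts[opts.index("recv") + 1]
        r["flags"] = {o for o in opts if o in ("in", "out", "setup", "established")}
        rules.append(r)                                     # keep-state is ignored (static only)
    return rules

def in_net(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)

def matches(r, p):
    f = r["flags"]                                          # static match, no dynamic rules
    return bool(r["proto"] in ("ip", p["proto"])
        and in_net(r["src"], p["src"]) and in_net(r["dst"], p["dst"])
        and (r["port"] is None or r["port"] == p.get("dport"))
        and not ({"in", "out"} & f and p["dir"] not in f)
        and ("setup" not in f or (p.get("syn") and not p.get("ack")))
        and ("established" not in f or p.get("ack"))
        and (r["recv"] is None or r["recv"] == p.get("recv")))

def first_match(rules, p):
    """ipfw is first-match; 65535 allows because of IPFIREWALL_DEFAULT_TO_ACCEPT."""
    for r in rules:
        if matches(r, p):
            return r["num"], r["action"]
    return 65535, "allow"

RULES = parse_rules(RULES_TEXT)
# Constructed packet: the LAN client's DNS query, received on the inside NIC xl1.
DNS_FROM_LAN = {"proto": "udp", "src": "10.0.0.2", "dst": "129.105.49.1", "dport": 53, "dir": "in", "recv": "xl1"}
```

Changing the packet's recv interface to xl0 makes rule 402 the winner, which is a quick way to see what each recv/in/out qualifier is really restricting.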