From owner-freebsd-ipfw  Thu Apr  6 13:56:43 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from cc942873-a.ewndsr1.nj.home.com (cc942873-a.ewndsr1.nj.home.com [24.2.89.207])
	by hub.freebsd.org (Postfix) with ESMTP id 1166637C196
	for <freebsd-ipfw@FreeBSD.ORG>; Thu,  6 Apr 2000 13:56:38 -0700 (PDT)
	(envelope-from cjc@cc942873-a.ewndsr1.nj.home.com)
Received: (from cjc@localhost)
	by cc942873-a.ewndsr1.nj.home.com (8.9.3/8.9.3) id QAA04883;
	Thu, 6 Apr 2000 16:56:29 -0400 (EDT)
	(envelope-from cjc)
Date: Thu, 6 Apr 2000 16:56:28 -0400
From: "Crist J. Clark" <cjc@cc942873-a.ewndsr1.nj.home.com>
To: Mike Heffner <spock@techfour.net>
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Problems with natd
Message-ID: <20000406165628.C4198@cc942873-a.ewndsr1.nj.home.com>
Reply-To: cjclark@home.com
References: <20000404231711.A40889@cc942873-a.ewndsr1.nj.home.com> <XFMail.20000405020339.mheffner@mailandnews.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <XFMail.20000405020339.mheffner@mailandnews.com>; from mheffner@mailandnews.com on Wed, Apr 05, 2000 at 02:03:39AM -0400
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Wed, Apr 05, 2000 at 02:03:39AM -0400, Mike Heffner wrote:
[snip]
> natd.conf file:
> 
> interface ed0
> same_ports yes
> dynamic yes

Seems OK. I always like to add "unregistered_only."

> ipfw rules:
> 
> 00010 176 14949 count log ip from any to any
> 00015  24  2634 allow ip from any to any via lo0
> 00100   0     0 allow ip from any to any via ep0
> 00200   6   248 divert 8668 ip from any to any via ed0
> 00300  57  6332 allow ip from any to any
> 65535   1    28 deny ip from any to any

Wide open for testing, good. One thing I'm curious about, and I really
don't know if this has anything to do with the problem, is why the
'count' rule does not sum up to all of the rules below it.

> $ ifconfig -a
> ed0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         inet a.b.c.d netmask 0xffffff00 broadcast 255.255.255.255
                                                    ^^^^^^^^^^^^^^^
Is that the real value or did you mask that?

>         ether 00:40:05:63:46:3d 
> ep0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
>         ether 00:20:af:a1:05:8b 
>         media: 10baseT/UTP
>         supported media: 10baseT/UTP
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
>         inet 127.0.0.1 netmask 0xff000000 
> 
> [a.b.c.d == outside, real, ip]
> 
> $ netstat -rn
> Routing tables
> 
> Internet:
> Destination        Gateway            Flags     Refs     Use     Netif Expire
> default            a.b.c.d            UGSc       19       94      ed0
> 10/24              link#2             UC          0        0      ep0 =>
> 127.0.0.1          127.0.0.1          UH          1       20      lo0
> a.b.c              link#1             UC          0        0      ed0 =>
> a.b.c.d            0:d0:58:c7:98:38   UHLW       19        0      ed0   1200

Looks OK provided a.b.c.0 is an historic C Class net.

> also, here is part of a natd verbose output log, first part is successful
> ICMP'ing, second is an unsuccessful ftp connect attempt:
> 
> Out [ICMP] [ICMP] a.b.c.d -> e.f.g.h 8(0) aliased to
>            [ICMP] a.b.c.d -> e.f.g.h 8(0)
> In  [ICMP] [ICMP] e.f.g.h -> a.b.c.d 0(0) aliased to
>            [ICMP] e.f.g.h -> a.b.c.d 0(0)
> Out [ICMP] [ICMP] a.b.c.d -> e.f.g.h 8(0) aliased to
>            [ICMP] a.b.c.d -> e.f.g.h 8(0)
> Out [ICMP] [ICMP] a.b.c.d -> e.f.g.h 8(0) aliased to
>            [ICMP] a.b.c.d -> e.f.g.h 8(0)
> Out [ICMP] [ICMP] a.b.c.d -> e.f.g.h 8(0) aliased to
>            [ICMP] a.b.c.d -> e.f.g.h 8(0)
> In  [ICMP] [ICMP] e.f.g.h -> a.b.c.d 0(0) aliased to
>            [ICMP] e.f.g.h -> a.b.c.d 0(0)

What one expects when pinging from the NAT machine, good.

> Out [TCP]  [TCP] a.b.c.d:1026 -> e.f.g.h:21 aliased to
>            [TCP] a.b.c.d:1026 -> e.f.g.h:21
> Out [TCP]  [TCP] a.b.c.d:1026 -> e.f.g.h:21 aliased to
>            [TCP] a.b.c.d:1026 -> e.f.g.h:21
> Out [TCP]  [TCP] a.b.c.d:1026 -> e.f.g.h:21 aliased to
>            [TCP] a.b.c.d:1026 -> e.f.g.h:21
> Out [TCP]  [TCP] a.b.c.d:1026 -> e.f.g.h:21 aliased to
>            [TCP] a.b.c.d:1026 -> e.f.g.h:21
> 
> 
> [ a.b.c.d == my ip address
>   e.f.g.h == an internet server ip ]

Hmmm... NOT what one expects. It does not look like anything is ever
coming back. My first inclination would be to guess that there is a
firewall rule blocking setups on port 21 in front of natd's divert
rule, but if your output above is accurate, this is not the case.

If you were not getting ICMP packets back, I would guess that
something at or behind your coax modem was not routing properly. Does
a tcpdump show the same thing as the natd log for the TCP connection
attempt? Of course, there is always the question, maybe e.f.g.h is
dropping attempts at 21?
-- 
Crist J. Clark                           cjclark@home.com


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message