Date: Thu, 08 Nov 2001 13:39:41 -0800
From: Michael Loftis <mike@activemessage.com>
To: cjclark@alum.mit.edu
Cc: Michael Loftis <mloftis@wgops.com>, freebsd-net@FreeBSD.ORG
Subject: Re: natd behaviour.
Message-ID: <3BEAFB9D.87AB5EA8@activemessage.com>
References: <3BEA89B3.B88C5048@wgops.com> <20011108123917.F51134@blossom.cjclark.org>
"Crist J. Clark" wrote:
> On Thu, Nov 08, 2001 at 05:33:39AM -0800, Michael Loftis wrote:
> > I'm running natd and I need to change its behaviour slightly. It seems
> > that if it doesn't find a redirect_address match it'll drop connection
> > requests for that address, so putting it in a simplest-case divert from
> > any to any type of ipfw rule severely breaks things. What I need it to
> > do is pass those through unmodified.
> >
> > Can I get it to do this or am I going to have to get specific with my
> > ipfw rules?
>
> If I understand what you are saying, it should be doing this
> already. That is, natd(8) passes through anything it does not modify
> untouched. It does not drop (any normal) packets.

Already established sessions transit fine, but new sessions (specifically what I'm interested in are new sessions to the local machine) to anything other than the configured redirect_* stanzas get dropped. ipfw is not the culprit; natd in verbose mode makes note of the fact that it is dropping these packets. ipfw is simply set up to redirect any packets going via the external interface into the natd divert port. natd has a default setup with the exception that the dynamic flag is set and it's pointing to the same interface as in ipfw.

The machine running nat has to be able to accept connections on multiple addresses, so the behavior that is given by target_address is *not* workable as I need to preserve the normal incoming IP.

Basically the only problem I'm having is with setup (SYN set apparently) packets sent through natd; if they don't match up with a redirect rule they get silently dropped. Don't say that's not its behavior, because that is precisely what it is doing. My natd config is as follows...

    unregistered_only
    same_ports
    dynamic
    interface vlan5
    redirect_address 192.168.0.2 64.71.178.211

The only active ipfw rule is as follows:

    add divert natd all from any to any via vlan5

Topology is simple, external on vlan5 interface (physically fxp0) and internal on vlan0 interface (physically fxp1) -- traffic transits fine. The upstream switch fully supports vlans via 802.1Q and I have not yet identified any problems there (traffic passes to and from the host and interfaces just as configured). So the vlan ifaces are acting just like a normal ethernet dev. It's natd that's being funkified.

> But if you are still having problems, you will need to be more
> specific about your natd(8) configuration, your ipfw(8) rules, your
> network topology, and what exactly is not working.
> --
> Crist J. Clark | cjclark@alum.mit.edu
> | cjclark@jhu.edu
> http://people.freebsd.org/~cjc/ | cjc@freebsd.org
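The poster's own question was whether he would have to "get specific" with the ipfw rules. The following is an added example (not from the thread or from FreeBSD) of that approach: it diverts to natd only the traffic natd has to rewrite, so a new connection to one of the host's other addresses never enters the divert socket at all. The interface, redirect address and divert port are taken from the config above; the internal network and the interface's own external address are assumed placeholders.

```shell
#!/bin/sh
# Added example, not the poster's rule set: narrow the ipfw divert so natd sees
# only traffic it must translate; everything else bypasses natd entirely.
EXT_IF=vlan5                 # external interface, from the poster's config
EXT_ADDR=203.0.113.1         # ASSUMED placeholder for the address on vlan5
INT_NET=192.168.0.0/24       # ASSUMED internal network behind vlan0
REDIR_PUB=64.71.178.211      # public side of the poster's redirect_address line
NATD_PORT=natd               # divert port name from /etc/services

# Emit the rules rather than loading them, so they can be reviewed first.
# 1000: outbound traffic from the inside net gets aliased to EXT_ADDR.
# 1010: inbound to the redirected public address is rewritten to 192.168.0.2.
# 1020: only TCP with ACK/RST set (replies to aliased sessions) is diverted;
#       a bare SYN to EXT_ADDR skips natd and reaches the host's own services.
# 1030/1040: UDP and ICMP replies to aliased sessions still need de-aliasing.
nat_rules() {
    cat <<EOF
ipfw add 1000 divert ${NATD_PORT} ip from ${INT_NET} to any out via ${EXT_IF}
ipfw add 1010 divert ${NATD_PORT} ip from any to ${REDIR_PUB} in via ${EXT_IF}
ipfw add 1020 divert ${NATD_PORT} tcp from any to ${EXT_ADDR} in via ${EXT_IF} established
ipfw add 1030 divert ${NATD_PORT} udp from any to ${EXT_ADDR} in via ${EXT_IF}
ipfw add 1040 divert ${NATD_PORT} icmp from any to ${EXT_ADDR} in via ${EXT_IF}
EOF
}

# Number of rules that would be loaded; used as a sanity check before applying.
nat_rule_count() { nat_rules | wc -l | tr -d ' '; }

# Load the rules for real (must be root on a FreeBSD host with ipfw enabled).
apply_nat_rules() { nat_rules | sh; }

# Default action when run directly: print the rule set for review.
nat_rules
```

Note the trade-off: the `established` match exempts only TCP session setup, so UDP and ICMP arriving for EXT_ADDR still pass through natd; with `-verbose` you can confirm which inbound packets it now never sees.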