Date:      Thu, 13 Jun 2002 11:15:56 +0200 (MEST)
From:      David Wahlstedt <davidw@cs.chalmers.se>
To:        Alexander V Zubchenko <stalker@hermes-comp.zp.ua>
Cc:        <questions@freebsd.org>, <freebsd-small@freebsd.org>
Subject:   Re: natd port forwarding
Message-ID:  <Pine.SOL.4.30.0206131030400.1464-100000@quirm.cs.chalmers.se>
In-Reply-To: <20020612080718.Q92282-100000@server.hermes-comp.zp.ua>

On Wed, 12 Jun 2002, Alexander V Zubchenko wrote:

> Hello!
>
> It seems to be correct. But who can be sure? ;-)
>
> On Tue, 11 Jun 2002, David Wahlstedt wrote:
>
> > $fwcmd -f flush
> >
> > $fwcmd add 500 divert 8668 al from any to any via ep0
> I hope this is just a mistype in the letter, but it is 'divert 8668 all' (with
> double-l).

Thanks !
It was a typo. I corrected it, made sure the change was on the floppy,
rebooted, but it still doesn't work.
Running "ipfw list" gives the same answer as before the change.
The divert rule is there and seems to work both before and after the
change, in the sense that the "nat mechanism" works, but not port
forwarding.

The firewall (2.2.5-based "net" picoBSD) has
 ep1 10.0.0.1 to LAN and ep0 217.x.x.x to WAN.
My computer (fbsd-4.5-R) is 10.0.0.4

I tried netcat on 10.0.0.4:
> nc -l -p 1234

And also on 10.0.0.4:
> telnet 217.x.x.x 1234
"connection refused", it answers.

The same happens with
> nc -v -p 1234 217.x.x.x


Is this the right testing method here ?


rc.conf:
  can the following be an error ? Do I have the wrong netmask on ep1 ?
ifconfig_ep0="inet 217.bla.bla.bla netmask 255.255.255.0 up"
ifconfig_ep1="inet 10.0.0.1 netmask 255.255.255.128 up"


Do you have something similar - an example with port forwarding ?
Anyone who has a set of config files for the 2.2.5 based picoBSD
"net" floppy using port forwarding and nat ?

Regards, David W


Below I include my rc.conf, natd.conf, rc.firewall and dmesg output:


---------------------------------------------------------------------------

natd.conf:

# does the order of lines matter ?

# what's the effective difference between
#    "interface ep0" and "alias_address 217.bla.bla.bla" ?
# I've tried both (not simultaneously - not allowed) without noticing any
# changed behaviour

interface ep0
unregistered_only
#alias_address 217.bla.bla.bla
use_sockets yes
same_ports yes

# dc
redirect_port tcp 10.0.0.3:411-412 217.bla.bla.bla:411-412
redirect_port udp 10.0.0.3:411-412 217.bla.bla.bla:411-412

# ftp
redirect_port tcp 10.0.0.3:20-21 217.bla.bla.bla:20-21
redirect_port udp 10.0.0.3:20-21 217.bla.bla.bla:20-21

# test
redirect_port tcp 10.0.0.4:1234 217.bla.bla.bla:1234
redirect_port udp 10.0.0.4:1234 217.bla.bla.bla:1234



---------------------------------------------------------------------------


rc.conf:

#!/bin/sh
#
swapfile="NO"           # Set to name of swapfile if aux swapfile desired.
###  Network configuration sub-section  ######################
### Basic network options: ###
hostname="pico.bla.se"     # Probably invalid - arbitrarily chosen.
tcp_extensions="NO"             # Allow RFC1323 & RFC1644 extensions (or NO).
network_interfaces="lo0 ep0 ep1"        # List of network interfaces (lo0 is loo
ifconfig_lo0="inet 127.0.0.1"   # default loopback device configuration.
#ifconfig_lo0_alias0="inet 127.0.0.254 netmask 0xffffffff" # Sample alias entry.
ifconfig_ep0="inet 217.bla.bla.bla netmask 255.255.255.0 up"
ifconfig_ep1="inet 10.0.0.1 netmask 255.255.255.128 up"

### Network daemons options: ###
inetd_enable="YES"              # Run the network daemon dispatcher (or NO)
inetd_flags=""                  # Optional flags to inetd
snmpd_enable="NO"              # Run the SNMP daemon (or NO)
snmpd_flags="-C -c /etc/snmpd.conf"     # Optional flags to snmpd
### Network routing options: ###
defaultrouter="217.bla.bla.bla"            # Set to default gateway (or NO).
static_routes=""                # Set to static route list (or leave empty).
gateway_enable="YES"            # Set to YES if this host will be a gateway.
firewall_enable="YES"
firewall_script="/etc/rc.firewall"
firewall_type="open"
firewall_quiet="NO"

natd_program="/sbin/natd"
natd_enable="YES"
natd_interface="ep0"
natd_flags="-f /etc/natd.conf"
tcp_drop_synfin="YES"

arpproxy_all=""                 # replaces obsolete kernel option ARP_PROXYALL.

### Allow local configuration override at the very end here ##
if [ -f /etc/rc.conf.local ]; then
        . /etc/rc.conf.local
fi


---------------------------------------------------------------------------
rc.firewall:


#my only addition to the default file:

$fwcmd -f flush

$fwcmd add 500 divert 8668 all from any to any via ep0

# in the "simple"-part: (currently I use "open")

    oif="ep0"
    onet="217.bla.bla.bla"
    omask="255.255.255.0"
    oip="217.bla.bla.bla"

---------------------------------------------------------------------------
dmesg:


Copyright (c) 1992-1998 FreeBSD Inc.
Copyright (c) 1982, 1986, 1989, 1991, 1993
        The Regents of the University of California.  All rights reserved.

FreeBSD 2.2.5-STABLE #0: Mon Mar 23 16:22:37 MYT 1998
    dinesh@broker.alphaque.com:/usr/src/sys/compile/PICOBSD-N.2800
CPU: i486 DX4 (486-class CPU)
  Origin = "GenuineIntel"  Id = 0x480  Stepping=0
  Features=0x3<FPU,VME>
real memory  = 33554432 (32768K bytes)

FreeBSD Kernel Configuration Utility - Version 1.1
 Type "help" for help or "visual" to go to the visual
 configuration interface (requires MGA/VGA display or
 serial terminal capable of displaying ANSI graphics).
config> disable sio0
config> disable sio2
config> disable sio3
config> port lpt0 0x0378
config> port ed0 0x0340
config> irq ed0 4
config> iomem ed0 0x00000000
config> port ed1 0x0320
config> iomem ed1 0x00000000
config> irq ep1 11
config> quit
avail memory = 28262400 (27600K bytes)
Probing for devices on PCI bus 0:
wdc0 <CMD 640B IDE> rev 2 int a irq 14 on pci0:15
chip0 <generic PCI bridge (vendor=1060 device=8881 subclass=0)> rev 1 on pci0:16
chip1 <generic PCI bridge (vendor=1060 device=8886 subclass=1)> rev 1 on pci0:18
Probing for devices on the ISA bus:
sc0 at 0x60-0x6f irq 1 on motherboard
sc0: VGA mono <16 virtual consoles, flags=0x0>
ed0 not found at 0x340
ed1 not found at 0x320
sio1 at 0x2f8-0x2ff irq 3 on isa
sio1: type 16550A
lpt0 at 0x378-0x37f irq 7 on isa
lpt0: Interrupt-driven port
lp0: TCP/IP capable interface
fdc0 at 0x3f0-0x3f7 irq 6 drq 2 on isa
fdc0: FIFO enabled, 8 bytes threshold
fd0: 1.44MB 3.5in
wdc0 not found at 0x1f0
wdc1 not found at 0x170
2 3C5x9 board(s) on ISA found at 0x300 0x280
ep0 at 0x300-0x30f irq 10 on isa
ep0: utp[*UTP*] address 00:20:af:93:0d:4d
ep1 at 0x280-0x28f irq 11 on isa
ep1: aui/utp/bnc[*UTP*] address 00:a0:24:70:ab:76
npx0 on motherboard
npx0: INT 16 interface
IP packet filtering initialized, divert enabled, default to accept, logging disabled
rootfs is 2800 Kbyte compiled in MFS
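
---------------------------------------------------------------------------
Added example (not part of the original message): a Python check of two questions the message asks about its own configuration, namely whether the redirect_port targets fall inside the ep1 network defined by netmask 255.255.255.128, and whether the test client sits on the LAN side, where its connection to the WAN address arrives on ep1 and never passes through ep0. The address 192.0.2.10 is a placeholder for the elided 217.bla.bla.bla, and the function names are illustrative.

```python
import ipaddress

# Constructed sample input: values taken from the rc.conf and natd.conf in the
# message; 192.0.2.10 is a documentation placeholder for "217.bla.bla.bla".
WAN_IP = "192.0.2.10"
LAN_IF = ("10.0.0.1", "255.255.255.128")   # ifconfig_ep1
NATD_CONF = """\
interface ep0
unregistered_only
#alias_address 192.0.2.10
redirect_port tcp 10.0.0.3:411-412 192.0.2.10:411-412
redirect_port tcp 10.0.0.3:20-21 192.0.2.10:20-21
redirect_port tcp 10.0.0.4:1234 192.0.2.10:1234
redirect_port udp 10.0.0.4:1234 192.0.2.10:1234
"""

def lan_network(addr, mask):
    """Network defined by the LAN interface address and dotted netmask."""
    return ipaddress.ip_interface(f"{addr}/{mask}").network

def parse_redirects(conf):
    """Yield (proto, target_ip, target_ports, alias_ip, alias_ports)."""
    for line in conf.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments
        if len(fields) >= 4 and fields[0] == "redirect_port":
            tip, tports = fields[2].rsplit(":", 1)
            aip, _, aports = fields[3].rpartition(":")  # alias IP is optional
            yield fields[1], tip, tports, aip, aports

def check(conf, lan, wan_ip, client_ip):
    """Return findings for the redirect targets and the test client."""
    findings = []
    for proto, tip, tports, aip, aports in parse_redirects(conf):
        if ipaddress.ip_address(tip) not in lan:
            findings.append(f"{proto} target {tip}:{tports} is outside {lan}")
        if aip and aip != wan_ip:
            findings.append(f"{proto} alias {aip}:{aports} is not the WAN address")
    if ipaddress.ip_address(client_ip) in lan:
        findings.append(f"test client {client_ip} is inside {lan}: its packets "
                        "enter on the LAN interface, not the WAN interface")
    return findings

if __name__ == "__main__":
    net = lan_network(*LAN_IF)
    print("LAN network:", net)
    for finding in check(NATD_CONF, net, WAN_IP, "10.0.0.4"):
        print("-", finding)
```

Passing a client address outside the LAN network models a test made from the WAN side, which is the path a divert rule restricted to ep0 actually sees.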


