From owner-freebsd-questions Thu Jan 27 10:40:52 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from wondermutt.net (host75-157.student.udel.edu [128.175.75.157]) by hub.freebsd.org (Postfix) with ESMTP id 6FE551568D for ; Thu, 27 Jan 2000 10:40:42 -0800 (PST) (envelope-from papalia@udel.edu)
Received: from morgaine (morgaine.wondermutt.net [192.168.1.2]) by wondermutt.net (8.9.3/8.9.3) with SMTP id NAA06221 for ; Thu, 27 Jan 2000 13:41:51 -0500 (EST) (envelope-from papalia@udel.edu)
Message-Id: <4.1.20000127133150.00a77b50@mail.udel.edu>
X-Sender: papalia@mail.udel.edu
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1
Date: Thu, 27 Jan 2000 13:38:44 -0500
To: freebsd-questions@freebsd.org
From: John
Subject: Natd, firewall, and ports closing
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Hey all -

I'm stumped on something. I have natd running: one internal machine (192.168.x.x) and my FreeBSD box connected to the outside. The two machines are connected with a crossover Cat 5 cable.

Problem: within my FreeBSD box, if I try to "dcc chat" another address WITHIN my FreeBSD box, the connection fails. However, all similar connections both into and out of the box work perfectly. If I remove the divert line from my firewall, it works fine, though.

netstat -na shows the problem as follows:

    tcp  0  0  128.175.75.157.1214  128.175.75.157.57670  SYN_SENT
    tcp  0  0  *.57670              *.*                   CLOSED

FreeBSD shut down the port before the connection could be made. Again, if I remove the DIVERT rule from the firewall, it works fine.
My ruleset is as follows:

    00075    702     73891 allow ip from any to any via lo0
    00085     85      5881 allow ip from 128.175.x.x to 127.0.0.0/8
    00100   3257    366714 divert 8668 ip from any to any via fxp1
    00150 144847  15260516 allow ip from any to any via fxp0
    00200      0         0 deny ip from any to 127.0.0.0/8 via fxp1
    65000 115659  16418959 allow ip from any to any
    65535      0         0 deny ip from any to any

where fxp1 is to the outside and fxp0 is to the inside. I moved rules 00075 and 00085 up from 00125 and 00135 in hopes that that might solve the problem.

Even better yet, tcpdump DOES show the request passing through lo0, so why would the divert rule be touching it at all?

Thanks in advance,
John