From owner-freebsd-net Thu Nov 8 14:05:38 2001
Delivered-To: freebsd-net@freebsd.org
Received: from albatross.prod.itd.earthlink.net (albatross.mail.pas.earthlink.net [207.217.120.120]) by hub.freebsd.org (Postfix) with ESMTP id D22D037B41A for ; Thu, 8 Nov 2001 14:05:33 -0800 (PST)
Received: from dialup-209.245.128.79.dial1.sanjose1.level3.net ([209.245.128.79] helo=blossom.cjclark.org) by albatross.prod.itd.earthlink.net with esmtp (Exim 3.33 #1) id 161xIc-0001K2-00; Thu, 08 Nov 2001 14:05:29 -0800
Received: (from cjc@localhost) by blossom.cjclark.org (8.11.6/8.11.3) id fA8M3s511667; Thu, 8 Nov 2001 14:03:54 -0800 (PST) (envelope-from cjc)
Date: Thu, 8 Nov 2001 14:03:54 -0800
From: "Crist J. Clark"
To: Michael Loftis
Cc: Michael Loftis, freebsd-net@FreeBSD.ORG
Subject: Re: natd behaviour.
Message-ID: <20011108140354.I51134@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
References: <3BEA89B3.B88C5048@wgops.com> <20011108123917.F51134@blossom.cjclark.org> <3BEAFB9D.87AB5EA8@activemessage.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <3BEAFB9D.87AB5EA8@activemessage.com>; from mike@activemessage.com on Thu, Nov 08, 2001 at 01:39:41PM -0800
X-URL: http://people.freebsd.org/~cjc/
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Thu, Nov 08, 2001 at 01:39:41PM -0800, Michael Loftis wrote:
> "Crist J. Clark" wrote:
> > On Thu, Nov 08, 2001 at 05:33:39AM -0800, Michael Loftis wrote:
> > > I'm running natd and I need to change its behaviour slightly. It seems
> > > that if it doesn't find a redirect_address match it'll drop connection
> > > requests for that address, so putting it in a simplest-case divert from
> > > any to any type of ipfw rule severely breaks things. What I need it to
> > > do is pass those through unmodified.
> > >
> > > Can I get it to do this or am I going to have to get specific with my
> > > ipfw rules?
> >
> > If I understand what you are saying, it should be doing this
> > already. That is, natd(8) passes through anything it does not modify
> > untouched. It does not drop (any normal) packets.
>
> already established sessions transit fine, but new sessions (specifically what
> I'm interested in are new sessions to the local machine) to anything other than
> the configured redirect_* stanzas get dropped. ipfw is not the culprit, natd
> in verbose mode makes note of the fact that it is dropping these packets.

Could we see this?

> Basically the only problem I'm having is with setup (SYN set apparently)
> packets sent through natd, if they don't match up with a redirect rule they
> get silently dropped.

I thought you just said it was saying it was doing this in verbose mode?

> Don't say that's not its behavior, because that is precisely what it is doing.
>
> my natd config is as follows...
>
> unregistered_only
> same_ports
> dynamic
> interface vlan5
>
> redirect_address 192.168.0.2 64.71.178.211
>
> the only active ipfw rule is as follows
> add divert natd all from any to any via vlan5
>
> Topology is simple, external on vlan5 interface (physically fxp0) and internal
> on vlan0 interface (physically fxp1) -- traffic transits fine. The upstream
> switch fully supports vlans via 802.1Q and I have not yet identified any
> problems there (traffic passes to and from the host and interfaces just as
> configured). So the vlan ifaces are acting just like a normal ethernet dev.
> It's natd that's being funkified.

Might be some weird vlan(4)-natd(8) interaction, but I can't say.

-- 
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message
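As an added example (not from this thread, nor from natd's or ipfw's own documentation): the "get specific with my ipfw rules" alternative Michael raises above. Instead of a single `divert natd all from any to any via vlan5`, only the traffic natd is actually configured to rewrite, the one `redirect_address 192.168.0.2 64.71.178.211` pair from the post, is handed to natd, and everything else on the external interface never enters it. The interface name and addresses are taken from the post; the rule numbers, the `DRY_RUN` switch and the helper function names are this example's own assumptions. The ruleset narrows what natd sees; it does not settle whether natd itself drops unmatched SYNs, which is the open question in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: an ipfw(8) ruleset that diverts to
# natd(8) only the traffic covered by the post's single redirect_address
# pair, so all other packets on the external interface bypass natd.

EXT_IF="vlan5"            # external interface (from the post)
INT_HOST="192.168.0.2"    # inside host named in redirect_address (from the post)
EXT_ADDR="64.71.178.211"  # public address mapped to that host (from the post)

# DRY_RUN defaults to 1: rules are printed for review instead of being loaded.
# Set DRY_RUN=0 to actually call ipfw(8). (The switch is this example's own.)
rule() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "ipfw add $*"
    else
        ipfw add "$@"
    fi
}

natd_rules() {
    # Outbound: only the inside host's own traffic leaving the external
    # interface is rewritten to the public address.
    rule 100 divert natd ip from "$INT_HOST" to any out via "$EXT_IF"
    # Inbound: only packets addressed to the mapped public address are
    # handed to natd for translation back to the inside host.
    rule 110 divert natd ip from any to "$EXT_ADDR" in via "$EXT_IF"
    # Everything else (including new sessions to the gateway's own
    # addresses) is passed without ever entering natd.
    rule 200 allow ip from any to any
}

# Number of rules natd_rules emits; a quick sanity check after editing.
natd_rule_count() {
    DRY_RUN=1 natd_rules | wc -l | tr -d ' '
}

natd_rules
```

Run it as-is to see the three `ipfw add` lines it would load; run it with `DRY_RUN=0` as root on the gateway to load them. Because `via` matches both directions, the explicit `in`/`out` keywords keep each divert rule to the one direction it is meant for.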