Date:      Thu, 30 Jan 2003 08:50:09 -0500
From:      "JoeB" <barbish@a1poweruser.com>
To:        "Redmond Militante" <r-militante@northwestern.edu>, <freebsd-questions@freebsd.org>
Subject:   RE: another go at natd
Message-ID:  <MIEPLLIBMLEEABPDBIEGKENJDEAA.barbish@a1poweruser.com>
In-Reply-To: <20030130032743.GA30748@darkpossum>

You have just fallen onto the unpublished secret that IPFW / NATD
does not work with keep-state rules. If you use user ppp -nat so the
NAT function is done outside of IPFW, then IPFW keep-state rules will
function as documented.

For true keep-state protection you are far better off using IPFILTER
/ IPNAT. Much, much simpler to configure and use.

-----Original Message-----
From: owner-freebsd-questions@FreeBSD.ORG
[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Redmond
Militante
Sent: Wednesday, January 29, 2003 10:28 PM
To: freebsd-questions@freebsd.org
Subject: another go at natd

hi all

this is a followup to an email i sent out to the list a week or so
ago.  i was having trouble getting the following natd setup to work:

-----------------------snip--------------------------
two machines - one has two nics, one has one nic. i'd like to set up
the machine with two nics as a gateway/natd box, and place the
second machine behind it.

gateway machine's kernel has been recompiled with:

options IPFIREWALL
options IPDIVERT
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFIREWALL_VERBOSE

gateway machine's /etc/rc.conf:

defaultrouter="129.x.x.1"
hostname="enquirer.medill.northwestern.edu"
ifconfig_xl0="inet 129.x.x.35 netmask 255.255.255.0"
ifconfig_xl1="inet 10.0.0.1 netmask 255.0.0.0"
gateway_enable="YES"
firewall_enable="YES"
#firewall_script="/etc/rc.firewall"
firewall_type="OPEN"
natd_enable="YES"
natd_interface="xl0"
natd_flags=""

second machine's /etc/rc.conf:

defaultrouter="10.0.0.1"
ifconfig_xl0="inet 10.0.0.2 netmask 255.0.0.0"

'ipfw list' on the gateway machine gives me:
00050 divert 8668 ip from any to any via xl0
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
65000 allow ip from any to any
65535 allow ip from any to any

i'm following the instructions in the handbook
http://www.freebsd.org/doc/en_US.IS...dbook/natd.html
----------------------------snip-------------------------

-turns out my setup above was exactly right. i was informed by
various members of the list that my original problem was that i was
running a connection from the client machine directly to the
internal nic on the gateway box, and all i needed to do was to run
everything through a hub to get it to work.

so, i'm nat'ing. i'm redirecting packets to my internal lan on the
gateway box.  i guess my question to the list would be:  is a
vanilla natd setup like this enough?  today, i tried changing
firewall_type to '/etc/ipfw.rules' instead of "OPEN", it's been
problematic.  i'm having trouble getting the following
/etc/ipfw.rules file working with my nat setup:

add 00100 allow ip from any to any via lo0
add 00200 deny ip from any to 127.0.0.0/8
add 00300 check-state
add 00301 allow tcp from 129.x.x.20 to any in setup keep-state
add 00302 allow tcp from 10.0.0.2 to any in setup keep-state
#allow tcp in for ftp,ssh, smtp, httpd
add 00304 allow tcp from any to any 21 in setup keep-state
add 00305 allow tcp from any to any 22 in setup keep-state
add 00306 allow tcp from any to any 25 in setup keep-state
add 00307 allow tcp from any to any 80 in setup keep-state
#allow tcp in for webmin port
add 00308 allow tcp from any to any 10000 in setup keep-state
#deny rest of incoming tcp
add 00309 deny log tcp from any to any in established
#from man 8 ipfw: allow only outbound tcp connections i've created
add 00310 allow tcp from any to any out setup keep-state
#allow udp in for gateway for DNS
add 00400 allow udp from 129.105.49.1 to any in recv xl0
add 00401 allow udp from 129.x.x.20 to any in recv xl0
add 00402 allow udp from 10.0.0.2 to any in recv xl0
#allow all udp out from machine
add 00404 allow udp from any to any out
#allow some icmp types (codes not supported)
##########allow path-mtu in both directions
add 00500 allow icmp from any to any icmptypes 3
##########allow source quench in and out
add 00501 allow icmp from any to any icmptypes 4
##########allow me to ping out and receive response back
add 00502 allow icmp from any to any icmptypes 8 out
add 00503 allow icmp from any to any icmptypes 0 in
##########allow me to run traceroute
add 00504 allow icmp from any to any icmptypes 11 in
add 00600 deny log ip from any to any


sorry, this is long winded.  any comments on how to get the above
rules working with my nat setup, or if these measures are even
necessary would be greatly appreciated.

thanks
redmond
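The following is an added illustration for this thread, not code from either poster or from FreeBSD. It is a toy model of ipfw's first-match evaluation over the subset of Redmond's ruleset that decides the fate of a TCP connection from the LAN client (the divert rule 50 that appears in his 'ipfw list' output, check-state 300, deny-in-established 309, allow-out-setup-keep-state 310 and the final deny 600), with a port-preserving stand-in for natd. It shows why the client's reply packet never matches the dynamic rule when translation happens inside the rule walk, and why the same ruleset works when NAT is done outside IPFW as JoeB describes for user ppp -nat. The remote web server address, the client port and the port-preserving translation are constructed simplifications; the two-octet masking of the public address is kept as posted.

```python
from dataclasses import dataclass, replace

# Addresses as they appear in the posted configuration (two octets of the
# public address were masked by the poster; the mask is kept). The remote
# web server is a constructed value from the RFC 5737 documentation range.
PUBLIC = "129.x.x.35"
CLIENT = "10.0.0.2"
REMOTE = "198.51.100.7"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str      # "in" or "out", relative to the gateway
    setup: bool         # ipfw "setup": SYN set, ACK clear
    established: bool   # ipfw "established": ACK or RST set


class Natd:
    """Toy natd: rewrite the source of outbound packets to the alias address
    and undo it on the reply. Ports are left unchanged (a simplification)."""

    def __init__(self, alias):
        self.alias = alias
        self.links = {}   # alias port -> (original address, original port)

    def translate(self, pkt):
        if pkt.direction == "out" and pkt.src != self.alias:
            self.links[pkt.sport] = (pkt.src, pkt.sport)
            return replace(pkt, src=self.alias)
        if pkt.direction == "in" and pkt.dst == self.alias and pkt.dport in self.links:
            addr, port = self.links[pkt.dport]
            return replace(pkt, dst=addr, dport=port)
        return pkt


class Ipfw:
    """First-match walk over the rules that matter for one TCP connection."""

    def __init__(self, natd=None):
        self.natd = natd        # None models NAT done outside IPFW (ppp -nat)
        self.dynamic = set()    # keep-state entries: (src, sport, dst, dport)

    def _key(self, pkt):
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport)

    def _reverse_key(self, pkt):
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def evaluate(self, pkt):
        """Return (verdict, matching rule number) for one packet."""
        # 00050 divert 8668 ip from any to any via xl0
        if self.natd is not None:
            pkt = self.natd.translate(pkt)   # natd reinjects; walk resumes at 51
        # 00300 check-state
        if self._key(pkt) in self.dynamic or self._reverse_key(pkt) in self.dynamic:
            return ("allow", 300)
        # 00309 deny log tcp from any to any in established
        if pkt.direction == "in" and pkt.established:
            return ("deny", 309)
        # 00310 allow tcp from any to any out setup keep-state
        if pkt.direction == "out" and pkt.setup:
            self.dynamic.add(self._key(pkt))
            return ("allow", 310)
        # 00600 deny log ip from any to any
        return ("deny", 600)


def client_connection(nat_inside_ipfw):
    """Send 10.0.0.2's SYN to port 80 and the server's SYN/ACK through the
    gateway; return the verdicts for the outbound and inbound packet."""
    natd = Natd(PUBLIC)
    fw = Ipfw(natd if nat_inside_ipfw else None)

    syn = Packet(CLIENT, 40000, REMOTE, 80, "out", setup=True, established=False)
    out_verdict = fw.evaluate(syn)
    if not nat_inside_ipfw:
        natd.translate(syn)           # ppp -nat translates after IPFW saw the packet

    # On the wire the reply is always addressed to the gateway's public address.
    synack = Packet(REMOTE, 80, PUBLIC, 40000, "in", setup=False, established=True)
    if not nat_inside_ipfw:
        synack = natd.translate(synack)   # ppp -nat translates before IPFW sees it
    in_verdict = fw.evaluate(synack)
    return out_verdict, in_verdict


if __name__ == "__main__":
    print("natd via divert inside IPFW:", client_connection(True))
    print("NAT outside IPFW (ppp -nat):", client_connection(False))
```

With the divert rule in front, rule 310 records the dynamic entry with the already-translated public source, while the reply re-enters check-state after natd has rewritten its destination back to 10.0.0.2; nothing matches and rule 309 logs and drops the SYN/ACK. With translation outside the rule walk, both directions are seen with the private address and check-state matches the entry that 310 created.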

