From owner-freebsd-questions Tue Sep 25 15:58:31 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from magnia.corridor.net (ns.corridor.net [66.100.224.8]) by hub.freebsd.org (Postfix) with ESMTP id 4B58537B410 for ; Tue, 25 Sep 2001 15:58:18 -0700 (PDT)
Received: from lightstep.org (unverified [66.100.232.202]) by magnia.corridor.net (Vircom SMTPRS 5.0.194) with SMTP id for ; Tue, 25 Sep 2001 17:57:33 -0500
Received: by lightstep.org (Postfix, from userid 1000) id F0366243A3; Tue, 25 Sep 2001 18:00:59 -0500 (CDT)
Received: from localhost (localhost [127.0.0.1]) by lightstep.org (Postfix) with ESMTP id C483D16E98 for ; Tue, 25 Sep 2001 18:00:59 -0500 (CDT)
Date: Tue, 25 Sep 2001 18:00:59 -0500 (CDT)
From: Bradley Oedithipus
To:
Subject: natd/ipfw/sshd problem.
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Here's the problem. My power went out on Saturday; I assume this is when this started.

First of all, I run natd for my subnet, ipfw which restricts access to various ports, and sshd on port 22.

Okay, on with the evidence. First of all, my firewall sets up the divert rule to coincide with natd to divert packets. Here is the rule (quite standard for natd use):

    00050 divert 8668 ip from any to any via ed0

(ed0 being my external NIC.)

Now, when rule 50 is in effect, you cannot connect to my server via ssh from outside my network, but you CAN connect via ssh from the local server and the subnet. When I delete rule 50 (ipfw delete 50), ssh is available from inside the network and from the internet.

I have pinned it down to this rule by flushing ALL rules (since my default is deny, I add allow ip from any to any) and then trying, and it works. Then I add the divert rule, and it doesn't work.
Now, whether or not the divert rule 50 is in effect, netstat -an | grep 22 shows that sshd IS bound:

    lightstep:/etc # netstat -an |grep 22
    tcp4       0      0  *.22                   *.*                    LISTEN

This is a very strange situation, I know. But I don't like having to turn off natd (deleting rule 50) in order to login remotely. Has anyone encountered this before? I sure hope so, or I hope I am making a very obvious mistake. Any help would be appreciated. Also, if any more information is needed, please let me know.

Thanks,
Bradley Crecelius
bradley@lightstep.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
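The message above couples two pieces of configuration that have to agree: the ipfw divert rule and the natd process reading from the divert socket. What follows is an added example, not part of the original message and not FreeBSD's own tooling: a small Python checker that parses 'ipfw show' (or 'ipfw list') output together with a natd flag string, as one would put in rc.conf's natd_flags, and reports the mismatches that make the two disagree: the divert port versus natd's -p port (default 8668), the divert interface versus natd's -n interface, an accept rule numbered below the divert rule (ipfw evaluates rules in ascending order, so such packets would never reach natd), and a static -a alias address that no longer matches the address currently on the interface. The ruleset and flag strings are constructed samples; the checker does not claim to identify the cause of the problem described above.

```python
"""Consistency check between an ipfw divert rule and the natd it feeds.

Added example, not from the original post. It parses 'ipfw show' / 'ipfw list'
output and a natd command line (the natd_flags value) and reports mismatches
that silently break NAT. The sample ruleset below is constructed.
"""
import shlex

NATD_DEFAULT_PORT = 8668  # natd's default divert port ("natd" in /etc/services)
ACCEPT_ACTIONS = {"allow", "accept", "pass", "permit"}  # ipfw synonyms for accept

# Constructed sample of 'ipfw show' output (counters precede the action).
SAMPLE_RULESET = """\
00050    0       0 divert 8668 ip from any to any via ed0
00100  120   14400 allow ip from any to any via lo0
00200 4821 3912000 allow tcp from any to any 22 in via ed0
65535 9999  999999 deny ip from any to any
"""


def _port(token):
    """Divert ports and natd -p accept a number or the service name 'natd'."""
    if token == "natd":
        return NATD_DEFAULT_PORT
    return int(token) if token.isdigit() else token


def _via(tokens):
    """Interface named after 'via' in a rule body, or None if unrestricted."""
    return tokens[tokens.index("via") + 1] if "via" in tokens else None


def parse_ipfw(output):
    """Return [(rule_number, action, body_tokens)] from ipfw show/list output."""
    rules = []
    for line in output.splitlines():
        parts = line.split()
        if not parts or not parts[0].isdigit():
            continue  # headers, dynamic-rule banners, blank lines
        idx = 1
        while idx < len(parts) and parts[idx].isdigit():
            idx += 1  # skip 'ipfw show' packet/byte counters
        if idx < len(parts):
            rules.append((int(parts[0]), parts[idx], parts[idx + 1:]))
    return rules


def parse_natd_flags(flags):
    """Pull the natd options that must agree with the firewall ruleset."""
    opts = {"port": NATD_DEFAULT_PORT, "interface": None, "alias_address": None}
    argv = shlex.split(flags)
    i = 0
    while i < len(argv):
        arg, nxt = argv[i], argv[i + 1] if i + 1 < len(argv) else None
        if arg in ("-p", "-port") and nxt is not None:
            opts["port"], i = _port(nxt), i + 2
        elif arg in ("-n", "-interface") and nxt is not None:
            opts["interface"], i = nxt, i + 2
        elif arg in ("-a", "-alias_address") and nxt is not None:
            opts["alias_address"], i = nxt, i + 2
        else:
            i += 1  # flags without a value, e.g. -dynamic, -same_ports
    return opts


def check_nat_setup(ipfw_output, natd_flags, interface_address=None):
    """Return human-readable findings; an empty list means the pieces agree."""
    findings = []
    rules = parse_ipfw(ipfw_output)
    natd = parse_natd_flags(natd_flags)
    diverts = [(n, toks) for n, action, toks in rules if action == "divert"]
    if not diverts:
        return ["no divert rule in the ruleset: natd never sees a packet"]

    for number, toks in diverts:
        port = _port(toks[0]) if toks else None
        if port != natd["port"]:
            findings.append(f"rule {number:05d} diverts to port {port} "
                            f"but natd listens on port {natd['port']}")
        iface = _via(toks)
        if iface and natd["interface"] and iface != natd["interface"]:
            findings.append(f"rule {number:05d} diverts traffic via {iface} "
                            f"but natd is bound to {natd['interface']} (-n)")

    # Rules are evaluated in ascending order: an accept rule that matches the
    # divert interface and sits below the divert rule hands packets through
    # untranslated, so natd is never consulted for them.
    divert_ifaces = {_via(toks) for _, toks in diverts}
    first_divert = min(number for number, _ in diverts)
    for number, action, toks in rules:
        if number >= first_divert or action not in ACCEPT_ACTIONS:
            continue
        iface = _via(toks)
        if iface is None or iface in divert_ifaces:
            findings.append(f"rule {number:05d} accepts traffic before divert "
                            f"rule {first_divert:05d}; matching packets bypass natd")

    if interface_address and natd["alias_address"] \
            and natd["alias_address"] != interface_address:
        findings.append(f"natd aliases to {natd['alias_address']} (-a) but the "
                        f"interface address is {interface_address}; use -n <interface> "
                        f"(with -dynamic if the address can change)")
    return findings


if __name__ == "__main__":
    for flags in ("-n ed0 -dynamic", "-p 8669 -n ed0", "-a 192.0.2.1"):
        print(flags, "->", check_nat_setup(SAMPLE_RULESET, flags,
                                           interface_address="192.0.2.7") or "ok")
```

Run against a live box the same way: feed it `ipfw show` output and the natd_flags string from rc.conf, plus the address `ifconfig` currently reports for the external interface, and each finding points at one of the four couplings named in the lead-in.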