From: David Kelly
To: freebsd-questions@FreeBSD.ORG
Subject: Re: IPFW, natd, and one big headache
In-reply-to: Message from Louis LeBlanc of "Wed, 10 Oct 2001 21:29:43 EDT." <20011010212942.A1037@acadia.ne.mediaone.net>
Date: Wed, 10 Oct 2001 21:10:55 -0500

Louis LeBlanc writes:
> Ok, I'm ready to lose it here.
>
> I finally have a firewall that doesn't appear to close anything off,
> and I know it opens those things I want opened, like outgoing ping,
> traceroute, incoming HTTP, HTTPS, IMAP, SMTP, etc. I take the script
> and source it once everything is up and dhclient is set, and it's all
> good.

What does the above script say about ports 67 and 68? Hint:

    # allow DHCP stuff
    ${fwcmd} add pass udp from 24.214.63.26 67 to any 68 in via ${nic}
    ${fwcmd} add pass udp from me 68 to 24.214.63.26 67 out via ${nic}

> And Natd. All I get out of that is
> Oct 10 21:08:31 acadia natd[396]: failed to write packet back (Permission denied)
> in the console log.
>
> I have the following in /etc/rc.conf:
> natd_program="/sbin/natd"
> natd_interface="xl0"
> natd_enable=YES
> natd_flags="-unregistered_only -use_sockets -same_ports"
>
> and I have also tried using natd flags set instead to '-f /etc/natd.conf'
> which has:
>
> dynamic yes
> log no
> deny_incoming no
> use_sockets yes
> same_ports yes
> verbose no
> interface xl0
> unregistered_only no

I suggest adding "-log_facility security" to natd so that both natd and
ipfw report to the same place. Namely /var/log/security.

The best way to debug ipfw that I've found is to throw "log" modifiers
at all suspected blocking rules. It is easy to insert a new copy of the
rule with "log" added just before the current rule. Doesn't hurt
anything to have two identical rules in a row. Later for cleanup you can
simply delete the debugging log rules.

I let my rules autonumber on insert. Steps by 100. So temporary debugging
rules are often xx50 or xx90. Easy to spot and remove.

No need to reboot to debug your firewall and dhclient. Simply kill
dhclient and start it again with "dhclient xl0"

Use "ipfw zero" just before you restart dhclient. Then if you didn't
log the problems, "ipfw -a list" should indicate which rules got hits
since the zero. Then you have an idea where the dhcp packets are
being stopped.

-- 
David Kelly N4HHE, dkelly@hiwaay.net
=======================================================================
The human mind ordinarily operates at only ten percent of its capacity
-- the rest is overhead for the operating system.
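The two debugging steps David describes (read the counters from "ipfw -a list" after an "ipfw zero", then insert a logging copy of a suspect rule just before it) as a small sh/awk helper. This is an added example, not code from the original post or from FreeBSD; it assumes the "ipfw -a list" output format of the era (rule number, packet counter, byte counter, then the rule body), the sample listing below is constructed, and the choice of "rule number minus 10" for the logging copy is this example's own convention (David uses xx50 or xx90).

```shell
#!/bin/sh
# Constructed sample of `ipfw -a list` output: rule number, packets, bytes,
# then the rule body.  Not output from the original poster's host.
SAMPLE_IPFW_LIST='00100       0       0 allow ip from any to any via lo0
00200       0       0 deny ip from any to any to 127.0.0.0/8
01000       0       0 allow udp from 24.214.63.26 67 to any 68 in via xl0
01100       0       0 allow udp from me 68 to 24.214.63.26 67 out via xl0
65000      14    4312 deny log ip from any to any
65535       0       0 deny ip from any to any'

# Print "rulenum packets" for every rule whose packet counter is non-zero,
# i.e. the rules that matched traffic since the last `ipfw zero`.
# On a real firewall:  ipfw zero; <restart dhclient>; ipfw -a list | hit_rules
hit_rules() {
    awk '$2 + 0 > 0 { print $1, $2 }'
}

# Read one line of `ipfw -a list` output and emit the ipfw command that
# inserts a copy of that rule with "log" added, numbered 10 below the
# original so it is evaluated first (hypothetical numbering convention).
# Rules that already carry "log" produce no output.
log_copy_cmd() {
    awk '{
        num = $1 + 0
        action = $4
        if ($5 == "log") next
        body = ""
        for (i = 5; i <= NF; i++) body = body " " $i
        printf "ipfw add %d %s log%s\n", num - 10, action, body
    }'
}

# Demonstration on the constructed listing.
printf '%s\n' "$SAMPLE_IPFW_LIST" | hit_rules
printf '%s\n' "$SAMPLE_IPFW_LIST" | sed -n 3p | log_copy_cmd
```

The first command lists only rule 65000 (the catch-all deny) as having hits, which is the "where are the DHCP packets being stopped" question answered directly; the second prints the "ipfw add 990 allow log udp ..." line you would paste in to see, in /var/log/security, whether the DHCP rule is ever reached.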