From owner-freebsd-questions@FreeBSD.ORG Fri Jun 2 23:14:53 2006
Date: Fri, 2 Jun 2006 16:14:51 -0700
From: Devin Heckman
To: freebsd-questions@freebsd.org
Message-ID: <20060602231451.GA18733@rescomp.berkeley.edu>
Subject: IPSec, ipfw, and natd

Hi,

I recently tried to set up a computer to act as a NAT using FreeBSD 6.1. ipfw functions as it should, as well as IPSec, but I've run into some problems when setting up the NAT. I have two computers behind it, both of which do not need to speak IPSec (and aren't configured to do so). The NAT computer should speak IPSec with one other computer, from which it mounts home directories via NFS. When I enable natd, ipfw, and IPSec, the connection to the computer with which I speak IPSec breaks, but the NAT functions properly (it can ping everything except the IPSec-speaking NFS server).
My ipfw rules look like this:

    $cmd 0001 allow udp from any to any isakmp
    $cmd 0002 allow esp from $ipsec_servers to me
    $cmd 0003 allow ah from $ipsec_servers to me
    $cmd 0004 divert natd all from any to any via sis0
    ...
    $cmd 0015 allow icmp from any to any
    $cmd 9900 allow all from me to any
    $cmd 9910 allow all from any to any established
    $cmd 9999 deny log all from any to me

And natd.conf, which is called when natd is started in the rc scripts, looks like this:

    port 8668
    interface sis0
    log yes

Does anyone have any experience with problems such as this? Feel free to ask for anything else that may clarify the problem.

Thanks,

--
Devin Heckman
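One thing worth checking with a ruleset like the one above is whether traffic between the gateway and its IPsec peer is accepted before the natd divert rule, so that natd never handles the decrypted inbound packets or the outbound cleartext to the peer. The script below is an added example, not part of Devin's post: it emits the posted ordering, emits a variant with two peer-exempting rules ahead of the divert, and checks either ruleset (or `ipfw list` output) for that exemption. It assumes sis0 from the post and a constructed peer address 192.0.2.10 standing in for $ipsec_servers.

```sh
#!/bin/sh
# Added example, not from the original post. sis0 is the interface named in
# the post; 192.0.2.10 is a constructed (RFC 5737) placeholder for the peer.
ext_if="sis0"
ipsec_servers="192.0.2.10"

# Ordering as posted: only ESP/AH from the peer is accepted before rule 0004,
# so anything else to or from the peer is handed to natd by the divert.
emit_posted_ruleset() {
    printf '%s\n' \
      "0001 allow udp from any to any isakmp" \
      "0002 allow esp from $ipsec_servers to me" \
      "0003 allow ah from $ipsec_servers to me" \
      "0004 divert natd all from any to any via $ext_if" \
      "0015 allow icmp from any to any" \
      "9900 allow all from me to any" \
      "9910 allow all from any to any established" \
      "9999 deny log all from any to me"
}

# Same ruleset with all traffic between this host and the peer accepted
# ahead of the divert (the divert itself moves to 0006).
emit_fixed_ruleset() {
    emit_posted_ruleset | awk -v peer="$ipsec_servers" '
        /divert/ {
            print "0004 allow ip from me to " peer
            print "0005 allow ip from " peer " to me"
            sub(/^0004/, "0006")
        }
        { print }'
}

# Read a ruleset on stdin (the format above or `ipfw list` output) and
# succeed only if both peer-exempting allow rules precede the divert.
peer_exempt_from_nat() {
    awk -v peer="$1" '
        /divert/ { past_divert = 1 }
        !past_divert && /allow (ip|all) from/ && index($0, "from me to " peer) { out_ok = 1 }
        !past_divert && /allow (ip|all) from/ && index($0, "from " peer " to me") { in_ok = 1 }
        END { exit (out_ok && in_ok) ? 0 : 1 }'
}

# Load a ruleset from stdin on a FreeBSD host (root and an ipfw kernel needed),
# e.g.: emit_fixed_ruleset | load_ruleset
load_ruleset() {
    while read -r num rule; do
        ipfw -q add "$num" $rule
    done
}
```

On a live gateway, `ipfw list | peer_exempt_from_nat 192.0.2.10` reports via its exit status whether the loaded rules already exempt the peer.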