From: danny@dannysplace.net
To: freebsd-ipfw@freebsd.org
Cc: freebsd-questions@freebsd.org
Date: Fri, 23 May 2003 09:48:07 +0200
Subject: Strange natd problem.
Message-ID: <1053676087.95fbe1caf5dcd@www.dannysplace.com>

Hello all,

I have a strange problem. At home I have a standard LAN ADSL setup:

    LAN 192.168.10.x ---- FreeBSD 4.8 with ipfw and natd ---- ADSL modem ---- Internet

The natd setup here is what you would expect: 1 IP address and several clients, with a few specific port redirects for web/mail etc...

Now, this week I set up Quake on a box sitting at a hosted location. It's running on FreeBSD 4.8 as well, but there is another firewall before it. It looks like this:

    (4.3.2.1 to 4.3.2.10)
    Internet --- FreeBSD 4.4 with ipfw and natd --- FreeBSD 4.8
    (192.168.1.1) (192.168.1.250)

The natd setup here is simple: there are 10 public IP addresses (4.3.2.1 to 4.3.2.10) and a natd config forwarding these to similar internal IPs (4.3.2.1 = 192.168.1.1 and so on...).

natd.conf is:

    interface xl0
    same_ports yes
    punch_fw 1000:500
    log_denied yes
    log_facility security
    redirect_address 192.168.1.10 4.3.2.10
    redirect_address 192.168.1.1 4.3.2.1
    redirect_address 192.168.1.2 4.3.2.2
    redirect_address 192.168.1.3 4.3.2.3
    redirect_address 192.168.1.4 4.3.2.4
    redirect_address 192.168.1.5 4.3.2.5
    redirect_address 192.168.1.6 4.3.2.6
    redirect_address 192.168.1.7 4.3.2.7
    redirect_address 192.168.1.8 4.3.2.8

Now, the firewall for the Quake server has the following pertinent rules. These are not the real rules, just an example.

    100 divert 8668 ip from any to any via xl0
    200 allow udp from any to 4.3.2.1 27960
    200 allow udp from 4.3.2.1 27960 to any
    300 allow ip from any to 4.3.2.1 27960
    300 allow ip from 4.3.2.1 27960 to any
    65435 allow icmp from any to any
    65535 deny ip from any to any

Here is the strange bit...

  rule 100 matches and (re-inserts)
  rules 200 never match
  rules 300 match and allow the Quake packets through.

I've tried the following protocols specifically: tcp, udp, icmp. But it will ONLY match when I say "ip".

So could it be that the firewall on my home LAN does something with natd, then the firewall on the Quake server's LAN does something *else* to the packets, thereby screwing them up? Or does Quake just use some strange IP protocol?
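A toy model of the first-match walk the post describes, added here and not taken from the post or from ipfw itself: natd's redirect_address rewrite is applied at the divert rule, the packet continues at the next rule carrying its internal address, and a port option cannot match a non-first fragment because that fragment has no transport header. The rule numbers and 192.168.1.x addresses mirror the post; the rule at 250 and the evaluate() helper are assumptions for the demonstration.

```python
"""Simplified model of ipfw first-match evaluation plus natd redirect_address.

Added illustration, not code from the post.  Only inbound traffic on the
public interface is modelled, and only the three behaviours the thread
touches: divert re-injection at the next rule, the address rewrite, and
port options never matching non-first fragments.
"""
from __future__ import annotations
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# Constructed mapping taken from the post's natd.conf (public -> internal).
REDIRECTS = {"4.3.2.1": "192.168.1.1", "4.3.2.10": "192.168.1.10"}


@dataclass
class Packet:
    proto: str                 # "udp", "tcp" or "icmp"
    dst: str
    dport: Optional[int]       # None when no transport header is visible
    frag: bool = False         # True for a non-first fragment


@dataclass
class Rule:
    num: int
    action: str                # "divert", "allow" or "deny"
    proto: str = "ip"          # "ip" matches every protocol
    dst: str = "any"
    dport: Optional[int] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.dst != "any" and rule.dst != pkt.dst:
        return False
    if rule.dport is not None:
        # A port option needs the UDP/TCP header; only the first fragment has it.
        if pkt.frag or pkt.dport != rule.dport:
            return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[int, Packet]:
    """Return (number of the rule that decided, packet as later rules saw it)."""
    for rule in sorted(rules, key=lambda r: r.num):   # stable: keeps duplicate-number order
        if not matches(rule, pkt):
            continue
        if rule.action == "divert":
            # natd rewrites the destination and re-injects the packet at the
            # next rule, so every rule after the divert sees the internal address.
            pkt = replace(pkt, dst=REDIRECTS.get(pkt.dst, pkt.dst))
            continue
        return rule.num, pkt
    return 65535, pkt      # assumed default deny, as in the post's last rule
```

Running evaluate() against a ruleset shaped like the post's shows which destination address a rule placed after the divert is actually compared with, which is the first thing to check when a protocol-specific rule never gets a hit.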