From owner-freebsd-questions Thu Jul 6 23:16:58 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from merlin.prod.itd.earthlink.net (merlin.prod.itd.earthlink.net [207.217.120.156]) by hub.freebsd.org (Postfix) with ESMTP id 16AF837B51E for ; Thu, 6 Jul 2000 23:16:54 -0700 (PDT) (envelope-from cjc@earthlink.net)
Received: from dialin-client.earthlink.net (pool0691.cvx20-bradley.dialup.earthlink.net [209.179.252.181]) by merlin.prod.itd.earthlink.net (8.9.3-EL_1_3/8.9.3) with ESMTP id XAA03308; Thu, 6 Jul 2000 23:16:50 -0700 (PDT)
Received: (from cjc@localhost) by dialin-client.earthlink.net (8.9.3/8.9.3) id XAA00991; Thu, 6 Jul 2000 23:15:16 -0700 (PDT)
Date: Thu, 6 Jul 2000 23:15:15 -0700
From: "Crist J. Clark"
To: Jens Sauer
Cc: RaymundoVega@home.com, freebsd-questions@FreeBSD.ORG
Subject: Re: IPFW-question
Message-ID: <20000706231515.D682@dialin-client.earthlink.net>
Reply-To: cjclark@alum.mit.edu
References: <20000707021948.E442337BCF1@hub.freebsd.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0.1i
In-Reply-To: <20000707021948.E442337BCF1@hub.freebsd.org>; from pirol9999@gmx.net on Fri, Jul 07, 2000 at 04:21:30AM +0200
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Fri, Jul 07, 2000 at 04:21:30AM +0200, Jens Sauer wrote:
> > Jens Sauer wrote:
> >>
> >> Hi all,
> >>
> >> I am using ipfw for the very first time and have the following problem:
> >>
> >> I configured my kernel with FIREWALL- and IPDIVERT-support for NATD,
> >> because of my private-address clients.
> >>
> >> My rc.conf looks that way:
> >>
> >> ...
> >> **ISDN-things**
> >> ...
> >> natd_enable="YES"
> >> natd_interface="isp0"
> >> natd_flags="-dynamic"
> >> firewall_enable="YES"
> >> gateway_enable="YES"
> >>
> >> My ISDN interface isp0 is working fine; when I ping the internet from
> >> the firewall, it dials, all ok.
> >>
> >> But when I traceroute into the internet from a LAN client (192.168.0.x),
> >> the ISDN card on the firewall is successfully dialing (interface is up),
> >> but the packets are only going up to the network card on the firewall,
> >> then I get a timeout.
> >>
> >> I configured IPFW like that:
> >>
> >> ipfw -f flush
> >> ipfw add pass all from any to any
> >> ipfw add divert natd all from any to any via isp0
> >
> > I think the ipfw divert must go before the pass line
> >
> > raymundo
>
> I have tried that too, no change.
> I forgot to mention the entry firewall_script="/etc/firewall/mine" in
> rc.conf, where "mine" ran the above ipfw commands.
> I also tried firewall_type="open" (but the rc.firewall script
> is running the same commands when configured as "open").
>
> Thanks anyway for your help, I will try further.

Those last two definitely MUST be switched in order for natd(8) to work.

If you tcpdump on each interface of the gateway when that internal
machine is trying to traceroute out, what do you see?
--
Crist J. Clark                           cjclark@alum.mit.edu
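The ordering point made in this thread, as an added example that is not part of the original mail or of FreeBSD's rc.firewall: ipfw evaluates rules in ascending order and stops at the first matching pass or deny, so a `pass all` rule that precedes the `divert natd` rule means no packet is ever handed to natd(8). The script below is written in the shape of a `firewall_script` such as the `/etc/firewall/mine` mentioned in the thread. The function names (`posted_rules`, `fixed_rules`, `divert_precedes_pass`, `apply_rules`), the `IPFW_CMD` dry-run variable and the `EXT_IF` variable are assumptions introduced here; the interface name `isp0` and the rules themselves come from the thread.

```shell
#!/bin/sh
# Added example (not from the thread or from rc.firewall).
# IPFW_CMD is an assumption for dry runs: IPFW_CMD=echo prints the rules
# instead of loading them. EXT_IF is the external (dial-out) interface.
IPFW_CMD="${IPFW_CMD:-ipfw}"
EXT_IF="${EXT_IF:-isp0}"

# The rule set exactly as posted in the thread: "pass all" comes first, so
# every packet matches it and the divert rule is never reached.
posted_rules() {
    printf '%s\n' "-f flush"
    printf '%s\n' "add pass all from any to any"
    printf '%s\n' "add divert natd all from any to any via $EXT_IF"
}

# The corrected rule set: divert to natd before anything is passed, so
# packets crossing the external interface are translated first.
fixed_rules() {
    printf '%s\n' "-f flush"
    printf '%s\n' "add divert natd all from any to any via $EXT_IF"
    printf '%s\n' "add pass all from any to any"
}

# Read a rule list on stdin and succeed (exit 0) only when the first
# "divert natd" rule appears before the first "add pass" rule.
divert_precedes_pass() {
    rules=$(cat)
    divert_line=$(printf '%s\n' "$rules" | grep -n 'divert natd' | head -n 1 | cut -d: -f1)
    pass_line=$(printf '%s\n' "$rules" | grep -n '^add pass' | head -n 1 | cut -d: -f1)
    [ -n "$divert_line" ] && [ -n "$pass_line" ] && [ "$divert_line" -lt "$pass_line" ]
}

# Load the corrected rule set, refusing to proceed if the ordering check
# fails (for instance after someone edits fixed_rules above).
apply_rules() {
    fixed_rules | divert_precedes_pass || { echo "divert rule must precede pass rule" >&2; return 1; }
    fixed_rules | while IFS= read -r rule; do
        # shellcheck disable=SC2086  # word splitting of $rule is intended
        $IPFW_CMD $rule
    done
}

# Only load rules when invoked explicitly, e.g. "sh mine --apply";
# a plain "sh mine --dry-run" prints what would be loaded.
case "${1:-}" in
    --apply)   apply_rules ;;
    --dry-run) IPFW_CMD=echo; apply_rules ;;
esac
```

Once the rules are loaded in the corrected order, the check Crist suggests is the one that confirms it: running `tcpdump -ni` on the LAN interface and on `isp0` at the same time while the 192.168.0.x client traces out shows whether the packets now leave the external interface with the gateway's address, or still stop at the internal card.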