From: "Grant Cooper"
Delivered-To: freebsd-questions@freebsd.org
Subject: Re: The inscrutable natd redirect_port
Date: Wed, 31 Jul 2002 22:47:47 -0600
Message-ID: <004f01c23916$9d8fdcb0$2afececd@TCOOPER>
References: <200208010420.g714KOoB002082@joeandlane.com>

I did some reading yesterday from http://www.freebsd-howto.com/HOWTO/Ipfw-HOWTO and if you are missing rule 100 and rule 200 (the firewall defaults to a closed policy), you will see RPC(3) services break during startup. I was just about to test this scenario myself because I don't know what it means by "RPC services". If this works pop me an e-mail.
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8

----- Original Message -----
From:
To:
Sent: Wednesday, July 31, 2002 10:20 PM
Subject: The inscrutable natd redirect_port

> I've got two nearly identical FreeBSD boxes, both running 4.6 STABLE, both
> kernels rebuilt within the last week from the same source and same KERNEL
> config file.
>
> Each machine runs identical rc.conf, except for the hostname.
>
> Each machine has two NICs, an rl0 for the internal network and ed0 for the
> external network. Both machines act as a gateway for a small internal network
> that includes an NT machine and an AS/400 for each. Each machine is in a
> workspace separated by about 10 miles.
>
> I can telnet or ftp to each of these machines from the other or from any
> machine that they act as a gateway for.
>
> I mean this setup is identical EXCEPT that natd works on one and not on the
> other.
>
> Here is the information from rc.conf:
>
> gateway_enable="YES"
> firewall_enable="YES"
> firewall_script="/etc/firewall/fwrules"
> natd_enable="YES"
> natd_interface="de0"
> natd_flags="-config /etc/natd.conf"
>
> and natd.conf:
>
> interface de0
> dynamic yes
> use_sockets yes
> unregistered_only yes
> log yes
> log_denied yes
> #verbose yes
> deny_incoming no
> # send incoming ftp, wins, and mssql to the NT machine
> redirect_port tcp 192.168.1.2:1433 1433
> redirect_port udp 192.168.1.2:137 137
> redirect_port tcp 192.168.1.2:137 137
> redirect_port tcp 192.168.1.2:23 8023
> redirect_port tcp 192.168.1.2:21 8021
>
> # send incoming db2, telnet, and ftp and client access to the AS/400 machine
> redirect_port tcp 192.168.1.4:23 4023
> redirect_port tcp 192.168.1.4:21 4021
> redirect_port tcp 192.168.1.4:423 423
> redirect_port tcp 192.168.1.4:523 523
>
> and finally the firewall rules:
>
> fwcmd="/sbin/ipfw"
> #make the interface into a macro
> de0="de0"
> rl0="rl0"
> $fwcmd -f flush
>
> $fwcmd add divert natd all from any to any via $de0
> $fwcmd add pass all from any to any
>
> This setup works fine for one machine. I am able to ftp, telnet, or send db2
> or mssql requests to any machine on the network from any machine on either
> network.
>
> HOWEVER ....
>
> None of this works on the other machine. None of the natd redirects, that is.
> Each request, for instance to "telnet remote_host 8023", is met with
>
> telnet: connect to address 172.172.5.1: Connection refused
> telnet: Unable to connect to remote host (This whether I attempt to connect
> from the local network, from the 172.172.5.1 host, or from any remote site)
>
> But "telnet remote_host" and "telnet remote_host 23" work perfectly.
>
> /var/log/alias.log seems to witness the action, but I cannot interpret that
> file to determine where or why 172.172.5.1 is rejecting the incoming request.
>
> What steps can I take to track down this failure?
>
> Thanks for reading.
>
> And thanks for your input.
>
> lane holcombe
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
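As an added example (my own code, not something either poster supplied), here is a small Python checker that reads the three configuration fragments quoted above. It answers the questions a reader of this thread would want to settle before staring at alias.log: which internal host and port an external port such as tcp/8023 is redirected to, whether rc.conf, natd.conf and the ipfw divert rule all name the same interface, and whether the two loopback rules Grant's reply points at (pass via lo0, deny to 127.0.0.0/8) are present in the rule script. The redirect_port reader is hand-rolled for the syntax shown in the quoted natd.conf, not natd's own parser; the input texts are copied from the quoted message.

```python
# Added example: consistency checks over the natd/ipfw fragments quoted in
# the thread. Hand-rolled parsing of the redirect_port syntax shown there.
import re

# natd.conf as quoted in the thread
NATD_CONF = """\
interface de0
dynamic yes
use_sockets yes
unregistered_only yes
log yes
log_denied yes
#verbose yes
deny_incoming no
# send incoming ftp, wins, and mssql to the NT machine
redirect_port tcp 192.168.1.2:1433 1433
redirect_port udp 192.168.1.2:137 137
redirect_port tcp 192.168.1.2:137 137
redirect_port tcp 192.168.1.2:23 8023
redirect_port tcp 192.168.1.2:21 8021

# send incoming db2, telnet, and ftp and client access to the AS/400 machine
redirect_port tcp 192.168.1.4:23 4023
redirect_port tcp 192.168.1.4:21 4021
redirect_port tcp 192.168.1.4:423 423
redirect_port tcp 192.168.1.4:523 523
"""

# rc.conf lines as quoted in the thread
RC_CONF = """\
gateway_enable="YES"
firewall_enable="YES"
firewall_script="/etc/firewall/fwrules"
natd_enable="YES"
natd_interface="de0"
natd_flags="-config /etc/natd.conf"
"""

# firewall script as quoted in the thread
FWRULES = """\
fwcmd="/sbin/ipfw"
#make the interface into a macro
de0="de0"
rl0="rl0"
$fwcmd -f flush

$fwcmd add divert natd all from any to any via $de0
$fwcmd add pass all from any to any
"""


def parse_natd_conf(text):
    """Return (interface, redirects); redirects maps (proto, alias_port) -> (target_ip, target_port)."""
    interface, redirects = None, {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if fields[0] == "interface" and len(fields) == 2:
            interface = fields[1]
        elif fields[0] == "redirect_port" and len(fields) == 4:
            proto, target, alias_port = fields[1], fields[2], int(fields[3])
            ip, port = target.rsplit(":", 1)
            redirects[(proto, alias_port)] = (ip, int(port))
    return interface, redirects


def lookup_redirect(redirects, proto, alias_port):
    """Where a connection to alias_port on the outside ends up; None if no redirect exists."""
    return redirects.get((proto, alias_port))


def shell_assignments(text):
    """Collect simple name="value" lines (the macro style used in rc.conf and the fwrules script)."""
    return dict(re.findall(r'^(\w+)="([^"]*)"', text, re.M))


def divert_interface(fwrules):
    """Interface named in the 'add divert natd ... via <if>' rule, with a $macro expanded."""
    macros = shell_assignments(fwrules)
    for line in fwrules.splitlines():
        m = re.search(r"\badd\s+divert\s+natd\b.*\bvia\s+(\S+)", line)
        if m:
            ifname = m.group(1)
            return macros.get(ifname[1:], ifname) if ifname.startswith("$") else ifname
    return None


def interfaces_agree(rc_conf, natd_conf, fwrules):
    """True when rc.conf, natd.conf and the divert rule all name the same interface."""
    rc_if = shell_assignments(rc_conf).get("natd_interface")
    natd_if, _ = parse_natd_conf(natd_conf)
    return rc_if is not None and rc_if == natd_if == divert_interface(fwrules)


def has_loopback_rules(fwrules):
    """The two rules Grant's reply points at: pass all via lo0, deny all to 127.0.0.0/8."""
    has_lo0 = re.search(r"\badd\b.*\bpass\b.*\bvia\s+lo0\b", fwrules) is not None
    has_deny_127 = re.search(r"\badd\b.*\bdeny\b.*\bto\s+127\.0\.0\.0/8\b", fwrules) is not None
    return has_lo0 and has_deny_127


if __name__ == "__main__":
    iface, redirects = parse_natd_conf(NATD_CONF)
    print("natd interface:", iface)
    print("tcp/8023 redirects to:", lookup_redirect(redirects, "tcp", 8023))
    print("interfaces agree:", interfaces_agree(RC_CONF, NATD_CONF, FWRULES))
    print("loopback rules present:", has_loopback_rules(FWRULES))
```

On the quoted configuration the interface check passes (all three say de0), tcp/8023 resolves to 192.168.1.2:23, and the loopback-rule check fails because the quoted script has neither rule; appending the two rules from the reply makes it pass. Run it against the fwrules and natd.conf of each box to confirm the two are really identical before digging into alias.log.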