From owner-freebsd-questions Thu Oct 11 19:10:13 2001
Message-Id: <200110120210.f9C2A4w07976@grumpy.dyndns.org>
To: freebsd-questions@FreeBSD.ORG
Cc: Louis LeBlanc
From: David Kelly
Subject: Re: IPFW, natd, and one big headache
In-reply-to: Message from Louis LeBlanc of "Thu, 11 Oct 2001 10:10:17 EDT." <20011011101016.A2983@acadia.ne.mediaone.net>
Date: Thu, 11 Oct 2001 21:10:04 -0500

Louis LeBlanc writes:
> On 10/11/01 11:08 AM, Roger Merritt sat at the `puter and typed:
> > At 10:56 PM 10/10/01 -0400, you wrote:
> > >On 10/10/01 09:10 PM, David Kelly sat at the `puter and typed:
> > >> [. . .]
> >
> > David's suggestions are good, and I'm going to try to preserve that e-mail
> > for future guidance, but let me suggest another resource:
>
> Yes, I'd have to say it was helpful, but I'm confused about the
> rule numbering. I've been having to count the rules out to put in the
> whole number. From David's message, I had assumed that a xx50 format
> would automatically order the rule at a step of 50. Doesn't look that
> way. Oh well. It'd be nice . . .

Don't count. Use "ipfw list" to see what current rules are in place.
Then if you suspect the one numbered 1600 then, and right then, at the
keyboard type the ipfw command to insert a clone of that rule (you have
to retype it) at 1550. But this time add the "log" modifier.

> Anyway, I tried a slightly modified version of Dan O'Connor's example
> at mostgraveconcern.com, which I swear hosed my connection before, and
> it came up fine this time. No nat still, I'm getting a
>   failed to write packet back (Permission denied)
> error from natd in /var/log/security.

OK, you now have natd writing to the security syslog channel, same as
ipfw defaults. If the ipfw rule which blocked the re-written natd packet
had "log" then both instances would be on one line after the other (or
very close if you have a very busy host) and you could see both sides of
the problem. The natd'd packets which are being blocked are blocked after
your divert rule.

-- 
David Kelly N4HHE, dkelly@hiwaay.net
========================================================================
The human mind ordinarily operates at only ten percent of its capacity
-- the rest is overhead for the operating system.
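As an added example, not part of this thread and not David's or Louis's configuration: a small POSIX shell helper that carries out the debugging step described above (clone the suspect rule one slot earlier with the "log" modifier) from saved `ipfw list` output, and a second helper that lists the blocking rules that sit after the divert rule, since those are the ones that can produce natd's "failed to write packet back (Permission denied)". Rule numbers, the interface name fxp0 and the divert port 8668 in the sample are constructed values. Nothing is executed against the live firewall; the helpers only print the `ipfw add` command for you to read and then type.

```shell
#!/bin/sh
# Added example (not from the thread). Helpers for the "clone the suspect
# rule with log one slot earlier" technique, working from saved
# `ipfw list` text rather than the live ruleset.
# Rule numbers, fxp0 and port 8668 are constructed sample values.

# Constructed sample of `ipfw list` output in the FreeBSD 4.x format.
SAMPLE_RULES='00100 divert 8668 ip from any to any via fxp0
01500 allow tcp from any to any established
01600 deny ip from any to any in via fxp0
65535 deny ip from any to any'

# clone_with_log NUM [STEP]: read `ipfw list` text on stdin, find rule NUM
# and print the `ipfw add` command that inserts an identical rule STEP
# (default 50) numbers earlier with the log modifier. Exit status is 1 if
# no rule NUM exists. The command is printed, not run.
clone_with_log() {
    awk -v n="$1" -v step="${2:-50}" '
        $1 + 0 == n {
            # Actions that take an argument (port, rule number, pipe id,
            # unreach code) carry "log" after that argument; plain actions
            # carry it directly after the action keyword.
            if ($2 ~ /^(divert|tee|skipto|pipe|queue|fwd|forward|unreach)$/) {
                printf "ipfw add %d %s %s log", n - step, $2, $3
                start = 4
            } else {
                printf "ipfw add %d %s log", n - step, $2
                start = 3
            }
            for (i = start; i <= NF; i++) printf " %s", $i
            print ""
            found = 1
        }
        END { exit found ? 0 : 1 }'
}

# rules_after_divert: read `ipfw list` text on stdin and print the
# blocking rules (deny/reject/unreach/reset) numbered after the first
# divert rule. These are the rules that can refuse the packet natd writes
# back after translation.
rules_after_divert() {
    awk '
        !seen && $2 == "divert" { seen = 1; next }
        seen && $2 ~ /^(deny|reject|unreach|reset)$/ { print }'
}

# Demonstration on the constructed sample: suspect rule 1600.
printf '%s\n' "$SAMPLE_RULES" | clone_with_log 1600
printf '%s\n' "$SAMPLE_RULES" | rules_after_divert
```

Usage on a real host would be `ipfw list > /tmp/rules.txt`, then `clone_with_log 1600 < /tmp/rules.txt`; once the printed `ipfw add 1550 deny log ...` line is what you expect, paste it in, and the matching entries from ipfw and natd appear next to each other in /var/log/security.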