From owner-freebsd-questions@FreeBSD.ORG Fri Oct 24 07:50:30 2003
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 000F816A4B3 for ; Fri, 24 Oct 2003 07:50:29 -0700 (PDT)
Received: from newtonsecond.com (adsl-63-207-117-158.dsl.snfc21.pacbell.net [63.207.117.158]) by mx1.FreeBSD.org (Postfix) with ESMTP id D39B843FAF for ; Fri, 24 Oct 2003 07:50:28 -0700 (PDT) (envelope-from tristan11@mindspring.com)
Received: from [12.43.53.1] (HELO mindspring.com) by newtonsecond.com (CommuniGate Pro SMTP 4.1.1) with ESMTP id 730829; Fri, 24 Oct 2003 07:50:27 -0700
Date: Fri, 24 Oct 2003 07:50:26 -0700
Mime-Version: 1.0 (Apple Message framework v552)
To: freebsd-questions@freebsd.org
From: Michelle
In-Reply-To: <20031024093532.82462.qmail@web20501.mail.yahoo.com>
Message-Id: <678D1DBA-0631-11D8-A45F-000393843210@mindspring.com>
X-Mailer: Apple Mail (2.552)
Content-Type: text/plain; charset=US-ASCII; format=flowed
Content-Transfer-Encoding: 7bit
X-Content-Filtered-By: Mailman/MimeDel 2.1.1
cc: alhagiep@yahoo.com
Subject: Re: nat and ipfw
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
X-List-Received-Date: Fri, 24 Oct 2003 14:50:30 -0000

On Friday, October 24, 2003, at 02:35 AM, Alhagie Puye wrote:

> Do you have a natd.conf file? What does your rc.conf
> file look like? You have to turn on nat for the
> packets to be translated. Telling the firewall to send
> the packets to natd is one thing, what happens to
> them after that is another. You ARE missing the setup
> for natd.
>
> Check this out:
>
> http://www.freebsddiary.org/ipfw.php
>
> Please read this link. I sent you something similar in
> my previous reply. And you are still asking the same
> question. It is very self-explanatory.

yes, I have read that link.
i have followed the instructions very carefully. i do have the setup for natd. i have checked and re-checked all my configurations. i have been working with a security engineer who set up our ipfw rules and he has also checked and rechecked the natd and ipfw configuration and rules. i have included both my /etc/natd.conf file and /etc/rc.conf file below. i have also added option IPDIVERT to the kernel and rebuilt the kernel.

i'm sorry if my last e-mail was not clear, but this is not the same question because i am now asking why i am able to get out from a client on the subnet with ip 192.168.53.200 when i open up the ipfw rules to allow everything, but am not able to get out when i specify in the ip rules to allow all traffic in and out only for ip 192.168.53.200. if natd was not working properly, how could i get to the outside world from the client using 192.168.53.200 since 192 addresses are not routable outside of our network?

with the below rules i can get to websites, ssh, and telnet from a client on the subnet to the outside world:

ipfw add 100 divert natd all from any to any via fxp0
ipfw add 200 allow from any to any

but when i flush the rules and add the following, giving access specifically to 192.168.53.200, i can no longer access websites, ssh, or telnet to the outside world:

ipfw add 100 divert natd all from any to any via fxp0
ipfw add 200 allow all from 192.168.53.200 to any
ipfw add 300 allow all from any to 192.168.53.200

if the first set of ipfw rules is not a way to check that natd is working, please let me know a better way. if there is any other information i need to provide, please let me know.
here are the natd.conf and rc.conf files:

/etc/natd.conf:

interface fxp0
use_sockets yes
same_ports yes

/etc/rc.conf file:

defaultrouter="64.x.x.x"
hostname="domain.com"
ifconfig_fxp0="inet 64.x.x.x netmask 255.255.255.248"
ifconfig_xl0="inet 192.168.53.1 netmask 255.255.255.0"
inetd_enable="NO"
kern_securelevel_enable="NO"
linux_enable="YES"
moused_enable="YES"
nfs_client_enable="NO"
nfs_reserved_port_only="YES"
sendmail_enable="NO"
sshd_enable="YES"
sshd_program="/usr/local/sbin/sshd"
usbd_enable="YES"
start_vinum="YES"
portmap_enable="NO"
nfs_server_enable="NO"
nfs_client_enable="NO"
# syslog stuff
syslogd_enable="YES"
syslogd_flags="-ss"
# process accounting (lastcomm)
accounting_enable="YES"
# nuke /tmp/* on boot
clear_tmp_enable="YES"
# don't clobber /etc/motd with default message
update_motd="NO"
#NATD Stuff
natd_enable="YES"
natd_interface="fxp0"
natd_flags="-f /etc/natd.conf"
gateway_enable="YES"
# firewall stuff
firewall_enable="YES"
firewall_script="/etc/ipfw.conf"
firewall_logging="YES"
icmp_drop_redirect="YES"
#ntp stuff
xntpd_enable="YES"
xntpd_flags="-g -p /var/run/ntpd.pid"
#bind stuff
named_enable="YES"
named_flags="-u bind -g bind -t /etc/namedb/sandbox"
#DHCP stuff
ifconfig_xl0="DHCP"
# (rc.conf is read as a shell script, so if the line above is left active it
# replaces the static 192.168.53.1 address assigned to xl0 earlier in the file)

> Cheers,
> Alhagie.
>
>
> --- Michelle wrote:
>> i have a freebsd server running 4.6.2 with 2 nic cards installed, one
>> for our lan (fxp0) that provides connection to the outside world via
>> dsl and the other for an internal subnet (xl0). i have both natd and
>> ipfw configured and running. when on the subnet, i can not connect to
>> the outside. i tried flushing the firewall rules and adding only:
>>
>> ipfw add 100 divert natd all from any to any via fxp0
>> ipfw add 200 allow all from any to any
>>
>> i am then able to connect from a client on the subnet to an outside ip
>> address.
>>
>> then i tried flushing the rules again and adding:
>>
>> ipfw add 100 divert natd all from any to any via fxp0
>> ipfw add 200 allow all from 192.168.53.200 to any
>> ipfw add 300 allow all from any to 192.168.53.200
>>
>> i don't understand why the above rules would stop the client on the
>> subnet from making a connection to the outside. is there another rule
>> i need to add?
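Added example, not part of the original thread: a small Python model of how ipfw walks a client's packets through the two rule sets discussed above once natd has rewritten the addresses. The point it makes is that a packet diverted to natd on fxp0 re-enters the rule list at the rule after the divert rule with the gateway's address as its source, so the "allow all from 192.168.53.200 to any" rule no longer matches it and it falls through to the default deny. The gateway address 64.0.0.2 and the remote host 198.51.100.10 are constructed stand-ins for the thread's 64.x.x.x and an arbitrary outside server; the natd stand-in keys its translation table on the remote address only, where the real daemon also tracks ports. Rule 400 in the third rule set is this editor's suggested addition, not something from the thread; the last function shows that it does not open the gateway itself to unsolicited inbound packets.

```python
"""Simplified model of ipfw (FreeBSD 4.x era) walking a packet through a rule
list containing a 'divert natd' rule. Constructed for illustration; it is not
ipfw and understands only the syntax used in this thread plus an optional
'in'/'out' keyword:  ipfw add N <action> [all|ip] from A to B [in|out] [via IF]."""
import re
from dataclasses import dataclass, replace

EXT_IF, INT_IF = "fxp0", "xl0"
EXT_IP = "64.0.0.2"          # constructed stand-in for the gateway's 64.x.x.x
CLIENT = "192.168.53.200"    # the client from the thread
REMOTE = "198.51.100.10"     # constructed outside web server

# The two rule sets from the thread, and a third with the suggested rule 400.
RULESET_ALLOW_ALL = """
ipfw add 100 divert natd all from any to any via fxp0
ipfw add 200 allow all from any to any
"""
RULESET_CLIENT_ONLY = """
ipfw add 100 divert natd all from any to any via fxp0
ipfw add 200 allow all from 192.168.53.200 to any
ipfw add 300 allow all from any to 192.168.53.200
"""
RULESET_FIXED = RULESET_CLIENT_ONLY + """
ipfw add 400 allow all from 64.0.0.2 to any out via fxp0
"""


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str
    direction: str   # "in" or "out"


RULE_RE = re.compile(
    r"^ipfw add (?P<num>\d+) (?P<action>divert natd|allow|deny) (?:all |ip )?"
    r"from (?P<src>\S+) to (?P<dst>\S+)(?: (?P<dir>in|out))?(?: via (?P<via>\S+))?$"
)


def parse_rules(text):
    """Parse rule lines into dicts, sorted by rule number as ipfw would keep them."""
    rules = []
    for line in text.strip().splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unsupported rule syntax: {line}")
        rules.append(m.groupdict())
    return sorted(rules, key=lambda r: int(r["num"]))


def rule_matches(rule, pkt):
    return (rule["src"] in ("any", pkt.src) and rule["dst"] in ("any", pkt.dst)
            and rule["via"] in (None, pkt.iface) and rule["dir"] in (None, pkt.direction))


def natd(pkt, table):
    """Stand-in for natd: packets leaving the external interface get the gateway
    address as source and the mapping is remembered; replies get it undone."""
    if pkt.direction == "out" and pkt.iface == EXT_IF and pkt.src != EXT_IP:
        table[pkt.dst] = pkt.src
        return replace(pkt, src=EXT_IP)
    if pkt.direction == "in" and pkt.iface == EXT_IF and pkt.dst == EXT_IP and pkt.src in table:
        return replace(pkt, dst=table[pkt.src])
    return pkt


def walk(rules, pkt, table):
    """Walk one packet through the list and return (verdict, rule number).
    A divert rule hands the packet to natd, and evaluation resumes at the next
    rule with the rewritten addresses, as when natd re-injects the packet.
    No match means the default deny (rule 65535)."""
    for rule in rules:
        if not rule_matches(rule, pkt):
            continue
        if rule["action"] == "divert natd":
            pkt = natd(pkt, table)
            continue
        return rule["action"], int(rule["num"])
    return "deny", 65535


def trace_session(rule_text):
    """Follow a client request and its reply through all four firewall passes:
    in on xl0, out on fxp0, reply in on fxp0, reply out on xl0. Stops at the
    first deny, since a dropped packet never produces a reply."""
    rules = parse_rules(rule_text)
    table = {}
    hops = [
        Packet(CLIENT, REMOTE, INT_IF, "in"),
        Packet(CLIENT, REMOTE, EXT_IF, "out"),
        Packet(REMOTE, EXT_IP, EXT_IF, "in"),
        Packet(REMOTE, CLIENT, INT_IF, "out"),   # address already restored by natd in hop 3
    ]
    verdicts = []
    for pkt in hops:
        verdict = walk(rules, pkt, table)
        verdicts.append(verdict)
        if verdict[0] == "deny":
            break
    return verdicts


def unsolicited_inbound(rule_text):
    """A packet from an outside host (constructed address) that natd has no
    mapping for: it keeps the gateway as its destination and must not be allowed."""
    return walk(parse_rules(rule_text), Packet("203.0.113.7", EXT_IP, EXT_IF, "in"), {})


if __name__ == "__main__":
    for name, rules in (("allow all", RULESET_ALLOW_ALL),
                        ("client only", RULESET_CLIENT_ONLY),
                        ("client only + rule 400", RULESET_FIXED)):
        print(f"{name:24s} session={trace_session(rules)}  unsolicited={unsolicited_inbound(rules)}")
```

Run as-is, the "client only" set denies the packet on its second pass (out via fxp0, after translation), which is exactly the symptom described in the thread, while the set with rule 400 carries the session through and still denies an unsolicited inbound packet to the gateway.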