From: "lane@joeandlane.com"
To: "Grant Cooper" ,
Date: Thu, 1 Aug 2002 10:42:10 -0500 (CDT)
Subject: Re: The inscrutable natd redirect_port

Thanks for the HOWTO. That's a good resource to keep handy. Unfortunately it hasn't yet helped me to resolve my problem. Although it did cause me to revert back to firewall_type="OPEN" in rc.conf instead of using my own script ... at least until I can determine what is causing this problem. It may be that the ports I'm attempting to use are simply blocked by the ISP.
I'll see about reversing ports 21 and 23, since I know both of them are working properly.

thanks again

lane

> I did some reading yesterday from,
> http://www.freebsd-howto.com/HOWTO/Ipfw-HOWTO and if you are missing rule
> 100 and rule 200, the firewall defaults to a closed policy, you will see
> RPC(3) services break during startup. I was just about to test this scenario
> myself because I don't know what it means by "RPC services". If this works
> pop me an e-mail.
>
> ${fwcmd} add 100 pass all from any to any via lo0
> ${fwcmd} add 200 deny all from any to 127.0.0.0/8
>
>
> ----- Original Message -----
> From:
> To:
> Sent: Wednesday, July 31, 2002 10:20 PM
> Subject: The inscrutable natd redirect_port
>
>
> > I've got two nearly identical FreeBSD boxes, both running 4.6 STABLE, both kernels rebuilt within the last week from the same source and same KERNEL config file.
> >
> > Each machine runs identical rc.conf, except for the hostname.
> >
> > Each machine has two nics, an rl0 for the internal network and ed0 for the external network. Both machines act as a gateway for a small internal network that includes an NT machine and an AS/400 for each. Each machine is in a workspace separated by about 10 miles.
> >
> > I can telnet or ftp to each of these machines from the other or from any machine that they act as a gateway for.
> >
> > I mean this setup is identical EXCEPT that natd works on one and not on the other.
> >
> > here is the information from rc.conf:
> >
> > gateway_enable="YES"
> > firewall_enable="YES"
> > firewall_script="/etc/firewall/fwrules"
> > natd_enable="YES"
> > natd_interface="de0"
> > natd_flags="-config /etc/natd.conf"
> >
> > and natd.conf:
> >
> > interface de0
> > dynamic yes
> > use_sockets yes
> > unregistered_only yes
> > log yes
> > log_denied yes
> > #verbose yes
> > deny_incoming no
> > # send incoming ftp, wins, and mssql to the NT machine
> > redirect_port tcp 192.168.1.2:1433 1433
> > redirect_port udp 192.168.1.2:137 137
> > redirect_port tcp 192.168.1.2:137 137
> > redirect_port tcp 192.168.1.2:23 8023
> > redirect_port tcp 192.168.1.2:21 8021
> >
> > # send incoming db2, telnet, and ftp and client access to the AS/400 machine
> > redirect_port tcp 192.168.1.4:23 4023
> > redirect_port tcp 192.168.1.4:21 4021
> > redirect_port tcp 192.168.1.4:423 423
> > redirect_port tcp 192.168.1.4:523 523
> >
> > and finally the firewall rules:
> >
> > fwcmd="/sbin/ipfw"
> > #make the interface into a macro
> > de0="de0"
> > rl0="rl0"
> > $fwcmd -f flush
> >
> > $fwcmd add divert natd all from any to any via $de0
> > $fwcmd add pass all from any to any
> >
> > This setup works fine for one machine. I am able to ftp, telnet, or send db2 or mssql requests to any machine on the network from any machine on either network.
> >
> > HOWEVER ....
> >
> > None of this works on the other machine. None of the natd redirects, that is. Each request, for instance to "telnet remote_host 8023" is met with
> >
> > telnet: connect to address 172.172.5.1: Connection refused
> > telnet: Unable to connect to remote host
> >
> > (This whether I attempt to connect from the local network, from the 172.172.5.1 host, or from any remote site)
> >
> > But "telnet remote_host" and "telnet remote_host 23" work perfectly.
> >
> > /var/log/alias.log seems to witness the action, but I cannot interpret that file to determine where or why 172.172.5.1 is rejecting the incoming request.
> >
> > What steps can I take to track down this failure?
> >
> > Thanks for reading.
> >
> > And thanks for your input.
> >
> > lane holcombe
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-questions" in the body of the message
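The thread ends on the question of how to track down why one gateway's redirects fail. As an added example that is not from either poster, this POSIX sh script cross-checks the three places the posted setup names the natd interface (rc.conf natd_interface, the natd.conf interface line, and the ipfw divert rule) and confirms the divert rule is numbered before the pass-all rule, which natd needs in order to see the packets at all. The rc.conf and natd.conf text is abridged from the thread, the IPFW_LIST text is a constructed approximation of `ipfw list` output, and all function names are hypothetical.

```shell
#!/bin/sh
# Hypothetical consistency checker for a natd/ipfw gateway (added example).
# RC_CONF and NATD_CONF are abridged from the thread; IPFW_LIST is a
# constructed approximation of what "ipfw list" prints after fwrules has run.
RC_CONF='gateway_enable="YES"
natd_enable="YES"
natd_interface="de0"
natd_flags="-config /etc/natd.conf"'
NATD_CONF='interface de0
dynamic yes
deny_incoming no
redirect_port tcp 192.168.1.2:1433 1433
redirect_port udp 192.168.1.2:137 137
redirect_port tcp 192.168.1.2:23 8023
redirect_port tcp 192.168.1.4:23 4023
redirect_port tcp 192.168.1.4:21 4021'
IPFW_LIST='00100 divert 8668 ip from any to any via de0
00200 allow ip from any to any
65535 deny ip from any to any'

# Interface name from each of the three places natd depends on.
iface_from_rc()   { printf '%s\n' "$1" | sed -n 's/^natd_interface="\([^"]*\)"$/\1/p'; }
iface_from_natd() { printf '%s\n' "$1" | awk '$1 == "interface" { print $2; exit }'; }
iface_from_ipfw() { printf '%s\n' "$1" | awk '$2 == "divert" { for (i = 1; i <= NF; i++) if ($i == "via") print $(i + 1); exit }'; }

# "ok" when all three agree; otherwise a report naming each value.
natd_ifaces_agree() {
    rc=$(iface_from_rc "$1"); nc=$(iface_from_natd "$2"); fw=$(iface_from_ipfw "$3")
    if [ -n "$rc" ] && [ "$rc" = "$nc" ] && [ "$rc" = "$fw" ]; then echo ok
    else echo "mismatch rc.conf=$rc natd.conf=$nc ipfw=$fw"; fi
}

# External proto/port -> internal target for every redirect_port line, so the
# ports a client must reach (8023, 4023, ...) can be compared with what is tested.
redirect_targets() { printf '%s\n' "$1" | awk '$1 == "redirect_port" { print $2 "/" $4 " -> " $3 }'; }

# natd only sees packets that reach the divert rule, so it must come before
# any allow-all rule; compare rule numbers from the ipfw list output.
divert_before_allow() {
    printf '%s\n' "$1" | awk '
        $2 == "divert" && !d { d = $1 }
        $2 == "allow" && $5 == "any" && $7 == "any" && !a { a = $1 }
        END { print (d && a && d + 0 < a + 0) ? "ok" : "divert missing or after allow" }'
}

natd_ifaces_agree "$RC_CONF" "$NATD_CONF" "$IPFW_LIST"
redirect_targets "$NATD_CONF"
divert_before_allow "$IPFW_LIST"
```

On a real gateway the same functions can be fed the live files and the output of `ipfw list` instead of the embedded text.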