From owner-freebsd-security Wed Sep 27 22:58:46 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id E814237B424 for ; Wed, 27 Sep 2000 22:58:42 -0700 (PDT)
Received: from 149.211.6.64.reflexcom.com ([64.6.211.149]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Wed, 27 Sep 2000 22:57:28 -0700
Received: (from cjc@localhost) by 149.211.6.64.reflexcom.com (8.11.0/8.11.0) id e8S5wXg95111; Wed, 27 Sep 2000 22:58:33 -0700 (PDT) (envelope-from cjc)
Date: Wed, 27 Sep 2000 22:58:32 -0700
From: "Crist J . Clark"
To: John F Cuzzola
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipfw + natd + Novell
Message-ID: <20000927225832.E81242@149.211.6.64.reflexcom.com>
Reply-To: cjclark@alum.mit.edu
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: ; from vdrifter@ocis.ocis.net on Tue, Sep 26, 2000 at 08:52:08PM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Sep 26, 2000 at 08:52:08PM -0700, John F Cuzzola wrote:
> Hello everyone,
> I have a Novell Server that has been moved from a public IP to a private
> one (192.168.0.6). The 192.168.0.xxx segment gets internet access through
> a FreeBSD box using ipfw/natd. The Novell server needs to be accessible
> from the internet from source addresses 142.42.22.xxx. So I tried to set
> up a NAT for it as follows:
>
> natd -p 7500 -redirect_address 192.168.0.6 0.0.0.0 -a 207.24.168.5
>
> ipfw add 10 divert 7500 ip from 142.42.22.0/24 to 207.24.168.5
> ipfw add 20 divert 7500 ip from 207.24.168.5 to 142.42.22.0/24
>
> So 142.42.22.0/24 should be able to get to the Novell server using
> 207.24.168.5 as its IP. Using the Windows Client they can connect and see
> the NDS tree but when they try to log in the connection times out.
> I know
> there are some programs that won't work through NAT (like the ones that
> insist on reporting back the private IP address). I was wondering if
> anyone has had experience logging into a Novell Server with NAT. Can it
> be done?

I might be missing it, but I don't see how traffic returning from
192.168.0.6 is ever NATed back to look like the source is 207.24.168.5
from the client's perspective. That is, that first rule catches packets
like,

  142.42.22.a:2040 -> 207.24.168.5:427

And they get translated to something like,

  142.42.22.a:2040 -> 192.168.0.6:427

But then, I don't see where the responses,

  192.168.0.6:427 -> 142.42.22.a:2040

Ever go through NAT again. Shouldn't the second rule be,

  s/207.24.168.5/192.168.0.6/

?
--
Crist J. Clark
cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
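A small Python model of the exchange discussed in this thread (an added example, not code from the thread or from FreeBSD). It encodes rules 10 and 20 as posted next to the reply's suggested rule 20 and shows that, with the posted rules, the server's reply never matches a divert rule, so it leaves with its private source address. The client address 142.42.22.10 and the simplified one-to-one natd mapping are assumptions of the model.

```python
import ipaddress

NOVELL_PRIVATE = "192.168.0.6"   # server's private address (from the post)
NOVELL_PUBLIC = "207.24.168.5"   # public alias natd presents for it (from the post)


def net(cidr):
    return ipaddress.ip_network(cidr)


def rule(src, dst):
    """An ipfw 'divert 7500 ip from <src> to <dst>' rule as a src/dst network pair."""
    return {"src": net(src), "dst": net(dst)}


# Rules 10 and 20 exactly as posted: rule 20 matches on the public alias.
POSTED_RULES = [rule("142.42.22.0/24", "207.24.168.5/32"),
                rule("207.24.168.5/32", "142.42.22.0/24")]
# Rule 20 with the s/207.24.168.5/192.168.0.6/ change suggested in the reply.
FIXED_RULES = [rule("142.42.22.0/24", "207.24.168.5/32"),
               rule("192.168.0.6/32", "142.42.22.0/24")]


def diverted(rules, pkt):
    """True if some rule's src/dst networks contain the packet's src/dst."""
    s, d = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    return any(s in r["src"] and d in r["dst"] for r in rules)


def natd_redirect(pkt):
    """Simplified (assumed) 1:1 mapping for -redirect_address 192.168.0.6 0.0.0.0
    -a 207.24.168.5: inbound to the alias goes to the private address, outbound
    from the private address is rewritten to the alias."""
    if pkt["dst"] == NOVELL_PUBLIC:
        return {**pkt, "dst": NOVELL_PRIVATE}
    if pkt["src"] == NOVELL_PRIVATE:
        return {**pkt, "src": NOVELL_PUBLIC}
    return pkt


def forward(rules, pkt):
    """A packet only reaches natd if an ipfw rule diverts it."""
    return natd_redirect(pkt) if diverted(rules, pkt) else pkt


def round_trip(rules, client="142.42.22.10"):
    """Client request in, server reply out; returns the reply as the client sees it.
    The client address is a constructed sample inside 142.42.22.0/24."""
    request = forward(rules, {"src": client, "dst": NOVELL_PUBLIC})
    reply = {"src": request["dst"], "dst": request["src"]}  # server answers
    return forward(rules, reply)
```

With the posted rules the reply reaches the client with source 192.168.0.6, an address the client never sent to, which is consistent with the login timing out; with the corrected rule 20 it carries 207.24.168.5.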