From owner-freebsd-questions Mon Apr 15 0:10:39 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from dns.perimeter.co.za (dns.perimeter.co.za [196.25.164.254]) by hub.freebsd.org (Postfix) with ESMTP id 062D637B416 for ; Mon, 15 Apr 2002 00:10:34 -0700 (PDT)
Received: from PATRICK (loopback.mipjhb [209.212.102.245] (may be forged)) by dns.perimeter.co.za (8.11.1/8.11.1) with SMTP id g3F7AQL70380; Mon, 15 Apr 2002 09:10:26 +0200 (SAST) (envelope-from bsd@perimeter.co.za)
Message-ID: <007f01c1e44c$56f579a0$b50d030a@PATRICK>
From: "Patrick O'Reilly"
To: "Srinivasa Kanduru" ,
References: <20020415031109.32125.qmail@web10004.mail.yahoo.com>
Subject: Re: NAT problem
Date: Mon, 15 Apr 2002 09:08:25 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

----- Original Message -----
From: "Srinivasa Kanduru"

> Hi,
>
> Any session can be initiated from private net to say
> http request to yahoo, all the packets are translated
> to a different port range on the NAT gateway on the
> way out, but when the response arrives to the gateway,
> reverse translation doesn't happen so a reset is sent
> back to yahoo.
>
> Port translation is supposed to happen both ways and I
> am not sure why reverse translation doesn't happen.
Sri,

the answer to your question is staring you in the face :-) See your config:

> > My Configuration:
> >
> > # ipfw list
> > 00050 divert 8668 ip from 192.168.0.0/16 to any via dc0
> > 00100 allow ip from any to any via lo0
> > 00200 allow ip from any to any via dc0
> > 65535 allow ip from any to any
>

You are diverting outgoing packets (192.168.0.0 to any) to natd, but you are not diverting the incoming packets. So natd does not have the opportunity to do the "reverse translation".

Try adding something like this to your ipfw ruleset:

00050 divert 8668 ip from any to any via dc0

In fact, the above rule is the default with an "OPEN" firewall, which is what you are running, so perhaps you modified rc.firewall yourself, and broke the divert rule in the process?

HTH.

Regards,
Patrick O'Reilly.
http://www.perimeter.co.za

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
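The one-directional divert rule in this thread is easy to spot by eye once you know what to look for, but it is also easy to check mechanically. The script below is an added example, not part of the original message or of FreeBSD's rc.firewall: it takes the text of an `ipfw list` ruleset and a NAT interface name, and reports whether the divert rules on that interface will see traffic in both directions. The logic follows the reasoning in the reply: a divert rule with a specific source network only matches packets leaving the private side, so replies from the outside (whose source is a public address) never reach natd. The two rulesets are constructed from the thread; the function name `divert_check` and the output strings are this example's own.

```shell
#!/bin/sh
# Constructed sample: the broken ruleset from the thread, as `ipfw list` prints it.
BROKEN_RULES='00050 divert 8668 ip from 192.168.0.0/16 to any via dc0
00100 allow ip from any to any via lo0
00200 allow ip from any to any via dc0
65535 allow ip from any to any'

# Constructed sample: the same ruleset after applying the suggested fix.
FIXED_RULES='00050 divert 8668 ip from any to any via dc0
00100 allow ip from any to any via lo0
00200 allow ip from any to any via dc0
65535 allow ip from any to any'

# divert_check RULESET IFACE
# Prints "ok" when the divert rules on IFACE cover both outbound packets
# (destination "any") and inbound replies (source "any"); otherwise prints
# which direction is not diverted. Exit status is 0 only for "ok".
divert_check() {
    printf '%s\n' "$1" | awk -v iface="$2" '
        $2 == "divert" {
            src = ""; dst = ""; via = ""; dir = "both"
            # Pull out the "from SRC to DST", "via IFACE" and "in"/"out" tokens.
            for (i = 3; i <= NF; i++) {
                if ($i == "from") src = $(i + 1)
                if ($i == "to")   dst = $(i + 1)
                if ($i == "via")  via = $(i + 1)
                if ($i == "in")   dir = "in"
                if ($i == "out")  dir = "out"
            }
            if (via != iface) next
            # Outbound traffic from the private net has dst = some public host,
            # so only a rule with dst "any" (and not restricted to "in") sees it.
            if (dst == "any" && dir != "in") outb = 1
            # Replies arrive with src = that public host, so only a rule with
            # src "any" (and not restricted to "out") lets natd untranslate them.
            if (src == "any" && dir != "out") inb = 1
        }
        END {
            if (inb && outb)      { print "ok"; exit 0 }
            else if (outb)        { print "missing: inbound"; exit 1 }
            else if (inb)         { print "missing: outbound"; exit 1 }
            else                  { print "missing: both"; exit 1 }
        }'
}

# Stand-alone run: audit both constructed rulesets for interface dc0.
for rules in "$BROKEN_RULES" "$FIXED_RULES"; do
    divert_check "$rules" dc0 || :
done
```

Run against the thread's original ruleset the check reports `missing: inbound`, which is exactly the failure described: outbound requests are translated, replies are not, and the gateway answers the remote host with a reset. After the suggested `from any to any via dc0` rule it reports `ok`. Pointing it at an interface with no divert rule at all (for instance a second NIC) reports `missing: both`, which is a useful sanity check when a machine has more than one outside-facing interface.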