Date: Sun, 4 Nov 2001 21:44:02 -0500
From: "Jason Cribbins" <jasonc@concentric.net>
To: "Chan Ling Ling" <llchan@apis.dhl.com>
Cc: <questions@freebsd.org>
Subject: Re: Unable to get natd/ipfw to work properly
Message-ID: <011101c165a3$bb432920$05d85c42@kibserv.org>
References: <Pine.BSF.4.21.0111032255140.10083-100000@cody.jharris.com> <001701c1656d$2f97c240$05d85c42@kibserv.org> <001b01c16571$338db7c0$0301a8c0@pascal> <000701c16578$d53fe5a0$05d85c42@kibserv.org> <008201c1657c$7824c3f0$0301a8c0@pascal> <008001c1657d$3a6501a0$05d85c42@kibserv.org> <3BE5D112.7DF65DE8@apis.dhl.com>
Thanks, I will add it to my collection and check it out in the morning. As for
now I am too tired to continue this any longer today. It's been almost 30 hours
now.

You might be interested to know the natd is kind of working after I recompiled
with IPFIREWALL. But it goes up and down about every 15 minutes. I have a test
machine with a constant ping to my ISP's default gateway running behind natd
and one on a static IP outside natd. The one inside loses about 7% of the
replies while outside it's <1%. Usually the packets are lost all at once, then
things start back working again. Now I am having to consider a problem with the
hardware or wiring here.

ping statistics for 66.92.216.1:
    packets: Sent = 5225, Received = 4816, Lost = 409 (7% loss),
Approx round trip time in milli-seconds:
    Minimum = 56ms, Maximum = 3474ms, Average = 217ms

I suspect the lnc0 is my problem since I ran this with the interface reversed
and the only log entries were for lnc0 both times. This is an onboard device so
I am unsure how I will proceed.

Thanks for all the others who jumped in and helped. I can't reply to everyone
but thanks anyhow. I am farther along than I have ever been so far.

----- Original Message -----
From: "Chan Ling Ling" <llchan@apis.dhl.com>
To: "Jason Cribbins" <jasonc@concentric.net>
Sent: Sunday, November 04, 2001 6:36 PM
Subject: Re: Unable to get natd/ipfw to work properly


> Hi, Jason,
>
> do try www.freebsd-howto.com ... there is a good reference site for FreeBSD
> firewall.
>
> Regards,
> Ling Ling
>
> Jason Cribbins wrote:
>
> > I am using IPDIVERT (that was the first recompile of the kernel). But that
> > didn't solve the problem. Now I am recompiling a new kernel with the usual
> > GENERIC options as well as IPDIVERT and IPFIREWALL. But the verdict of that
> > compile won't be known for hours since this is a rather slow box.
> >
> > After reading the message below I am not sure where one would get the idea I
> > was not wanting to use IPDIVERT.
> >
> > See MYKERN way below to see the options I was using on the first compile.
> >
> > ----- Original Message -----
> > From: "Pascal Zoutendijk" <p_zoutendijk@hetnet.nl>
> > To: "Jason Cribbins" <jasonc@concentric.net>
> > Cc: <freebsd-questions@freebsd.org>
> > Sent: Sunday, November 04, 2001 4:59 PM
> > Subject: Re: Unable to get natd/ipfw to work properly
> >
> >
> > > Jason,
> > >
> > > I don't know why you shouldn't want to use IPDIVERT, as far as I know
> > > (correct me if I'm wrong please) you need it to get NAT to work.
> > >
> > > There are a lot of ipfw rulesets available on the internet, just search on
> > > google for ruleset ipfw freebsd and it should give you enough different
> > > sample sets to get you up and running (or crazy ;-)
> > >
> > > www.mostgraveconcern.com/freebsd has a nice tutorial on how to set up a
> > > bsd firewall on a cable-connected machine.
> > >
> > > Regards,
> > >
> > > Pascal Zoutendijk
> > > TBWA \ IT
> > >
> > > ----- Original Message -----
> > > From: "Jason Cribbins" <jasonc@concentric.net>
> > > To: "pasca" <p_zoutendijk@hetnet.nl>
> > > Cc: <questions@freebsd.org>
> > > Sent: Sunday, November 04, 2001 10:36 PM
> > > Subject: Re: Unable to get natd/ipfw to work properly
> > >
> > >
> > > > Thanks
> > > > I thought I read that IPFIREWALL was built into the GENERIC kernel. I
> > > > can add rules such as:
> > > > ipfw add all from any to any
> > > > Just nothing that uses divert.
> > > >
> > > > Anyhow I will restart the 4 hour process that is recompile another
> > > > kernel on this old machine.
> > > >
> > > > Thanks Again
> > > >
> > > > ----- Original Message -----
> > > > From: "pasca" <p_zoutendijk@hetnet.nl>
> > > > To: "Jason Cribbins" <jasonc@concentric.net>
> > > > Cc: <questions@freebsd.org>
> > > > Sent: Sunday, November 04, 2001 3:41 PM
> > > > Subject: Re: Unable to get natd/ipfw to work properly
> > > >
> > > >
> > > > > as far as I can see you forgot to include your firewall in your
> > > > > kernel...
> > > > >
> > > > > add:
> > > > > options IPFIREWALL
> > > > > options IPFIREWALL_VERBOSE
> > > > > options IPFIREWALL_VERBOSE_LIMIT=20
> > > > >
> > > > > to your firewall config file and recompile.
> > > > >
> > > > > Regards,
> > > > >
> > > > > Pascal Zoutendijk
> > > > > TBWA \ IT
> > > > >
> > > > > ----- Original Message -----
> > > > > From: "Jason Cribbins" <jasonc@concentric.net>
> > > > > To: "Nick Rogness" <nick@rogness.net>
> > > > > Cc: <questions@FreeBSD.ORG>
> > > > > Sent: Sunday, November 04, 2001 9:13 PM
> > > > > Subject: Re: Unable to get natd/ipfw to work properly
> > > > >
> > > > >
> > > > > > I rebuilt the kernel using the directions found on
> > > > > >
> > > > > > http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig.html
> > > > > >
> > > > > > using the "traditional" method since the "new" method wouldn't work
> > > > > > correctly.
> > > > > > I have confirmed the new kernel ident is displayed upon bootup.
> > > > > >
> > > > > > Now I am back to this again
> > > > > > IP packet filtering initialized, divert disabled, rule-based forwarding
> > > > > > disabled, default to deny, logging disabled
> > > > > >
> > > > > > and this as well.
> > > > > > 7:58pm mail:~ # ipfw add divert natd all from any to any via lnc0
> > > > > > ipfw: getsockopt(IP_FW_ADD): Invalid argument
> > > > > > 7:58pm mail:~ #
> > > > > >
> > > > > > What am I missing here?
> > > > > >
> > > > > > Here are the config files that may apply:
> > > > > > # - MYKERN - BEGIN - #
> > > > > > machine         i386
> > > > > > cpu             I586_CPU
> > > > > > ident           COMPAQ-KERN
> > > > > > maxusers        32
> > > > > > #makeoptions    DEBUG=-g                #Build kernel with gdb(1) debug symbols
> > > > > > options         IPDIVERT                #Required by natd
> > > > > > options         MATH_EMULATE            #Support for x87 emulation
> > > > > > options         INET                    #InterNETworking
> > > > > > #options        INET6                   #IPv6 communications protocols
> > > > > > options         FFS                     #Berkeley Fast Filesystem
> > > > > > options         FFS_ROOT                #FFS usable as root device [keep this!]
> > > > > > options         SOFTUPDATES             #Enable FFS soft updates support
> > > > > > #options        MFS                     #Memory Filesystem
> > > > > > #options        MD_ROOT                 #MD is a potential root device
> > > > > > #options        NFS                     #Network Filesystem
> > > > > > #options        NFS_ROOT                #NFS usable as root device, NFS required
> > > > > > #options        MSDOSFS                 #MSDOS Filesystem
> > > > > > #options        CD9660                  #ISO 9660 Filesystem
> > > > > > #options        CD9660_ROOT             #CD-ROM usable as root, CD9660 required
> > > > > > options         PROCFS                  #Process filesystem
> > > > > > options         COMPAT_43               #Compatible with BSD 4.3 [KEEP THIS!]
> > > > > > options         SCSI_DELAY=15000        #Delay (in ms) before probing SCSI
> > > > > > options         UCONSOLE                #Allow users to grab the console
> > > > > > options         USERCONFIG              #boot -c editor
> > > > > > options         VISUAL_USERCONFIG       #visual boot -c editor
> > > > > > options         KTRACE                  #ktrace(1) support
> > > > > > #options        SYSVSHM                 #SYSV-style shared memory
> > > > > > #options        SYSVMSG                 #SYSV-style message queues
> > > > > > #options        SYSVSEM                 #SYSV-style semaphores
> > > > > > options         P1003_1B                #Posix P1003_1B real-time extensions
> > > > > > options         _KPOSIX_PRIORITY_SCHEDULING
> > > > > > options         ICMP_BANDLIM            #Rate limit bad replies
> > > > > > options         KBD_INSTALL_CDEV        # install a CDEV entry in /dev
> > > > > >
> > > > > > # To make an SMP kernel, the next two are needed
> > > > > > #options        SMP                     # Symmetric MultiProcessor Kernel
> > > > > > #options        APIC_IO                 # Symmetric (APIC) I/O
> > > > > > # - MYKERN - END - #
> > > > > > The rest is devices and all devices for INET are working fine
> > > > > >
> > > > > > # - /etc/rc.conf - BEGIN - #
> > > > > > # NAT Settings
> > > > > > gateway_enable="YES"
> > > > > > natd_enable="YES"
> > > > > > natd_interface="lnc0"
> > > > > > natd_flags="-f /etc/local/etc/natd.cf"
> > > > > > firewall_enable="YES"
> > > > > > firewall_type="OPEN"
> > > > > > # - /etc/rc.conf - END - #
> > > > > >
> > > > > > # - /usr/local/etc/natd.cf - BEGIN - #
> > > > > > log yes
> > > > > > use_sockets no
> > > > > > same_ports yes
> > > > > > interface lnc0
> > > > > > # - /usr/local/etc/natd.cf - END - #
> > > > > >
> > > > > > # - ifconfig - BEGIN - #
> > > > > > lnc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> > > > > >         inet 66.92.216.6 netmask 0xffffff00 broadcast 66.92.216.255
> > > > > >         ether 00:80:5f:f4:10:42
> > > > > > rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> > > > > >         inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
> > > > > >         ether 00:02:2a:b0:6f:0e
> > > > > >         media: autoselect (none) status: active
> > > > > >         supported media: autoselect 100baseTX <full-duplex> 100baseTX 10baseT/UTP <full-duplex> 10baseT/UTP 100baseTX <hw-loopback>
> > > > > > lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
> > > > > > lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
> > > > > >         inet 127.0.0.1 netmask 0xff000000
> > > > > > # - ifconfig - END - #
> > > > > >
> > > > > > Unsure what else you may need? Let me know. I have one DSL line down
> > > > > > and this is a temporary fix for what may be a long term outage.
> > > > > >
> > > > > > ----- Original Message -----
> > > > > > From: "Nick Rogness" <nick@rogness.net>
> > > > > > To: "Jason Cribbins" <jasonc@concentric.net>
> > > > > > Cc: <questions@FreeBSD.ORG>
> > > > > > Sent: Sunday, November 04, 2001 12:13 AM
> > > > > > Subject: Re: Unable to get natd/ipfw to work properly
> > > > > >
> > > > > >
> > > > > > > On Sat, 3 Nov 2001, Jason Cribbins wrote:
> > > > > > >
> > > > > > > > Can someone help me past this error I am getting when trying to
> > > > > > > > use natd and ipfw
> > > > > > > >
> > > > > > > > Nov 4 04:24:33 mail /kernel: IP packet filtering initialized,
> > > > > > > > divert disabled, rule-based forwarding disabled, default to deny, logging
> > > > > > >   ^^^^^^^^^^^^^^^
> > > > > > >
> > > > > > > This is your problem, you need to build a kernel with:
> > > > > > >
> > > > > > > options IPDIVERT
> > > > > > >
> > > > > > >
> > > > > > > Nick Rogness <nick@rogness.net>
> > > > > > > - Keep on Routing in a Free World...
> > > > > > > "FreeBSD: The Power to Serve!"


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
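As an added example, not code from the thread or from FreeBSD itself: a small Python checker that parses the three fragments Jason posted (the MYKERN kernel config, /etc/rc.conf and natd.cf) and reports the two inconsistencies a reviewer would flag from them, namely the missing `options IPFIREWALL` that the thread settled on, and that `natd_flags` points at `/etc/local/etc/natd.cf` while the file he shows is headed `/usr/local/etc/natd.cf`. The set of files assumed to exist on the box is constructed for the example; the parsers are deliberately minimal and only handle the simple line formats seen in the thread.

```python
"""Consistency checks for a FreeBSD 4.x natd/ipfw setup (added example).

The three config fragments below are quoted from the thread; the checks,
the helper functions and EXISTING_FILES are this example's own.
"""
import re
import shlex

# --- fragments quoted from the thread (other kernel options omitted) -------
KERNEL_CONF = """\
machine         i386
cpu             I586_CPU
ident           COMPAQ-KERN
options         IPDIVERT                #Required by natd
options         INET                    #InterNETworking
options         SCSI_DELAY=15000        #Delay (in ms) before probing SCSI
"""

RC_CONF = """\
gateway_enable="YES"
natd_enable="YES"
natd_interface="lnc0"
natd_flags="-f /etc/local/etc/natd.cf"
firewall_enable="YES"
firewall_type="OPEN"
"""

NATD_CF = """\
log yes
use_sockets no
same_ports yes
interface lnc0
"""

# Constructed: the only natd config on the box is the one whose path appears
# in the "- /usr/local/etc/natd.cf - BEGIN -" header of the thread.
EXISTING_FILES = {"/usr/local/etc/natd.cf"}


def kernel_options(text):
    """Return the set of uncommented `options NAME[=value]` names."""
    opts = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop trailing comments
        m = re.match(r"options\s+(\S+)", line)
        if m:
            opts.add(m.group(1).split("=", 1)[0])  # SCSI_DELAY=15000 -> SCSI_DELAY
    return opts


def rc_vars(text):
    """Parse simple NAME="value" / NAME=value assignments from rc.conf."""
    found = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r'(\w+)=(?:"([^"]*)"|(\S*))', line)
        if m:
            found[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return found


def natd_settings(text):
    """Parse `key value` lines from a natd config file."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            settings[key] = value.strip()
    return settings


def natd_config_path(flags):
    """Return the argument of -f in natd_flags (either `-f path` or `-fpath`)."""
    args = shlex.split(flags)
    for i, arg in enumerate(args):
        if arg == "-f" and i + 1 < len(args):
            return args[i + 1]
        if arg.startswith("-f") and len(arg) > 2:
            return arg[2:]
    return None


def check_setup(kernel_conf, rc_conf, natd_cf, existing_files):
    """Return a list of problems; an empty list means the pieces agree."""
    problems = []
    opts = kernel_options(kernel_conf)
    rc = rc_vars(rc_conf)
    natd = natd_settings(natd_cf)

    # The thread's resolution: divert rules need both options in the kernel.
    for needed in ("IPFIREWALL", "IPDIVERT"):
        if needed not in opts:
            problems.append(f"kernel config lacks 'options {needed}'")

    if rc.get("natd_enable") == "YES":
        if rc.get("gateway_enable") != "YES":
            problems.append("natd_enable=YES but gateway_enable is not YES")
        if rc.get("firewall_enable") != "YES":
            problems.append("natd_enable=YES but firewall_enable is not YES")
        # rc.conf and natd.cf must name the same outside interface.
        iface_rc, iface_cf = rc.get("natd_interface"), natd.get("interface")
        if iface_rc and iface_cf and iface_rc != iface_cf:
            problems.append(f"natd_interface={iface_rc!r} but natd.cf has interface {iface_cf!r}")
        # The file named by -f has to exist where natd_flags says it is.
        path = natd_config_path(rc.get("natd_flags", ""))
        if path and path not in existing_files:
            problems.append(f"natd_flags -f {path}: no such file")
    return problems


if __name__ == "__main__":
    for p in check_setup(KERNEL_CONF, RC_CONF, NATD_CF, EXISTING_FILES):
        print("PROBLEM:", p)
```

Run as-is it reports the two problems above; adding `options IPFIREWALL` to the kernel fragment and pointing `natd_flags` at `/usr/local/etc/natd.cf` makes it report nothing.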