Date: Sun, 7 Jul 2002 19:26:53 -0500
From: Redmond Militante <r-militante@northwestern.edu>
To: Corey Snow <corey@snowpoint.com>
Cc: freebsd-questions@FreeBSD.org
Subject: Re: stuck on ipfw/natd config
Message-ID: <20020707192653.A363@darkpossum>
In-Reply-To: <3D2742F0.18763.65B7745@localhost>; from corey@snowpoint.com on Sat, Jul 06, 2002 at 07:20:16PM -0700
References: <3D27157D.31618.5A9F2A0@localhost>; <20020706183641.C493@darkpossum> <3D2742F0.18763.65B7745@localhost>
hello again

I've spent the past 48 hrs reinstalling/trying different internet howtos and still no dice. For the record, the first machine has 2 nics: xl0 is hooked up to a t100 line in the wall, the 2nd is hooked up to a netgear en104tp hublet. The second machine is hooked up to the hublet. I was thinking that it may be hardware related, but I've tried having the hublet set to both 'normal' and 'uplink', and still no dice. I've also tried hooking up the ethernet cable straight from xl1 (internal nic on the gateway machine) to the nic on the webserver. Nothing. I can't retrieve any webpages off this machine from a third computer. I also can't bring up any webpages on the webserver when it's hooked up to the gateway...

On Sat, Jul 06, 2002 at 07:20:16PM -0700, Corey Snow expatiated with great perspicuity:
> On 6 Jul 2002, at 18:36, Redmond Militante wrote:
>
> > hi
>
> Hey there again. :)
>
> > well, I want to stick the webserver behind the nat, and still be able to
> > serve up pages to the outside world, as well as sit at the machine and
> > surf the internet on it, as usual. I want machines outside the internal
> > network to be able to view webpages that resolve to the webserver's url
> > &/or proper ip address. So yeah, I want the nat to be invisible to the
> > outside world regardless of which direction the traffic's going to
> > flow... sorry I didn't make myself clear.
>
> OK, that's a pretty standard configuration. However, you're possibly
> confusing NAT with ipfw. They're related and work together, but they
> have to be handled separately.
>
> For a firewall of type "OPEN" with natd running, you should probably
> have a set of firewall rules that look like this (replace <extif>
> with your external interface):
>
> #standard stuff, allow loopback and suchlike
> add allow ip from any to any via lo0
> add deny ip from any to 127.0.0.0/8
> add deny ip from 127.0.0.0/8 to any

I've checked and these are enabled.

> #Divert all traffic to natd
>
> add divert natd ip from any to any via <extif>
> add allow ip from any to any

So are these. Mine is 'add divert natd ip from any to any via xl0' (external nic on the gateway).

> Now, this minimal set of firewall rules will allow any system behind
> your natd firewall to any system reachable via your external
> interface. Usually, the external interface is the one that has a
> "public" IP address, one that you get from your ISP.
>
> However, this doesn't get your webserver responding to requests,
> because the natd daemon is intended primarily to allow a group of
> systems with non-routable (private or RFC1918) addresses to share a
> single public IP. Basically, if a connection is made by a system
> behind the firewall, the firewall knows which system made it and can
> send the packets coming back in response to that request to the
> original requestor, properly translated, of course. But requests
> coming from the outside to the public IP of the firewall are dropped
> if the firewall doesn't know what to do with them- unless you tell
> it, there's no way for it to know what system to deliver incoming
> requests to.
>
> [WARNING! DANGER, WILL ROBINSON! This is a pretty insecure
> configuration. Any machine behind the firewall can go outbound using
> the firewall with no restriction, and there is a possibility (not
> high, but there) that someone could figure out how to go back
> through, because the firewall is of type "OPEN". After you get
> everything working to your satisfaction and are more comfortable with
> firewall rulesets and natd, I'd recommend changing your firewall type
> and/or locking down your rules a bit more.]
>
> If you want the public IP address to also be able to provide access
> to your web server, you'll need to add the following to the
> natd_flags section of /etc/rc.conf or pass it on the commandline used
> to start the natd daemon, if you're starting it from
> /usr/local/etc/rc.d:
>
> natd_flags="-redirect_address 192.168.0.3:80 1.2.3.4:80"

I then added this line to my /etc/rc.conf - so now the line reads

    natd_flags="-redirect_address x.x.x.x:80 1.2.3.4:80"

x.x.x.x = ip of my webserver machine
1.2.3.4 = the ip of xl0 (the dhcp address assigned by my isp)

One other thing - we're in a university environment. There are other gateways and routers on the network. I don't know if that has any bearing on what I'm trying to do since I'm only trying to provide ipfw/nat for a small group of machines on my local subnet...

Another thing I noticed - as soon as I

    /sbin/ipfw -f flush
    /sbin/ipfw add divert natd all from any to any via xl0    (external nic)
    /sbin/ipfw add pass all from any to any

then add the -redirect_address flag to natd_flags in /etc/rc.conf, then reboot, the gateway (and any machines hooked up to it) take forever to boot. The bootup process seems to be halted during the initiation of the sendmail daemon. I don't know if this has any direct bearing on what I'm trying to accomplish, thought I'd mention it though.

> Or from the commandline:
>
> #natd -redirect_address 192.168.0.3:80 1.2.3.4:80

When I try to run this from the command line, it tells me the interface is already in use. I assume it's because natd is initiated automatically by /etc/rc.conf.

> This assumes that the IP address of the web server is 192.168.0.3 and
> that your public interface uses IP address 1.2.3.4. I believe this
> should work, or a variation thereof. I've never actually used the
> address redirection feature myself, but I know many have
> successfully. You may also be able to achieve your goal with the
> -redirect_port option.
>
> > > At any rate, you won't get any traffic through your NAT box unless
> > > you have some firewall rules set up. See the FreeBSD handbook,
> > > section Advanced Networking for info on setting up NAT and dealing
> > > with ipfw.
> >
> > I had firewall_type="open" in my /etc/rc.conf. Wouldn't that at least
> > allow me to serve up webpages at this point, albeit while not having
> > any firewall rules in place?
>
> See above- you have to have a firewall that allows the traffic, but
> you also have to tell natd how to send traffic back and forth.

Anyways, kind sirs, any words of advice would be greatly appreciated.

thanks again
redmond

> Regards,
>
> Corey Snow
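The ruleset below is an added example for the gateway discussed in this thread; it is not either poster's configuration. It keeps Corey's divert-to-natd layout but replaces the trailing "allow any to any" with the tighter rules he suggests moving to later, and is written as a FreeBSD firewall_script. The interface names xl0/xl1 and the addresses 192.168.0.3 and 1.2.3.4 come from the thread; the rule numbers, the script path /etc/ipfw.rules and the rc.conf values are assumptions.

```shell
#!/bin/sh
# Example firewall_script for the gateway in this thread (added example, not
# the posters' config). Assumed: xl0 external, xl1 internal, web server
# 192.168.0.3, rule numbers and the script path. Matching /etc/rc.conf lines:
#   gateway_enable="YES"          # without it the kernel forwards nothing
#   firewall_enable="YES"
#   firewall_script="/etc/ipfw.rules"
#   natd_enable="YES"
#   natd_interface="xl0"
#   natd_flags="-dynamic -redirect_port tcp 192.168.0.3:80 80"
# -redirect_port maps only port 80 (not the whole address) and, with -dynamic,
# follows the DHCP-assigned public address instead of hardcoding 1.2.3.4.
fwcmd="${fwcmd:-/sbin/ipfw}"
extif="${extif:-xl0}"
intif="${intif:-xl1}"
webip="${webip:-192.168.0.3}"

ipfw_rules() {
    $fwcmd -f flush
    # loopback: the three rules Corey lists
    $fwcmd add 100 allow ip from any to any via lo0
    $fwcmd add 200 deny ip from any to 127.0.0.0/8
    $fwcmd add 300 deny ip from 127.0.0.0/8 to any
    # private source addresses never legitimately arrive on the public side
    $fwcmd add 400 deny ip from 10.0.0.0/8 to any in via "$extif"
    $fwcmd add 401 deny ip from 172.16.0.0/12 to any in via "$extif"
    $fwcmd add 402 deny ip from 192.168.0.0/16 to any in via "$extif"
    # hand every packet on the public interface to natd; an inbound packet for
    # the public address, port 80, re-enters below with destination $webip
    $fwcmd add 500 divert natd ip from any to any via "$extif"
    # replies belonging to connections that were already set up
    $fwcmd add 600 allow tcp from any to any established
    # stateless ruleset: UDP has no "established", so DNS replies need a rule
    $fwcmd add 610 allow udp from any 53 to any in via "$extif"
    # LAN side is trusted; outbound on the public side is matched by interface
    # because natd has already rewritten the source address at rule 500
    $fwcmd add 700 allow ip from any to any via "$intif"
    $fwcmd add 800 allow ip from any to any out via "$extif"
    # the one unsolicited inbound service: the redirected web server
    $fwcmd add 900 allow tcp from any to "$webip" 80 in via "$extif" setup
    # echo, unreachable, time exceeded: needed for path MTU and traceroute
    $fwcmd add 1000 allow icmp from any to any icmptypes 0,3,8,11
    # everything else logged and dropped instead of "add allow ip from any to any"
    $fwcmd add 65000 deny log ip from any to any
}

# load the rules; where ipfw is absent (reviewing the script elsewhere) print them
[ -x "$fwcmd" ] || fwcmd=echo
ipfw_rules
```

Rule 600 is the stateless trade-off of a 2002-era ruleset: any packet with ACK or RST set passes, which is why the per-port "setup" rule and the deny-all at the end matter.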
