Date: Mon, 31 Jan 2000 14:23:34 -0500
From: John <papalia@udel.edu>
To: Ruslan Ermilov <ru@ucb.crimea.ua>, zimon@iki.fi
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: NATD/Divert broken ?
Message-ID: <4.1.20000131123443.00975da0@mail.udel.edu>
In-Reply-To: <20000131193116.A72155@relay.ucb.crimea.ua>
References: <4.1.20000131120328.009749c0@mail.udel.edu> <4.1.20000131120328.009749c0@mail.udel.edu>
>> Hey all,
>>
>> I'm having a small problem with my NATD and my firewall. Per the
>> instructions in "The Complete FreeBSD", I added the firewall rule:
>>
>> divert natd ip from any to any via fxp1
>>
>> The problem is that this rule is causing partial problems on my loopback
>> device (lo0).
>>
>> What happens is that with the rule in place, for some connections within
>> the box (which definitely go thru lo0), the connections fail. If I remove
>> that rule, then the connections within the box can be made, but then I lose
>> all ability to host my internal 192.168. net.
>>
>> I have done tcpdumps of both the successful and unsuccessful connections
>> and have pasted them below. If the actual tcpdump files would be useful, I
>> can attach those to a subsequent email.
>>
>> Also, I'm currently running 3.3 and am suffering from NO other apparent
>> problems with lo0 that I can tell.
>>
>> tcpdumps are below.
>>
>> Thanks in advance,
>> John
>>
>
>> ******
>> Failed connection, with divert rule in place:
>> ******
>>
>> 12:01:10.744362 merlin.wondermutt.net.3482 > merlin.wondermutt.net.39536: S
>> 1027967984:1027967984(0) win 16384 <mss 16344,nop,wscale 0,nop,no
>>
>[...]
>Can you show me the above in numerical form (with -n), with the output of
>the following commands:
Sure can :)
tcpdump read in numerical form:
12:46:10.236727 128.175.75.157.3504 > 128.175.75.157.44540: S 1546226005:1546226005(0) win 16384 <mss 16344,nop,wscale 0,nop,nop,timestamp 1005956 0> (DF)
12:46:12.832052 128.175.75.157.3504 > 128.175.75.157.44540: S 1546226005:1546226005(0) win 16384 <mss 16344,nop,wscale 0,nop,nop,timestamp 1005961 0> (DF)
12:46:18.832277 128.175.75.157.3504 > 128.175.75.157.44540: S 1546226005:1546226005(0) win 16384 <mss 16344,nop,wscale 0,nop,nop,timestamp 1005973 0> (DF)
>* ifconfig -au inet
merlin# ifconfig -au inet
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
fxp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 128.175.75.157 netmask 0xffffff00 broadcast 128.175.75.255
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
>* netstat -arn
merlin# netstat -arn
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
default 128.175.75.1 UGSc 20 131323 fxp1
127 lo0 USc 3 995 lo0
127.0.0.1 lo0 UHW 1 5510 lo0
128.32.43.209 128.175.75.1 UGHW3 0 131407 fxp1 1118
128.175.13.74 128.175.75.1 UGHW 1 131105 fxp1
128.175.13.92 128.175.75.1 UGHW3 0 116663 fxp1 3340
128.175.75/24 link#2 UC 0 0 fxp1
128.175.75.1 0:0:c:12:d6:5f UHLW 18 0 fxp1 1138
128.175.75.157 lo0 UHS 0 168 lo0
130.233.40.130 128.175.75.1 UGHW3 0 130965 fxp1 818
132.236.56.16 128.175.75.1 UGHW3 0 131105 fxp1 1013
192.160.127.97 128.175.75.1 UGHW 2 128752 fxp1
192.168.1 link#1 UC 0 0 fxp0
192.168.1.2 0:a0:c9:6c:a8:bc UHLW 5 672323 fxp0 1152
194.100.45.84 128.175.75.1 UGHW3 0 131227 fxp1 3072
199.2.32.11 128.175.75.1 UGHW 2 131269 fxp1
204.216.27.18 128.175.75.1 UGHW3 0 131179 fxp1 1770
206.251.7.30 128.175.75.1 UGHW 1 14344 fxp1
207.45.69.69 128.175.75.1 UGHW 1 84591 fxp1
207.138.35.58 128.175.75.1 UGHW 1 73274 fxp1
209.100.125.26 128.175.75.1 UGHW 1 12594 fxp1
209.100.125.48 128.175.75.1 UGHW 2 8879 fxp1
216.88.112.20 128.175.75.1 UGHW3 0 132707 fxp1 1102
216.147.43.210 128.175.75.1 UGHW3 0 131081 fxp1 1051
216.244.64.20 128.175.75.1 UGHW3 0 130377 fxp1 951
>* ipfw show
merlin# ipfw show
00075 227 21816 divert 8668 ip from any to any via fxp1
00150 18596 3000493 allow ip from any to any via fxp0
00200 0 0 deny ip from any to 127.0.0.0/8 recv fxp1
00300 22 1233 allow ip from 192.168.0.0/16 to any out xmit fxp1
00400 1205 1317527 allow ip from any to 192.168.0.0/16 in recv fxp1
65000 250 22128 allow ip from any to 128.175.75.157 in recv fxp1
65100 1380 78451 allow ip from 128.175.75.157 to any out xmit fxp1
65535 1659 185195 deny ip from any to any
>And how do you start natd?
Within rc.conf. Ultimate command:
/sbin/natd -f /etc/natd.conf
Where natd.conf is:
interface fxp1
dynamic yes
use_sockets yes
same_ports yes
And the last two lines were added in an attempt to troubleshoot this
problem - both with and without those lines, this problem exists.
Thanks!!!
--John
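Added example (not part of the original message, and not ipfw's own code): a small Python model that parses the `ipfw show` listing above and reports the first rule a given packet would hit, applying the matching semantics ipfw(8) documents for `in`/`out`, `recv`, `xmit` and `via`. The remote address 198.51.100.7 and the two loopback scenarios are constructed for the example; which interface the kernel actually assigns to the loopback SYN in the tcpdump is precisely what the thread is trying to establish, so the model shows the consequence of each possibility rather than deciding it.

```python
import ipaddress

# Rule set copied from the `ipfw show` output in the message above
# (constructed copy; the counters are the ones the message shows).
IPFW_SHOW = """\
00075 227 21816 divert 8668 ip from any to any via fxp1
00150 18596 3000493 allow ip from any to any via fxp0
00200 0 0 deny ip from any to 127.0.0.0/8 recv fxp1
00300 22 1233 allow ip from 192.168.0.0/16 to any out xmit fxp1
00400 1205 1317527 allow ip from any to 192.168.0.0/16 in recv fxp1
65000 250 22128 allow ip from any to 128.175.75.157 in recv fxp1
65100 1380 78451 allow ip from 128.175.75.157 to any out xmit fxp1
65535 1659 185195 deny ip from any to any
"""


def to_net(token):
    """'any' becomes a wildcard (None); a bare address becomes a /32."""
    return None if token == "any" else ipaddress.ip_network(token, strict=False)


def parse_rule(line):
    """Parse one `ipfw show` line of the shape this rule set uses:
    <num> <pkts> <bytes> <action> [<divert-port>] ip from <src> to <dst> [options]"""
    toks = line.split()
    rule = {"num": int(toks[0]), "pkts": int(toks[1]), "bytes": int(toks[2]),
            "action": toks[3], "port": None, "direction": None,
            "via": None, "recv": None, "xmit": None}
    i = 4
    if rule["action"] == "divert":
        rule["port"] = int(toks[i]); i += 1
    if toks[i] != "ip":          # only protocol-agnostic 'ip' rules are modelled here
        raise ValueError(f"unsupported protocol {toks[i]!r} in rule {rule['num']}")
    i += 1
    if toks[i] != "from" or toks[i + 2] != "to":
        raise ValueError(f"unexpected rule body: {line!r}")
    rule["src"], rule["dst"] = to_net(toks[i + 1]), to_net(toks[i + 3])
    i += 4
    while i < len(toks):         # trailing options: in | out | via IF | recv IF | xmit IF
        t = toks[i]
        if t in ("in", "out"):
            rule["direction"] = t; i += 1
        elif t in ("via", "recv", "xmit"):
            rule[t] = toks[i + 1]; i += 2
        else:
            raise ValueError(f"unsupported option {t!r} in rule {rule['num']}")
    return rule


def parse_ruleset(text):
    return [parse_rule(line) for line in text.splitlines() if line.strip()]


def packet(src, dst, direction, recv_if=None, xmit_if=None):
    """recv_if: interface the packet arrived on (None if locally generated);
    xmit_if: interface it leaves on (None for an incoming packet)."""
    return {"src": src, "dst": dst, "direction": direction,
            "recv_if": recv_if, "xmit_if": xmit_if}


def matches(rule, pkt):
    """ipfw(8) semantics: 'recv' tests the receive interface (also for forwarded
    outgoing packets), 'xmit' the transmit interface, 'via' either of them."""
    if rule["src"] is not None and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if rule["dst"] is not None and ipaddress.ip_address(pkt["dst"]) not in rule["dst"]:
        return False
    if rule["direction"] is not None and rule["direction"] != pkt["direction"]:
        return False
    if rule["recv"] is not None and pkt["recv_if"] != rule["recv"]:
        return False
    if rule["xmit"] is not None and pkt["xmit_if"] != rule["xmit"]:
        return False
    if rule["via"] is not None and rule["via"] not in (pkt["recv_if"], pkt["xmit_if"]):
        return False
    return True


def evaluate(rules, pkt):
    """Return (rule number, action) of the first matching rule."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["num"], rule["action"]
    raise RuntimeError("no rule matched; an ipfw set always ends with rule 65535")


EXTERNAL = "198.51.100.7"    # constructed remote host (documentation address range)
PUBLIC = "128.175.75.157"    # fxp1 address from the message
LAN_HOST = "192.168.1.2"     # host on fxp0 from the message's routing table

SCENARIOS = {
    "reply from Internet arriving on fxp1": packet(EXTERNAL, PUBLIC, "in", recv_if="fxp1"),
    "LAN host leaving through fxp1": packet(LAN_HOST, EXTERNAL, "out", recv_if="fxp0", xmit_if="fxp1"),
    "LAN host talking to the gateway on fxp0": packet(LAN_HOST, "192.168.1.1", "in", recv_if="fxp0"),
    # The SYN from the tcpdump above, under the two ways the kernel could attribute it:
    "loopback SYN if attributed to lo0": packet(PUBLIC, PUBLIC, "out", xmit_if="lo0"),
    "loopback SYN if attributed to fxp1": packet(PUBLIC, PUBLIC, "out", xmit_if="fxp1"),
}

if __name__ == "__main__":
    rules = parse_ruleset(IPFW_SHOW)
    for name, pkt in SCENARIOS.items():
        num, action = evaluate(rules, pkt)
        print(f"{name:42s} -> rule {num:05d} {action}")
```

Run it and the two loopback rows differ only in the interface the packet is charged to: attributed to lo0 it falls through to the default deny at 65535, attributed to fxp1 it is caught by the `via fxp1` divert at rule 00075 before any allow rule sees it. That is why the ordering of the divert rule in front of the allow rules matters, and why the interface the kernel assigns to a locally addressed packet decides whether natd ever sees it.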
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4.1.20000131123443.00975da0>
