From: "Nickolay A. Kritsky" <nkritsky@internethelp.ru>
To: "Francisco Reyes", "Jon O ."
Cc: "FreeBSD Security List" <freebsd-security@freebsd.org>
Subject: Re: Fixed Cant ping/nslookup. Natd rule not on top
Date: Wed, 11 Jul 2001 13:19:18 +0400
Message-ID: <04a601c109ea$90606c00$0600a8c0@ibmka.internethelp.ru>

-----Original Message-----
From: Francisco Reyes
To: Jon O .
Cc: FreeBSD Security List
Date: 11 July 2001 9:37
Subject: Re: Fixed Cant ping/nslookup. Natd rule not on top

>On Tue, 10 Jul 2001, Jon O . wrote:
>> Francisco:
>>
>> The divert rule should be placed in your ruleset as needed and can't be
>> defined as "always on top."
>>
>> For example, I connect to a Firewall-1/VPN-1 server using my FreeBSD
>> gateway. In this case I don't want the divert rule applied to packets
>> going to VPN machines because I want to come from the real inside network
>> address, not a NAT'ed hide address. So, it can cause problems because you
>> are allowing the packet through the firewall, but then don't notice what
>> the divert rule is doing to it -- I've done it and I'm sure many other
>> people have also. Once you figure it out, you'll always remember to look
>> at the divert rule too.
>
>>Any recommendations where I could read more on NAT?
>The natd man page is a good start, but I was thinking more along the
>lines of a tutorial or examples.
>

I am a novice unix admin, and have similar problems. AFAICS natd is very
little documented, except for very simple cases. All I can say is - "try".
Try this config and that config and some another config and grab the
results with "ipfw show" and tcpdump :).

BTW, I have the question to the natd-experienced ppl in the community: why
on my 3.3-RELEASE router I cannot restart natd without restarting the box?

First I do

# kill -9 `cat /var/run/natd.pid`

this does what I want - natd is killed. Then I run it:

# /sbin/natd -f /etc/natd.conf -n rl0

natd runs OK, but performs alteration of outgoing packets only. To make my
question more clear I will add here my network configuration:

                                             +-----------------------------+
                                          /--| Workstation with private IP |
                                          /  +-----------------------------+
INTERNET---| rl0 | FreeBSD w/natd | rl1 |--+
                                          \  +-----------------------------+
                                          \--| WWW Server with private IP  |
                                             +-----------------------------+

my natd.conf is looking like this:

------------------------------------------------------------------------
unregistered_only yes
same_ports yes
redirect_port tcp SERVER_PRIVATE_IP:80 SERVER_PUBLIC_IP:80
------------------------------------------------------------------------

after restarting natd my workstation can browse INTERNET (i.e. outgoing
packets are patched by natd), but INTERNET cannot access my WWW server.
Maybe natd is not restartable?

>Does NATD let the packets continue through IPFW after it changes the
>source address?
>

# man natd

    The firewall rules will be run again on each packet after translation
    by natd, minus any divert rules.

But you should remember that these packets will be already altered!

Good luck in NAT'ing!
NKritsky - SysAdmin InternetHelp.Ru
http://www.internethelp.ru
e-mail: nkritsky@internethelp.ru

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
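As an added example (not code from the thread or from FreeBSD), here is an ipfw ruleset that shows the two points the thread makes: the divert rule placed after the traffic that must not be translated, as Jon describes, and the rules after the divert written for the already-altered packets the natd man page quote refers to. The interface names are the thread's; the addresses, the VPN network and the rule numbers are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD: an ipfw ruleset in
# which the natd divert rule sits where the policy needs it, as Jon describes.
# Interface names are the thread's (rl0 public, rl1 private); the addresses,
# the VPN network and the rule numbers are constructed placeholders.
EXT_IF=rl0
INT_IF=rl1
INSIDE_NET=192.168.0.0/24       # constructed: the private network behind rl1
SERVER_PRIVATE_IP=192.168.0.6   # constructed: the WWW server behind rl1
VPN_NET=10.20.0.0/16            # constructed: remote site reached without NAT

# Emit the ruleset, one ipfw command per line, in the order it must be
# loaded. Nothing is applied here; apply_ruleset does that.
ruleset() {
    cat <<EOF
ipfw -f flush
# 1. Traffic for the VPN peer must keep its real inside address, so it is
#    accepted before the divert rule can hand it to natd.
ipfw add 100 allow ip from $INSIDE_NET to $VPN_NET out via $EXT_IF
ipfw add 110 allow ip from $VPN_NET to $INSIDE_NET in via $EXT_IF
# 2. Everything else crossing the public interface is diverted to natd.
ipfw add 200 divert natd ip from any to any via $EXT_IF
# 3. Rules after the divert see translated addresses (natd(8): the rules
#    are run again after translation, minus the divert rules). An inbound
#    request for the redirected port already carries the private address.
ipfw add 300 allow tcp from any to $SERVER_PRIVATE_IP 80 in via $EXT_IF setup
ipfw add 310 allow tcp from any to any established
ipfw add 320 allow ip from $INSIDE_NET to any out via $EXT_IF
ipfw add 330 allow ip from any to any via $INT_IF
ipfw add 65000 deny log ip from any to any
EOF
}

# Rule number of the first "ipfw add" line whose text matches the pattern;
# handy for checking the ordering before loading the set.
rule_number() {
    ruleset | awk -v pat="$1" '/^ipfw add/ && $0 ~ pat { print $3; exit }'
}

# Load the ruleset on a FreeBSD host with ipfw; elsewhere just print it.
apply_ruleset() {
    if command -v ipfw >/dev/null 2>&1; then
        ruleset | sh -e
    else
        ruleset
    fi
}
```

Running `rule_number 'divert natd'` against `rule_number 'to 192.168.0.6 80'` confirms that the redirected-port rule comes after the divert and therefore matches the translated destination, not the public one.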