Date:      Wed, 11 Jul 2001 13:19:18 +0400
From:      "Nickolay A. Kritsky" <nkritsky@internethelp.ru>
To:        "Francisco Reyes" <lists@natserv.com>, "Jon O ." <jono@microshaft.org>
Cc:        "FreeBSD Security List" <freebsd-security@FreeBSD.ORG>
Subject:   Re: Fixed Cant ping/nslookup. Natd rule not on top
Message-ID:  <04a601c109ea$90606c00$0600a8c0@ibmka.internethelp.ru>

-----Original Message-----
From: Francisco Reyes <lists@natserv.com>
To: Jon O . <jono@microshaft.org>
Cc: FreeBSD Security List <freebsd-security@FreeBSD.ORG>
Date: 11 July 2001 9:37
Subject: Re: Fixed Cant ping/nslookup. Natd rule not on top


>On Tue, 10 Jul 2001, Jon O . wrote:
>> Francisco:
>>
>> The divert rule should be placed in your ruleset as needed and can't be defined as "always on top."
>>
>> For example, I connect to a Firewall-1/VPN-1 server using my FreeBSD gateway. In this case I don't want the divert rule applied
>> to packets going to VPN machines because I want to come from the real inside network address, not a NAT'ed hide address. So, it can
>> cause problems because you are allowing the packet through the firewall, but then don't notice what the divert rule is doing to
>> it -- I've done it and I'm sure many other people have also. Once you figure it out, you'll always remember to look at the divert
>> rule too.
>
>Any recommendations where I could read more on NAT?
>The natd man page is a good start, but I was thinking more along the
>lines of a tutorial or examples.
>
I am a novice unix admin, and have similar problems. AFAICS natd is very little documented, except for very simple cases. All I can
say is - "try". Try this config and that config and some other config and grab the results with "ipfw show" and tcpdump :).
BTW, I have a question for the natd-experienced ppl in the community: why on my 3.3-RELEASE router can't I restart natd without
restarting the box? First I do
#kill -9 `cat /var/run/natd.pid`
this does what I want - natd is killed
then I run it:
#/sbin/natd -f /etc/natd.conf -n rl0
natd runs OK, but performs alteration of outgoing packets only. To make my question clearer I will add my network
configuration here

                                                   _____--------| Workstation with private IP |
                                                  /
INTERNET------| rl0 | FreeBSD w/natd | rl1 |------|
                                                  \_____
                                                        --------| WWW Server with private IP |

my natd.conf looks like this:
------------------------------------------------------------------------
unregistered_only yes
same_ports yes
redirect_port tcp SERVER_PRIVATE_IP:80 SERVER_PUBLIC_IP:80
------------------------------------------------------------------------
after restarting natd my workstation can browse the INTERNET (i.e. outgoing packets are patched by natd), but the INTERNET cannot access my
WWW server. Maybe natd is not restartable?

>Does NATD let the packets continue through IPFW after it changes the
>source address?
>

#man natd
<skipped>
The firewall rules will be run again on each packet after translation by natd, minus any divert rules.
<skipped>

But you should remember that these packets will already be altered!
Good luck in NAT'ing !

NKritsky - SysAdmin InternetHelp.Ru
http://www.internethelp.ru
e-mail: nkritsky@internethelp.ru
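As an added example (not code from this thread or from natd itself), here is a small Python model of how ipfw walks a ruleset around a divert rule. It shows Jon's point above: a rule written for the private address that sits after the divert never sees the translated packet, while a VPN exemption placed before the divert keeps the real inside address. The addresses, rule numbers and VPN prefix are constructed.

```python
# Toy model of ipfw traversal around a "divert natd" rule; addresses, rule
# numbers and the VPN prefix below are constructed for this added example.
from dataclasses import dataclass, replace
PUBLIC_IP = "203.0.113.1"    # constructed: address on rl0 (outside)
LAN_PREFIX = "192.168.0."    # constructed: private hosts behind rl1
VPN_PREFIX = "10.8.0."       # constructed: network that must see the real inside address

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    iface: str               # interface the packet is passing

def natd(pkt):
    """Rewrite a private source to PUBLIC_IP, like natd with unregistered_only."""
    return replace(pkt, src=PUBLIC_IP) if pkt.src.startswith(LAN_PREFIX) else pkt

def run(pkt, rules):
    """First matching (number, action, predicate) rule decides.  On 'divert' the packet
    goes through natd and matching resumes at the next rule with the translated packet;
    later divert rules are skipped ("run again ... minus any divert rules", natd(8))."""
    trace, diverted = [], False
    for num, action, match in rules:
        if (action == "divert" and diverted) or not match(pkt):
            continue
        trace.append(num)
        if action != "divert":
            return action, trace, pkt
        pkt, diverted = natd(pkt), True
    return "deny", trace, pkt        # nothing matched: default deny

def is_lan(p): return p.src.startswith(LAN_PREFIX)
def to_vpn(p): return p.dst.startswith(VPN_PREFIX)

# Divert on top: rule 200 expects a private source but runs after NAT, so it is dead.
DIVERT_ON_TOP = [
    (100, "divert", lambda p: p.iface == "rl0"),
    (200, "allow", is_lan),
    (300, "allow", lambda p: p.src == PUBLIC_IP and p.dport == 443),
    (65535, "deny", lambda p: True),
]
# Divert as needed: VPN traffic is allowed before the divert and keeps its inside
# address; everything else is translated and then checked as PUBLIC_IP.
DIVERT_AS_NEEDED = [
    (50, "allow", lambda p: is_lan(p) and to_vpn(p)),
    (100, "divert", lambda p: p.iface == "rl0"),
    (300, "allow", lambda p: p.src == PUBLIC_IP),
    (65535, "deny", lambda p: True),
]
WEB = Packet("192.168.0.10", "198.51.100.5", 80, "rl0")  # constructed: LAN host -> web site
VPN = Packet("192.168.0.10", "10.8.0.7", 500, "rl0")     # constructed: LAN host -> VPN peer
```

Running `run(WEB, DIVERT_ON_TOP)` returns a deny with trace [100, 65535], because rule 200 only ever sees the already-translated source; `run(WEB, DIVERT_AS_NEEDED)` allows it via rule 300 and `run(VPN, DIVERT_AS_NEEDED)` allows it via rule 50 with the private source intact.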



