Date: Wed, 11 Jul 2001 13:19:18 +0400 From: "Nickolay A. Kritsky" <nkritsky@internethelp.ru> To: "Francisco Reyes" <lists@natserv.com>, "Jon O ." <jono@microshaft.org> Cc: "FreeBSD Security List" <freebsd-security@FreeBSD.ORG> Subject: Re: Fixed Cant ping/nslookup. Natd rule not on top Message-ID: <04a601c109ea$90606c00$0600a8c0@ibmka.internethelp.ru>
next in thread | raw e-mail | index | archive | help
-----Original Message----- From: Francisco Reyes <lists@natserv.com> To: Jon O . <jono@microshaft.org> Cc: FreeBSD Security List <freebsd-security@FreeBSD.ORG> Date: 11 èþëÿ 2001 ã. 9:37 Subject: Re: Fixed Cant ping/nslookup. Natd rule not on top >On Tue, 10 Jul 2001, Jon O . wrote: >> Francisco: >> >> The divert rule should be placed in your ruleset as needed and can't be defined as "always on top." >> >> For example, I connect to a Firewall-1/VPN-1 server using my FreeBSD gateway. In this case I don't want the divert rule applied to packets going to VPN machines because I want to come from the real inside network address, not a NAT'ed hide address. So, it can cause problems because you are allowing the packet through the firewall, but then don't notice what the divert rule is doing to it -- I've done it and I'm sure many other people have also. Once you figure it out, you'll always remember to look at the divert rule too. > >Any recommendations where I could read more on NAT? >The natd man page is a good start, but I was thinking more along the >lines of a tutorial or examples. > I am a novice unix admin, and have similiar problems. AFAICS natd is very little documented, except for very simple cases. All I can say is - "try". Try this config and that config and some another config and grab the results with "ipfw show" and tcpdump :). BTW, I have the question to the natd-experienced ppl in the community: why on my 3.3-RELEASE router I cannot restart natd without restarting the box? First I do #kill -9 `cat /var/run/natd.pid` this does what I want - natd is killed then I run it: #/sbin/natd -f /etc/natd.conf -n rl0 natd runs OK, but performs alteration of outgoing packets only. To make my question more clear I will add here my network configuration _____--------| Workstation with private IP | / INTERNET------| rl0 | FreeBSD w/natd | rl1 |------| \_____ --------| WWW Server with private IP | my natd.conf is looking like this: ------------------------------------------------------------------------ unregistred_only yes same_ports yes redirect port tcp SERVER_PRIVATE_IP:80 SERVER_PUBLIC_IP:80 ------------------------------------------------------------------------ after restaring natd my workstation can browse INTERNET (i.e outgoing packets are patched by natd), but INTERNET cannot access my WWW server. May be natd is not restartable? >Does NATD let the packets continue through IPFW after it changes the >source address? > #man natd <skipped> The firewall rules will be run again on each packet after translation by natd, minus any divert rules. <skipped> But you should remember, that this packets will be already altered! Good luck in NAT'ing ! NKritsky - SysAdmin InternetHelp.Ru http://www.internethelp.ru e-mail: nkritsky@internethelp.ru > >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?04a601c109ea$90606c00$0600a8c0>