From: Коньков Евгений <kes-kes@yandex.ru>
Date: Tue, 18 May 2010 21:16:10 +0300
To: Casey Scott
Cc: freebsd-questions@freebsd.org
Subject: Re: natd in 8.1
Message-ID: <806308022.20100518211610@yandex.ru>
In-Reply-To: <963159806.27.1274197870913.JavaMail.root@spitfire.phantombsd.org>
X-Mailer: The Bat! (v4.0.24) Professional
Organization: ЧП Коньков, FreeLine
List-Id: User questions <freebsd-questions@freebsd.org>

Hello, Casey.

What does natd with the '-v' option show?
What is it aliasing?

You must bind natd to the external interface.
NEVER DO: any to any divert!!!
NOTICE: no traffic goes through this rule:
CS> 05000 0 0 divert 8668 ip from any to any out via fxp0

NEVER DO: open the firewall, for security reasons:
CS> 05001 29 1484 allow ip from any to any
All 'ALLOW' rules are useless because of rule 5001!

You drop all traffic before the divert ;-) This makes me a little confused:
CS> 04000 752 24282 deny log logamount 10000 ip from any to any
CS> 05000 0 0 divert 8668 ip from any to any out via fxp0

NOTICE:
CS> 01200 29 1484 skipto 5000 ip from 192.168.1.0/24 to any out via fxp0 setup keep-state
Maybe there are some bugs in ipfw; try 4999.

Please post where the problem was, for other readers with the same question.
Thanks.

You wrote on 18 May 2010, 18:51:10:

CS> I recently rebuilt a server from 7.x to 8.x. Using the exact
CS> same firewall & natd config, natd appears not to be aliasing the
CS> private address when the traffic leaves the external interface.
CS> When sniffing traffic w/ tcpdump, I see the private address as the
CS> source address on the outbound request.
CS> e.g.
CS> 192.168.1.1 = internal source of request
CS> 74.75.76.77 = public address (website)
CS> 12.13.14.15 =
CS>
CS>     Internal                              External
CS>     192.168.1.10 ->> 74.75.76.77   (NAT)  192.168.1.10 -> 74.75.76.77
CS>
CS> Rather than it should be:
CS>
CS>     Internal                              External
CS>     192.168.1.10 ->> 74.75.76.77   (NAT)  12.13.14.15 -> 74.75.76.77
CS>
CS> Watching natd with ktrace shows that no traffic gets passed to
CS> natd when the source is internal; however, external traffic passes through it.
CS>
CS> Firewall config:
CS> ---------------------------------------------------------------------------
CS> 00200 11946 3204818 allow ip from any to any via lo0
CS> 00300 0 0 deny ip from any to 127.0.0.0/8
CS> 00301 10 528 deny ip from any to 74.94.69.225 dst-port 445
CS> 00302 1 78 deny ip from any to 74.94.69.225 dst-port 137
CS> 00303 9 544 deny ip from any to 74.94.69.225 dst-port 135
CS> 00304 0 0 deny ip from 224.0.0.0/4 to any via fxp0
CS> 00305 671 18788 deny ip from any to 224.0.0.0/4 via fxp0
CS> 01000 9093 1158436 allow ip from any to any via em0
CS> 01050 51045 5205047 divert 8668 ip from any to any in via fxp0
CS> 01100 0 0 check-state
CS> 01100 69183 83429465 allow ip from me to any
CS> 01200 29 1484 skipto 5000 ip from 192.168.1.0/24 to any out via fxp0 setup keep-state
CS> 01201 0 0 skipto 5000 udp from 192.168.1.0/24 to any out via fxp0 keep-state
CS> 01202 45002 4690467 allow ip from any to any established
CS> 01800 1421 72620 allow tcp from any to me dst-port 20,21,53,76,80,123,443
CS> 01900 3 194 allow ip from 216.251.112.0/24,208.95.100.4 to any
CS> 02000 530 127559 allow udp from any 53 to any
CS> 02100 834 59414 allow udp from any to any dst-port 53
CS> 02150 1930 146680 allow udp from any 123 to me dst-port 123
CS> 02200 468 39312 allow icmp from any to any icmptypes 0,3,11
CS> 04000 752 24282 deny log logamount 10000 ip from any to any
CS> 05000 0 0 divert 8668 ip from any to any out via fxp0
CS> 05001 29 1484 allow ip from any to any
CS> 65535 0 0 deny ip from any to any
CS> ---------------------------------------------------------------------------
CS>
CS> natd.conf
CS> ---------------------------------------------------------------------------
CS> use_sockets
CS> same_ports
CS> unregistered_only
CS> interface fxp0
CS> redirect_port tcp 192.168.1.82:82 82
CS> redirect_port tcp 192.168.1.41:8082 8082
CS> redirect_port tcp 192.168.1.3:3389 3389
CS> redirect_port udp 192.168.1.3:3389 3389
CS> redirect_port tcp 192.168.1.6:6881-6889 6881-6889
CS> ---------------------------------------------------------------------------
CS>
CS> As I previously stated, this exact same config worked great in
CS> 7.x. I built a kernel in 8.x w/ IPFIREWALL & IPDIVERT, and
CS> reviewed UPDATING. Have I missed something?
CS>
CS> TIA,
CS> Casey

--
Regards,
Коньков                          mailto:kes-kes@yandex.ru
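The points raised in the reply (a divert rule should be bound to an interface, a bare "allow ip from any to any" opens the firewall, a deny-all placed ahead of the divert leaves it reachable only by skipto) and the zero packet counter on rule 5000 can be checked mechanically over `ipfw -a list` output. The lint below is an added example written for this page, not code from either poster; the embedded ruleset is a constructed excerpt of the rules quoted above, and the function names are this example's own.

```python
import re

# Constructed sample: the relevant rules quoted in the thread, in `ipfw -a list`
# column order (number, packets, bytes, action, body).
RULESET = """\
01050 51045 5205047 divert 8668 ip from any to any in via fxp0
01200 29 1484 skipto 5000 ip from 192.168.1.0/24 to any out via fxp0 setup keep-state
01202 45002 4690467 allow ip from any to any established
04000 752 24282 deny log logamount 10000 ip from any to any
05000 0 0 divert 8668 ip from any to any out via fxp0
05001 29 1484 allow ip from any to any
65535 0 0 deny ip from any to any
"""

LINE = re.compile(r"^(\d+)\s+(\d+)\s+\d+\s+(\S+)\s*(.*)$")

def parse(text):
    """Return [(num, pkts, action, arg, body)]; arg is the divert port or skipto target."""
    rules = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        num, pkts, action, body = m.groups()
        arg = None
        if action in ("divert", "skipto"):
            first, _, body = body.partition(" ")
            arg = int(first)
        # strip "log [logamount N]" so only the match part of the rule is compared
        body = re.sub(r"^log(\s+logamount\s+\d+)?\s*", "", body)
        rules.append((int(num), int(pkts), action, arg, body))
    return rules

def audit(text):
    """Flag the points raised in the reply, plus the skipto/divert counter mismatch."""
    rules = parse(text)
    divert = {num: pkts for num, pkts, act, _, _ in rules if act == "divert"}
    findings = []
    for num, pkts, act, arg, body in rules:
        if act == "allow" and body == "ip from any to any":
            findings.append((num, "allow any-to-any opens the firewall from here on"))
        if act == "divert" and " via " not in body:
            findings.append((num, "divert not bound to an interface"))
        if act == "deny" and body == "ip from any to any" and num != 65535:
            later = [d for d in divert if d > num]  # diverts only reachable by skipto
            if later:
                findings.append((num, f"deny-all precedes divert {later}: only skipto reaches them"))
        if act == "skipto" and arg in divert and pkts > 0 and divert[arg] == 0:
            findings.append((num, f"{pkts} packets skipped to {arg} but divert {arg} counted none"))
    return findings
```

Run against the sample it reports rules 1200, 4000 and 5001, which are exactly the three rules the reply singles out.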