From owner-freebsd-bugs Tue May 2 15:30:05 2000
Delivered-To: freebsd-bugs@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21])
	by hub.freebsd.org (Postfix) with ESMTP id D98FF37C097
	for ; Tue, 2 May 2000 15:30:01 -0700 (PDT)
	(envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.9.3/8.9.2) id PAA40561;
	Tue, 2 May 2000 15:30:01 -0700 (PDT)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21])
	by hub.freebsd.org (Postfix) with ESMTP id 54A7C37C068
	for ; Tue, 2 May 2000 15:28:47 -0700 (PDT)
	(envelope-from nobody@FreeBSD.org)
Received: (from nobody@localhost)
	by freefall.freebsd.org (8.9.3/8.9.2) id PAA40429;
	Tue, 2 May 2000 15:28:47 -0700 (PDT)
	(envelope-from nobody@FreeBSD.org)
Message-Id: <200005022228.PAA40429@freefall.freebsd.org>
Date: Tue, 2 May 2000 15:28:47 -0700 (PDT)
From: goran.lowkrantz@infologigruppen.se
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-1.0
Subject: bin/18354: NATD diverts DMZ packets to firewall host
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number:         18354
>Category:       bin
>Synopsis:       NATD diverts DMZ packets to firewall host
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue May 2 15:30:01 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator:     Goran Lowkrantz
>Release:        4.0-STABLE
>Organization:
Infologigruppen Norr AB
>Environment:
FreeBSD ns2.infologigruppen.se 4.0-STABLE FreeBSD 4.0-STABLE #0: Tue May 2 11:08:55 CEST 2000 root@ns2.infologigruppen.se:/usr/src/sys/compile/BIFROST i386
>Description:
After upgrade from 3.4-STABLE to 4.0-STABLE, a firewall with attached DMZ started to act funny. All incoming data addressed to the DMZ was sent to the local firewall host.
Configuration

                  Internet
                     |
                     |xl0 - 212.214.163.69/26
                 +---+---+xl1        +-----+
                 | FW1   +-----------+ DMZ | - 212.214.162.32/28
                 +---+---+           +-----+
                     |xl2 - 192.168.99.1/30
                     |
                     |de2 - 192.168.99.2/30
                 +---+---+
                 | FW2   |
                 +---+---+
                     |
                     |
              Internal RFC 1918 net

After testing I found that this behavior was coupled with starting of natd. As long as the divert rule was missing in the ipfw ruleset the data flowed to the DMZ as expected. But as soon as the divert rule was enabled, no more data to the DMZ, all sent to FW host.

Natd was started as

    natd -f /etc/natd.conf -a 212.214.163.69

Content of natd.conf:

    log yes
    log_denied yes
    use_sockets yes
    same_ports yes
    unregistered_only yes

>How-To-Repeat:
Three NIC setup for DMZ, basic natd setup and start with any firewall type, have tested with open and had same problem.
>Fix:
Add a skip rule to the ipfw ruleset that jumps the divert rule for data to the DMZ network.

    00098 skipto 100 ip from any to 212.214.162.32/28
    00099 divert 8668 ip from any to any via 212.214.163.69
    00100 allow ip from any to any via lo0
    00200 deny ip from any to 127.0.0.0/8

>Release-Note:
>Audit-Trail:
>Unformatted:
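The workaround in the >Fix: section relies on ipfw's first-match evaluation order: rule 00099 diverts every packet crossing the interface that holds 212.214.163.69 (the external NIC xl0 in the diagram), so a DMZ-bound packet arriving from the Internet is handed to natd before any later rule can see it. The skipto in rule 00098 jumps such packets past the divert. The following is an added example, not part of the PR or of FreeBSD: a small Python model of ipfw's rule walk (first match wins, skipto resumes at the first rule numbered at or above the target, "via <ipno>" matches the interface carrying that address) run over the PR's ruleset with and without rule 00098. The interface address table, the trailing allow rule at 65535 (standing in for the "open" firewall type the reporter tested with) and the sample destination addresses are constructed assumptions.

```python
import ipaddress

# Constructed interface table, taken from the diagram in the PR: ipfw's
# "via <ipno>" matches the interface that holds that address, so
# "via 212.214.163.69" and "via xl0" select the same packets here.
IFACE_ADDRS = {"xl0": "212.214.163.69", "xl1": "212.214.162.33", "lo0": "127.0.0.1"}


def rule(number, action, dst=None, via=None):
    """Build one rule: dst is a CIDR string or None for 'any'; via is an
    interface name, an interface address, or None for 'any'."""
    return (number, action, ipaddress.ip_network(dst) if dst else None, via)


def via_matches(via, iface):
    """ipfw 'via' clause against the interface the packet is crossing."""
    if via is None or via == iface:
        return True
    return IFACE_ADDRS.get(iface) == via


def rule_matches(r, dst, iface):
    _, _, dst_net, via = r
    if dst_net is not None and ipaddress.ip_address(dst) not in dst_net:
        return False
    return via_matches(via, iface)


def evaluate(rules, dst, iface):
    """Walk the ruleset the way ipfw does: first matching terminal action
    wins; skipto resumes at the first rule whose number is >= the target.
    Returns a short string naming the action and the rule that fired."""
    i = 0
    while i < len(rules):
        r = rules[i]
        number, action = r[0], r[1]
        if not rule_matches(r, dst, iface):
            i += 1
            continue
        if action[0] == "skipto":
            target = action[1]
            i = next((j for j, x in enumerate(rules) if x[0] >= target), len(rules))
            continue
        if action[0] == "divert":
            return f"divert {action[1]} (rule {number})"
        return f"{action[0]} (rule {number})"
    return "deny (no rule matched)"


# The PR's ruleset before the fix: the divert comes first, so every packet
# crossing xl0 goes to natd, including traffic addressed to the DMZ.
RULES_BROKEN = [
    rule(99, ("divert", 8668), via="212.214.163.69"),
    rule(100, ("allow",), via="lo0"),
    rule(200, ("deny",), dst="127.0.0.0/8"),
    rule(65535, ("allow",)),  # constructed: 'open' firewall type ends in allow
]

# The PR's fix: a skipto ahead of the divert moves DMZ-bound packets past natd.
RULES_FIXED = [rule(98, ("skipto", 100), dst="212.214.162.32/28")] + RULES_BROKEN


def compare(dst, iface="xl0"):
    """Outcome for the same inbound packet under both rulesets."""
    return evaluate(RULES_BROKEN, dst, iface), evaluate(RULES_FIXED, dst, iface)


if __name__ == "__main__":
    # Constructed sample destinations: one DMZ host, and the firewall itself.
    for dst in ("212.214.162.40", "212.214.163.69"):
        before, after = compare(dst)
        print(f"{dst:>16} via xl0: before={before!r:28} after={after!r}")
```

The model shows the two properties that matter: a packet for a DMZ host is diverted under the original ruleset and passes natd untouched once rule 00098 is present, while a packet addressed to the firewall's own external address still reaches the divert in both cases, so NAT for the internal RFC 1918 network is not affected by the skip.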