Date:      Tue, 2 May 2000 15:28:47 -0700 (PDT)
From:      goran.lowkrantz@infologigruppen.se
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   bin/18354: NATD diverts DMZ packets to firewall host
Message-ID:  <200005022228.PAA40429@freefall.freebsd.org>


>Number:         18354
>Category:       bin
>Synopsis:       NATD diverts DMZ packets to firewall host
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue May  2 15:30:01 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator:     Goran Lowkrantz
>Release:        4.0-STABLE
>Organization:
Infologigruppen Norr AB
>Environment:
FreeBSD ns2.infologigruppen.se 4.0-STABLE FreeBSD 4.0-STABLE #0: Tue May  2 11:08:55 CEST 2000     root@ns2.infologigruppen.se:/usr/src/sys/compile/BIFROST  i386

>Description:
After upgrade from 3.4-STABLE to 4.0-STABLE, a firewall with attached DMZ started to act funny. All incoming data addressed to the DMZ was sent to the local firewall host.

Configuration

 Internet
    |
    |xl0 - 212.214.163.69/26
+---+---+xl1   +-----+
|  FW1  +------+ DMZ | - 212.214.162.32/28
+---+---+      +-----+
    |xl2 - 192.168.99.1/30
    |
    |de2 - 192.168.99.2/30
+---+---+
|  FW2  |
+---+---+
    |
    |
Internal
RFC 1918 net

After testing I found that this behavior was coupled with starting natd. As long as the divert rule was missing in the ipfw ruleset, the data flowed to the DMZ as expected. But as soon as the divert rule was enabled, no more data went to the DMZ; it was all sent to the FW host.
Natd was started as 
natd -f /etc/natd.conf -a 212.214.163.69

Content of natd.conf:
log yes
log_denied yes
use_sockets yes
same_ports yes
unregistered_only yes

>How-To-Repeat:
Three-NIC setup for DMZ, basic natd setup, and start with any firewall type; I have tested with open and had the same problem.
>Fix:
Add a skip rule to the ipfw ruleset that jumps the divert rule for data to the DMZ network.

00098 skipto 100 ip from any to 212.214.162.32/28
00099 divert 8668 ip from any to any via 212.214.163.69
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8


>Release-Note:
>Audit-Trail:
>Unformatted:

