From owner-freebsd-questions Fri Dec 17 1:39:57 1999
Delivered-To: freebsd-questions@freebsd.org
Received: from relay.ucb.crimea.ua (UCB-Async4-CRISCO.CRIS.NET [212.110.129.130]) by hub.freebsd.org (Postfix) with ESMTP id D6FC815091 for ; Fri, 17 Dec 1999 01:39:45 -0800 (PST) (envelope-from ru@ucb.crimea.ua)
Received: (from ru@localhost) by relay.ucb.crimea.ua (8.9.3/8.9.3/UCB) id LAA00717; Fri, 17 Dec 1999 11:38:13 +0200 (EET) (envelope-from ru)
Date: Fri, 17 Dec 1999 11:38:13 +0200
From: Ruslan Ermilov
To: Scott Worthington
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: Proper use of natd for mail (port 25)...
Message-ID: <19991217113813.C76255@relay.ucb.crimea.ua>
Mail-Followup-To: Scott Worthington , freebsd-questions@FreeBSD.ORG
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.3i
In-Reply-To: ; from Scott Worthington on Thu, Dec 16, 1999 at 04:09:51PM -0700
X-Operating-System: FreeBSD 3.3-STABLE i386
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Thu, Dec 16, 1999 at 04:09:51PM -0700, Scott Worthington wrote:
> >>> Martin Welk 12/16/99 02:35PM >>>
> >Scott, I have set up similar configurations at work and for customers -
> >for example, for VNC access of a Windoze box from special hosts in the
> >outer world or using FileMaker databases. It works flawlessly - I tried
> >to look through for mail carefully but didn't find anything, sorry.
> >
> >Please add a ``log'' parameter to your firewall rules and look where
> >the packets go and what they look like (and you can give us some useful
> >excerpt from it, I mean, what happens to the packet(s) on their way?)
>
> I changed this in the rc.firewall
>
> Original:
> /sbin/ipfw add divert natd all from any to any via fxp0
>
> Now:
> /sbin/ipfw add divert natd log all from any to any via fxp0
>
> The /var/log/messages had this when I was telnet'ing from
> public.ip.10 to public.ip.8 port 25:
>
> date time hostname /kernel: ipfw: 100 Divert 8668 TCP public.ip.10:1082
> public.ip.8:25 in via fxp0
>
> I did notice that there was no 'out'.
>
> >You could even tcpdump -i fxp1 to see which packets go through that net.
> >
> >I think the packets coming back from your internal SMTP server don't pass
> >natd, because you do divert those packets if they go via fxp0. A private
> >network (10.0/8, 172.I.was.to.lazy.to.look.in./etc/hosts, 192.168/16) should
> >never be routed to the outer world, maybe that's the simple reason.
> >
> >Remove the ``via fxp0'' parameter from the divert rule.
> >
> I dropped the via fxp0 from the divert rule and reran the process.
>
> The /var/log/messages had this when I was telnet'ing from
> public.ip.10 to public.ip.8 port 25:
>
> date time hostname /kernel: ipfw: 100 Divert 8668 TCP public.ip.10:1082
> public.ip.8:25 in via fxp0
>
> date time hostname /kernel: ipfw 100 Divert 8668 TCP public.ip.10:1082
> 192.168.83.9:25 out via fxp0
>
> But still the telnet timed out (Unable to connect to remote host:
> Operation timed out).
>
> So I tried to telnet from the firewall machine to 192.168.83.9 port 25.
> Eeech, no connect this time. I did not write down the log info, though.
>
> >Good luck,
> >
> >Martin
>
> Any way you can sneak a peek at one of your finely configured machines
> at work :)
>
Your rules look OK, don't remove `via fxp0' tail.

Your problem smells like 192.168.83.9 has no default router set, or it
is set to something different than firewalling/aliasing machine.

In respect to "rule-based forwarding", there is an option for enabling
it, it is called IPFIREWALL_FORWARD. Please refer to the ipfw(8) page
for description of this feature.
Cheers,
--
Ruslan Ermilov		Sysadmin and DBA of the
ru@ucb.crimea.ua	United Commercial Bank,
ru@FreeBSD.org		FreeBSD committer,
+380.652.247.647	Simferopol, Ukraine
http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
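The diagnostic step the thread walks through (turn on `log` on the divert rule, then look for an `in` entry with no matching `out`, and later check what natd rewrote the destination to) can be done mechanically over /var/log/messages. The script below is an added example written for this archive page; it is not code from the thread or from FreeBSD. It assumes the ipfw log layout exactly as Scott's excerpt shows it (`ipfw: <rule> Divert <port> <proto> <src>:<sport> <dst>:<dport> <in|out> via <iface>`, with or without the colon after `ipfw`), and the sample lines are constructed, using TEST-NET-1 addresses (192.0.2.x) where the thread wrote `public.ip.10` and `public.ip.8`.

```python
import re
from collections import defaultdict

# Divert log line as it appears in the thread's /var/log/messages excerpt.
# Assumption: the layout matches that excerpt; the colon after "ipfw" is
# optional because the second log line in the thread lacks it.
LOG_RE = re.compile(
    r"ipfw:?\s+(?P<rule>\d+)\s+Divert\s+(?P<port>\d+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+(?P<dst>\S+):(?P<dport>\d+)\s+"
    r"(?P<dir>in|out)\s+via\s+(?P<iface>\S+)"
)

# Constructed sample lines. First run: only an "in" entry (what Scott saw
# first). Second run: the "out" entry appears with the destination rewritten
# to the internal SMTP host, as in his second excerpt.
SAMPLE_FIRST_RUN = [
    "Dec 16 16:09:51 fw /kernel: ipfw: 100 Divert 8668 TCP 192.0.2.10:1082 192.0.2.8:25 in via fxp0",
]
SAMPLE_SECOND_RUN = SAMPLE_FIRST_RUN + [
    "Dec 16 16:12:03 fw /kernel: ipfw 100 Divert 8668 TCP 192.0.2.10:1082 192.168.83.9:25 out via fxp0",
]


def parse_line(line):
    """Return the divert log fields as a dict, or None for any other line."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def pair_flows(lines):
    """Group divert entries by (proto, src, sport) and record, per direction,
    the destination the packet carried when it hit the rule. A missing
    direction means that side of the flow never reached natd."""
    flows = defaultdict(dict)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["proto"], rec["src"], rec["sport"])
        flows[key][rec["dir"]] = f'{rec["dst"]}:{rec["dport"]}'
    return dict(flows)


def diagnose(lines, redirect_target):
    """Classify each flow seen at the divert rule.

    redirect_target is the inside "host:port" that natd's redirect_port is
    expected to rewrite the public destination to (192.168.83.9:25 in the
    thread). Verdicts:
      one-way       "in" diverted, "out" never seen: the forward/reply path
                    is not passing through natd
      translated    both directions seen and the destination was rewritten
                    to redirect_target
      wrong-target  both directions seen but rewritten to something else
      no-inbound    only an "out" entry: the packet was never diverted on
                    the way in
    """
    verdicts = {}
    for (proto, src, sport), dirs in pair_flows(lines).items():
        name = f"{proto} {src}:{sport}"
        if "in" in dirs and "out" not in dirs:
            verdicts[name] = "one-way"
        elif "in" not in dirs:
            verdicts[name] = "no-inbound"
        elif dirs["out"] == redirect_target:
            verdicts[name] = "translated"
        else:
            verdicts[name] = "wrong-target"
    return verdicts


if __name__ == "__main__":
    for label, sample in (("first run", SAMPLE_FIRST_RUN), ("second run", SAMPLE_SECOND_RUN)):
        print(label, diagnose(sample, "192.168.83.9:25"))
```

On the constructed input the first run yields `one-way` and the second `translated`. A `translated` verdict together with a connection that still times out is exactly the situation at the end of the thread: the firewall has done its part and the log cannot show more, so the next thing to inspect is the routing table on the redirect target itself (whether its default route points back at the firewalling/aliasing machine), which is what Ruslan's reply suggests.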