Date:      Fri, 17 Dec 1999 06:22:42 +0100
From:      Martin Welk <mw@theatre.sax.de>
To:        Scott Worthington <SWorthington@hsag.com>
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: Proper use of natd for mail (port 25)...
Message-ID:  <19991217062241.B28121@theatre.sax.de>
In-Reply-To: <s8590eed.068@internal.hsag.com>; from SWorthington@hsag.com on Thu, Dec 16, 1999 at 04:09:51PM -0700
References:  <s8590eed.068@internal.hsag.com>

On Thu, Dec 16, 1999 at 04:09:51PM -0700, Scott Worthington wrote:

> The /var/log/messages had this when I was telnet'ing from 
> public.ip.10 to public.ip.8 port 25:
> 
> date time hostname /kernel: ipfw: 100 Divert 8668 TCP public.ip.10:1082
> public.ip.8:25 in via fxp0
> 
> I did notice that there was no 'out'.

This is no wonder, because (as also the man pages for ipfw and so on say),
the packets are handed over to natd and injected back into the IP stack in
a way that they will pass the ruleset of the IP firewall again, except for
the divert rule they already passed.

As you enabled logging for the divert rule only (and not for the allow rule
which may be a compiled in kernel default, but you can add an equal rule
with a lower line number and the log parameter manually before the default
rule), you won't see any log of the outgoing packet.

> The /var/log/messages had this when I was telnet'ing from 
> public.ip.10 to public.ip.8 port 25:
> 
> date time hostname /kernel: ipfw: 100 Divert 8668 TCP public.ip.10:1082
> public.ip.8:25 in via fxp0
> 
> date time hostname /kernel: ipfw 100 Divert 8668 TCP public.ip.10:1082
> 192.168.83.9:25 out via fxp0
> 
> But still the telnet timed out (Unable to connect to remote host: 
> Operation timed out).

Hm, it would have been interesting to see if there's anything coming back
from that other machine.

> So I tried to telnet from the firewall machine to 192.168.83.9 port 25.
> Eeech, no connect this time.  I did not write down the log info, though.

Hm. Don't call me silly, but what happens when you clear the firewall
ruleset (especially the divert rule) and try to telnet to the internal
machine then? Does that work or do you have some more basic network
trouble? (Something like internal host's address cannot be resolved
or different netmasks or some other failure.) Just use ipfw flush to
clear the firewall, no need to edit /etc/rc.conf or /etc/rc.firewall
and reboot.

> Any way you can sneak a peek at one of your finely configured machines
> at work :)

At the first time when I was looking into that natd/ipfw stuff (on 2.2.x
about two years ago) I had my problems, too, and there were things I wasn't
able to understand :-)

Regards,

Martin
-- 
 /| /|        | /| /            ,,You know, there's a lot of opportunities,
/ |/ | artin  |/ |/ elk                     if you're knowing to take them,
                                  you know, there's a lot of opportunities,
Freiberg/Saxony, Germany                 if there aren't you can make them,
mw@sax.de / mw@theatre.sax.de          make or break them!'' (Tennant/Lowe)
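The two things Martin's reply points at, written out as an added shell example that is not part of this thread or of FreeBSD's own rc.firewall: a ruleset with a logged copy of the allow rule placed at a lower number than the default, so the second pass of the packet natd reinjects shows up in /var/log/messages as "out", and a small check over the log for source sockets that were diverted "in" but never seen "out" (the symptom Scott first reported). It assumes fxp0 as the outside interface, natd on its default divert port 8668, the internal mail host 192.168.83.9 from Scott's log, and rule numbers chosen here; the sample log lines are constructed from the format quoted above.

```shell
#!/bin/sh
# Added example; assumptions: outside interface fxp0, natd divert port 8668,
# internal mail host 192.168.83.9, rule numbers 100/200/65000 picked here.
EXT_IF=fxp0
DIVERT_PORT=8668
MAIL_HOST=192.168.83.9

# Emit the ipfw commands as text so they can be reviewed before loading.
# Rule 200 is a logged copy of the permissive default at 65000: only a rule
# with 'log' writes to /var/log/messages, and the reinjected packet skips
# the divert rule, so without 200 the 'out' direction is never logged.
nat_ruleset() {
    cat <<EOF
add 100 divert $DIVERT_PORT ip from any to any via $EXT_IF
add 200 allow log ip from any to any
add 65000 allow ip from any to any
EOF
}

# Flush and load the ruleset, one ipfw invocation per emitted line.
apply_ruleset() {
    ipfw -q -f flush
    nat_ruleset | while read -r line; do
        # shellcheck disable=SC2086  # word splitting into ipfw args is intended
        ipfw -q $line
    done
}

# Run natd on the outside interface and hand port 25 of the public address
# to the internal mail host (assumed setup; matches the rewrite in the log).
start_natd() {
    natd -n "$EXT_IF" -redirect_port tcp "$MAIL_HOST:25" 25
}

# Constructed sample of the log format quoted in the thread (not real output).
SAMPLE_LOG='Dec 16 16:09:51 fw /kernel: ipfw: 100 Divert 8668 TCP public.ip.10:1082 public.ip.8:25 in via fxp0
Dec 16 16:09:52 fw /kernel: ipfw: 100 Divert 8668 TCP public.ip.10:1082 192.168.83.9:25 out via fxp0
Dec 16 16:10:03 fw /kernel: ipfw: 100 Divert 8668 TCP public.ip.10:1083 public.ip.8:25 in via fxp0'

# Read divert log lines on stdin and print the source sockets that were
# diverted inbound but never reinjected outbound; those are the connections
# natd dropped or could not translate. Fields are counted from the end so a
# different syslog prefix (hostname, 'ipfw' with or without colon) still works.
unmatched_divert() {
    awk '/ipfw:? [0-9]+ Divert/ {
            src = $(NF-4); dir = $(NF-2)
            if (dir == "in")  seen_in[src] = 1
            if (dir == "out") seen_out[src] = 1
        }
        END {
            for (s in seen_in) if (!(s in seen_out)) print s
        }' | sort
}

# Only touch the live firewall when explicitly asked; by default just preview.
case "${1:-}" in
    apply)
        start_natd
        apply_ruleset
        ;;
    *)
        echo "ruleset preview:"; nat_ruleset
        echo "diverted in but never out (sample log):"
        printf '%s\n' "$SAMPLE_LOG" | unmatched_divert
        ;;
esac
```

Run it without arguments to see the ruleset and the diagnostic over the embedded sample; with `apply` it starts natd and loads the rules. For a live box, feed `grep Divert /var/log/messages | unmatched_divert` and any socket it prints is one where the inbound packet reached natd but nothing came back out, which is exactly the case Martin suggests testing with `ipfw flush` and a direct telnet to the internal host.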
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19991217062241.B28121>