Date: Sat, 4 Aug 2001 19:03:38 -0500 (CDT) From: Douglas Carmichael <dcarmich@ourservers.net> To: freebsd-security@freebsd.org, freebsd-questions@freebsd.org Subject: natd doesn't start on boot even when added to /etc/rc.conf Message-ID: <200108050003.f7503dM00486@nightfly.ourservers.net>
After following the instructions in the dialup firewall tutorial on freebsd.org, I have successfully gotten my Linux system on the local Ethernet (192.168.1.x range) to talk to the Internet through the FreeBSD gateway. However, I have two problems:

1) natd does not start up upon rebooting the system, even though I put it in /etc/rc.conf.

2) With PPP enabled, I cannot connect to the gateway from other systems on the local Ethernet (i.e. a telnet connection is successfully set up, but I do not see a login prompt). However, I am running a caching DNS server on the machine and that can be successfully accessed from the local Ethernet. And I can connect to the PPP control port (i.e. port 3000) successfully.

Here are my firewall rules (stored in /etc/rc.firewall.current and executed successfully on boot):

# Firewall rules
# Written by Marc Silver (marcs@draenor.org)
# http://draenor.org/ipfw
# Freely distributable

# Define the firewall command (as in /etc/rc.firewall) for easy
# reference. Helps to make it easier to read.
fwcmd="/sbin/ipfw"

# Define the inside and outside interfaces
inside_if="xl0"
outside_if="tun0"

# Define the TCP ports that you wish to allow access to from the outside
outside_tcp_ports=""

# Force a flushing of the current rules before we reload.
$fwcmd -f flush

# Divert all packets through the tunnel interface.
$fwcmd add divert natd all from any to any via $outside_if

# Allow all data from my network card and localhost. Make sure you
# change your network card (mine was fxp0) before you reboot. :)
$fwcmd add allow ip from any to any via lo0
$fwcmd add allow ip from any to any via $inside_if

# Allow all connections that I initiate.
$fwcmd add allow tcp from any to any out xmit $outside_if setup

# Once connections are made, allow them to stay open.
$fwcmd add allow tcp from any to any via $outside_if established

# Open the TCP ports listed in outside_tcp_ports (if any) to new
# connections from the outside.
if [ "$outside_tcp_ports" != "" ]; then
    for i in $outside_tcp_ports; do
        $fwcmd add allow tcp from any to any $i setup
    done
fi

# This sends a RESET to all ident packets.
$fwcmd add reset log tcp from any to any 113 in recv $outside_if

# Allow outgoing DNS queries ONLY to the specified servers.
$fwcmd add allow udp from any to 198.147.221.34 53 out xmit $outside_if

# Allow them back in with the answers... :)
$fwcmd add allow udp from 198.147.221.34 53 to any in recv $outside_if

# Allow ICMP (for ping and traceroute to work). You may wish to
# disallow this, but I feel it suits my needs to keep them in.
$fwcmd add 65435 allow icmp from any to any

# Deny all the rest.
$fwcmd add 65435 deny log ip from any to any

Here's my /etc/rc.conf:

# -- sysinstall generated deltas -- #
# Created: Sun Aug 5 01:45:35 2001
# Enable network daemons for user convenience.
# This file now contains just the overrides from /etc/defaults/rc.conf
# please make all changes to this file.
gateway_enable="YES"
firewall_enable="YES"
firewall_script="/etc/rc.firewall.current"
hostname="gateway.dcarmich.net"
ifconfig_xl0="inet 192.168.1.1 netmask 255.255.255.0"
# User ppp configuration.
ppp_enable="YES"        # Start user-ppp (or NO).
ppp_mode="auto"         # Choice of "auto", "ddial", "direct" or "dedicated".
                        # For details see man page for ppp(8). Default is auto.
ppp_nat="NO"            # Use PPP's internal network address translation or NO.
ppp_profile="xnet"      # Which profile to use from /etc/ppp/ppp.conf.
ppp_user="root"         # Which user to run ppp as
# NAT configuration.
natd_enable="YES"
natd_flags="-f /etc/natd.conf"
# named configuration.
named_enable="YES"
named_flags="-u bind -g bind"
inetd_enable="YES"
kern_securelevel_enable="NO"
portmap_enable="NO"
moused_enable="NO"
moused_type="NO"
sendmail_enable="NO"
sshd_enable="YES"
usbd_enable="NO"

Here's my /etc/natd.conf:

dynamic
interface tun0
use_sockets
same_ports
unregistered_only
log_denied

What could be the problem? Any comments welcome.
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
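An added example, not part of the original post or of FreeBSD's own scripts: a small POSIX sh lint for the rc.conf NAT settings the message is asking about. It assumes my reading of the FreeBSD 4.x /etc/rc.network of that era, where natd is started from the firewall section only when firewall_enable="YES", the firewall script is readable, natd_enable="YES" and natd_interface is non-empty (rc.network turns natd_interface into "-n <interface>" or "-a <address>" and appends it to natd_flags). The rc.conf excerpts embedded below are constructed from the posted file; the function names rc_get, is_yes and natd_check are mine.

```shell
#!/bin/sh
# Added example: check whether rc.conf contains everything FreeBSD 4.x
# rc.network needs before it will launch natd at boot.
# Assumption (my reading of rc.network of that era): natd is started only
# when firewall_enable=YES, natd_enable=YES and natd_interface is non-empty.

# rc_get FILE VAR: print the value of VAR as sh would see it when sourcing
# rc.conf (double-quoted assignments only; the last assignment wins).
rc_get() {
    sed -n "s/^[[:space:]]*$2=\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# is_yes VALUE: rc.conf accepts "YES" in any letter case.
is_yes() {
    case "$1" in
        [Yy][Ee][Ss]) return 0 ;;
        *) return 1 ;;
    esac
}

# natd_check FILE: return 0 if natd would be started at boot, 1 otherwise.
# Every reason found is printed on its own line.
natd_check() {
    rc="$1"; ok=0
    if ! is_yes "$(rc_get "$rc" natd_enable)"; then
        echo "natd_enable is not YES: rc.network never starts natd"
        ok=1
    fi
    if ! is_yes "$(rc_get "$rc" firewall_enable)"; then
        echo "firewall_enable is not YES: natd is started only after the firewall script is loaded"
        ok=1
    fi
    if [ -z "$(rc_get "$rc" natd_interface)" ]; then
        echo "natd_interface is empty: rc.network skips natd even with natd_enable=YES"
        ok=1
    fi
    # Double translation: user-ppp's built-in NAT and natd on the same tun0.
    if is_yes "$(rc_get "$rc" ppp_nat)" && is_yes "$(rc_get "$rc" natd_enable)"; then
        echo "ppp_nat and natd_enable are both YES: packets on tun0 would be translated twice"
        ok=1
    fi
    return $ok
}

# Constructed samples: the NAT-related lines of the posted rc.conf, and the
# same file with natd_interface added.
BROKEN_RC=$(mktemp)
FIXED_RC=$(mktemp)
cat > "$BROKEN_RC" <<'EOF'
gateway_enable="YES"
firewall_enable="YES"
firewall_script="/etc/rc.firewall.current"
ppp_enable="YES"
ppp_nat="NO"            # Use PPP's internal network address translation or NO.
natd_enable="YES"
natd_flags="-f /etc/natd.conf"
EOF
{ cat "$BROKEN_RC"; echo 'natd_interface="tun0"'; } > "$FIXED_RC"

echo "== posted rc.conf"
natd_check "$BROKEN_RC" || echo "-> natd will NOT start at boot"
echo "== with natd_interface set"
natd_check "$FIXED_RC" && echo "-> natd will start at boot"
```

Because rc.network passes "-n tun0" on top of natd_flags, the "interface tun0" line in the posted /etc/natd.conf simply repeats the same setting; keeping both is harmless as long as they name the same interface.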