Date: Mon, 29 Mar 1999 09:58:16 -0800
From: tront@cs.sfu.ca
To: jonc@pinnacle.co.nz
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: natd
Message-ID: <3.0.3.32.19990329095816.009f5960@cs.sfu.ca>
Does anyone know if the following is commonly required to run natd? The natd man page says nothing about this particular kernel option being needed.

>Another person has suggested using:
>>options IPFIREWALL_FORWARD #enable transparent proxy
>This fixed his non-functioning natd.

This is not mentioned in the natd man page, so before we go to the trouble of recompiling our kernel, could you comment on whether this might help our natd run?

Thanks VERY much,
Russ Tront, Instructor, School of Computing Science, SFU.
-----------------------------------------------------------------------------
Details of our setup:

>>
>> At 09:44 AM 3/25/99 +0200, ari wrote:
>> >tront@cs.sfu.ca wrote:
>> >>
>> >> Hi Ari, I am a university instructor of a network admin course that has
>> >> been using freebsd unix for 2 years. We are trying natd for the first time
>> >> on freebsd 2.2.7. And after checking all available documentation we are
>> >> stumped as to why we can't even ping from the gateway to a public network
>> >> machine while natd is running.
>> >> We have followed the instructions on the man page exactly!
>> >> We can ping from the internal machine to the gateway and vice versa. But
>> >> not through the gateway to the public network. And more interestingly, not
>> >> even from the gateway machine to the public network (one hop!). When we
>> >> kill natd and remove the divert firewall rule, ping is successful in all
>> >> ways, including relay through the gateway, so the connectivity and routing
>> >> is good.
>> >>
>> >> The divert rule firewall timestamp is showing that it is being used at the
>> >> time we attempt to ping, so the firewall is running. And the firewall
>> >> only has the specified 2 rules plus the final 65535 deny rule. Also, we
>> >> found that running natd in verbose mode generated no error messages. And
>> >> running in log mode didn't seem to generate any log in alias.log.
>> >>
>> >> We have spent hours on this, and are beginning to disagree with the man
>> >> page that states "Running natd is fairly straight forward". Can you give
>> >> us another pointer or two on where to look for some error in our setup.
>> >
>> > One common mistake is to run natd on the wrong interface. You are supposed
>> > to run it on the interface that is connected to the public network.
>>
>> No, that isn't the problem.
>>
>> > If you can send a little bit more details about your setup
>> > (interface names, addresses etc.) I can try to help you out.
>>
>> I have attached a dump of all kinds of useful information verifying my setup
>> according to the 'running natd' part of the man page. I hope this helps.
>> I have some things you might want to worry about:
>> 1) in our lab, the outside public network has one of the 'test' network
>> addresses 172.16/16. Is there a chance that natd will refuse to forward to
>> such a public network?
>> 2) the address we are pinging is on the same network as the gateway's
>> public address (i.e. direct connection, one hop).
>> 3) because of 2) above, we do not have a specific or default route for the
>> ping's destination. A route is in the routing table for that network by
>> virtue of the interface being brought up.
>> 4) we are not putting any natd commands in a file, assumably everything
>> that is needed can be typed into the command line.
>>
>> Here are the results of what my student dumped. 172.16/16 is the public
>> network. 172.17/16 is the inside network. 172.16.1.6 is ed0, the public
>> interface of the gateway. Any help would be appreciated.
>>
>> Russ Tront, Instructor, School of Computing Science, SFU.
>>
>> ----------------------------------------------------------------------------
>> ----------------------------------
>> Script started on Wed Mar 24 22:44:56 1999
>> You have mail.
>> fall.net1.cs{root}:cd /usr/src/sys/i386/conf
>>
>> fall.net1.cs{root}:ls
>> FALL LINT PCCARD files.i386 options.i386
>> GENERIC Makefile.i386 devices.i386 majors.i386
>>
>> fall.net1.cs{root}:fgrep IPFIRTEWALL FALL
>> options IPFIREWALL
>> options IPFIREWALL_VERBOSE
>>
>> fall.net1.cs{root}:fgrep IPDIVERT FALL
>> options IPDIVERT $ Divert sockets
>>
>> fall.net1.cs{root}:cd /etc
>>
>> fall.net1.cs{root}:fgrep gateway rc.conf
>> defaultrouter="NO" # Set to default gateway (or NO).
>> gateway_enable="YES" # Set to YES if this host will be a gateway.
>> ipxgateway_enable="NO" # Set to YES to enable IPX routing.
>> forward_sourceroute="NO" # do source routing (only if gateway_enable
>> is set to "YES")
>>
>> fall.net1.cs{root}:fgrep firewall rc.conf
>> firewall_enable="YES" # Set to YES to enable firewall functionality
>> firewall_type="open" # Firewall type (see /etc/rc.firewall)
>> firewall_quiet="NO" # Set to YES to suppress rule display
>> natd_enable="NO" # Enable natd if firewall_enable.
>>
>> fall.net1.cs{root}:fgrep natd rc.conf
>> natd_enable="NO" # Enable natd if firewall_enable.
>> natd_interface="fxp0" # Public interface to use with natd if
>> natd_enable.
>> natd_flags="" # Additional flags for natd.
>>
>> fall.net1.cs{root}:fgrep natd services
>> natd 8668/divert #Network Address Translation
>>
>> fall.net1.cs{root}:ipfw -t list
>> 00100 allow ip from any to any via lo0
>> 00200 deny ip from any to 127.0.0.0/8
>> 65000 Wed Mar 24 22:46:05 1999 allow ip from any to any
>> 65535 deny ip from any to any
>>
>> fall.net1.cs{root}:ipfw -f flush
>> Flushed all rules.
>>
>> fall.net1.cs{root}:ipfw add divert natd all from any to any via ed0
>> 00000 divert 8668 ip from any to any via ed0
>>
>> fall.net1.cs{root}:ipfw add pass all from any to any
>> 00000 allow ip from any to any
>>
>> fall.net1.cs{root}:netstat -nr
>> Routing tables
>>
>> Internet:
>> Destination Gateway Flags Refs Use Netif Expire
>> 127.0.0.1 127.0.0.1 UH 0 0 lo0
>> 172.16 link#1 UC 0 0
>> 172.18 link#2 UC 0 0
>>
>> fall.net1.cs{root}:netstat -i
>> Name Mtu Network Address Ipkts Ierrs Opkts Oerrs Coll
>> ed0 1500 <Link> 00.40.95.76.90.4b 5 0 1 0 0
>> ed0 1500 172.16 fall 5 0 1 0 0
>> ed1 1500 <Link> 00.40.95.76.e4.d1 0 0 1 0 0
>> ed1 1500 172.18 fall.net3.cs 0 0 1 0 0
>> lp0* 1500 <Link> 0 0 0 0 0
>> tun0* 1500 <Link> 0 0 0 0 0
>> tun1* 1500 <Link> 0 0 0 0 0
>> sl0* 552 <Link> 0 0 0 0 0
>> sl1* 552 <Link> 0 0 0 0 0
>> ppp0* 1500 <Link> 0 0 0 0 0
>> ppp1* 1500 <Link> 0 0 0 0 0
>> lo0 16384 <Link> 48 0 48 0 0
>> lo0 16384 your-net localhost 48 0 48 0 0
>>
>> fall.net1.cs{root}:netstat -r
>> Routing tables
>>
>> Internet:
>> Destination Gateway Flags Refs Use Netif Expire
>> localhost localhost UH 0 72 lo0
>> 172.16 link#1 UC 0 0
>> 172.18 link#2 UC 0 0
>>
>> fall.net1.cs{root}:ipfw -t list
>> 00100 Wed Mar 24 22:50:22 1999 divert 8668 ip from any to any via ed0
>> 00200 Wed Mar 24 22:50:09 1999 allow ip from any to any
>> 65535 Wed Mar 24 22:47:35 1999 deny ip from any to any
>>
>> fall.net1.cs{root}:ping 172.16.1.7
>> PING 172.16.1.7 (172.16.1.7): 56 data bytes
>> ^C
>> --- 172.16.1.7 ping statistics ---
>> 3 packets transmitted, 0 packets received, 100% packet loss
>> (((NOTE: this ping would have worked if not for the presence of the divert
>> firewall rule and no natd running yet))))
>>
>> fall.net1.cs{root}:natd -interface ed0
>>
>> fall.net1.cs{root}:ping 172.16.1.7
>> PING 172.16.1.7 (172.16.1.7): 56 data bytes
>> ^C
>> --- 172.16.1.7 ping statistics ---
>> 3 packets transmitted, 0 packets received, 100% packet loss
>>
>> fall.net1.cs{root}:ps -aux
>> USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
>> root 232 0.0 0.9 384 272 p0 R+ 10:52PM 0:00.00 ps -aux
>> root 1 0.0 0.8 484 236 ?? Is 10:44PM 0:00.03 /sbin/init --
>> root 2 0.0 0.1 0 12 ?? DL 10:44PM 0:00.00 (pagedaemon)
>> root 3 0.0 0.1 0 12 ?? DL 10:44PM 0:00.00 (vmdaemon)
>> root 4 0.0 0.1 0 12 ?? DL 10:44PM 0:00.07 (update)
>> root 99 0.0 1.8 204 540 ?? Ss 10:44PM 0:00.16 syslogd
>> daemon 109 0.0 1.9 176 564 ?? Is 10:44PM 0:00.01 portmap
>> root 131 0.0 2.0 208 608 ?? Is 10:44PM 0:00.07 inetd
>> root 134 0.0 1.7 332 512 ?? Ss 10:44PM 0:00.04 cron
>> root 137 0.0 1.8 208 540 ?? Is 10:44PM 0:00.01 lpd
>> root 164 0.0 1.4 168 420 ?? Is 10:44PM 0:00.00 moused -p
>> /dev
>> root 173 0.0 2.4 372 720 ?? Is 10:44PM 0:02.23
>> /usr/local/sbi
>> root 196 0.0 1.1 460 328 v0 Is 10:44PM 0:00.19 -csh (csh)
>> root 197 0.0 1.8 180 544 v1 Is+ 10:44PM 0:00.03
>> /usr/libexec/g
>> root 198 0.0 1.8 180 544 v2 Is+ 10:44PM 0:00.03
>> /usr/libexec/g
>> root 204 0.0 1.5 216 460 v0 S+ 10:44PM 0:00.22 script huang
>> root 205 0.0 1.1 456 336 p0 Ss 10:44PM 0:00.13 -h -i (csh)
>> root 230 0.0 1.7 228 492 ?? Is 10:51PM 0:00.00 natd
>> -interfac
>> root 0 0.0 0.0 0 0 ?? DLs 10:44PM 0:00.01 (swapper)
>>
>> fall.net1.cs{root}:ipfw -t list
>> 00100 Wed Mar 24 22:51:37 1999 divert 8668 ip from any to any via ed0
>> 00200 Wed Mar 24 22:50:09 1999 allow ip from any to any
>> 65535 Wed Mar 24 22:47:35 1999 deny ip from any to any
>>
>> fall.net1.cs{root}:ping 172.16.1.7
>> PING 172.16.1.7 (172.16.1.7): 56 data bytes
>> ^C
>> --- 172.16.1.7 ping statistics ---
>> 2 packets transmitted, 0 packets received, 100% packet loss
>>
>> fall.net1.cs{root}:ipfw -t list
>> 00100 Wed Mar 24 22:52:36 1999 divert 8668 ip from any to any via ed0
>> 00200 Wed Mar 24 22:50:09 1999 allow ip from any to any
>> 65535 Wed Mar 24 22:47:35 1999 deny ip from any to any
>>
>> fall.net1.cs{root}:netstat -nr
>> Routing tables
>>
>> Internet:
>> Destination Gateway Flags Refs Use Netif Expire
>> 127.0.0.1 127.0.0.1 UH 0 120 lo0
>> 172.16 link#1 UC 0 0
>> 172.16.1.7 link#1 UHLW 0 8
>> 172.18 link#2 UC 0 0
>>
>> fall.net1.cs{root}:netstat -r
>> Routing tables
>>
>> Internet:
>> Destination Gateway Flags Refs Use Netif Expire
>> localhost localhost UH 0 120 lo0
>> 172.16 link#1 UC 0 0
>> september link#1 UHLW 0 8
>> 172.18 link#2 UC 0 0
>>
>> fall.net1.cs{root}:netstat -i
>> Name Mtu Network Address Ipkts Ierrs Opkts Oerrs Coll
>> ed0 1500 <Link> 00.40.95.76.90.4b 8 0 1 0 0
>> ed0 1500 172.16 fall 8 0 1 0 0
>> ed1 1500 <Link> 00.40.95.76.e4.d1 0 0 1 0 0
>> ed1 1500 172.18 fall.net3.cs 0 0 1 0 0
>> lp0* 1500 <Link> 0 0 0 0 0
>> tun0* 1500 <Link> 0 0 0 0 0
>> tun1* 1500 <Link> 0 0 0 0 0
>> sl0* 552 <Link> 0 0 0 0 0
>> sl1* 552 <Link> 0 0 0 0 0
>> ppp0* 1500 <Link> 0 0 0 0 0
>> ppp1* 1500 <Link> 0 0 0 0 0
>> lo0 16384 <Link> 224 0 224 0 0
>> lo0 16384 your-net localhost 224 0 224 0 0
>>
>> fall.net1.cs{root}:ifconfig -a
>> ed0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>> inet 172.16.1.6 netmask 0xffff0000 broadcast 172.16.255.255
>> ether 00:40:95:76:90:4b
>> ed1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>> inet 172.18.1.1 netmask 0xffff0000 broadcast 172.18.255.255
>> ether 00:40:95:76:e4:d1
>> lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
>> tun0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
>> tun1: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
>> sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552
>> sl1: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552
>> ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
>> ppp1: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
>> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
>> inet 127.0.0.1 netmask 0xff000000
>>
>> fall.net1.cs{root}:ping 172.16.1.5
>> PING 172.16.1.5 (172.16.1.5): 56 data bytes
>> ^C
>> --- 172.16.1.5 ping statistics ---
>> 3 packets transmitted, 0 packets received, 100% packet loss
>>
>> fall.net1.cs{root}:ipfw -t list
>> 00100 Wed Mar 24 22:55:51 1999 divert 8668 ip from any to any via ed0
>> 00200 Wed Mar 24 22:55:27 1999 allow ip from any to any
>> 65535 Wed Mar 24 22:47:35 1999 deny ip from any to any
>>
>> fall.net1.cs{root}:netstat -i
>> Name Mtu Network Address Ipkts Ierrs Opkts Oerrs Coll
>> ed0 1500 <Link> 00.40.95.76.90.4b 12 0 1 0 0
>> ed0 1500 172.16 fall 12 0 1 0 0
>> ed1 1500 <Link> 00.40.95.76.e4.d1 0 0 1 0 0
>> ed1 1500 172.18 fall.net3.cs 0 0 1 0 0
>> lp0* 1500 <Link> 0 0 0 0 0
>> tun0* 1500 <Link> 0 0 0 0 0
>> tun1* 1500 <Link> 0 0 0 0 0
>> sl0* 552 <Link> 0 0 0 0 0
>> sl1* 552 <Link> 0 0 0 0 0
>> ppp0* 1500 <Link> 0 0 0 0 0
>> ppp1* 1500 <Link> 0 0 0 0 0
>> lo0 16384 <Link> 416 0 416 0 0
>> lo0 16384 your-net localhost 416 0 416 0 0
>>
>> fall.net1.cs{root}:netstat -r
>> Routing tables
>>
>> Internet:
>> Destination Gateway Flags Refs Use Netif Expire
>> localhost localhost UH 0 440 lo0
>> 172.16 link#1 UC 0 0
>> june link#1 UHLW 0 3
>> 172.18 link#2 UC 0 0
>>
>> fall.net1.cs{root}:netstat -nr
>> Routing tables
>>
>> Internet:
>> Destination Gateway Flags Refs Use Netif Expire
>> 127.0.0.1 127.0.0.1 UH 0 496 lo0
>> 172.16 link#1 UC 0 0
>> 172.16.1.5 link#1 UHLW 0 3
>> 172.18 link#2 UC 0 0
>> fall.net1.cs{root}:exit
>>
>> Script done on Wed Mar 24 22:57:10 1999
>>
>> *september's address 172.16.1.7
>> *june's address 172.16.1.5
>
>
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
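Three things have to agree before natd can translate the gateway's traffic: the kernel options, the interface named in the divert rule, and the interface natd itself is started on. As an added example that is not part of this thread, the POSIX sh functions below run that consistency check over lines copied from the dump (constructed inline, not live output); on a real gateway you would feed them `ipfw -t list`, /etc/rc.conf and the kernel config, and the last argument is the -interface value natd was started with. Against the dump the only finding is that rc.conf still names fxp0 while natd was started by hand on ed0; with natd_enable="NO" that does not explain the failing pings, but it is the wrong-interface mistake Ari asked about.

```shell
#!/bin/sh
# Added example, not from the thread: consistency checks for an ipfw+natd
# setup, fed with text copied from the dump above (constructed inline).
RULES='00100 Wed Mar 24 22:50:22 1999 divert 8668 ip from any to any via ed0
00200 Wed Mar 24 22:50:09 1999 allow ip from any to any
65535 Wed Mar 24 22:47:35 1999 deny ip from any to any'
RCCONF='natd_enable="NO"        # Enable natd if firewall_enable.
natd_interface="fxp0"   # Public interface to use with natd if natd_enable.
natd_flags=""           # Additional flags for natd.'
KERNCONF='options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPDIVERT        # Divert sockets'
# kernel_has OPTION CONFIG: true if CONFIG has an "options OPTION" line;
# the name must match exactly, so IPFIREWALL does not match IPFIREWALL_VERBOSE.
kernel_has() {
    printf '%s\n' "$2" | grep -Eq "^options[[:space:]]+$1([[:space:]]|$)"
}
# divert_iface RULES: interface named after "via" in the first divert rule
# (walking the fields skips the timestamp that `ipfw -t list` inserts).
divert_iface() {
    printf '%s\n' "$1" | awk '/ divert / {
        for (i = 1; i <= NF; i++) if ($i == "via") { print $(i + 1); exit } }'
}
# divert_before_allow RULES: true if the divert rule is numbered below the
# first allow rule, so packets are translated before a rule passes them.
divert_before_allow() {
    printf '%s\n' "$1" | awk '
        / divert / && !d { d = $1 + 0 }
        / allow /  && !a { a = $1 + 0 }
        END { exit !(d && a && d < a) }'
}
# rc_natd_iface RCCONF: value of natd_interface in rc.conf text
rc_natd_iface() {
    printf '%s\n' "$1" | sed -n 's/^natd_interface="\([^"]*\)".*/\1/p'
}
# natd_setup_ok RULES RCCONF KERNCONF IFACE: one line per problem found,
# false if any; IFACE is the -interface natd was started with (ed0 here).
natd_setup_ok() {
    bad=0
    kernel_has IPDIVERT "$3"   || { echo "kernel lacks IPDIVERT"; bad=1; }
    kernel_has IPFIREWALL "$3" || { echo "kernel lacks IPFIREWALL"; bad=1; }
    divert_before_allow "$1"   || { echo "divert rule is not ahead of the allow rule"; bad=1; }
    d=$(divert_iface "$1")
    [ "$d" = "$4" ] || { echo "divert rule is via $d but natd runs on $4"; bad=1; }
    [ "$(rc_natd_iface "$2")" = "$4" ] ||
        { echo "rc.conf natd_interface is not $4 (matters once natd_enable=YES)"; bad=1; }
    return $bad
}
natd_setup_ok "$RULES" "$RCCONF" "$KERNCONF" ed0 || echo "check found problems"
```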