From: Josh Paetzel
Reply-To: friar_josh@webwarrior.net
To: Matthew Seaman
Cc: Derek Sailor, freebsd-questions@FreeBSD.ORG
Subject: Re: Unable to connect to servers outside of intranet
Date: 12 Aug 2002 09:50:40 +0000
Message-Id: <1029145843.279.13.camel@heater.vladsempire.net>

On Mon, 2002-08-12 at 10:21, Matthew Seaman wrote:
> On Sun, Aug 11, 2002 at 08:02:11PM -0700, Derek Sailor wrote:
>
> > I have two server services running, sshd and ftpd.
> > From my internal network (192.168.0.x) on interface
> > de0 I'm able to connect fine. However, from the
> > internet (on my AT&T broadband cable modem) on
> > interface de1 I'm unable to connect at all.
>
> This smells like one of two things to me --- mostly because you've
> eliminated pretty much all the other options in your quite excellent
> report.
>
> First option is a routing problem: do you have a default route
> pointing out of your de1 interface?
>
>     netstat -r
>
> will show you what routes you have currently, and this command will
> create the route:
>
>     route add default 123.45.67.89
>
> where 123.45.67.89 should be replaced by the IP number of your de1
> interface. To make that persist across reboots, add:
>
>     defaultrouter="123.45.67.89"
>
> to /etc/rc.conf. If your external address is dynamically assigned by
> your ISP, then the ppp or dhclient software you're using should have a
> facility to automatically handle setting up a default route for you.
>
> Second option is the NAT configuration on your machine. NAT is
> principally designed to handle connections starting from the inside
> and going out: natd keeps a record of the outgoing packet headers, so
> that it can recognise packets coming back in response and forward them
> on to the original source.
>
> The problem comes when the connection is initiated from the outside
> --- what address should natd forward the packets to? There are
> several '-redirect' options given in the natd(8) man page in order to
> solve this problem. In your case, I think all you need to do is
> redirect tcp traffic on ports 20 (ftp-data), 21 (ftp) and 22 (ssh) to
> the internal interface of your machine, by adding
>
>     --redirect_port tcp 192.168.0.1:20-22 20-22
>
> to the natd flags (assuming 192.168.0.1 is the address of your de0
> interface).
>
> Cheers,
>
> Matthew

If there are no redirect rules in place on a box running natd, incoming
connections are routed to the natd box itself. I have a setup virtually
identical to Derek's and incoming connections work fine.

I doubt it would be a default route issue, since he seems to have
internet connectivity. One issue that many cable users have is their
providers filter various ports below 1024 in an attempt to keep their
users from running servers on their networks.
It sounds like from Derek's mail that he had a working setup in 3.x and
it broke in 4.x though, making the port filtering scenario very
unlikely.

Derek, I'd like to see your rc.conf as well as the output of netstat
-nr. I'm sure we can get to the bottom of this.

Josh
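
An added example, not part of the original thread: a small POSIX shell check for the default-route question raised above, reading `netstat -nr` output and reporting which interface carries the default route. The sample routing table, its 192.0.2.x addresses, the FreeBSD column layout and the function names are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the thread: find the default route in
# `netstat -nr` output (FreeBSD column layout assumed) read from stdin.

# Constructed sample; 192.0.2.x are documentation placeholder addresses.
sample_netstat() {
cat <<'EOF'
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.0.2.1          UGSc        4     1234    de1
127.0.0.1          127.0.0.1          UH          0        0    lo0
192.0.2            link#2             UC          1        0    de1
192.168.0          link#1             UC          2        0    de0
EOF
}

# Print "<gateway> <netif>" for the IPv4 default route; status 1 if none.
default_route() {
    awk '
        /^Internet:/  { in4 = 1; next }   # IPv4 table starts
        /^Internet6:/ { in4 = 0 }         # skip the IPv6 table
        in4 && $1 == "Destination" {      # find the Netif column by name
            for (i = 1; i <= NF; i++) if ($i == "Netif") col = i
            next
        }
        in4 && col && $1 == "default" { print $2, $col; found = 1; exit }
        END { exit (found ? 0 : 1) }
    '
}

# Check that the default route leaves via the expected external interface.
check_default_route() {
    expected_if=$1
    if ! route=$(default_route); then
        echo "no default route"; return 2
    fi
    netif=${route#* }
    if [ "$netif" = "$expected_if" ]; then
        echo "ok: default via ${route% *} on $netif"
    else
        echo "mismatch: default on $netif, expected $expected_if"; return 1
    fi
}

# On a live system: netstat -nr | check_default_route de1
sample_netstat | check_default_route de1
```

A default route on the external interface only rules out the routing hypothesis; it says nothing about natd redirect rules or provider-side port filtering.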