From: Paul Mielke <paulm@securify.com>
To: "Ron Smith", freebsd-security@FreeBSD.ORG
Cc: support@cdrom.com
Subject: Re: NAT and /etc/rc.firewall
Date: Wed, 12 Apr 2000 16:41:54 -0700
Message-Id: <4.2.0.58.20000412163416.00b74a20@localhost>
In-Reply-To: <20000413002323.98449.qmail@hotmail.com>

At 05:23 PM 4/12/00 -0700, Ron Smith wrote:
...
>NAT doesn't work for anyone on the LAN trying to reach the internet
>through 'firewall_type="simple"', but works fine with
>'firewall_type="open"'. Do you think the above settings are correct,
>and in the right place?
>
>Can anyone give me a hand? Everything looks O.K. to me, unless I'm
>missing something. Maybe there's something I'm missing altogether when
>I try to go 'firewall_type="simple"' and use those stock rules, as is,
>in '/etc/rc.firewall'. If I need to make changes there, could someone
>mail me a sample of some rules that work for NAT+ipfw?

Hi, Ron.

I just took a quick look at the stock rc.firewall and I don't think
that's enough info to allow remote diagnosis of the problem.

I don't have access to my firewall from my current location, so I can't
send you my working config files at this point. Maybe later this
evening.

For now, I would suggest that you try to diagnose the problem by either
using "ipfw show" or by using the 'log' keyword on all the ipfw rules to
figure out which rule is the one that is trashing your packets. For
example, do the following:

    ipfw show > fw.stats.before
    (do some operation that fails)
    ipfw show > fw.stats.after

ipfw will update the counters on each rule every time one of them fires.
By diffing the two stats files, you can figure out which rule is the
offending one.

When I went through the initial phase of getting my setup working, I
spent a lot of time iterating on the above steps interspersed with
poring over the ipfw manpage.

Regards,
Paul

Paul Mielke        paulm@alumni.stanford.org
Securify, Inc.     650-812-9400 x4118
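A script form of the counter-diff step Paul describes, added here as an example and not part of the original message. It assumes the "ipfw show" output layout (rule number, packet count, byte count, rule text) and works on saved snapshot files, so the constructed sample snapshots below stand in for real firewall output:

```shell
#!/bin/sh
# Report every ipfw rule whose packet counter advanced between two
# "ipfw show" snapshots, so the rule that ate the failing traffic
# (or the one that should have matched but did not) stands out.
#
# On the firewall itself (assumed "ipfw show" format):
#   ipfw show > fw.stats.before
#   ...do the operation that fails...
#   ipfw show > fw.stats.after
#   ipfw_counter_diff fw.stats.before fw.stats.after

ipfw_counter_diff() {
    # $1 = snapshot taken before, $2 = snapshot taken after.
    # Prints: <rule number> +<packet delta> pkts: <rule text>
    awk '
        NR == FNR { pkts[$1] = $2; next }        # first file: packets per rule
        ($1 in pkts) && $2 > pkts[$1] {          # second file: counter advanced?
            delta = $2 - pkts[$1]
            rule = ""
            for (i = 4; i <= NF; i++) rule = rule " " $i
            printf "%s +%d pkts:%s\n", $1, delta, rule
        }
    ' "$1" "$2"
}

# Constructed sample snapshots (not real output): only the divert rule
# and a deny rule with the log keyword see traffic during the "failure".
make_samples() {
    cat > "$1" <<'EOF'
00100 42 3360 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 17 1400 divert 8668 ip from any to any via ed0
00400 5 300 deny log ip from 192.168.0.0/16 to any out via ed0
65535 3 120 deny ip from any to any
EOF
    cat > "$2" <<'EOF'
00100 42 3360 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 18 1460 divert 8668 ip from any to any via ed0
00400 6 360 deny log ip from 192.168.0.0/16 to any out via ed0
65535 3 120 deny ip from any to any
EOF
}
```

Running it on the samples reports rules 00300 and 00400 only; the deny rule that advanced is the one to look at first.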