From owner-freebsd-questions Mon Jul 12 21:08:48 1999
Delivered-To: freebsd-questions@freebsd.org
Received: from smtp3.hawaii.rr.com (smtp3.hawaii.rr.com [204.210.97.13]) by hub.freebsd.org (Postfix) with ESMTP id 146CD152C0 for ; Mon, 12 Jul 1999 21:08:42 -0700 (PDT) (envelope-from art@hawaii.rr.com)
Received: from taz - 24.94.75.210 by smtp3.hawaii.rr.com with Microsoft SMTPSVC(5.5.1774.114.11); Mon, 12 Jul 1999 17:56:59 -1000
Message-Id: <3.0.6.32.19990712180811.03074230@clients1.hawaii.rr.com>
X-Sender: art@clients1.hawaii.rr.com
X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.6 (32)
Date: Mon, 12 Jul 1999 18:08:11 -1000
To: "Michael P. Neuman"
From: "Art Neilson, KH7PZ"
Subject: Re: natd/ipfw question.
Cc: freebsd-questions@FreeBSD.ORG
In-Reply-To: <000601becc41$5208c6c0$04c809c0@kramer.cmsnet.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Did you enable natd in rc.conf? The following code in rc.firewall needs to
execute before the rest of the rules get set up:

    ############
    # These rules are required for using natd. All packets are passed to
    # natd before they encounter your remaining rules. The firewall rules
    # will then be run again on each packet after translation by natd,
    # minus any divert rules (see natd(8)).
    if [ "X${natd_enable}" = X"YES" -a "X${natd_interface}" != X"" ]; then
        $fwcmd add divert natd all from any to any via ${natd_interface}
    fi

In rc.conf you need:

    natd_program="/sbin/natd"      # path to natd, if you want a different one.
    natd_enable="YES"              # Enable natd (if firewall_enable == YES).
    natd_interface="ep0"           # Public interface or IPaddress to use.
    natd_flags="-l -u -dynamic"    # Additional flags for natd.

Note that my outside interface is ep0, a 3COM 3C509B-TP ISA card. You need
to set yours to whatever your driver is. I made my own "custom" firewall
rules in rc.firewall, i.e. firewall_type="custom" in rc.conf :^).
I can share them with you if you want, send me private email. My rules do
pretty much what you describe. You will have to tweak them for your
particular needs.

At 04:34 AM 7/12/99 -0400, you wrote:
>Well, I guess you are right. But, I just thought of another question.
>Right now I have the basic OPEN firewall setting. As soon as I go and add
>"real" rules, NATD doesn't seem to be able to function. For example, I want
>to deny everything and allow only those outgoing and incoming connections
>which I "say" are alright. How come when I deny everything else it blocks
>NAT from functioning. I've asked this before but nobody could seem to
>answer it. Thanks again.
>
>-----Original Message-----
>From: Art Neilson, KH7PZ
>To: Michael P. Neuman
>Cc: freebsd-questions@FreeBSD.ORG
>Date: Monday, July 12, 1999 6:25 PM
>Subject: Re: natd/ipfw question.
>
>
>>At 01:59 AM 7/12/99 -0400, you wrote:
>>>Hello. I'm currently running FreeBSD-3.2-RELEASE. I have natd and ipfw
>>>working great right now I'm also running DNS. Currently, it directs my
>>>internal network of unregistered IP's to the internet. What I want to
>>>also do is the reverse. I want to be able to telnet to my computer with
>>>the unregistered address from the internet. I.E.: I'm on the internet.
>>>I want to connect to kramer.cmsnet.net (IP 192.168.1.2) from the
>>>internet. Is there a way to set up NATD/IPFW to do this??? Thanks in
>>>advance. I hope you can understand what I'm saying
>>>--
>>>Michael P. Neuman - Consultant, NeuTech Computer Consulting
>>
>>Wouldn't that defeat the purpose of the firewall? Besides, those unregistered
>>IP addresses won't be honored by any DNS servers on the outside so you'd
>>have to use the IP address. Not sure that would even work, I don't think any
>>router would route that address on the outside.
>>--
>>   __
>>  / )  _/_    It is a capital mistake to theorise before one has data.
>> /--/ __ /    Insensibly one begins to twist facts to suit theories,
>>/ (_/ (_<__   Instead of theories to suit facts.
>>                   -- Sherlock Holmes, "A Scandal in Bohemia"
>>Arthur W. Neilson III, KH7PZ
>>Bank of Hawaii Tech Support
>>art@hawaii.rr.com
>>
>>
>
>
-- 
   __
  / )  _/_    It is a capital mistake to theorise before one has data.
 /--/ __ /    Insensibly one begins to twist facts to suit theories,
/ (_/ (_<__   Instead of theories to suit facts.
                   -- Sherlock Holmes, "A Scandal in Bohemia"
Arthur W. Neilson III, KH7PZ
Bank of Hawaii Tech Support
art@hawaii.rr.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
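As an added example (not code from Art's message or from the FreeBSD base system), here is a "custom" rc.firewall fragment that applies the point made above: the divert rule comes first, and the rules on the outside interface are written against the addresses natd has already translated, which is why a default-deny ruleset written against the inside network appears to "block NAT". The interface names, inside network and public address are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from Art's message or the FreeBSD base system: a
# "custom" rc.firewall fragment (firewall_type="custom") that keeps the
# natd divert rule ahead of a default-deny policy.
# Constructed placeholder values, replace with your own:
#   ep0 = outside interface, ed0 = inside interface,
#   192.168.1.0/24 = inside (unregistered) network,
#   203.0.113.5 = public address natd translates to.
# fwcmd is prefixed with "echo" so the script only prints the rules;
# remove the echo to load them for real.
fwcmd="echo /sbin/ipfw"
oif="ep0"
iif="ed0"
inet="192.168.1.0/24"
oip="203.0.113.5"

setup_custom_rules() {
    ${fwcmd} -f flush

    # 1. Divert FIRST, as the stock rc.firewall does when natd_enable=YES.
    #    A packet crossing ${oif} is rewritten by natd and re-enters the
    #    rule list after this rule, so every later rule sees translated
    #    addresses, not the private ones.
    ${fwcmd} add 100 divert natd all from any to any via ${oif}

    # 2. Loopback and anti-spoofing, as in the stock rules.
    ${fwcmd} add 200 pass all from any to any via lo0
    ${fwcmd} add 210 deny all from any to 127.0.0.0/8
    ${fwcmd} add 220 deny all from ${inet} to any in via ${oif}

    # 3. The inside LAN may talk to the gateway and onward.
    ${fwcmd} add 300 pass all from any to any via ${iif}

    # 4. Outbound on ${oif}: by now the source is the PUBLIC address.
    #    Matching ${inet} here is the usual mistake that makes a
    #    default-deny ruleset look like it "blocks NAT".
    ${fwcmd} add 400 pass tcp from ${oip} to any out via ${oif} setup
    ${fwcmd} add 410 pass udp from ${oip} to any 53 out via ${oif}

    # 5. Inbound replies on ${oif}: natd has already rewritten the
    #    destination back to the inside host, so match ${inet}.
    ${fwcmd} add 500 pass tcp from any to ${inet} in via ${oif} established
    ${fwcmd} add 510 pass udp from any 53 to ${inet} in via ${oif}

    # 6. Everything else is dropped and logged.
    ${fwcmd} add 65000 deny log all from any to any
}

setup_custom_rules
```

Run it as-is to review the generated rule list; only the first rule after the flush may be the divert, and no rule on the outside interface should name the inside network as the outbound source.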