Date: Mon, 22 Oct 2001 17:29:01 -0700
From: "Jason" <brotherwolf@wiredwolf.net>
To: <freebsd-questions@FreeBSD.ORG>
Cc: "Brother Wolf" <brotherwolf@wiredwolf.net>
Subject: firewall and natd configurations
Message-ID: <000801c15b59$b6f7e1c0$0301a8c0@brother>
Hello, I have a question that I've been trying to puzzle out for several days now:

I am currently running FreeBSD 4.2.
The system is acting as both a gateway and a firewall on a cable connection to two other machines.

All is well for the most part, everything I want to work works, until I try to send or receive files via ICQ.

I managed to get to the point where I can send files via ICQ, the network differentiates between the two users on the network, but I cannot receive... from other people on cable networks. Confused yet? I am.

I am able to receive files from someone on a dialup connection, but not from a cable connection. I can actually get the request to come in, but that's the end of it. The command dmesg shows me the attempt (I turned logging on) but my end cannot acknowledge the request.

Here are my settings so far:

rc.firewall

/sbin/ipfw -f flush
/sbin/ipfw add 100 divert natd all from any to any via rl0
/sbin/ipfw add 1000 deny tcp from any to any 137-139 via rl0
/sbin/ipfw add 1100 deny udp from any to any 137-139 via rl0
/sbin/ipfw add 3000 allow log tcp from any to 24.71.32.13 5000-5999 via rl0
/sbin/ipfw add 3100 allow log tcp from 192.168.1.5 5000-5499 to 24.71.32.13 5000-5499 via rl0
/sbin/ipfw add 3200 allow log tcp from 192.168.1.3 5500-5999 to 24.71.32.13 5500-5999 via rl0
/sbin/ipfw add 4000 pass all from any to any via rl1

rc.conf (those lines that are relevant anyway)

hostname="mach1.wiredwolf.net"
network_interfaces="lo0 rl0 rl1"
ifconfig_lo0="inet 127.0.0.1"
ifconfig_rl0="DHCP"
ifconfig_rl1="inet 192.168.1.1 netmask 255.255.255.0"
named_enable="YES"
gateway_enable="YES"
natd_enable="YES"
natd_interface="rl0"
firewall_enable="YES"

I have been trying to run the following natd commands to redirect ports to individual systems on the network:

/sbin/natd -redirect_port tcp 192.168.1.5:5000-5499 24.71.32.13:5000-5499 -n rl0
/sbin/natd -redirect_port tcp 192.168.1.3:5500-5999 24.71.32.13:5500-5999 -n rl0

Unfortunately each time I try I get the following error:

natd: Unable to bind divert socket.: Address already in use

I'm assuming the address is the alias address or the remote address (-n rl0) but it's not specific. I haven't been able to figure out how to get around this problem. It seems that once natd is specified as diverted by the ipfw firewall rules the socket is closed to any modifications? If I run these commands before the firewall rules are in place it gets confused because it can't find the addresses. If I run it after, it says the address is already in use...

... Any ideas?
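An added example, not from the post above and not FreeBSD's own rc scripts, showing the layout that avoids the divert-socket collision described in the mail. Two facts drive it: with natd_enable="YES" in rc.conf the boot scripts already start a natd that owns the divert socket (port 8668), so every natd started by hand afterwards fails with "Unable to bind divert socket"; and natd accepts any number of redirect_port lines in a configuration file passed with -f, so all redirections belong to that single instance. A second caveat concerns the ipfw rules: natd re-injects a translated packet at the rule following the divert rule, so an inbound ICQ packet reaches rule 1000 with destination 192.168.1.5 or 192.168.1.3, not 24.71.32.13, and the accept rules for the redirected ranges have to name the LAN addresses (the original rule 3000 could only have matched and logged requests while no redirect was in effect, which is consistent with the request arriving and then going nowhere). The block assumes the interfaces, addresses and port ranges quoted in the mail and the path /etc/natd.conf; the NetBIOS denies and the pass-all on rl1 are kept as the author wrote them. The rule set is emitted as text so it can be reviewed before it is loaded.

```shell
#!/bin/sh
# Added example, not part of the original post. Interfaces, addresses and
# port ranges are the ones quoted in the e-mail (assumed, not verified):
# public side rl0 = 24.71.32.13, LAN side rl1 = 192.168.1.0/24,
# ICQ on 192.168.1.5 (5000-5499) and 192.168.1.3 (5500-5999).
set -eu

PUBLIC_IF=rl0
LAN_IF=rl1
PUBLIC_IP=24.71.32.13

# natd(8) configuration for /etc/natd.conf. ONE natd process, started from
# rc.conf, owns the divert socket; every redirection is listed here instead
# of being passed to a second, hand-started natd (which cannot bind the
# socket the first one already holds). use_sockets/same_ports are the usual
# handbook settings and are not required for the redirections to work.
natd_conf() {
    cat <<EOF
interface $PUBLIC_IF
use_sockets yes
same_ports yes
redirect_port tcp 192.168.1.5:5000-5499 5000-5499
redirect_port tcp 192.168.1.3:5500-5999 5500-5999
EOF
}

# rc.conf lines that start that single instance with the file above;
# natd_flags is passed through to natd by the rc scripts.
rc_conf_natd() {
    cat <<EOF
natd_enable="YES"
natd_interface="$PUBLIC_IF"
natd_flags="-f /etc/natd.conf"
EOF
}

# ipfw rule set, one "add ..." argument list per line. The divert rule comes
# first; natd re-injects translated packets at the rule after it, so inbound
# traffic to the redirected ranges is matched on the LAN addresses, not on
# $PUBLIC_IP. Logging stays on those rules so dmesg still shows attempts.
ipfw_rules() {
    cat <<EOF
add 100 divert natd all from any to any via $PUBLIC_IF
add 1000 deny tcp from any to any 137-139 via $PUBLIC_IF
add 1100 deny udp from any to any 137-139 via $PUBLIC_IF
add 3000 allow log tcp from any to 192.168.1.5 5000-5499 in via $PUBLIC_IF
add 3100 allow log tcp from any to 192.168.1.3 5500-5999 in via $PUBLIC_IF
add 4000 pass all from any to any via $LAN_IF
EOF
}

# Load the rule set on the gateway (only called when invoked with "apply").
apply_rules() {
    /sbin/ipfw -f flush
    ipfw_rules | while IFS= read -r rule; do
        # shellcheck disable=SC2086  word splitting of the rule is intended
        /sbin/ipfw -q $rule
    done
}

# Default action is to print the three fragments for review.
if [ "${1:-show}" = apply ]; then
    apply_rules
else
    natd_conf; echo; rc_conf_natd; echo; ipfw_rules
fi
```

Run without arguments to see the natd.conf, rc.conf and ipfw fragments; write the first to /etc/natd.conf, merge the second into rc.conf, and only then restart natd once (or reboot) so that exactly one instance holds the divert socket. The remaining policy (what happens to traffic none of these rules match) is whatever the kernel's default rule already does on this gateway; the example does not change it.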