Delivered-To: freebsd-questions@freebsd.org
From: "Jason"
Cc: "Brother Wolf"
Subject: firewall and natd configurations
Date: Mon, 22 Oct 2001 17:29:01 -0700

Hello, I have a question that I've been trying to puzzle out for several days now:

I am currently running FreeBSD 4.2. The system is acting as both a gateway and a firewall on a cable connection to two other machines.

All is well for the most part, everything I want to work works, until I try to send or receive files via ICQ.

I managed to get to the point where I can send files via ICQ, the network differentiates between the two users on the network, but I cannot receive... from other people on cable networks. Confused yet? I am.

I am able to receive files from someone on a dialup connection, but not from a cable connection. I can actually get the request to come in, but that's the end of it. The command dmesg shows me the attempt (I turned logging on) but my end cannot acknowledge the request.

Here are my settings so far:

rc.firewall

/sbin/ipfw -f flush
/sbin/ipfw add 100 divert natd all from any to any via rl0
/sbin/ipfw add 1000 deny tcp from any to any 137-139 via rl0
/sbin/ipfw add 1100 deny udp from any to any 137-139 via rl0
/sbin/ipfw add 3000 allow log tcp from any to 24.71.32.13 5000-5999 via rl0
/sbin/ipfw add 3100 allow log tcp from 192.168.1.5 5000-5499 to 24.71.32.13 5000-5499 via rl0
/sbin/ipfw add 3200 allow log tcp from 192.168.1.3 5500-5999 to 24.71.32.13 5500-5999 via rl0
/sbin/ipfw add 4000 pass all from any to any via rl1

rc.conf (those lines that are relevant anyway)

hostname="mach1.wiredwolf.net"
network_interfaces="lo0 rl0 rl1"
ifconfig_lo0="inet 127.0.0.1"
ifconfig_rl0="DHCP"
ifconfig_rl1="inet 192.168.1.1 netmask 255.255.255.0"
named_enable="YES"
gateway_enable="YES"
natd_enable="YES"
natd_interface="rl0"
firewall_enable="YES"

I have been trying to run the following natd commands to redirect ports to individual systems on the network:

/sbin/natd -redirect_port tcp 192.168.1.5:5000-5499 24.71.32.13:5000-5499 -n rl0
/sbin/natd -redirect_port tcp 192.168.1.3:5500-5999 24.71.32.13:5500-5999 -n rl0

Unfortunately each time I try I get the following error:

natd: Unable to bind divert socket.: Address already in use

I'm assuming the address is the alias address or the remote address (-n rl0) but it's not specific. I haven't been able to figure out how to get around this problem. It seems that once natd is specified as diverted by the ipfw firewall rules the socket is closed to any modifications? If I run these commands before the firewall rules are in place it gets confused because it can't find the addresses. If I run it after, it says the address is already in use...

... Any ideas?
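As an added example (not code from the post), a small Python model of the rc.firewall rules and the two redirect_port mappings above, evaluated ipfw-style for one inbound TCP connection arriving on rl0: after rule 100 diverts the packet to natd it re-enters at the next rule carrying whatever translation natd applied, so once a redirect rewrites the destination to 192.168.1.5, rule 3000 (which matches on 24.71.32.13) no longer sees it and nothing later in the list covers it. The peer address 203.0.113.7 is constructed; outbound traffic and dynamic NAT state are left out of the model.

```python
# Simplified ipfw/natd model of the posted ruleset: inbound on rl0 only, no dynamic NAT state.

EXT_IP = "24.71.32.13"  # the gateway's rl0 address quoted in the post

# (number, action, proto, src, src ports, dst, dst ports, iface); None means "any"
RULES = [
    (100,  "divert", "ip",  None, None, None, None, "rl0"),
    (1000, "deny",   "tcp", None, None, None, (137, 139), "rl0"),
    (1100, "deny",   "udp", None, None, None, (137, 139), "rl0"),
    (3000, "allow",  "tcp", None, None, EXT_IP, (5000, 5999), "rl0"),
    (3100, "allow",  "tcp", "192.168.1.5", (5000, 5499), EXT_IP, (5000, 5499), "rl0"),
    (3200, "allow",  "tcp", "192.168.1.3", (5500, 5999), EXT_IP, (5500, 5999), "rl0"),
    (4000, "allow",  "ip",  None, None, None, None, "rl1"),
]

# The two -redirect_port mappings the poster tried: (proto, alias ports, target host)
REDIRECTS = [("tcp", (5000, 5499), "192.168.1.5"),
             ("tcp", (5500, 5999), "192.168.1.3")]

def _in_range(port, rng):
    return rng is None or rng[0] <= port <= rng[1]

def matches(rule, pkt):
    _, _, proto, src, sp, dst, dp, iface = rule
    return (proto in ("ip", pkt["proto"])
            and src in (None, pkt["src"]) and _in_range(pkt["sport"], sp)
            and dst in (None, pkt["dst"]) and _in_range(pkt["dport"], dp)
            and iface == pkt["iface"])

def natd_inbound(pkt, redirects):
    """Unsolicited inbound packet at natd: dst is rewritten only when a redirect covers it."""
    for proto, rng, target in redirects:
        if proto == pkt["proto"] and pkt["dst"] == EXT_IP and _in_range(pkt["dport"], rng):
            return dict(pkt, dst=target)
    return pkt  # no mapping: natd passes the packet through unchanged

def evaluate(pkt, redirects=()):
    """First-match walk; after 'divert natd' the packet re-enters at the next rule. Returns (verdict, packet)."""
    for rule in RULES:
        if not matches(rule, pkt):
            continue
        if rule[1] == "divert":
            pkt = natd_inbound(pkt, redirects)  # translated packet continues at rule 101 onward
            continue
        return rule[1], pkt
    return "default", pkt  # nothing matched: the kernel's compiled-in default policy decides

# Constructed sample: an ICQ file-transfer SYN from a cable peer to alias port 5200
ICQ_SYN = {"proto": "tcp", "src": "203.0.113.7", "sport": 1234,
           "dst": EXT_IP, "dport": 5200, "iface": "rl0"}
```

evaluate(ICQ_SYN) returns 'allow' with the destination still the gateway address itself, while evaluate(ICQ_SYN, REDIRECTS) rewrites the destination to 192.168.1.5 and then falls through to 'default'.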