Date: Mon, 17 Jun 2002 21:57:13 -0700 (PDT)
From: "Nielsen" <nielsen@memberwebs.com>
To: "grimm" <grimm@planetquake.com>
Cc: <freebsd-security@freebsd.org>
Subject: Re: ipfw-ntad-jail
Message-ID: <20020618045713.6F80D37B440@hub.freebsd.org>
References: <20020616134201.529b01aa.grimm@planetquake.com> <200206170035.g5H0Zr3g029046@mail2.gamespy.com> <20020616224440.46dcdfaa.grimm@planetquake.com>
> > Lastly, I would check that the packets are in fact getting NAT'd in.
> > It may be the out that's the problem.
>
> How do I check that?

I would disable the onepass setting above and put appropriate count and allow rules around the divert rule in the firewall. Then you could see exactly how it was getting translated. Secondly you could run natd with the logging option and you'll get some statistics out of there.

> > I think in addition to the redirect_tcp you also have to do a proper NAT thing. In my
> > understanding, redirections open holes to let stuff in, but for the packets to get back
> > out proper Natting is required. OTOH, most of my experience is with ipnat, so I'm not
> > sure here.
>
> I am not sure if there is a proper nat thing required, cause from within the machine,
> I can ssh and telnet to the jail no problem. Do you think, given that it works from
> within, that it could still be a problem?

Within your machine normal routing is used to access any aliased IP. In fact it would probably be better if before the divert rule in your firewall you specifically allowed local traffic (so it doesn't get NAT'd).

> I am trying right now, just to figure out why my web server, and ssh on the host
> (dagobah) aren't responding. It seems like there is something fundamentally wrong
> with my firewall rules.

Hmmm, yes you're probably right there. Try enabling logging on any rule that blocks and then look at /var/log/security to see exactly which one it is and for which packets. Sometimes it's hard to tell from just looking at the rules what actually happens.

All the best,
Nate
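A diagnostic ipfw ruleset along the lines Nate describes, added here as an illustration and not taken from the thread. It is in the file format `ipfw /path/to/rules` reads; the interface name, the host and jail addresses and the divert port are assumptions, and it expects net.inet.ip.fw.one_pass=0 and net.inet.ip.fw.verbose=1 so packets continue past divert and deny log rules reach /var/log/security.

```conf
# Constructed diagnostic ruleset (assumed names: external interface fxp0,
# host 192.0.2.10, jail alias 192.0.2.11, natd listening on divert port 8668).
flush

# Loopback and host<->jail traffic uses normal routing; allow it before
# the divert rule so it is never handed to natd.
add 100 allow ip from any to any via lo0
add 110 allow ip from 192.0.2.10 to 192.0.2.11
add 120 allow ip from 192.0.2.11 to 192.0.2.10

# Count on both sides of divert: the first counter shows what arrived on
# the interface, the second shows what natd handed back after translation.
add 200 count ip from any to any via fxp0
add 210 divert 8668 ip from any to any via fxp0
add 220 count ip from any to any via fxp0

# Services that should be reachable from outside after redirect_tcp.
add 300 allow tcp from any to 192.0.2.11 22 in via fxp0
add 310 allow tcp from any to 192.0.2.11 80 in via fxp0
add 320 allow tcp from any to any out via fxp0
add 330 allow tcp from any to any established

# Log everything that falls through so /var/log/security names the packet
# and the rule that blocked it.
add 65000 deny log ip from any to any
```

Compare the counters with `ipfw -a list` (reset them with `ipfw zero`) while connecting from outside; a packet counted at 200 but not at 220 was dropped inside natd, and a packet counted at 220 but logged by 65000 shows the translated address the later rules failed to match.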