From owner-freebsd-questions Mon Aug 6 14:26:57 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from snipe.mail.pas.earthlink.net (snipe.mail.pas.earthlink.net [207.217.120.62]) by hub.freebsd.org (Postfix) with ESMTP id 8EE0837B403 for ; Mon, 6 Aug 2001 14:26:54 -0700 (PDT) (envelope-from cjc@earthlink.net)
Received: from blossom.cjclark.org (dialup-209.247.140.49.Dial1.SanJose1.Level3.net [209.247.140.49]) by snipe.mail.pas.earthlink.net (EL-8_9_3_3/8.9.3) with ESMTP id OAA23366; Mon, 6 Aug 2001 14:26:53 -0700 (PDT)
Received: (from cjc@localhost) by blossom.cjclark.org (8.11.4/8.11.3) id f76LQhm03465; Mon, 6 Aug 2001 14:26:43 -0700 (PDT) (envelope-from cjc)
Date: Mon, 6 Aug 2001 14:26:43 -0700
From: "Crist J. Clark"
To: Tabor Kelly
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: natd redirect_port only works from the outside
Message-ID: <20010806142643.A449@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
References: <3416923460.20010805161033@dsl-only.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <3416923460.20010805161033@dsl-only.net>; from pdxmax@dsl-only.net on Sun, Aug 05, 2001 at 04:10:33PM -0700
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Sun, Aug 05, 2001 at 04:10:33PM -0700, Tabor Kelly wrote:
> Okay. After much fuss I discovered that I was redirecting ports
> through natd, but from the outside only!

[snip]

> Does anybody have any ideas?

Yes. This is the expected behavior. You didn't post your ipfw(8) rules, but you probably have one like,

    divert natd ip from any to any via xl0

Now, when a machine on your internal network sends a packet to 63.105.29.28, the packet comes into the machine on xl1, and the packet does not match that rule.

I assume the packet will get passed at another rule where it is handed to the OS's network stack, which will process it, notice the packet is meant for itself and deal with it accordingly. Thus, the packet is never processed on interface xl0 and never passed through natd(8).

There are basically two ways to handle this, split name services or ugly, ugly NAT games. For most setups, I would recommend split name services (split DNS or hacked /etc/hosts files), but the best option really depends on your particular site.
-- 
Crist J. Clark                                cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
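The following is an added model of the first-match rule walk described in the reply above; it is not code from the mail or from FreeBSD. It keeps the thread's interface names (xl0 external, xl1 internal) and the external address 63.105.29.28, and treats the `via xl0` clause the way ipfw(8) does: a packet matches only if it arrives on or leaves through xl0. The internal addresses, the redirect_port target and the hosts-file entries are constructed for the example. It shows why an outside connection is redirected while the same connection from an inside host lands on the router's own stack, and how a split /etc/hosts sends the inside client straight to the internal server so the router is never involved.

```python
"""Model of an ipfw ruleset with 'divert natd ip from any to any via xl0'.

Added illustration only. Interface names and 63.105.29.28 come from the
thread; every 192.168.1.x / 10.x address, the redirect target and the
hosts entries are constructed sample values.
"""
from dataclasses import dataclass

EXTERNAL_IF = "xl0"
INTERNAL_IF = "xl1"
EXTERNAL_IP = "63.105.29.28"                    # router's outside address (from thread)
ROUTER_IPS = {EXTERNAL_IP, "192.168.1.1"}       # inside address is constructed
INTERNAL_NET_PREFIX = "192.168.1."              # constructed internal subnet
REDIRECT_PORT = {80: ("192.168.1.10", 80)}      # natd -redirect_port tcp 192.168.1.10:80 80 (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    iface: str   # interface the packet arrived on


def divert_rule_matches(pkt: Packet) -> bool:
    """'... via xl0' matches only packets seen on the external interface."""
    return pkt.iface == EXTERNAL_IF


def natd_redirect(pkt: Packet) -> Packet:
    """natd rewrites the destination when redirect_port applies to the external IP."""
    if pkt.dst == EXTERNAL_IP and pkt.dport in REDIRECT_PORT:
        new_dst, new_port = REDIRECT_PORT[pkt.dport]
        return Packet(pkt.src, new_dst, new_port, pkt.iface)
    return pkt


def route_packet(pkt: Packet) -> tuple:
    """First-match walk of a two-rule set:
         00100 divert natd ip from any to any via xl0
         65000 allow ip from any to any
    Returns (rule that handled it, final destination host:port)."""
    if divert_rule_matches(pkt):
        pkt = natd_redirect(pkt)
        return ("divert natd via xl0", f"{pkt.dst}:{pkt.dport}")
    # Rule 00100 missed: the packet reaches the allow rule untouched.
    if pkt.dst in ROUTER_IPS:
        return ("allow -> delivered to the router's own stack", f"{pkt.dst}:{pkt.dport}")
    return ("allow -> forwarded", f"{pkt.dst}:{pkt.dport}")


# Split name service: inside clients get the internal address, outside clients the public one.
INTERNAL_HOSTS = {"www.example.invalid": "192.168.1.10"}   # constructed /etc/hosts on inside clients
PUBLIC_DNS = {"www.example.invalid": EXTERNAL_IP}           # constructed public zone


def resolve(name: str, split_hosts: bool) -> str:
    return (INTERNAL_HOSTS if split_hosts else PUBLIC_DNS)[name]


def inside_client_connects(name: str, split_hosts: bool) -> tuple:
    """An inside host (192.168.1.50, constructed) connects to `name` on port 80."""
    dst = resolve(name, split_hosts)
    if dst.startswith(INTERNAL_NET_PREFIX):
        # Same LAN: the client talks to the server directly, the router never sees it.
        return ("direct on LAN, router not involved", f"{dst}:80")
    return route_packet(Packet("192.168.1.50", dst, 80, INTERNAL_IF))


if __name__ == "__main__":
    print("outside client:", route_packet(Packet("10.0.0.1", EXTERNAL_IP, 80, EXTERNAL_IF)))
    print("inside, public DNS:", inside_client_connects("www.example.invalid", split_hosts=False))
    print("inside, split hosts:", inside_client_connects("www.example.invalid", split_hosts=True))
```

The inside client's packet arrives on xl1, so the `via xl0` divert rule never fires and the packet is delivered to the router itself at 63.105.29.28:80 rather than to the redirected server; the split hosts file avoids the router entirely for inside clients, which is the "split name services" option the reply recommends.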