From owner-freebsd-ipfw Wed Dec 13 0:15:27 2000
From owner-freebsd-ipfw@FreeBSD.ORG Wed Dec 13 00:15:25 2000
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mail.biographix.com (unknown [207.236.111.133]) by hub.freebsd.org (Postfix) with ESMTP id C75EA37B400 for ; Wed, 13 Dec 2000 00:15:24 -0800 (PST)
Received: from bottleneck2000 ([192.168.1.12]) by mail.biographix.com (8.11.1/8.11.1) with SMTP id eBD8Fw337083 for ; Wed, 13 Dec 2000 03:15:58 -0500 (EST)
Message-ID: <008401c064dd$7233c7c0$0c01a8c0@bottleneck2000>
From: "Elliott Perrin"
To:
Subject: Problem with Natd and IPFW
Date: Wed, 13 Dec 2000 03:19:42 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2919.6700
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

So here is the scenario. I have a FreeBSD box configured with three interfaces: one to the Net, one to the LAN where our public servers sit, and one to the local LAN. It is a FreeBSD 4.1 box. Our public servers have routable addresses, so natd is running with the -u flag so that only the local LAN gets translated. The kernel was compiled without the default-to-accept option in the firewall.

If the firewall is running without an "allow ip from any to any" rule, natd complains with the error "natd: failed to write packet back (Permission denied)" and the local LAN cannot get anywhere out of the office. They can still get to our public servers, but they cannot go anywhere on the Internet. Once the "allow ip from any to any" rule is specified the problem clears up right away (which obviously makes sense).

To give you an idea of where natd is in the ruleset, I have provided a chunk of the rules below (taken from ipfw -a list):

00100 allow ip from any to any in recv lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 192.168.1.0/24 to any in recv ed0
00400 deny ip from xxx.xxx.xxx.xxx/28 to any in recv ed0
00500 deny ip from 192.168.1.0/24 to any in recv fxp0
00600 deny ip from xxx.xxx.xxx.xxx/28 to any in recv xl0
00700 deny ip from xxx.xxx.xxx.xxx/29 to any in recv fxp0
00800 deny ip from xxx.xxx.xxx.xxx/29 to any in recv xl0
00900 deny ip from any to 10.0.0.0/8 via ed0
01000 deny ip from any to 172.16.0.0/12 via ed0
01100 deny ip from any to 192.168.0.0/16 via ed0
01200 deny ip from any to 0.0.0.0/8 via ed0
01300 deny ip from any to 169.254.0.0/16 via ed0
01400 deny ip from any to 192.0.2.0/24 via ed0
01500 divert 8668 ip from any to any via ed0
01600 deny ip from 10.0.0.0/8 to any via ed0
01700 deny ip from 172.16.0.0/12 to any via ed0
01800 deny ip from 192.168.0.0/16 to any via ed0
01900 deny ip from 0.0.0.0/8 to any via ed0
02000 deny ip from 169.254.0.0/16 to any via ed0
02100 deny ip from 192.0.2.0/24 to any via ed0

Now, I decided to run natd with the -v flag to see if I could find out what the hell was going on. When I was running it without an "allow ip from any to any" rule, I would see aliasing from the local LAN to the external address, but no aliasing on packets coming back in. When the rule "allow ip from any to any" is declared, I can see the translation going both in and out.

I've read through the natd and ipfw man pages; nothing seems to point to how to clear this up. Can anyone shed some light?

________________________________________
Elliott Perrin
eperrin@bigorbit.com

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message
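The mechanism behind the error in the post, as an added example that is not part of the original message or of FreeBSD's own rc.firewall: when natd writes a translated packet back on the divert socket, ipfw resumes matching at the rule after the divert rule (01500 here). In the posted ruleset only deny rules follow it, so a kernel built without IPFIREWALL_DEFAULT_TO_ACCEPT drops the re-injected packet at rule 65535 and natd's write fails with EPERM. The script below prints the post's rule shape beside a version that gives the translated packets somewhere to land, and includes a small check over ipfw -a list style output. It is a dry run by default (it echoes the ipfw commands rather than loading them); the interface names and the 192.168.1.0/24 LAN come from the post, while 203.0.113.0/28 and 203.0.113.1 stand in for the masked public block and external address and are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Dry run by default: set
# IPFW=/sbin/ipfw to load the rules on a real FreeBSD box.
fw="${IPFW:-echo ipfw}"
oif=ed0                 # interface to the Internet (from the post)
lif=fxp0                # interface to the local LAN (from the post)
lan=192.168.1.0/24      # local LAN, natd -u translates only this
ext=203.0.113.1         # assumed: natd alias (ed0) address
pub=203.0.113.0/28      # assumed: stands in for the post's xxx.xxx.xxx.xxx/28

# Shape of the ruleset in the post: divert, then only deny rules, then the
# kernel's default rule 65535 (deny). natd rewrites the packet and writes it
# back; ipfw resumes at the rule after 1500, matches nothing but denies, and
# the write returns EPERM ("failed to write packet back").
ruleset_broken() {
    $fw add 1100 deny ip from any to 192.168.0.0/16 via $oif
    $fw add 1500 divert 8668 ip from any to any via $oif
    $fw add 1800 deny ip from 192.168.0.0/16 to any via $oif
    # nothing allows the translated packet before rule 65535
}

# Same structure with explicit allow rules after the divert rule. Rule 1100
# is not re-evaluated for re-injected packets, so a reply whose destination
# natd rewrote to 192.168.1.x is not caught by the anti-spoof rule.
ruleset_fixed() {
    $fw add 1100 deny ip from any to 192.168.0.0/16 via $oif
    $fw add 1500 divert 8668 ip from any to any via $oif
    $fw add 1800 deny ip from 192.168.0.0/16 to any via $oif
    # Outbound LAN traffic re-enters here with its source rewritten to $ext.
    $fw add 2200 allow ip from $ext to any out xmit $oif
    # Replies re-enter with their destination rewritten back to a LAN host;
    # natd only rewrites packets for flows already in its table.
    $fw add 2300 allow tcp from any to $lan in recv $oif established
    $fw add 2400 allow udp from any to $lan in recv $oif
    # The same packets as seen on the LAN interface, untranslated.
    $fw add 2500 allow ip from $lan to any in recv $lif
    $fw add 2600 allow ip from any to $lan out xmit $lif
    # Public servers: natd -u leaves their traffic alone, but it still passes
    # through the divert rule and needs its own allow rules (web shown only).
    $fw add 2700 allow tcp from any to $pub 80 setup
    $fw add 2800 allow tcp from $pub to any established
}

# Check for the post's symptom. Reads rules on stdin, either "ipfw -a list"
# output ("01500 237 18273 divert 8668 ...") or the dry-run commands above
# ("ipfw add 1500 divert 8668 ..."), and succeeds only if some allow rule is
# numbered after the divert rule, i.e. a re-injected packet can be accepted.
allow_after_divert() {
    awk '
        { n = 0; for (i = 1; i <= NF; i++) if ($i ~ /^[0-9]+$/) { n = $i + 0; break } }
        / divert / { div = n }
        / allow /  { if (div && n > div) ok = 1 }
        END { exit ok ? 0 : 1 }
    '
}

# Standalone use: print the fixed rules and confirm they pass the check.
ruleset_fixed
ruleset_fixed | allow_after_divert && echo "ok: an allow rule follows the divert rule"
```

On a live box the quickest confirmation is `ipfw -a list`: with the broken ordering the packet counter on rule 65535 climbs while the LAN tries to reach the Internet, and `ipfw -a list | allow_after_divert` fails; after loading the fixed rules the counters move to the allow rules after 01500 instead.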