From owner-freebsd-ipfw Tue Apr 4 23: 4: 8 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from MailAndNews.com (MailAndNews.com [199.29.68.160])
    by hub.freebsd.org (Postfix) with ESMTP id CDB9737BC6C
    for ; Tue, 4 Apr 2000 23:04:03 -0700 (PDT)
    (envelope-from mheffner@mailandnews.com)
Received: from muriel.penguinpowered.com [208.138.199.92] (mheffner@mailandnews.com);
    Wed, 5 Apr 2000 02:04:01 -0400
X-WM-Posted-At: MailAndNews.com; Wed, 5 Apr 00 02:04:01 -0400
Content-Length: 3822
Message-ID:
X-Mailer: XFMail 1.4.4 on FreeBSD
X-Priority: 3 (Normal)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
In-Reply-To: <20000404231711.A40889@cc942873-a.ewndsr1.nj.home.com>
Date: Wed, 05 Apr 2000 02:03:39 -0400 (EDT)
Reply-To: Mike Heffner
From: Mike Heffner
To: cjclark@home.com
Subject: Re: Problems with natd
Cc: freebsd-ipfw@FreeBSD.ORG, Mike Heffner
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On 05-Apr-2000 Crist J. Clark wrote:
|>
|> Using the following three ipfw entries:
|>
|> allow ip from any to any via ep0
|> divert natd from any to any via ed0
|
| ITYM, "divert natd ip from any to any via ed0"

Yep, that's what I meant....human translating problem ;)

|
| I assume you upgraded to 4.0-STABLE? No, I have not noticed anything
| like this.
|

No, like I said I've been tracking current on the box, and I was just about a
month behind on my builds, so from about an early March current to an early
April current.

|> Thanks, let me know if there is any more information I can provide
|
| Let's get it all,
|

This is not my full firewall, network setup, but I have tested it with these
simplified settings ( and it still doesn't seem to work ):

natd.conf file:

interface ed0
same_ports yes
dynamic yes

ipfw rules:

00010 176 14949 count log ip from any to any
00015  24  2634 allow ip from any to any via lo0
00100   0     0 allow ip from any to any via ep0
00200   6   248 divert 8668 ip from any to any via ed0
00300  57  6332 allow ip from any to any
65535   1    28 deny ip from any to any

$ ifconfig -a
ed0: flags=8843 mtu 1500
        inet a.b.c.d netmask 0xffffff00 broadcast 255.255.255.255
        ether 00:40:05:63:46:3d
ep0: flags=8843 mtu 1500
        inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
        ether 00:20:af:a1:05:8b
        media: 10baseT/UTP
        supported media: 10baseT/UTP
lo0: flags=8049 mtu 16384
        inet 127.0.0.1 netmask 0xff000000

[a.b.c.d == outside, real, ip]

$ netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags     Refs     Use     Netif Expire
default            a.b.c.d            UGSc       19       94      ed0
10/24              link#2             UC          0        0      ep0 =>
127.0.0.1          127.0.0.1          UH          1       20      lo0
a.b.c              link#1             UC          0        0      ed0 =>
a.b.c.d            0:d0:58:c7:98:38   UHLW       19        0      ed0   1200

[a.b.c.d == my cable modem router]

also, here is part of a natd verbose output log, first part is successful
ICMP'ing, second is an unsuccessful ftp connect attempt:

Out [ICMP] [ICMP] a.b.c.d -> e.f.g.h 8(0) aliased to
           [ICMP] a.b.c.d -> e.f.g.h 8(0)
In  [ICMP] [ICMP] e.f.g.h -> a.b.c.d 0(0) aliased to
           [ICMP] e.f.g.h -> a.b.c.d 0(0)
Out [ICMP] [ICMP] a.b.c.d -> e.f.g.h 8(0) aliased to
           [ICMP] a.b.c.d -> e.f.g.h 8(0)
Out [ICMP] [ICMP] a.b.c.d -> e.f.g.h 8(0) aliased to
           [ICMP] a.b.c.d -> e.f.g.h 8(0)
Out [ICMP] [ICMP] a.b.c.d -> e.f.g.h 8(0) aliased to
           [ICMP] a.b.c.d -> e.f.g.h 8(0)
In  [ICMP] [ICMP] e.f.g.h -> a.b.c.d 0(0) aliased to
           [ICMP] e.f.g.h -> a.b.c.d 0(0)
Out [TCP]  [TCP] a.b.c.d:1026 -> e.f.g.h:21 aliased to
           [TCP] a.b.c.d:1026 -> e.f.g.h:21
Out [TCP]  [TCP] a.b.c.d:1026 -> e.f.g.h:21 aliased to
           [TCP] a.b.c.d:1026 -> e.f.g.h:21
Out [TCP]  [TCP] a.b.c.d:1026 -> e.f.g.h:21 aliased to
           [TCP] a.b.c.d:1026 -> e.f.g.h:21
Out [TCP]  [TCP] a.b.c.d:1026 -> e.f.g.h:21 aliased to
           [TCP] a.b.c.d:1026 -> e.f.g.h:21

[ a.b.c.d == my ip address
  e.f.g.h == an internet server ip ]

Hope that helps, ...I will probably have more free time later in the week to
try some other combinations and what not, and maybe take a look at the natd
code or something

/****************************************
 * Mike Heffner                         *
 * Fredericksburg, VA     ICQ# 882073   *
 * Sent at: 05-Apr-2000 -- 00:23:56 EST *
 * http://my.ispchannel.com/~mheffner   *
 ****************************************/
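
One way to read a natd verbose log like the one in the message above mechanically, added here as an example and not part of the original post: it groups records into flows, counts Out and In packets, and lists flows that never logged a reply. The function names are hypothetical, the sample log is constructed with documentation-range addresses, and the regex assumes the record layout shown in the message.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the natd verbose log quoted above;
# the addresses are documentation-range placeholders, not values from the post.
SAMPLE_LOG = """\
Out [ICMP] [ICMP] 192.0.2.10 -> 198.51.100.7 8(0) aliased to
           [ICMP] 192.0.2.10 -> 198.51.100.7 8(0)
In  [ICMP] [ICMP] 198.51.100.7 -> 192.0.2.10 0(0) aliased to
           [ICMP] 198.51.100.7 -> 192.0.2.10 0(0)
Out [TCP]  [TCP] 192.0.2.10:1026 -> 198.51.100.7:21 aliased to
           [TCP] 192.0.2.10:1026 -> 198.51.100.7:21
Out [TCP]  [TCP] 192.0.2.10:1026 -> 198.51.100.7:21 aliased to
           [TCP] 192.0.2.10:1026 -> 198.51.100.7:21
"""

# One record: direction, protocol, original src -> dst, then the aliased pair.
RECORD = re.compile(
    r"(In|Out)\s+\[(\w+)\]\s+\[\w+\]\s+(\S+)\s+->\s+(\S+)(?:\s+\d+\(\d+\))?"
    r"\s+aliased to\s+\[\w+\]\s+(\S+)\s+->\s+(\S+)"
)

def parse(log):
    """Return (direction, proto, src, dst, new_src, new_dst) per record."""
    return [m.groups() for m in RECORD.finditer(log)]

def summarize(log):
    """Count packets per flow; a flow is keyed by (proto, local, remote)."""
    flows = defaultdict(lambda: {"out": 0, "in": 0, "rewritten": False})
    for direction, proto, src, dst, new_src, new_dst in parse(log):
        if direction == "Out":
            key = (proto, new_src, new_dst)  # as sent after aliasing
            flows[key]["out"] += 1
        else:
            key = (proto, dst, src)          # reply addressed to the alias
            flows[key]["in"] += 1
        if (src, dst) != (new_src, new_dst):
            flows[key]["rewritten"] = True   # natd changed an address or port
    return dict(flows)

def unanswered(log):
    """Flows that sent packets out but never logged a reply."""
    return [k for k, v in summarize(log).items() if v["out"] and not v["in"]]

if __name__ == "__main__":
    for key, stats in summarize(SAMPLE_LOG).items():
        print(key, stats)
    print("unanswered:", unanswered(SAMPLE_LOG))
```

Because the regex matches across whitespace of any kind, the same functions work whether each record is split over two lines or the log has been flattened onto one line.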