Date:      Tue, 20 Oct 1998 04:42:53 -0400
From:      "Matt Prigge" <prigge@bucknell.edu>
To:        "Bryce Newall" <data@dreamhaven.net>, <freebsd-questions@FreeBSD.ORG>
Subject:   Re: More IPFW/natd trouble, but I'm close!
Message-ID:  <093a01bdfc05$a06ee4a0$28735286@prigge.resnet.bucknell.edu>

>> line referencing natd is not early enough in rc.firewall. all of your
>> packets from the internal network are being forwarded before natd gets to
>> change their network numbers (and no sane internet router will pass
>> unregistered ip addresses). try putting "ipfw add divert natd all from any
>> to any via vx0" right before "ipfw add 65000 pass all from any to any". If
>
>You, my friend, are a genius!  That worked.  I did notice when I booted
>my FreeBSD machine back up that the following message appeared in
>/var/log/messages:
>
>Oct 19 23:10:51 ds9 natd: failed to write packet back (No route to host)
>
>I'm assuming that's probably because it was trying to talk to something
>through vx0, which hadn't yet gotten its IP from the DHCP server.  Does
>that sound about right?


Basically what was happening is ipfw was forwarding packets from your
internal network right out onto the internet without changing their network
numbers. So, whatever router (probably on the computer you're dialing, or the
cable modem router, whichever) came in contact with those packets first
said "whoa, hold on.. you can't have an internal network number jumpin' around
on that there internet!" and dropped it (thus the "no route to host" error).
When you divert your packets through natd, natd renumbers the packets so
that they appear to come from the firewall, which has a valid, routable IP
address (makes routers happy). When the reply comes back to your firewall,
natd remembers which computer on the internal network asked for it,
renumbers it, and sends it back onto the internal network.

>Also, any ideas on how I could forward packets destined for a particular
>hostname through my firewall and to the correct local host on my internal
>network?


Check the man page for natd. I think it has a section on diverting ports on
your external net to computers on the internal. E.g.: if your web server was
inside your firewall, you could divert port 80 on your external device to
point to a machine on your internal net. I haven't had a need to do this, but
I know it discusses it in the man page. Good luck!

>
>**********************************************************************
>*       Bryce Newall       *       Email: data@dreamhaven.net        *
>*               WWW: http://home.dreamhaven.net/~data                *
>*       "Insanity takes its toll.  Please have exact change."        *
>**********************************************************************
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-questions" in the body of the message
>


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
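As an added example, not part of the original thread or of FreeBSD's own rc.firewall: the shell script below lays out the ipfw rule order Matt describes (the natd divert rule loaded before the final pass-all rule), the natd port redirect he points to in the natd(8) man page, and a small check that the divert rule really does precede the pass rule. The external interface vx0 comes from the thread; the internal web server address 192.168.1.10 and the DRYRUN variable are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original thread). Shows the ipfw rule order
# that makes natd work, the natd port redirect from natd(8), and a check
# that refuses to load a rule set where the divert comes after pass-all.
# Assumptions: external interface vx0 (from the thread); internal web
# server 192.168.1.10 (constructed).

EXT_IF="vx0"
WEB_HOST="192.168.1.10"

# Correct order. ipfw evaluates rules by number, and an unnumbered rule is
# given the previous number plus 100, so the order lines appear in the
# script decides. The divert must precede the pass-all rule or packets leave
# with private source addresses and the upstream router drops them.
emit_rules() {
    cat <<EOF
ipfw -f flush
ipfw add 100 divert natd all from any to any via $EXT_IF
ipfw add 65000 pass all from any to any
EOF
}

# The order from the original question: pass-all first, so the divert rule
# never sees a packet.
emit_broken_rules() {
    cat <<EOF
ipfw -f flush
ipfw add 65000 pass all from any to any
ipfw add divert natd all from any to any via $EXT_IF
EOF
}

# natd on the external interface, with the port redirect documented in
# natd(8): inbound connections to port 80 on the firewall are rewritten to
# the internal web server. This exposes that host to the outside, so it
# deserves its own ipfw rules rather than relying on pass-all.
natd_cmd() {
    printf 'natd -n %s -redirect_port tcp %s:80 80\n' "$EXT_IF" "$WEB_HOST"
}

# Reads a rule list on stdin; exits 0 only if the natd divert rule appears
# before the final pass-all rule.
check_divert_before_pass() {
    awk '
        /divert natd/ && divert_line == 0 { divert_line = NR }
        /pass all from any to any/        { pass_line = NR }
        END { exit (divert_line > 0 && pass_line > divert_line) ? 0 : 1 }
    '
}

# Dry run by default: print what would be loaded. DRYRUN=0 executes the
# commands, which needs root on a FreeBSD host with ipfw and natd.
apply_rules() {
    if emit_rules | check_divert_before_pass; then
        if [ "${DRYRUN:-1}" = "1" ]; then
            emit_rules
            natd_cmd
        else
            emit_rules | sh
            natd_cmd | sh
        fi
    else
        echo "refusing to load: divert natd rule is not before pass-all" >&2
        return 1
    fi
}

apply_rules
```

Run it as-is to see the rule list and natd command it would load; the ordering check is what catches the mistake from the original question, where the divert rule sat after the pass-all rule in rc.firewall.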