From owner-freebsd-questions Mon Mar 6 19:33:46 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from cc942873-a.ewndsr1.nj.home.com (cc942873-a.ewndsr1.nj.home.com [24.2.89.207]) by hub.freebsd.org (Postfix) with ESMTP id 2080937B9C4 for ; Mon, 6 Mar 2000 19:33:39 -0800 (PST) (envelope-from cjc@cc942873-a.ewndsr1.nj.home.com)
Received: (from cjc@localhost) by cc942873-a.ewndsr1.nj.home.com (8.9.3/8.9.3) id WAA70817; Mon, 6 Mar 2000 22:12:34 -0500 (EST) (envelope-from cjc)
Date: Mon, 6 Mar 2000 22:12:34 -0500
From: "Crist J. Clark"
To: Bhishan Hemrajani
Cc: mires , freebsd-questions@FreeBSD.ORG
Subject: Re: aliasing natd and FW
Message-ID: <20000306221233.B70609@cc942873-a.ewndsr1.nj.home.com>
Reply-To: cjclark@home.com
References: <000c01bf8736$ba87a9e0$9349dbc1@eu.org> <200003060546.VAA00360@cytosine.dhs.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <200003060546.VAA00360@cytosine.dhs.org>; from bhishan@cytosine.dhs.org on Sun, Mar 05, 2000 at 09:46:46PM -0800
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Sun, Mar 05, 2000 at 09:46:46PM -0800, Bhishan Hemrajani wrote:
> The natd_interface in rc.conf is supposed to be a device name.
> (de1, xl0, ed0, etc.)
>
> It should be the interface connected to the connection on the internet.

Actually, the rc.network file supports IP addresses given in 'natd_interface':

    if [ X"${natd_enable}" = X"YES" -a -n "${natd_interface}" ]; then
        if echo ${natd_interface} | \
            grep -q -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'; then
            natd_ifarg="-a ${natd_interface}"
        else
            natd_ifarg="-n ${natd_interface}"
        fi
        echo -n ' natd'; ${natd_program} ${natd_flags} ${natd_ifarg}
    fi
    echo '.'

However...

> > Hi there.
> > I'm using 3.4-RELEASE FreeBSD one network card:
> > with FW & natd there are some lines from my config files
> >
> > rc.config:
> > ifconfig_ed2="inet 193.219.73.147 netmask 255.255.255.0"
> > defaultrouter="193.219.73.44"
> > gateway_enable="YES"
> > #natd
> > natd_program="/sbin/natd"
> > natd_enable="YES"
> > natd_interface="193.219.73.147"
> > natd_flags=""
> > #Fire wall
> > firewall_enable="YES"
> > firewall_type="OPEN"
> >
> > rc.local
> > ifconfig ed2 alias 192.168.0.11 netmask 255.255.255.0

Including,

    ifconfig_ed2_alias0="192.168.0.11 netmask 255.255.255.0"

in rc.conf is the preferred way to do this.

> > rc.firewall
> > $fwcmd add divert natd all from any to any via ${natd_interface}
> > $fwcmd add 10200 deny all from 192.168.0.0:255.255.0.0 to any via 193.219.73.147
> > $fwcmd add 10300 deny all from any to 192.168.0.0:255.255.0.0 via 193.219.73.147

You need to realize that all packets traveling over ed2 match these second two rules. From ipfw(8):

    via ipno
        Packet must be going through the interface having IP address ipno.

> > From my natd computer and from the local network everything works just fine except:
> >
> > 1. from my local LAN (windoze PC's) i can't use tracert. ping go ok. but tracert:
> >
> > Tracing route to hp710-3.lei.lt [193.219.73.43]
> > over a maximum of 30 hops:
> >
> >   1     2 ms     1 ms     1 ms  193.219.73.147
> >   2     3 ms     3 ms     3 ms  193.219.73.147
> >   3    12 ms    12 ms    12 ms  193.219.73.147
> >   4    23 ms    29 ms    30 ms  193.219.73.147
> > ...
> >  12   104 ms    70 ms   110 ms  hp710-3.lei.lt [193.219.73.43]
> >
> > why it don't detect real servers IP/DNS ?
> > (from my proxy computer everything goes just fine)

Your DNS setup on a Winbox is a whole other issue.

> > 2. the second problem: i really can't build a FW. i mean rule 10200 just block all
> > traffic from local LAN. (it means i can't block evil private LAN's IP's from
> > outside ?). what can i do ?

What you need to do is get two interfaces.
It's pretty well known natd(8) does not work well with a single interface; it was not designed for it.

--
Crist J. Clark
cjclark@home.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
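Added example, not part of the thread and not FreeBSD's own rc scripts: a small sh script that reproduces the rc.network test quoted in the reply (so you can see which natd flag a given natd_interface value turns into) and emits an rc.firewall-style rule set for the two-interface layout the reply recommends. In that layout the anti-spoofing rules carry the `in` and `out` direction keywords from ipfw(8), so they match only packets crossing the external interface the wrong way rather than everything that touches it, which is what the original rules 10200/10300 did on a single aliased ed2. The interface names are assumptions (ed2 external, ed1 internal); the private range is the one from the thread.

```sh
#!/bin/sh
# Added example, not from the thread. Assumed names: ed2 = external
# interface, ed1 = internal interface (hypothetical second card).

# Classify $1 exactly as rc.network does: a dotted quad gives "-a addr"
# (natd aliases to that address), anything else gives "-n name"
# (natd reads the address from the named interface).
natd_ifarg() {
    if echo "$1" | grep -q -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'; then
        echo "-a $1"
    else
        echo "-n $1"
    fi
}

# Print rule bodies (arguments for $fwcmd in rc.firewall) for a gateway
# with a separate internal interface.
#   $1  external interface name (an IP address also works after "via")
#   $2  internal interface name
#   $3  private range in ipfw addr:mask form, e.g. 192.168.0.0:255.255.0.0
#
# Order matters: the divert rule runs first so outbound LAN packets are
# translated before 10300 sees them and inbound replies are translated back
# before they reach 10400. 10200 drops packets that *arrive* on the external
# interface claiming a private source; 10300 drops packets that would *leave*
# the external interface bound for the private range. Neither touches
# traffic on the internal interface, which 10400 allows outright.
gen_firewall() {
    ext_if="$1"; int_if="$2"; priv="$3"
    cat <<EOF
add 10000 divert natd all from any to any via ${ext_if}
add 10200 deny all from ${priv} to any in via ${ext_if}
add 10300 deny all from any to ${priv} out via ${ext_if}
add 10400 allow all from any to any via ${int_if}
add 65000 allow all from any to any
EOF
}

# When run directly: show what the thread's rc.conf value turns into,
# what a device name turns into, and the resulting rule set.
natd_ifarg 193.219.73.147
natd_ifarg ed2
gen_firewall ed2 ed1 192.168.0.0:255.255.0.0
```

Each line gen_firewall prints is meant to be passed to `$fwcmd` (ipfw) the way rc.firewall does; it is deliberately not executed by the script. With only one interface this rule set does not help, because LAN packets also arrive "in via" the same card and would still hit 10200, which is the reply's point.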