From owner-freebsd-questions Thu Dec 23 20:57:26 1999
From: "Crist J. Clark"
Reply-To: cjclark@home.com
To: blackice@muller.net (Sonny Van Hook)
Cc: freebsd-questions@FreeBSD.ORG
Date: Fri, 24 Dec 1999 00:01:56 -0500 (EST)
Subject: Re: Stuck debugging NATD
In-Reply-To: <3.0.1.32.19991223202408.006bd45c@muller.net> from Sonny Van Hook at "Dec 23, 1999 08:24:08 pm"
Message-Id: <199912240501.AAA40197@cc942873-a.ewndsr1.nj.home.com>

Sonny Van Hook wrote,

[snip]

> /etc/rc.conf
> # --- Important info about the network ---                # SV 12/23
> ifconfig_lnc1="inet 192.168.0.1 netmask 255.255.255.0"    #Internal
> ifconfig_de0="inet 216.102.106.36 netmask 255.255.255.0"  #External
> ifconfig_lo0="inet 127.0.0.1"                             #Loopback
> defaultrouter="216.102.106.254"
> gateway_enable="YES"
> firewall_enable="YES"
> firewall_type="simple"
> natd_enable="YES"         #This is redundant since it's
> natd_interface="de0"      #manually config'd in rc.firewall

No, it's not redundant. The 'natd_enable' variable is used in
rc.network to actually run natd.

> /etc/rc.firewall
> ### Flush out the list before we begin.
> /sbin/ipfw -f flush
> ### Divert all packets before applying any rules
> /sbin/ipfw add divert natd all from any to any via de0
> ### Only in rare cases do you want to change these rules
> /sbin/ipfw add 100 pass all from any to any via lo0
> /sbin/ipfw add 200 deny all from any to 127.0.0.0/8
>
> ## (this is all from 'simple' profile in default rc.firewall)
> # This is a prototype setup for a simple firewall.  Configure
> # this machine as a named server and ntp server, and point all
> # the machines on the inside at this machine for those services.
>
> ### set these to your outside interface
> ### network and netmask and ip
> oif="de0"
> onet="216.102.106.0"    # Pacbell's DSL subnet
> omask="255.255.255.0"
> oip="216.102.106.36"    # Our DSL address
>
> ### set these to your inside interface
> ### network and netmask and ip
> iif="lnc1"
> inet="192.168.0.0"
> imask="255.255.255.0"
> iip="192.168.0.1"       # This machine's LAN IP
>
>
> I can access the internet from the FreeBSD machine, but none
> of the machines on my local lan can get out.  I usually test
> using telnet by name, then by IP.
>
> As you can see, my local net uses the 192.168.0.x address
> space.  All machines are configured to use 192.168.0.1 as
> their default gateway.  I'm pretty sure this is not a routing
> problem because when I use the 'open' (allow all) profile,
> I have the same problem.

If you do tcpdumps on the FreeBSD machine, do you see packets
coming in lnc1 and going nowhere?

> Lastly, I see this right at the end of 'dmesg':
> IP packet filtering initialized, divert disabled, rule-based forwarding
> disabled, logging disabled
> ip_fw_ctl: invalid command

Did you recompile your kernel with (at least),

options         IPFIREWALL              #firewall
options         IPDIVERT                #divert sockets

Included?
-- 
Crist J. Clark                           cjclark@home.com
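An added example, not part of the thread above and not FreeBSD's own rc scripts: a small sh pre-flight check for the two things Crist points at. It confirms that a kernel config file actually enables IPFIREWALL and IPDIVERT (a commented-out "#options IPDIVERT" does not count, which is exactly the case that leaves "divert disabled" in dmesg), and it prints, rather than executes, the divert-first ipfw ruleset for a given outside interface so it can be reviewed before it goes into rc.firewall. The function names, the KERNCONF/OIF variables, and the use of rule number 50 for the divert rule are this example's own choices, not anything the thread specifies.

```shell
#!/bin/sh
# Added example: pre-flight check for an ipfw + natd gateway.
# Not from the original thread; function names and rule number 50 are assumptions.

# kernel_has_options FILE OPTION...
# Succeeds only if every OPTION appears on an enabled 'options' line in the
# kernel config FILE. Comments are stripped first, so "#options IPDIVERT"
# counts as missing. Missing options are reported on stderr.
kernel_has_options() {
    file=$1; shift
    missing=""
    for opt in "$@"; do
        if ! sed 's/#.*//' "$file" |
             grep -Eq "^[[:space:]]*options[[:space:]]+$opt([[:space:]]|\$)"; then
            missing="$missing $opt"
        fi
    done
    if [ -n "$missing" ]; then
        echo "kernel config $file is missing:$missing" >&2
        return 1
    fi
    return 0
}

# nat_ruleset OIF
# Prints the ipfw commands in the order the thread wants them: flush, then the
# divert to natd on the outside interface *before* any other rule, then the
# loopback rules. Rule 50 is a choice made here so the divert rule sorts ahead
# of rule 100 regardless of insertion order.
nat_ruleset() {
    oif=$1
    cat <<EOF
/sbin/ipfw -f flush
/sbin/ipfw add 50 divert natd all from any to any via $oif
/sbin/ipfw add 100 pass all from any to any via lo0
/sbin/ipfw add 200 deny all from any to 127.0.0.0/8
EOF
}

# Usage: KERNCONF=/sys/i386/conf/MYKERNEL OIF=de0 sh natd-check.sh
# (KERNCONF and OIF are this example's own variables.)
if [ -n "${KERNCONF:-}" ]; then
    kernel_has_options "$KERNCONF" IPFIREWALL IPDIVERT && nat_ruleset "${OIF:-de0}"
fi
```

If kernel_has_options fails, the kernel needs to be rebuilt with those options before any rc.firewall change will matter; the "divert disabled" line in dmesg and the "ip_fw_ctl: invalid command" that follows the divert rule are both consistent with a kernel that lacks IPDIVERT.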