Date: Fri, 24 Dec 1999 00:01:56 -0500 (EST)
From: "Crist J. Clark" <cjc@cc942873-a.ewndsr1.nj.home.com>
To: blackice@muller.net (Sonny Van Hook)
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: Stuck debugging NATD
Message-ID: <199912240501.AAA40197@cc942873-a.ewndsr1.nj.home.com>
In-Reply-To: <3.0.1.32.19991223202408.006bd45c@muller.net> from Sonny Van Hook at "Dec 23, 1999 08:24:08 pm"
Sonny Van Hook wrote,

[snip]

> /etc/rc.conf
> # --- Important info about the network --- # SV 12/23
> ifconfig_lnc1="inet 192.168.0.1 netmask 255.255.255.0" #Internal
> ifconfig_de0="inet 216.102.106.36 netmask 255.255.255.0" #External
> ifconfig_lo0="inet 127.0.0.1" #Loopback
> defaultrouter="216.102.106.254"
> gateway_enable="YES"
> firewall_enable="YES"
> firewall_type="simple"
> natd_enable="YES" #This is redundant since it's
> natd_interface="de0" #manually config'd in rc.firewall

No, it's not redundant. The 'natd_enable' variable is used in
rc.network to actually run natd.

> /etc/rc.firewall
> ### Flush out the list before we begin.
> /sbin/ipfw -f flush
> ### Divert all packets before applying any rules
> /sbin/ipfw add divert natd all from any to any via de0
> ### Only in rare cases do you want to change these rules
> /sbin/ipfw add 100 pass all from any to any via lo0
> /sbin/ipfw add 200 deny all from any to 127.0.0.0/8
>
> ## (this is all from 'simple' profile in default rc.firewall)
> # This is a prototype setup for a simple firewall. Configure
> # this machine as a named server and ntp server, and point all
> # the machines on the inside at this machine for those services.
>
> ### set these to your outside interface
> ### network and netmask and ip
> oif="de0"
> onet="216.102.106.0" # Pacbell's DSL subnet
> omask="255.255.255.0"
> oip="216.102.106.36" # Our DSL address
>
> ### set these to your inside interface
> ### network and netmask and ip
> iif="lnc1"
> inet="192.168.0.0"
> imask="255.255.255.0"
> iip="192.168.0.1" # This machine's LAN IP
> <remaining rules snipped for brevity>
>
> I can access the internet from the FreeBSD machine, but none
> of the machines on my local LAN can get out. I usually test
> using telnet by name, then by IP.
>
> As you can see, my local net uses the 192.168.0.x address
> space. All machines are configured to use 192.168.0.1 as
> their default gateway. I'm pretty sure this is not a routing
> problem because when I use the 'open' (allow all) profile,
> I have the same problem.

If you do tcpdumps on the FreeBSD machine, do you see packets
coming in lnc1 and going nowhere?

> Lastly, I see this right at the end of 'dmesg':
> IP packet filtering initialized, divert disabled, rule-based forwarding
> disabled, logging disabled
> ip_fw_ctl: invalid command

Did you recompile your kernel with (at least),

options		IPFIREWALL		#firewall
options		IPDIVERT		#divert sockets

included?

-- 
Crist J. Clark                           cjclark@home.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
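The two checks Crist asks for in the reply above, the "divert disabled" dmesg banner and the IPFIREWALL/IPDIVERT kernel options, written up as a small diagnostic script. This is an added example, not code from either poster or from the FreeBSD rc scripts; the function names, the sample dmesg text and the sample kernel config are constructed for illustration, and the sample config is deliberately missing IPDIVERT so the script has something to report. On a real box you would pass the output of `dmesg` and the contents of your kernel config file instead of the samples.

```shell
#!/bin/sh
# Added example: checks for a natd/ipfw setup that matches the points raised
# in the reply above. Works on constructed sample input so it runs offline.

# Constructed sample input (not from a real machine).
SAMPLE_DMESG='lnc1: <PCnet-PCI> ...
IP packet filtering initialized, divert disabled, rule-based forwarding disabled, logging disabled
ip_fw_ctl: invalid command'

SAMPLE_KERNCONF='ident       GATEWAY
options     IPFIREWALL      #firewall
options     IPFIREWALL_VERBOSE
options     INET'

# divert_status DMESG_TEXT
#   Prints "enabled" or "disabled", parsed from the ipfw boot banner
#   "IP packet filtering initialized, divert <state>, ...". Prints nothing if
#   the banner is absent (ipfw not compiled in at all).
divert_status() {
    printf '%s\n' "$1" \
      | sed -n 's/.*IP packet filtering initialized, divert \([a-z]*\),.*/\1/p' \
      | head -n 1
}

# missing_kernel_options KERNCONF_TEXT
#   Prints, one per line, whichever of IPFIREWALL and IPDIVERT is not present
#   as an "options" line. Prints nothing when both are there. The trailing
#   character class keeps IPFIREWALL_VERBOSE from counting as IPFIREWALL.
missing_kernel_options() {
    for opt in IPFIREWALL IPDIVERT; do
        printf '%s\n' "$1" \
          | grep -Eq "^[[:space:]]*options[[:space:]]+${opt}([[:space:]]|#|$)" \
          || echo "$opt"
    done
}

# natd_ready DMESG_TEXT KERNCONF_TEXT
#   Exit 0 only if the running kernel reports divert enabled and the config
#   has both options; otherwise explain what to fix and exit 1.
natd_ready() {
    ok=0
    status=$(divert_status "$1")
    if [ "$status" != "enabled" ]; then
        echo "kernel reports divert sockets '${status:-absent}': a 'divert natd' rule cannot work"
        ok=1
    fi
    missing=$(missing_kernel_options "$2")
    if [ -n "$missing" ]; then
        echo "kernel config lacks: $(echo "$missing" | tr '\n' ' ')"
        echo "add 'options IPFIREWALL' and 'options IPDIVERT', rebuild and reboot"
        ok=1
    fi
    return $ok
}

natd_ready "$SAMPLE_DMESG" "$SAMPLE_KERNCONF" || echo "natd prerequisites not met"
```

If both checks pass and inside hosts still cannot get out, the next step is the one the reply names: `tcpdump -n -i lnc1` while an inside host tries to connect, then `tcpdump -n -i de0`, to see whether the packets arrive on the inside interface and whether anything leaves the outside one with the gateway's address.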
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199912240501.AAA40197>