Date: Wed, 19 Sep 2001 17:22:15 +0300
From: Ruslan Ermilov <ru@FreeBSD.ORG>
To: Vladimir Terziev <vladimirt@rila.bg>
Cc: freebsd-net@FreeBSD.ORG, freebsd-hackers@FreeBSD.ORG
Subject: Re: Problem with IPFW and NATD (refined) !!!
Message-ID: <20010919172215.E66974@sunbay.com>
In-Reply-To: <200109191406.f8JE6cc12197@star.rila.bg>; from vladimirt@rila.bg on Wed, Sep 19, 2001 at 05:06:38PM +0300
References: <200109191406.f8JE6cc12197@star.rila.bg>
[Please don't cross-post]

You did not tell us what exactly does not work. DNS should work, and FTP should not, as it requires a data channel on a separate port. If that's the case, you may run natd(8) with the -punch_fw option.

On Wed, Sep 19, 2001 at 05:06:38PM +0300, Vladimir Terziev wrote:
> Sorry, but there is a rule number mistake in my previous e-mail with the same
> subject.
>
> I have a gateway machine which runs NATD (natd -unregistered_only -interface
> an0) and has the IP packet filter IPFW with the following rules:
>
>
> ipfw add 100 allow ip from any to any via lo0
>
> ipfw add 10002 skipto 20000 tcp from 192.168.15.2 to any 21
> ipfw add 10003 skipto 20000 tcp from 192.168.15.2 to any 53,6667,6668
> ipfw add 10004 skipto 20000 udp from 192.168.15.2 to any 53,4000
>
> ipfw add 11000 deny ip from 192.168.15.0/24 to any
>
> ipfw add 20000 divert natd ip from any to any via an0
>
> ipfw add 30000 allow ip from PUBLIC_IP to any
> ipfw add 30000 allow ip from any to PUBLIC_IP
>
> ipfw add 40001 allow tcp from any 21 to 192.168.15.2 established
> ipfw add 40002 allow tcp from any 53,6667,6668 to 192.168.15.2 established
> ipfw add 40003 allow udp from any 53,4000 to 192.168.15.2
>
> ipfw add 65000 deny ip from any to any
>
>
> The gateway machine is FreeBSD 4.4-RC and has 2 interfaces (internal, and
> external - an0). I need only one of the machines in the local network to have
> connectivity to "the rest of the world".
>
> I've read all the documentation about ipfw(8), divert(4) and natd(8).
> According to it, the above rules should provide what I want, but they don't !!!
>
> Does anybody have an idea why?
>
> regards,
> Vladimir

--
Ruslan Ermilov		Oracle Developer/DBA,
ru@sunbay.com		Sunbay Software AG,
ru@FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine

http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age
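As an added illustration of the point made in the reply (this is not code from the thread), the following script replays the quoted ipfw rule set against three constructed packets of an active-mode FTP session: the control channel to port 21 is allowed in both directions, but the server's data connection from port 20 matches no static rule and falls through to rule 65000. It models only the pass over an0, treats natd as a simple address rewrite that already holds an alias entry for the flow, and uses placeholder addresses for PUBLIC_IP and the remote server.

```python
# Added example, not from the thread: first-match walk over the poster's ipfw rules.
PUBLIC_IP, HOST, REMOTE = "203.0.113.1", "192.168.15.2", "198.51.100.7"  # placeholder public IP, the LAN host, constructed FTP server

def ip_in(addr, spec):  # spec is "any", a /24 prefix, or an exact address
    return spec == "any" or addr == spec or (spec.endswith("/24") and addr.startswith(spec[:spec.rindex(".") + 1]))

def m(proto="ip", src="any", sport=(), dst="any", dport=(), est=False, via=None):  # one rule body; est = ipfw 'established' (ACK or RST set)
    def match(p):
        return ((proto == "ip" or p["proto"] == proto)
                and ip_in(p["src"], src) and (not sport or p["sport"] in sport)
                and ip_in(p["dst"], dst) and (not dport or p["dport"] in dport)
                and (not est or p["flags"] & {"ACK", "RST"})
                and (via is None or p["via"] == via))
    return match

RULES = [  # (number, action, matcher), in the poster's order
    (100, "allow", m(via="lo0")),
    (10002, "skipto 20000", m("tcp", HOST, dport=(21,))),
    (10003, "skipto 20000", m("tcp", HOST, dport=(53, 6667, 6668))),
    (10004, "skipto 20000", m("udp", HOST, dport=(53, 4000))),
    (11000, "deny", m(src="192.168.15.0/24")),
    (20000, "divert", m(via="an0")),
    (30000, "allow", m(src=PUBLIC_IP)),
    (30000, "allow", m(dst=PUBLIC_IP)),
    (40001, "allow", m("tcp", sport=(21,), dst=HOST, est=True)),
    (40002, "allow", m("tcp", sport=(53, 6667, 6668), dst=HOST, est=True)),
    (40003, "allow", m("udp", sport=(53, 4000), dst=HOST)),
    (65000, "deny", m()),
]

def natd(p):  # crude natd: rewrite src on the way out, dst on the way in (assumes an alias entry exists)
    if p["src"].startswith("192.168.15."): p["src"] = PUBLIC_IP
    elif p["dst"] == PUBLIC_IP: p["dst"] = HOST

def walk(p):  # returns (verdict, rule numbers hit); skipto jumps, divert rewrites and continues at the next rule
    p, i, hits = dict(p), 0, []
    while i < len(RULES):
        num, action, match = RULES[i]
        if match(p):
            hits.append(num)
            if action in ("allow", "deny"): return action, hits
            if action.startswith("skipto"):  # jump to the first rule numbered >= target
                i = next(k for k, r in enumerate(RULES) if r[0] >= int(action.split()[1])); continue
            natd(p)
        i += 1
    return "deny", hits

def pkt(proto, src, sport, dst, dport, flags=(), via="an0"):
    return dict(proto=proto, src=src, sport=sport, dst=dst, dport=dport, flags=set(flags), via=via)

FTP_CTRL_OUT = pkt("tcp", HOST, 40000, REMOTE, 21, ("SYN",))           # client opens the control channel
FTP_CTRL_IN = pkt("tcp", REMOTE, 21, PUBLIC_IP, 40000, ("SYN", "ACK"))  # server's reply on the control channel
FTP_DATA_IN = pkt("tcp", REMOTE, 20, PUBLIC_IP, 40001, ("SYN",))       # active-mode data channel from the server
```

walk(FTP_DATA_IN) ends at rule 65000, which is the gap natd's -punch_fw option closes by inserting a rule for that flow when it sees the PORT command.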