From: Barry Irwin
To: Rich Fox
Cc: freebsd-net@freebsd.org
Date: Sun, 30 Sep 2001 18:57:04 +0200
Subject: Re: Natd Frustration!
Message-ID: <20010930185704.Q73094@itouchlabs.com>
In-Reply-To: from rich@f2sys.net on Sun, Sep 30, 2001 at 12:49:56PM -0400

On Sun 2001-09-30 (12:49), Rich Fox wrote:
> Here is my setup:
>
>                   ------------\              /------------------------
> 192.168.1.17 +--> 65.x.x.x/192.168.1.12 ->  |  @home network
>              |             DHCP              |
>             hub                              |  Internet
>              |             Static IP         |
> 192.168.1.15 +--> 216.x.x.x/192.168.1.1 ->   |  Crosslink/covad/verizon
>                   ------------/              \------------------------
>
> Yes, I have two internet connections. They can see each other without
> problems.
>
> The .17 machine's gateway is 192.168.1.12/65.x.x.x
> The .15 machine's gateway is 192.168.1.1/216.x.x.x
>
> natd.conf:
>
> interface ed0
> same_ports yes
> dynamic yes
> use_sockets yes
> verbose
> redirect_port tcp 192.168.1.17:80 80
> redirect_port udp 192.168.1.17:80 80
> (I don't need udp for this but for the sake of thoroughness...)

Why open up a potential hole where you don't need to?

> ipfw add divert 8668 ip from any to any via ed0
>
> ipfw add allow all from any to 192.168.1.17
> ipfw add allow all from 192.168.1.17 to any
> # deny everything else...
> ipfw add 65435 deny log ip from any to any

What is showing up in /var/log/security? If packets are getting denied they
should be logged here. Also try ipfw zero; try a connect, then ipfw show;
this will show you which rules are actually matching packets.

> In [TCP] [TCP] 216.x.x.x:2961 -> 65.x.x.x:80 aliased to
> [TCP] 216.x.x.x:2961 -> 192.168.1.17:80

What do you get when doing a tcpdump -n -i ed0 -v -v tcp and port 80 and a
tcpdump of the same on de0? Do the packets actually go out over de0, does
stuff come back? In which case it is most likely your ruleset.

> (Interestingly I see lots of IP addresses trying to connect to my web
> server. I really want to get this aliasing thing fixed so that I can put
> up a page that tells these nosy punks to go blow.)

None of them will read it, 99% of it is automated scripts. Rather just
blackhole the packets. No need to open yourself up.

> Any thoughts?
>
> Thanks,
> Rich.
>
> | rich fox / F2
> | rich@f2sys.net
> | www.f2sys.net
> | 5927 Ridge View Drive
> | Alexandria, VA 22310-2074
> | t:703.528.9616
> | f:703.528.0599
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-net" in the body of the message
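An added example, not part of either message in the thread, that puts Barry's advice into one script: a natd.conf without the UDP redirect, an ipfw ruleset that admits only new TCP connections to the web server from outside while still logging what the final deny drops, and a helper for the "ipfw zero, connect, ipfw show" counter check. Interface names, addresses and the divert port are taken from the thread; the function names and the IPFW variable are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): tightened natd/ipfw setup for the
# gateway Rich describes, plus the counter check Barry suggests. Assumed:
# ed0 = external (65.x.x.x) side, de0 = LAN, web server 192.168.1.17.
EXT_IF="ed0"
LAN_IF="de0"
WEB_HOST="192.168.1.17"
NATD_PORT="8668"

# natd.conf carrying only the forward that is needed: TCP/80. The UDP
# redirect from the thread is dropped; it only widens exposure.
natd_conf() {
    cat <<EOF
interface ${EXT_IF}
same_ports yes
dynamic yes
use_sockets yes
redirect_port tcp ${WEB_HOST}:80 80
EOF
}

# ipfw rule bodies in order. divert goes first so natd rewrites the
# destination before the allow rules see it; from outside only new TCP
# connections to the web server get in. Only TCP is covered (UDP such as
# DNS needs its own rules); the last deny logs, so /var/log/security
# shows what was dropped.
emit_rules() {
    cat <<EOF
divert ${NATD_PORT} ip from any to any via ${EXT_IF}
allow ip from any to any via lo0
allow ip from any to any via ${LAN_IF}
allow tcp from any to any established
allow tcp from any to any setup out via ${EXT_IF}
allow tcp from any to ${WEB_HOST} 80 setup in via ${EXT_IF}
deny log ip from any to any
EOF
}

# Load the rules (IPFW=echo gives a dry run of the commands).
IPFW="${IPFW:-ipfw}"
apply_rules() {
    emit_rules | while read -r rule; do
        $IPFW -q add $rule || return 1
    done
}

# Barry's check: ipfw zero, attempt the connect, then "ipfw show | rules_hit"
# prints only rules whose packet counter moved (ipfw show columns are
# rule number, packets, bytes, body).
rules_hit() {
    awk '$2 > 0'
}
```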