Date: Sun, 30 Sep 2001 18:57:04 +0200
From: Barry Irwin <bvi@itouchlabs.com>
To: Rich Fox <rich@f2sys.net>
Cc: freebsd-net@freebsd.org
Subject: Re: Natd Frustration!
Message-ID: <20010930185704.Q73094@itouchlabs.com>
In-Reply-To: <Pine.BSF.4.21.0109301214090.48292-100000@iwishihadaname.crosslink.net>; from rich@f2sys.net on Sun, Sep 30, 2001 at 12:49:56PM -0400
References: <Pine.BSF.4.21.0109301214090.48292-100000@iwishihadaname.crosslink.net>
On Sun 2001-09-30 (12:49), Rich Fox wrote:
> Here is my setup:
>
>  ------------\                               /------------------------
>  192.168.1.17 +--> 65.x.x.x/192.168.1.12  -> | @home network
>  |                 DHCP                      |
>  hub                                         | Internet
>  |                 Static IP                 |
>  192.168.1.15 +--> 216.x.x.x/192.168.1.1  -> | Crosslink/covad/verizon
>  ------------/                               \------------------------
>
> Yes, I have two internet connections. They can see each other without
> problems.
>
> The .17 machine's gateway is 192.168.1.12/65.x.x.x
> The .15 machine's gateway is 192.168.1.1/216.x.x.x
>
> natd.conf:
> interface ed0
> same_ports yes
> dynamic yes
> use_sockets yes
> verbose
> redirect_port tcp 192.168.1.17:80 80
> redirect_port udp 192.168.1.17:80 80
> (I don't need udp for this but for the sake of thoroughness...)

Why open up a potential hole where you don't need to?

> ipfw add divert 8668 ip from any to any via ed0
>
> ipfw add allow all from any to 192.168.1.17
> ipfw add allow all from 192.168.1.17 to any
> # deny everything else...
> ipfw add 65435 deny log ip from any to any

What is showing up in /var/log/security? If packets are getting denied they
should be logged here. Also try ipfw zero; try a connect, then ipfw show;
this will show you which rules are actually matching packets.

> In [TCP] [TCP] 216.x.x.x:2961 -> 65.x.x.x:80 aliased to
> [TCP] 216.x.x.x:2961 -> 192.168.1.17:80

What do you get when doing a tcpdump -n -i ed0 -v -v tcp and port 80 and a
tcpdump of the same on de0? Do the packets actually go out over de0, does
stuff come back? In which case it is most likely your ruleset.

> (Interestingly I see lots of IP addresses trying to connect to my web
> server. I really want to get this aliasing thing fixed so that I can put
> up a page that tells these nosy punks to go blow.)

None of them will read it, 99% of it is automated scripts. Rather just
blackhole the packets. No need to open yourself up.

> Any thoughts?
>
> Thanks,
> Rich.
>
> | rich fox / F2
> | rich@f2sys.net
> | www.f2sys.net
> | 5927 Ridge View Drive
> | Alexandria, VA 22310-2074
> | t:703.528.9616
> | f:703.528.0599
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-net" in the body of the message
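One thing the per-rule counters from ipfw zero / ipfw show can expose in a ruleset like the one quoted above: a packet that natd re-injects after the divert rule continues matching at the next rule with its translated addresses, so an outbound reply from 192.168.1.17 reaches the two allow rules with source 65.x.x.x and falls through to the logging deny. The Python model below is an added illustration of that first-match/divert semantics, not code from the thread; it assumes the three unnumbered rules were auto-assigned 100, 200 and 300 and uses a simplified stand-in for natd's port redirect.

```python
from dataclasses import dataclass, replace

@dataclass
class Packet:
    src: str
    dst: str
    iface: str      # interface the packet traverses
    direction: str  # "in" or "out"

# The quoted ruleset in ipfw first-match order.
# Rule numbers 100/200/300 are assumed (ipfw auto-numbers unnumbered adds).
RULES = [
    (100,   "divert", "any", "any", "ed0"),
    (200,   "allow",  "any", "192.168.1.17", None),
    (300,   "allow",  "192.168.1.17", "any", None),
    (65435, "deny",   "any", "any", None),
]

# Constructed stand-in for natd: redirect_port tcp 192.168.1.17:80 80 on 65.x.x.x
NAT_PUBLIC, NAT_PRIVATE = "65.x.x.x", "192.168.1.17"

def natd(pkt):
    """Model natd on the external interface: rewrite dst inbound, src outbound."""
    if pkt.direction == "in" and pkt.dst == NAT_PUBLIC:
        return replace(pkt, dst=NAT_PRIVATE)
    if pkt.direction == "out" and pkt.src == NAT_PRIVATE:
        return replace(pkt, src=NAT_PUBLIC)
    return pkt

def matches(spec, addr):
    return spec == "any" or spec == addr

def evaluate(pkt):
    """Return (action, rule number, packet as seen by the matching rule)."""
    for number, action, src, dst, via in RULES:
        if not (matches(src, pkt.src) and matches(dst, pkt.dst)):
            continue
        if via is not None and via != pkt.iface:
            continue
        if action == "divert":
            pkt = natd(pkt)   # natd re-injects; matching resumes at the NEXT rule
            continue
        return action, number, pkt
    return "deny", None, pkt  # implicit default deny

if __name__ == "__main__":
    # Constructed packets: the inbound connect from the natd log, and its reply.
    for p in (Packet("216.x.x.x", "65.x.x.x", "ed0", "in"),
              Packet("192.168.1.17", "216.x.x.x", "ed0", "out")):
        print(p.direction, evaluate(p))
```

Whether that is what is actually happening on this box is exactly what a climbing counter on rule 65435 (and the matching line in /var/log/security) would confirm or rule out.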
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010930185704.Q73094>