Date:      Tue, 3 Oct 2000 01:08:51 -0700
From:      "Crist J . Clark" <cjclark@reflexnet.net>
To:        Steve Jorgensen <steve@khoral.com>
Cc:        questions@FreeBSD.ORG, salas@khoral.com
Subject:   Re: ipfw & natd config problems
Message-ID:  <20001003010851.R25121@149.211.6.64.reflexcom.com>
In-Reply-To: <200010021919.NAA09032@khoral.com>; from steve@khoral.com on Mon, Oct 02, 2000 at 01:19:01PM -0600
References:  <200010021919.NAA09032@khoral.com>

On Mon, Oct 02, 2000 at 01:19:01PM -0600, Steve Jorgensen wrote:
> 
> 	I'm trying to set up a FreeBSD-4.1.1 box as a
>         firewall for my network.  We're using ipfw and natd.
>         I've got things pretty much working, but I'm having
>         two problems.
> 
>         #1:  I get lots of messages like:
> 
>         natd[163]: failed to write packet back (Permission denied)
> 
>         I can't figure out why this is happening.

It means that a packet is being processed by natd, but then the packet
is denied later in the firewall rules. I can't figure it out either
with no information about your rules and network.

>         #2: Externally, I can get to our webserver using the
>         public address (www.khoral.com).  However, internally,
>         I get connection denied whenever I use www.khoral.com,
>         but the internal hostname works fine.  Natd is redirecting
>         port 80 on the external interface to the internal web
>         server.  Is there any way to configure this so that the
>         external names for ftp and www work for internal machines?

Yes, there is a way. It is not too pretty. Why does the same question
pop up several times in a few days and then go weeks out of view? 
The short version is that your packets from the inside never reach the
outer interface of the firewall and therefore are never sent to natd.
You can run another instance of natd on the inner interface to do the
redirect. That is kind of overkill. There are more lightweight tools
to redirect TCP connections in /usr/ports/net. You might want to have
a look at those.
-- 
Crist J. Clark                           cjclark@alum.mit.edu
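An added example, not from the thread, of an ipfw/natd ruleset for the layout discussed above: it shows why a divert bound only to the outside interface never sees inside clients (problem #2) and where the "failed to write packet back (Permission denied)" message comes from (problem #1). Assumed names: fxp0 and fxp1 as the outside and inside interfaces, 203.0.113.10 as the public address on fxp0, 192.168.1.10 as the internal web server.

```sh
# Constructed /etc/rc.firewall-style fragment (example, not the poster's
# configuration). Assumed: fxp0 = outside interface holding 203.0.113.10,
# fxp1 = inside interface, 192.168.1.10 = internal web server.
fwcmd="/sbin/ipfw"

# natd bound to the outside interface: masquerades outbound traffic and
# sends inbound port 80 on the public address to the internal server.
# It only ever sees packets that ipfw diverts to port 8668, and rule 100
# below diverts only packets crossing fxp0.
/sbin/natd -port 8668 -interface fxp0 \
    -redirect_port tcp 192.168.1.10:80 80

# Problem #2: an inside client connecting to 203.0.113.10:80 arrives on
# fxp1, never crosses fxp0, so nothing redirects it; the firewall box
# itself answers (or refuses) on its public address. The reply's
# workaround is a second natd instance tied to fxp1 (rule 110). Its own
# alias address is fxp1's, so the public address must be given explicitly.
# Note that the server's answer must also come back through this box for
# natd to undo the rewrite, which is what makes this approach awkward.
/sbin/natd -port 8669 -interface fxp1 \
    -redirect_port tcp 192.168.1.10:80 203.0.113.10:80

${fwcmd} -f flush
${fwcmd} add 100 divert 8668 ip from any to any via fxp0
${fwcmd} add 110 divert 8669 ip from any to any via fxp1

# Everything after the divert rules is evaluated against the packet as
# natd rewrote it (inbound: destination now 192.168.1.10:80). Problem #1:
# when natd hands a packet back and a later rule denies it, the kernel
# refuses the write and natd logs "failed to write packet back
# (Permission denied)". `ipfw -a list` shows which deny counter climbs.
${fwcmd} add 200 allow tcp from any to 192.168.1.10 80 setup
${fwcmd} add 210 allow tcp from 192.168.1.0/24 to any setup
${fwcmd} add 220 allow tcp from any to any established
${fwcmd} add 65000 deny log ip from any to any
```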

