Date: Tue, 2 Dec 2003 14:29:39 +0800
From: Norhisham Khalil <ksham@pd.jaring.my>
To: freebsd-small@freebsd.org
Subject: problem with natd
Message-ID: <1070346579.3fcc3153d949d@webmail.jaring.my>
Hi all,

I sent this msg using pine on 24th Nov, but when I checked the mailing list it was not readable. Strange, I could read it with pine. So I send it again, sorry for the inconvenience.

I built picobsd on FreeBSD 4.9-RELEASE, the crunch.conf based on net with user ppp, natd, ipfw2, sshd and ee. The ppp and internet connection is working fine with the firewall open. I have a problem only when I use my custom firewall script with natd.

I build pico with these steps below:

In kernel conf PICOBSD, I have these options:

options IPFIREWALL
options IPDIVERT
options IPFW2

I launch ppp with rc.local and use custom ipfw rules invoked by the rc.firewall script:

firewall_enable="YES"
firewall_type="/etc/fwrules"

rc.local:

#!/bin/sh
#swapon /dev/ad0s1b #plenty space on harddisk, a swap is not a big deal.
ppp -auto papchap
natd -interface tun0

ns would look like this after the dialup connection:

Routing table:
--------------
Destination        Gateway            Flags    Netif  Use
default            61.6.142.2         UGSc     tun0    20
10.0.0.0/27        link#3             UC       ed0      0
10.0.0.5           link#3             UHLW     ed0     32
10.0.0.32/27       link#1             UC       ep0      0
10.0.0.64/27       link#2             UC       ep1      0
61.6.142.2         61.6.142.145       UH       tun0     0
127.0.0.1          127.0.0.1          UH       lo0      0

It seemed that there is traffic going out but no traffic coming back.

ipfw -d show
00010 0 0 allow ip from any to any via lo0
00020 0 0 deny ip from 127.0.0.0/8 to 127.0.0.0/8
00100 12 655 divert 8668 ip from any to any via tun0
00200 0 0 check-state
00220 0 0 deny tcp from any to any established
00250 0 0 deny ip from 10.0.0.0/8 to any in via tun0
00251 0 0 deny ip from 192.168.0.0/16 to any in via tun0
00252 0 0 deny ip from 172.16.0.0/12 to any in via tun0
00253 0 0 deny ip from any to 10.0.0.0/8 in via tun0
00254 0 0 deny ip from any to 172.16.0.0/12 in via tun0
00255 0 0 deny ip from any to 192.168.0.0/16 in via tun0
00300 0 0 allow tcp from me to any out via lo0 setup keep-state
00310 0 0 deny tcp from me to any out via lo0
00320 0 0 allow ip from me to any out via lo0 keep-state
00400 0 0 allow tcp from me to any out setup keep-state
00410 0 0 deny tcp from me to any
00420 9 523 allow ip from me to any out keep-state
00510 0 0 allow tcp from 10.0.0.0/24 to any setup keep-state
00520 0 0 deny tcp from 10.0.0.0/24 to any
00530 0 0 allow ip from 10.0.0.0/24 to any out keep-state
00600 0 0 allow tcp from any to me dst-port 22 in setup keep-state
00700 9 523 allow udp from any to 192.228.128.20 dst-port 53
00710 0 0 allow udp from 192.228.128.20 53 to any
00720 0 0 allow udp from any to 132.239.1.6 dst-port 123
00730 0 0 allow udp from 132.239.1.6 123 to any
00740 0 0 reset tcp from any to me dst-port 113 in
00800 0 0 allow icmp from any to any icmptypes 0,3,8,11,12,13,14
00900 3 132 deny ip from any to any
65535 0 0 deny ip from any to any
## Dynamic rules (5):
00420 0 0 (1s) STATE udp 10.0.0.1 1030 <-> 192.228.128.20 53
00420 0 0 (4s) STATE udp 10.0.0.1 1031 <-> 192.228.128.20 53
00420 0 0 (9s) STATE udp 10.0.0.1 1032 <-> 192.228.128.20 53

I ran the same rules on a full blown FreeBSD 4.9 machine, and it works. Here is the ipfw -d show on the other machine:

00400 25 4704 allow tcp from me to any out setup keep-state
00410 0 0 deny tcp from me to any
00420 40 2946 allow ip from me to any out keep-state
## Dynamic rules (36):
00400 7 3800 (201s) STATE tcp 61.6.117.188 1026 <-> 61.6.32.105 80

See, the natd did not get the correct ip for tun0. I think there is something wrong with natd on my pico. Connection without natd (firewall_type=open) works, I think it is only natd. Do I miss something?

sham khalil
----------------------------------------------------------------
This e-mail has been sent via JARING webmail at http://www.jaring.my
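An added check, not part of the post or of the FreeBSD tools, that parses `ipfw -d show` text and flags dynamic states keyed on a private local address while a divert (natd) rule guards the external interface. That is the difference between the two outputs above: the PicoBSD states sit on 10.0.0.1, the working machine's on its public address. The sample texts are constructed, abridged from the post's output (the working machine's divert counters are made up).

```python
import ipaddress
import re

# Constructed sample, abridged from the post's PicoBSD `ipfw -d show` output.
PICO = """\
00100 12 655 divert 8668 ip from any to any via tun0
00420 9 523 allow ip from me to any out keep-state
## Dynamic rules (5):
00420 0 0 (1s) STATE udp 10.0.0.1 1030 <-> 192.228.128.20 53
00420 0 0 (4s) STATE udp 10.0.0.1 1031 <-> 192.228.128.20 53
"""
# Constructed sample for the working 4.9 machine (divert line and its counters invented).
WORKING = """\
00100 50 7650 divert 8668 ip from any to any via tun0
00420 40 2946 allow ip from me to any out keep-state
## Dynamic rules (36):
00400 7 3800 (201s) STATE tcp 61.6.117.188 1026 <-> 61.6.32.105 80
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DIVERT_RE = re.compile(r"^(\d+)\s+(\d+)\s+\d+\s+divert\s+(\d+)\s+.*\bvia\s+(\S+)")
STATE_RE = re.compile(r"^(\d+)\s+\d+\s+\d+\s+\(\d+s\)\s+STATE\s+(\w+)\s+(\S+)\s+\d+\s+<->\s+(\S+)\s+\d+")

def is_private(addr):
    return any(ipaddress.ip_address(addr) in net for net in RFC1918)

def parse_ipfw(text):
    """Return (divert rules, dynamic states) found in `ipfw -d show` output."""
    diverts, states = [], []
    for line in text.splitlines():
        m = DIVERT_RE.match(line)
        if m:
            diverts.append({"rule": int(m[1]), "pkts": int(m[2]), "port": int(m[3]), "iface": m[4]})
            continue
        m = STATE_RE.match(line)
        if m:
            states.append({"rule": int(m[1]), "proto": m[2], "src": m[3], "dst": m[4]})
    return diverts, states

def untranslated_states(text):
    """States keyed on a private local address with a public peer although a divert
    rule precedes them: the packets passed natd without being rewritten, so they
    left with a private source and replies cannot come back (the post's symptom)."""
    diverts, states = parse_ipfw(text)
    if not diverts:
        return []  # no natd divert rule at all; nothing to compare against
    return [(s["rule"], s["proto"], s["src"], s["dst"]) for s in states
            if is_private(s["src"]) and not is_private(s["dst"])]

if __name__ == "__main__":
    for name, text in (("picobsd", PICO), ("working", WORKING)):
        print(name, untranslated_states(text))
```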