From owner-freebsd-small@FreeBSD.ORG Mon Dec 1 22:29:50 2003
Message-ID: <1070346579.3fcc3153d949d@webmail.jaring.my>
Date: Tue, 2 Dec 2003 14:29:39 +0800
From: Norhisham Khalil
To: freebsd-small@freebsd.org
Subject: problem with natd
List-Id: Dedicated and Embedded Systems

Hi all,

I sent this msg using pine on 24th Nov, but when I checked the mailing list it was not readable. Strange, I could read it with pine. So I send it again. Sorry for the inconvenience.

I built picobsd on FreeBSD 4.9-RELEASE. The crunch.conf is based on net with user ppp, natd, ipfw2, sshd and ee. The ppp and internet connection is working fine with the firewall open.

I have a problem only when I use my custom firewall script with natd. I built pico with these steps below:

In the kernel conf PICOBSD, I have these options:

    options IPFIREWALL
    options IPDIVERT
    options IPFW2

I launch ppp with rc.local and use custom ipfw rules invoked by the rc.firewall script:

    firewall_enable="YES"
    firewall_type="/etc/fwrules"

rc.local:

    #!/bin/sh
    #swapon /dev/ad0s1b
    #plenty space on harddisk, a swap is not a big deal.
    ppp -auto papchap
    natd -interface tun0

ns would look like this after the dialup connection:

    Routing table:
    --------------
    Destination        Gateway            Flags    Netif  Use
    default            61.6.142.2         UGSc     tun0   20
    10.0.0.0/27        link#3             UC       ed0    0
    10.0.0.5           link#3             UHLW     ed0    32
    10.0.0.32/27       link#1             UC       ep0    0
    10.0.0.64/27       link#2             UC       ep1    0
    61.6.142.2         61.6.142.145       UH       tun0   0
    127.0.0.1          127.0.0.1          UH       lo0    0

It seemed that there is traffic going out but no traffic coming back.

ipfw -d show:

    00010   0    0 allow ip from any to any via lo0
    00020   0    0 deny ip from 127.0.0.0/8 to 127.0.0.0/8
    00100  12  655 divert 8668 ip from any to any via tun0
    00200   0    0 check-state
    00220   0    0 deny tcp from any to any established
    00250   0    0 deny ip from 10.0.0.0/8 to any in via tun0
    00251   0    0 deny ip from 192.168.0.0/16 to any in via tun0
    00252   0    0 deny ip from 172.16.0.0/12 to any in via tun0
    00253   0    0 deny ip from any to 10.0.0.0/8 in via tun0
    00254   0    0 deny ip from any to 172.16.0.0/12 in via tun0
    00255   0    0 deny ip from any to 192.168.0.0/16 in via tun0
    00300   0    0 allow tcp from me to any out via lo0 setup keep-state
    00310   0    0 deny tcp from me to any out via lo0
    00320   0    0 allow ip from me to any out via lo0 keep-state
    00400   0    0 allow tcp from me to any out setup keep-state
    00410   0    0 deny tcp from me to any
    00420   9  523 allow ip from me to any out keep-state
    00510   0    0 allow tcp from 10.0.0.0/24 to any setup keep-state
    00520   0    0 deny tcp from 10.0.0.0/24 to any
    00530   0    0 allow ip from 10.0.0.0/24 to any out keep-state
    00600   0    0 allow tcp from any to me dst-port 22 in setup keep-state
    00700   9  523 allow udp from any to 192.228.128.20 dst-port 53
    00710   0    0 allow udp from 192.228.128.20 53 to any
    00720   0    0 allow udp from any to 132.239.1.6 dst-port 123
    00730   0    0 allow udp from 132.239.1.6 123 to any
    00740   0    0 reset tcp from any to me dst-port 113 in
    00800   0    0 allow icmp from any to any icmptypes 0,3,8,11,12,13,14
    00900   3  132 deny ip from any to any
    65535   0    0 deny ip from any to any
    ## Dynamic rules (5):
    00420   0    0 (1s) STATE udp 10.0.0.1 1030 <-> 192.228.128.20 53
    00420   0    0 (4s) STATE udp 10.0.0.1 1031 <-> 192.228.128.20 53
    00420   0    0 (9s) STATE udp 10.0.0.1 1032 <-> 192.228.128.20 53

I run the same rules on a full-blown FreeBSD 4.9 machine, and it works. Here is the ipfw -d show on the other machine:

    00400  25 4704 allow tcp from me to any out setup keep-state
    00410   0    0 deny tcp from me to any
    00420  40 2946 allow ip from me to any out keep-state
    ## Dynamic rules (36):
    00400   7 3800 (201s) STATE tcp 61.6.117.188 1026 <-> 61.6.32.105 80

See, the natd did not get the correct IP for tun0. I think there is something wrong with natd on my pico. Connection without natd (firewall_type=open) works. I think it is only natd; do I miss something?

sham khalil

----------------------------------------------------------------
This e-mail has been sent via JARING webmail at http://www.jaring.my
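As an added illustration (not part of the original post), a small Python parser for the `ipfw -d show` format quoted above that flags dynamic keep-state entries recorded after the divert rule whose local endpoint is still a private address, which is the symptom the post points at. The sample output is constructed from the rules above; the field names and the "first divert rule" heuristic are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample, trimmed from the `ipfw -d show` output quoted in the post.
SAMPLE = """\
00100 12 655 divert 8668 ip from any to any via tun0
00420 9 523 allow ip from me to any out keep-state
## Dynamic rules (2):
00420 0 0 (1s) STATE udp 10.0.0.1 1030 <-> 192.228.128.20 53
00420 0 0 (4s) STATE udp 10.0.0.1 1031 <-> 192.228.128.20 53
"""

STATIC_RE = re.compile(r"^(\d{5}) +(\d+) +(\d+) +(.*)$")
DYNAMIC_RE = re.compile(
    r"^(\d{5}) +\d+ +\d+ +\(\d+s\) STATE (\w+) (\S+) (\d+) <-> (\S+) (\d+)$")

def parse_ipfw_show(text):
    """Split `ipfw -d show` output into static rules and dynamic states."""
    static, dynamic, in_dynamic = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("## Dynamic rules"):
            in_dynamic = True  # everything below this header is state
            continue
        m = (DYNAMIC_RE if in_dynamic else STATIC_RE).match(line)
        if not m:
            continue
        if in_dynamic:
            num, proto, src, _, dst, _ = m.groups()
            dynamic.append({"rule": int(num), "proto": proto, "src": src, "dst": dst})
        else:
            num, pkts, nbytes, body = m.groups()
            static.append({"rule": int(num), "pkts": int(pkts),
                           "bytes": int(nbytes), "body": body})
    return static, dynamic

def _is_private(addr):
    try:
        return ipaddress.ip_address(addr).is_private
    except ValueError:  # 'me', 'any' or a hostname rather than an address
        return False

def untranslated_states(text):
    """States created after the divert rule whose local end is still private:
    natd should have rewritten the source first, so this is the post's symptom."""
    static, dynamic = parse_ipfw_show(text)
    divert = min((r["rule"] for r in static if r["body"].startswith("divert")),
                 default=None)
    return [s for s in dynamic if divert is not None
            and s["rule"] > divert and _is_private(s["src"])]
```

Run it against a real `ipfw -d show` capture; an empty result means every state behind the divert rule carries a translated (public) local address.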