Date: Tue, 8 Dec 1998 08:16:08 -0700 (MST)
From: wildcardus freakis <wildcard@dax.belen.k12.nm.us>
To: Mark Mayo <mark@vmunix.com>
Cc: questions@FreeBSD.ORG
Subject: Re: NATD + firewall - I'm stumped..
Message-ID: <Pine.BSF.3.96.981208080110.10172A-101000@dax.belen.k12.nm.us>
In-Reply-To: <19981208030926.A25214@vmunix.com>
Ok, I have had a lot of experience with NAT and I remember that there are a couple of things that helped me a whole lot (I even called one of the original programmers)... once you know these things NAT is so cake to set up... The first thing is...

Get rid of the second card... I must have burnt up three weekends trying to get it to work with the dual card deal... once I removed the second card everything was cake... and a dual card is not really needed... all class B addresses must have a NAT device to work.

Also, for some reason the magic port for NAT is 50000.

Also, from the NAT machine you cannot telnet directly to inside machines; if you want to, you either have to set up an internal DNS name (i.e. in-dax vs. dax) or go by IP. This is from the NAT machine only... you can telnet from outside to inside machines regularly once you have the alias in place, and from inside to inside machines normally.

Also you need some alias options in natd.conf. I have included my conf files... so please contact me if you need any clarifications.

Sasha

On Tue, 8 Dec 1998, Mark Mayo wrote:

> Hi all. I've been trying to get what I thought would be a trivial
> gateway to the net setup. I have a very simple setup - a P133 with
> two interfaces: ed1 and de0
>
> ed1 is plugged into my cable modem with a static IP - 24.112.137.146
> de0 is plugged into my hub on the internal network - 192.168.4.1
>
> Naturally, I want my internal machines on the 192.168.4.1/24 network
> to be able to use the FreeBSD box as their NAT gateway. This is a
> 3.0-RELEASE box, with IPDIVERT, IPFIREWALL kernel options.
> GATEWAY=YES
>
> Using a very simple ruleset like:
>
> /sbin/ipfw add divert natd all from any to any via ed1
> /sbin/ipfw add 100 pass all from any to any via lo0
> /sbin/ipfw add 200 deny all from any to 127.0.0.0/8
> /sbin/ipfw add 65000 pass all from any to any
>
> Accompanied by "natd -n ed1" works nicely, and the NAT functions.
> The actual NAT box can get to both networks fine, and the internal
> machines also get access as expected. Naturally, I'd like to give
> a little more protection to the "router" box, but as soon as I try
> to do anything without the "add 65000 pass all from any to any" rule
> NAT just doesn't seem to want to go. Obviously, I'm doing something wrong
> and missing some key fundamental here, but no matter how many ways I
> play with the rules it beats me every time. Using the ruleset below, which
> makes sense at least in my mind, I can get to the point where the router
> is open on the inside, and from the actual router I can make connections
> to the outside world just fine, and incoming connections are rejected.
> In short everything is just how I'd like and expect it to be,
> with the one notable exception that packets simply aren't getting
> through the NAT part so my internal machines can't get to the internet.
> The "65534 deny all from any to any" ruleset is killing the packets..
>
> I'm stumped. What do I need to get this thing running correctly? :-)
>
> TIA to anyone that can lift my ignorance..
>
> -Mark
>
> #---------------------------------------------------------------------
> # Firewall by Mark...
> # summary: allow all traffic on the inside net, block nearly all
> # incoming traffic on the outside interface (internet), do NAT for
> # internal machine to access internet
> #
> # inside interface: de0
> # outside interface: ed1
>
> # outside and inside IPs
> oip="24.112.137.146"
> iip="192.168.4.1"
>
> /sbin/ipfw -f flush
>
> # Allow NAT to examine packets first
> /sbin/ipfw add divert natd all from any to any via ed1
>
> # Setup loopback interface + interior interface
> /sbin/ipfw add 100 pass all from any to any via lo0
> /sbin/ipfw add 200 deny all from any to 127.0.0.0/8
>
> # Stop RFC1918 nets on the outside interface
> /sbin/ipfw add deny all from 192.168.0.0:255.255.0.0 to any via ed1
> /sbin/ipfw add deny all from any to 192.168.0.0:255.255.0.0 via ed1
> /sbin/ipfw add deny all from 172.16.0.0:255.240.0.0 to any via ed1
> /sbin/ipfw add deny all from any to 172.16.0.0:255.240.0.0 via ed1
> /sbin/ipfw add deny all from 10.0.0.0:255.0.0.0 to any via ed1
> /sbin/ipfw add deny all from any to 10.0.0.0:255.0.0.0 via ed1
>
> # Allow all traffic to pass - i.e. open the door!
> #/sbin/ipfw add 65000 pass all from any to any
>
> # Allow established connections through (i.e. setup from the inside)
> # TCP goes through if setup succeeded
> /sbin/ipfw add pass all from any to any out xmit ed1
> /sbin/ipfw add pass tcp from any to any established
>
> # Allow traffic on my own net
> /sbin/ipfw add pass all from 192.168.4.0/24 to ${iip}
> /sbin/ipfw add pass all from ${iip} to 192.168.4.0/24
>
> # Allow access to my SSH port for remote access
> /sbin/ipfw add pass tcp from any to ${oip} 22 setup
>
> # Reset connections on the ident ports to prevent timeouts
> /sbin/ipfw add reset tcp from any to ${oip} 113
>
> # Reject & Log all setup of incoming connections from the outside
> #/sbin/ipfw add deny log tcp from any to any in via ed1 setup
> #/sbin/ipfw add deny log tcp from any to any in recv ed1 setup
> /sbin/ipfw add deny log tcp from any to ${oip} setup
>
> # Allow DNS queries out into the world
> /sbin/ipfw add pass udp from any 53 to ${oip}
> /sbin/ipfw add pass udp from ${oip} to any 53
>
>
> # Everything else is denied by default
>
>
> --
> ------------------------------------------------------------------------
> Mark Mayo                                              mark@vmunix.com
> RingZero Comp.                              http://www.vmunix.com/mark
> ------------------------------------------------------------------------
> "The Church says the earth is flat. But I know it's round, for I have
> seen the shadow on the moon. And I have more faith in a shadow than
> in the Church."
> - Ferdinand Magellan
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message

[Attachment: natdconf.tar (application/octet-stream, base64 content omitted)]
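An added illustration, not code from the thread or from FreeBSD: a small Python model of ipfw's first-match walk over the ruleset Mark quoted. It shows that a LAN host's packet is evaluated first on input via de0, where no rule in that set passes it, so the kernel's default deny (rule 65535) drops it before the divert/natd rule on ed1 is ever reached; a single "pass ... from 192.168.4.0/24 to any in via de0" rule changes the verdict. Assumptions: the rule table, packet fields and the 198.51.100.10 / 203.0.113.5 addresses are constructed; natd is modelled only as rewriting the source of outbound packets to ${oip}, and source ports are not modelled.

```python
import ipaddress
from dataclasses import dataclass, replace

@dataclass
class Pkt:
    src: str; dst: str; proto: str; direction: str; iface: str   # direction: "in"/"out"
    dport: int = 0; setup: bool = False   # setup=True: TCP SYN w/o ACK, False: "established"

def _in(addr, net):  # "any", or a network/host in CIDR or dotted form
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def rule(action, proto="all", src="any", dst="any", dport=None, direction=None, iface=None, setup=None):
    """One ipfw rule; iface models 'via X', direction models 'in' / 'out xmit X'."""
    def match(p):
        return (proto in ("all", p.proto) and _in(p.src, src) and _in(p.dst, dst)
                and dport in (None, p.dport) and direction in (None, p.direction)
                and iface in (None, p.iface) and setup in (None, p.setup))
    return action, match

def walk(rules, pkt, nat_src):
    """First-match walk ending in the kernel's default deny (rule 65535). A matching
    'divert' hands the packet to natd and the translated packet continues with the
    NEXT rule; only outbound source rewriting to nat_src is modelled here."""
    for i, (action, match) in enumerate(rules):
        if not match(pkt):
            continue
        if action == "divert":
            pkt = replace(pkt, src=nat_src) if pkt.direction == "out" else pkt
            continue
        return action, i
    return "deny", 65535

OIP, IIP, INSIDE = "24.112.137.146", "192.168.4.1", "192.168.4.0/24"
MARK = [rule("divert", iface="ed1"), rule("pass", iface="lo0"), rule("deny", dst="127.0.0.0/8")]
for n in ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"):        # RFC1918 anti-spoof on ed1
    MARK += [rule("deny", src=n, iface="ed1"), rule("deny", dst=n, iface="ed1")]
MARK += [rule("pass", direction="out", iface="ed1"),
         rule("pass", proto="tcp", setup=False),                    # established
         rule("pass", src=INSIDE, dst=IIP), rule("pass", src=IIP, dst=INSIDE),
         rule("pass", proto="tcp", dst=OIP, dport=22, setup=True),  # ssh
         rule("reset", proto="tcp", dst=OIP, dport=113),            # ident
         rule("deny", proto="tcp", dst=OIP, setup=True),            # other incoming setup
         rule("pass", proto="udp", dst=OIP),                        # "from any 53": sport not modelled
         rule("pass", proto="udp", src=OIP, dport=53)]
# The rule the quoted set lacks: let the inside net send anything in through de0.
FIXED = MARK[:3] + [rule("pass", src=INSIDE, direction="in", iface="de0")] + MARK[3:]
# Constructed packets: a LAN host's TCP SYN to a web server, as received on de0 and as sent on ed1.
LAN_SYN_IN = Pkt("192.168.4.7", "198.51.100.10", "tcp", "in", "de0", dport=80, setup=True)
LAN_SYN_OUT = replace(LAN_SYN_IN, direction="out", iface="ed1")
```

walk(MARK, LAN_SYN_IN, OIP) returns the default deny while walk(FIXED, LAN_SYN_IN, OIP) returns a pass at the inserted rule; the outbound leg on ed1 passes in both sets because natd has already rewritten the source before the anti-spoof rules are consulted.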