Date: Tue, 25 Jan 2000 20:25:05 +0200 From: Michael Bartlett <cataract@eye2eye.net> To: "'cjclark@home.com'" <cjclark@home.com> Cc: "'questions@freebsd.org'" <questions@FreeBSD.ORG> Subject: RE: FW: internet gateway setup using NATD Message-ID: <F16C1C3F6AB8D311998F00C0DF266AE7E24B@OPTIC>
next in thread | raw e-mail | index | archive | help
This message is in MIME format. Since your mail reader does not understand
this format, some or all of this message may not be legible.
------_=_NextPart_001_01BF6761.83A89410
Content-Type: text/plain;
charset="iso-8859-1"
Crist,
Sorry to bombard you, but I think I'm sort of closer (well actually I've
done this by the book now) and am still having the problem when I telnet
196.31.83.227:25 I get the 196.31.83.226:25 exim hello rather than the
192.168.62.150:25 response.
[eyeland] /etc # ipfw list
01000 allow ip from any to any via lo0
01100 deny ip from 127.0.0.0/8 to 127.0.0.0/8
01500 divert 8668 ip from any to any via rl0
65000 allow ip from any to any
65535 allow ip from any to any
As you can see, I adjusted the IPFIREWALL_DEFAULT_TO_ACCEPT in my kernel.
<snip from rc.conf>
natd_enable="YES"
natd_interface="rl0"
natd_flags="-f /etc/natd.conf"
</snip>
And finally /etc/natd.conf with most of the comments removed...
log yes
# Incoming connections. Should NEVER be set to "yes" if redirect_port,
# redirect_address, or permanent_link statements are activated in this file!
#
# Setting to yes provides additional anti-crack protection
#
deny_incoming no
use_sockets yes
same_ports yes
verbose no
port 8668
interface rl0
unregistered_only no
#The following mapping points outside address 198.105.232.1 to 192.168.1.56
redirect_address 192.168.62.150 196.31.83.227
Now the interesting thing here is the first comment that deny_incoming
should never be set to yes. So I didn't!
Then they have their example on the redirect_address, and so I adjusted it
to suit my IPs and still nothing!
I'm wondering if this maybe has something to do with it
<snip from natd.cf.sample>
# Obtain interface name from the command output of "ifconfig -a"
#
# alias_address 192.168.0.1
interface rl0
</snip>
And then what you said...
>Are the packets destined for 196.31.83.227 actually crossing the rl0
>interface? They don't get sent to natd if they do not.
I've tried to uncomment that alias_address and put 196.31.83.227 in there,
but the same results. What do you mean by crossing the rl0? And do you have
any other ideas ;)
Cheers
Mike
From: Crist J. Clark [mailto:cjc@cc942873-a.ewndsr1.nj.home.com]
Sent: Monday, January 24, 2000 5:37 PM
To: Michael Bartlett
Cc: 'cjclark@home.com'; 'questions@freebsd.org'
Subject: Re: FW: internet gateway setup using NATD
On Mon, Jan 24, 2000 at 05:10:07PM +0200, Michael Bartlett wrote:
> Crist,
>
> Thanks for your response, maybe you could clear a couple of things up for
me
> here...
> [eyeland] # ipfw list
> 01000 allow ip from any to any via lo0
> 01100 deny ip from 127.0.0.0/8 to 127.0.0.0/8
> 01500 divert 8668 ip from any to any via rl0
> 65000 allow ip from any to any
> 65535 deny ip from any to any
Looks good.
> I was under the impression that the # of the firewall rule is the order in
> which the rule is implemented (01000 will happen before 01100). If this is
> the case, do rules 65000 and 65535 not conflict each other? I cannot for
the
> life of me find what is instigating rule 65535 on my box, nor can I delete
> it :
>
> [eyeland] # ipfw delete 65535
> ipfw: rule 65535: setsockopt(IP_FW_DEL): Invalid argument
See the ipfw(8) manpage,
One rule is always present:
65535 deny all from any to any
This rule is the default policy, i.e., don't allow anything at all.
Your
job in setting up rules is to modify this policy to match your needs.
However, if the kernel option ``IPFIREWALL_DEFAULT_TO_ACCEPT'' is
active,
the rule is instead:
65535 allow all from any to any
This variation lets everything pass through. This option should only
be
activated in particular circumstances, such as if you use the firewall
system as an on-demand denial-of-service filter that is normally wide
open.
> > On one of my other boxes I run this script in /usr/local/etc/rc.d
> >
> > /sbin/natd -n fxp0 -redirect_port tcp 196.38.133.194:110
196.38.133.198:80
> > /sbin/ipfw add divert natd all from any to any via fxp0
>
> I have been previously told that it is "bad practise" to execute stuff
like
> this in rc.d - but that has never been justified properly to me (I was
told
> its not "pure"). Now in the abovementioned example this is my ipfw list:
I could not think of a reason off hand why it is technically
bad once I saw on the next lines how you have the firewall
setup. However, you lose the flexibility of starting natd from rc.conf
and all of the little detail that rc.network handles for you. It is
not good for most people since they typically have more complicated
firewall rules on a natd box. Under those circumstances, you need to
start natd when you start the firewall and you need to get all of your
network setup in order to do many of the other steps of the typical
multi-user startup.
You also miss out on a lot of support since most people don't do it
that way. ;)
> [messenger] # ipfw list
> 00100 divert 8668 ip from any to any via fxp0
> 65535 allow ip from any to any
>
> The difference between the two boxes is that the [messenger] box does not
> act as a gateway whereas the [eyeland] box does. We can see that the
> firewall rules are slightly different but otherwise I can't see anything
> glaringly obvious that is making this thing not work.
messenger looks like it was compiled with IPFIREWALL_DEFAULT_TO_ACCEPT
set in the kernel config.
Anyway, all of that aside, I just noticed something about these,
# /sbin/natd -n rl0 -redirect_port tcp 196.31.83.226:25 196.31.83.227:80
01500 divert 8668 ip from any to any via rl0
Are the packets destined for 196.31.83.227 actually crossing the rl0
interface? They don't get sent to natd if they do not.
> -----Original Message-----
> From: owner-freebsd-questions@FreeBSD.ORG
> [mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Crist J. Clark
> Sent: Sunday, January 23, 2000 5:50 AM
> To: Michael Bartlett
> Cc: 'questions@freebsd.org'
> Subject: Re: FW: internet gateway setup using NATD
>
>
> On Sat, Jan 22, 2000 at 03:05:31PM +0200, Michael Bartlett wrote:
> > Thought I'd throw this @ the list as well...
> >
> > -----Original Message-----
> > From: Michael Bartlett
> > Sent: Saturday, January 22, 2000 2:56 PM
> > To: 'Burke Gallagher'
> > Subject: RE: internet gateway setup using NATD
> >
> >
> > Hey Burke,
> >
> > Sorry to bug you again, but I'm having another problem and it could be
> > related to what you told me to do and could also prove interesting...
> >
> > On one of my other boxes I run this script in /usr/local/etc/rc.d
> >
> > /sbin/natd -n fxp0 -redirect_port tcp 196.38.133.194:110
196.38.133.198:80
> > /sbin/ipfw add divert natd all from any to any via fxp0
> >
> > If you are confused, the reason is that we needed to get around a
firewall
> > problem (one of our consultants other company close 110 access on their
> > firewall - this way he can pickup his mail from us with port 80!! ;) ).
> >
> > Anyway,
> >
> > I tried the identical thing on my box with your settings and take a
> look...
> >
> > [eyeland] # /sbin/natd -n rl0 -redirect_port tcp 196.31.83.226:25
> > 196.31.83.227:80
> > [eyeland] # telnet 196.31.83.227 80
> > Trying 196.31.83.227...
> > telnet: Unable to connect to remote host: Connection refused
> >
> > Now the .227 ip is an alias on rl0, so it should just be passed along
the
> > same NIC and have no problems. I also tried the destination being on rl1
> > (192.168.62.150:25) which is an smtp server on my local network and that
> > didn't work either.
> >
> > Any thoughts?
>
> Yes. First, don't start NATd from /usr/local/etc/rc.d. That is pretty
> much dead last in the startup process and could prevent lotsa stuff
> from being started properly in the ealier steps since the networking
> won't work. It also means that your divert to natd in the firewall is
> the last rule. Most likely, that will mess things up too (especially
> if you have a 'pass ip any to any' before it).
>
> In your second problem, it's really hard to say what is going on. Your
> firewall rules (with the divert) are suspect for the above reasons, so
> I would not be surprised if nothing works. However, even if we assume
> they are now OK, we can't say if there is a problem with natd. If you
> call 196.31.83.226 directly on port 25, do you actually get to talk to
> sendmail (or whatever MTA is supposed to be listening)? natd could be
> working and we would not know it.
> --
> Crist J. Clark cjclark@home.com
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
--
Crist J. Clark cjclark@home.com
------_=_NextPart_001_01BF6761.83A89410
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
charset=3Diso-8859-1">
<META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version =
5.5.2448.0">
<TITLE>RE: FW: internet gateway setup using NATD</TITLE>
</HEAD>
<BODY>
<P><FONT SIZE=3D2>Crist,</FONT>
</P>
<P><FONT SIZE=3D2>Sorry to bombard you, but I think I'm sort of closer =
(well actually I've done this by the book now) and am still having the =
problem when I telnet 196.31.83.227:25 I get the 196.31.83.226:25 exim =
hello rather than the 192.168.62.150:25 response.</FONT></P>
<P><FONT SIZE=3D2>[eyeland] /etc # ipfw list</FONT>
<BR><FONT SIZE=3D2>01000 allow ip from any to any via lo0</FONT>
<BR><FONT SIZE=3D2>01100 deny ip from 127.0.0.0/8 to 127.0.0.0/8</FONT>
<BR><FONT SIZE=3D2>01500 divert 8668 ip from any to any via rl0</FONT>
<BR><FONT SIZE=3D2>65000 allow ip from any to any</FONT>
<BR><FONT SIZE=3D2>65535 allow ip from any to any</FONT>
</P>
<P><FONT SIZE=3D2>As you can see, I adjusted the =
IPFIREWALL_DEFAULT_TO_ACCEPT in my kernel.</FONT>
</P>
<P><FONT SIZE=3D2><snip from rc.conf></FONT>
</P>
<P><FONT SIZE=3D2>natd_enable=3D"YES"</FONT>
<BR><FONT SIZE=3D2>natd_interface=3D"rl0"</FONT>
<BR><FONT SIZE=3D2>natd_flags=3D"-f /etc/natd.conf"</FONT>
</P>
<P><FONT SIZE=3D2></snip></FONT>
</P>
<P><FONT SIZE=3D2>And finally /etc/natd.conf with most of the comments =
removed...</FONT>
</P>
<P><FONT SIZE=3D2>log yes</FONT>
<BR><FONT SIZE=3D2># Incoming connections. Should NEVER be set to =
"yes" if redirect_port,</FONT>
<BR><FONT SIZE=3D2># redirect_address, or permanent_link statements are =
activated in this file!</FONT>
<BR><FONT SIZE=3D2>#</FONT>
<BR><FONT SIZE=3D2># Setting to yes provides additional anti-crack =
protection</FONT>
<BR><FONT SIZE=3D2>#</FONT>
<BR><FONT SIZE=3D2>deny_incoming no</FONT>
<BR><FONT SIZE=3D2>use_sockets yes</FONT>
<BR><FONT SIZE=3D2>same_ports yes</FONT>
<BR><FONT =
SIZE=3D2>verbose =
no</FONT>
<BR><FONT =
SIZE=3D2>port  =
; 8668</FONT>
<BR><FONT SIZE=3D2>interface =
rl0</FONT>
<BR><FONT =
SIZE=3D2>unregistered_only =
no</FONT>
<BR><FONT SIZE=3D2>#The following mapping points outside address =
198.105.232.1 to 192.168.1.56</FONT>
<BR><FONT SIZE=3D2>redirect_address =
192.168.62.150 =
196.31.83.227</FONT>
</P>
<P><FONT SIZE=3D2>Now the interesting thing here is the first comment =
that deny_incoming should never be set to yes. So I didn't!</FONT>
</P>
<P><FONT SIZE=3D2>Then they have their example on the redirect_address, =
and so I adjusted it to suit my IPs and still nothing!</FONT>
</P>
<P><FONT SIZE=3D2>I'm wondering if this maybe has something to do with =
it </FONT>
</P>
<P><FONT SIZE=3D2><snip from natd.cf.sample></FONT>
</P>
<P><FONT SIZE=3D2># Obtain interface name from the command output of =
"ifconfig -a"</FONT>
<BR><FONT SIZE=3D2>#</FONT>
<BR><FONT SIZE=3D2># alias_address 192.168.0.1</FONT>
<BR><FONT SIZE=3D2>interface =
rl0</FONT>
</P>
<P><FONT SIZE=3D2></snip></FONT>
</P>
<P><FONT SIZE=3D2>And then what you said...</FONT>
</P>
<P><FONT SIZE=3D2>>Are the packets destined for 196.31.83.227 =
actually crossing the rl0</FONT>
<BR><FONT SIZE=3D2>>interface? They don't get sent to natd if they =
do not.</FONT>
</P>
<P><FONT SIZE=3D2>I've tried to uncomment that alias_address and put =
196.31.83.227 in there, but the same results. What do you mean by =
crossing the rl0? And do you have any other ideas ;)</FONT></P>
<P><FONT SIZE=3D2>Cheers</FONT>
</P>
<P><FONT SIZE=3D2>Mike</FONT>
</P>
<BR>
<BR>
<BR>
<BR>
<P><FONT SIZE=3D2>From: Crist J. Clark [<A =
HREF=3D"mailto:cjc@cc942873-a.ewndsr1.nj.home.com">mailto:cjc@cc942873-a=
.ewndsr1.nj.home.com</A>]</FONT>
<BR><FONT SIZE=3D2>Sent: Monday, January 24, 2000 5:37 PM</FONT>
<BR><FONT SIZE=3D2>To: Michael Bartlett</FONT>
<BR><FONT SIZE=3D2>Cc: 'cjclark@home.com'; =
'questions@freebsd.org'</FONT>
<BR><FONT SIZE=3D2>Subject: Re: FW: internet gateway setup using =
NATD</FONT>
</P>
<BR>
<P><FONT SIZE=3D2>On Mon, Jan 24, 2000 at 05:10:07PM +0200, Michael =
Bartlett wrote:</FONT>
<BR><FONT SIZE=3D2>> Crist,</FONT>
<BR><FONT SIZE=3D2>> </FONT>
<BR><FONT SIZE=3D2>> Thanks for your response, maybe you could clear =
a couple of things up for me</FONT>
<BR><FONT SIZE=3D2>> here...</FONT>
<BR><FONT SIZE=3D2>> [eyeland] # ipfw list</FONT>
<BR><FONT SIZE=3D2>> 01000 allow ip from any to any via lo0</FONT>
<BR><FONT SIZE=3D2>> 01100 deny ip from 127.0.0.0/8 to =
127.0.0.0/8</FONT>
<BR><FONT SIZE=3D2>> 01500 divert 8668 ip from any to any via =
rl0</FONT>
<BR><FONT SIZE=3D2>> 65000 allow ip from any to any</FONT>
<BR><FONT SIZE=3D2>> 65535 deny ip from any to any</FONT>
</P>
<P><FONT SIZE=3D2>Looks good.</FONT>
</P>
<P><FONT SIZE=3D2>> I was under the impression that the # of the =
firewall rule is the order in</FONT>
<BR><FONT SIZE=3D2>> which the rule is implemented (01000 will =
happen before 01100). If this is</FONT>
<BR><FONT SIZE=3D2>> the case, do rules 65000 and 65535 not conflict =
each other? I cannot for the</FONT>
<BR><FONT SIZE=3D2>> life of me find what is instigating rule 65535 =
on my box, nor can I delete</FONT>
<BR><FONT SIZE=3D2>> it :</FONT>
<BR><FONT SIZE=3D2>> </FONT>
<BR><FONT SIZE=3D2>> [eyeland] # ipfw delete 65535</FONT>
<BR><FONT SIZE=3D2>> ipfw: rule 65535: setsockopt(IP_FW_DEL): =
Invalid argument</FONT>
</P>
<P><FONT SIZE=3D2>See the ipfw(8) manpage,</FONT>
</P>
<P><FONT SIZE=3D2> One rule is always =
present:</FONT>
</P>
<P><FONT =
SIZE=3D2> &nb=
sp; =
65535 deny all from any to any</FONT>
</P>
<P><FONT SIZE=3D2> This rule is the default =
policy, i.e., don't allow anything at all. Your</FONT>
<BR><FONT SIZE=3D2> job in setting up rules is =
to modify this policy to match your needs.</FONT>
</P>
<P><FONT SIZE=3D2> However, if the kernel =
option ``IPFIREWALL_DEFAULT_TO_ACCEPT'' is active,</FONT>
<BR><FONT SIZE=3D2> the rule is instead:</FONT>
</P>
<P><FONT =
SIZE=3D2> &nb=
sp; =
65535 allow all from any to any</FONT>
</P>
<P><FONT SIZE=3D2> This variation lets =
everything pass through. This option should only be</FONT>
<BR><FONT SIZE=3D2> activated in particular =
circumstances, such as if you use the firewall</FONT>
<BR><FONT SIZE=3D2> system as an on-demand =
denial-of-service filter that is normally wide</FONT>
<BR><FONT SIZE=3D2> open.</FONT>
</P>
<P><FONT SIZE=3D2>> > On one of my other boxes I run this script =
in /usr/local/etc/rc.d</FONT>
<BR><FONT SIZE=3D2>> > </FONT>
<BR><FONT SIZE=3D2>> > /sbin/natd -n fxp0 -redirect_port tcp =
196.38.133.194:110 196.38.133.198:80</FONT>
<BR><FONT SIZE=3D2>> > /sbin/ipfw add divert natd all from any to =
any via fxp0</FONT>
<BR><FONT SIZE=3D2>> </FONT>
<BR><FONT SIZE=3D2>> I have been previously told that it is =
"bad practise" to execute stuff like</FONT>
<BR><FONT SIZE=3D2>> this in rc.d - but that has never been =
justified properly to me (I was told</FONT>
<BR><FONT SIZE=3D2>> its not "pure"). Now in the =
abovementioned example this is my ipfw list:</FONT>
</P>
<P><FONT SIZE=3D2>I could not think of a reason off hand why it is =
technically</FONT>
<BR><FONT SIZE=3D2>bad once I saw on the next lines how you have the =
firewall</FONT>
<BR><FONT SIZE=3D2>setup. However, you lose the flexibility of starting =
natd from rc.conf</FONT>
<BR><FONT SIZE=3D2>and all of the little detail that rc.network handles =
for you. It is</FONT>
<BR><FONT SIZE=3D2>not good for most people since they typically have =
more complicated</FONT>
<BR><FONT SIZE=3D2>firewall rules on a natd box. Under those =
circumstances, you need to</FONT>
<BR><FONT SIZE=3D2>start natd when you start the firewall and you need =
to get all of your</FONT>
<BR><FONT SIZE=3D2>network setup in order to do many of the other steps =
of the typical</FONT>
<BR><FONT SIZE=3D2>multi-user startup.</FONT>
</P>
<P><FONT SIZE=3D2>You also miss out on a lot of support since most =
people don't do it</FONT>
<BR><FONT SIZE=3D2>that way. ;)</FONT>
</P>
<P><FONT SIZE=3D2>> [messenger] # ipfw list</FONT>
<BR><FONT SIZE=3D2>> 00100 divert 8668 ip from any to any via =
fxp0</FONT>
<BR><FONT SIZE=3D2>> 65535 allow ip from any to any</FONT>
<BR><FONT SIZE=3D2>> </FONT>
<BR><FONT SIZE=3D2>> The difference between the two boxes is that =
the [messenger] box does not</FONT>
<BR><FONT SIZE=3D2>> act as a gateway whereas the [eyeland] box =
does. We can see that the</FONT>
<BR><FONT SIZE=3D2>> firewall rules are slightly different but =
otherwise I can't see anything</FONT>
<BR><FONT SIZE=3D2>> glaringly obvious that is making this thing not =
work.</FONT>
</P>
<P><FONT SIZE=3D2>messenger looks like it was compiled with =
IPFIREWALL_DEFAULT_TO_ACCEPT</FONT>
<BR><FONT SIZE=3D2>set in the kernel config.</FONT>
</P>
<P><FONT SIZE=3D2>Anyway, all of that aside, I just noticed something =
about these,</FONT>
</P>
<P><FONT SIZE=3D2> # /sbin/natd -n rl0 -redirect_port tcp =
196.31.83.226:25 196.31.83.227:80</FONT>
</P>
<P><FONT SIZE=3D2> 01500 divert 8668 ip from any to any via =
rl0</FONT>
</P>
<P><FONT SIZE=3D2>Are the packets destined for 196.31.83.227 actually =
crossing the rl0</FONT>
<BR><FONT SIZE=3D2>interface? They don't get sent to natd if they do =
not.</FONT>
</P>
<P><FONT SIZE=3D2>> -----Original Message-----</FONT>
<BR><FONT SIZE=3D2>> From: =
owner-freebsd-questions@FreeBSD.ORG</FONT>
<BR><FONT SIZE=3D2>> [<A =
HREF=3D"mailto:owner-freebsd-questions@FreeBSD.ORG">mailto:owner-freebsd=
-questions@FreeBSD.ORG</A>]On Behalf Of Crist J. Clark</FONT>
<BR><FONT SIZE=3D2>> Sent: Sunday, January 23, 2000 5:50 AM</FONT>
<BR><FONT SIZE=3D2>> To: Michael Bartlett</FONT>
<BR><FONT SIZE=3D2>> Cc: 'questions@freebsd.org'</FONT>
<BR><FONT SIZE=3D2>> Subject: Re: FW: internet gateway setup using =
NATD</FONT>
<BR><FONT SIZE=3D2>> </FONT>
<BR><FONT SIZE=3D2>> </FONT>
<BR><FONT SIZE=3D2>> On Sat, Jan 22, 2000 at 03:05:31PM +0200, =
Michael Bartlett wrote:</FONT>
<BR><FONT SIZE=3D2>> > Thought I'd throw this @ the list as =
well...</FONT>
<BR><FONT SIZE=3D2>> > </FONT>
<BR><FONT SIZE=3D2>> > -----Original Message-----</FONT>
<BR><FONT SIZE=3D2>> > From: Michael Bartlett </FONT>
<BR><FONT SIZE=3D2>> > Sent: Saturday, January 22, 2000 2:56 =
PM</FONT>
<BR><FONT SIZE=3D2>> > To: 'Burke Gallagher'</FONT>
<BR><FONT SIZE=3D2>> > Subject: RE: internet gateway setup using =
NATD</FONT>
<BR><FONT SIZE=3D2>> > </FONT>
<BR><FONT SIZE=3D2>> > </FONT>
<BR><FONT SIZE=3D2>> > Hey Burke,</FONT>
<BR><FONT SIZE=3D2>> > </FONT>
<BR><FONT SIZE=3D2>> > Sorry to bug you again, but I'm having =
another problem and it could be</FONT>
<BR><FONT SIZE=3D2>> > related to what you told me to do and =
could also prove interesting...</FONT>
<BR><FONT SIZE=3D2>> > </FONT>
<BR><FONT SIZE=3D2>> > On one of my other boxes I run this script =
in /usr/local/etc/rc.d</FONT>
<BR><FONT SIZE=3D2>> > </FONT>
<BR><FONT SIZE=3D2>> > /sbin/natd -n fxp0 -redirect_port tcp =
196.38.133.194:110 196.38.133.198:80</FONT>
<BR><FONT SIZE=3D2>> > /sbin/ipfw add divert natd all from any to =
any via fxp0</FONT>
<BR><FONT SIZE=3D2>> > </FONT>
<BR><FONT SIZE=3D2>> > If you are confused, the reason is that we =
needed to get around a firewall</FONT>
<BR><FONT SIZE=3D2>> > problem (one of our consultants other =
company close 110 access on their</FONT>
<BR><FONT SIZE=3D2>> > firewall - this way he can pickup his mail =
from us with port 80!! ;) ).</FONT>
<BR><FONT SIZE=3D2>> > </FONT>
<BR><FONT SIZE=3D2>> > Anyway,</FONT>
<BR><FONT SIZE=3D2>> > </FONT>
<BR><FONT SIZE=3D2>> > I tried the identical thing on my box with =
your settings and take a</FONT>
<BR><FONT SIZE=3D2>> look...</FONT>
<BR><FONT SIZE=3D2>> > </FONT>
<BR><FONT SIZE=3D2>> > [eyeland] # /sbin/natd -n rl0 =
-redirect_port tcp 196.31.83.226:25</FONT>
<BR><FONT SIZE=3D2>> > 196.31.83.227:80</FONT>
<BR><FONT SIZE=3D2>> > [eyeland] # telnet 196.31.83.227 80</FONT>
<BR><FONT SIZE=3D2>> > Trying 196.31.83.227...</FONT>
<BR><FONT SIZE=3D2>> > telnet: Unable to connect to remote host: =
Connection refused</FONT>
<BR><FONT SIZE=3D2>> > </FONT>
<BR><FONT SIZE=3D2>> > Now the .227 ip is an alias on rl0, so it =
should just be passed along the</FONT>
<BR><FONT SIZE=3D2>> > same NIC and have no problems. I also =
tried the destination being on rl1</FONT>
<BR><FONT SIZE=3D2>> > (192.168.62.150:25) which is an smtp =
server on my local network and that</FONT>
<BR><FONT SIZE=3D2>> > didn't work either.</FONT>
<BR><FONT SIZE=3D2>> > </FONT>
<BR><FONT SIZE=3D2>> > Any thoughts?</FONT>
<BR><FONT SIZE=3D2>> </FONT>
<BR><FONT SIZE=3D2>> Yes. First, don't start NATd from =
/usr/local/etc/rc.d. That is pretty</FONT>
<BR><FONT SIZE=3D2>> much dead last in the startup process and could =
prevent lotsa stuff</FONT>
<BR><FONT SIZE=3D2>> from being started properly in the ealier steps =
since the networking</FONT>
<BR><FONT SIZE=3D2>> won't work. It also means that your divert to =
natd in the firewall is</FONT>
<BR><FONT SIZE=3D2>> the last rule. Most likely, that will mess =
things up too (especially</FONT>
<BR><FONT SIZE=3D2>> if you have a 'pass ip any to any' before =
it).</FONT>
<BR><FONT SIZE=3D2>> </FONT>
<BR><FONT SIZE=3D2>> In your second problem, it's really hard to say =
what is going on. Your</FONT>
<BR><FONT SIZE=3D2>> firewall rules (with the divert) are suspect =
for the above reasons, so</FONT>
<BR><FONT SIZE=3D2>> I would not be surprised if nothing works. =
However, even if we assume</FONT>
<BR><FONT SIZE=3D2>> they are now OK, we can't say if there is a =
problem with natd. If you</FONT>
<BR><FONT SIZE=3D2>> call 196.31.83.226 directly on port 25, do you =
actually get to talk to</FONT>
<BR><FONT SIZE=3D2>> sendmail (or whatever MTA is supposed to be =
listening)? natd could be</FONT>
<BR><FONT SIZE=3D2>> working and we would not know it.</FONT>
<BR><FONT SIZE=3D2>> -- </FONT>
<BR><FONT SIZE=3D2>> Crist J. =
Clark &=
nbsp; &=
nbsp; cjclark@home.com</FONT>
<BR><FONT SIZE=3D2>> </FONT>
<BR><FONT SIZE=3D2>> </FONT>
<BR><FONT SIZE=3D2>> To Unsubscribe: send mail to =
majordomo@FreeBSD.org</FONT>
<BR><FONT SIZE=3D2>> with "unsubscribe freebsd-questions" =
in the body of the message</FONT>
</P>
<P><FONT SIZE=3D2>-- </FONT>
<BR><FONT SIZE=3D2>Crist J. =
Clark &=
nbsp; &=
nbsp; cjclark@home.com</FONT>
</P>
</BODY>
</HTML>
------_=_NextPart_001_01BF6761.83A89410--
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?F16C1C3F6AB8D311998F00C0DF266AE7E24B>