From owner-freebsd-security Tue Nov 7 20:39:22 2000
Delivered-To: freebsd-security@freebsd.org
Received: from tomts7-srv.bellnexxia.net (tomts7.bellnexxia.net [209.226.175.40]) by hub.freebsd.org (Postfix) with ESMTP id 511ED37B479; Tue, 7 Nov 2000 20:39:02 -0800 (PST)
Received: from johnny5 ([64.229.55.24]) by tomts7-srv.bellnexxia.net (InterMail vM.4.01.03.00 201-229-121) with SMTP id <20001108043852.NMGR20301.tomts7-srv.bellnexxia.net@johnny5>; Tue, 7 Nov 2000 23:38:52 -0500
Message-ID: <000e01c0493d$403d8460$0100000a@johnny5>
Reply-To: "John Telford"
From: "John Telford"
To: , ,
References: <20001103215005.3885737B479@hub.freebsd.org>
Subject: Re: Help with natd redirect address Please ????
Date: Tue, 7 Nov 2000 23:34:58 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Thanks for the tips, here's what happened:

Lukasz Dudek suggested I recompile without the IPFILTER options and I also changed rc.conf so that the NICs were initialized first. See below for my new settings. This got the redirect working fine at my office on a DSL connection, but when I took the box on-site it just wouldn't work with the other ISP's numbers. It's a wireless ISP, but that shouldn't matter according to the ISP.

My initial plan was that since we really just wanted our other site on the same ISP to have access to the inside servers and not public traffic, I was going to get them set up on a quick (yeah right) redirect, then move them to a VPN solution after I gathered some information on it; see my post at net@freebsd.org "Re: Tips, How-To on VPN ?". So I set up a VPN tunnel using pipsec and it's working fine. I didn't get to research it as much as I wanted and will have to scrounge some test boxes to try it with ipsec, but the users are happy they can move files across at 1mbs rather than 56k modems.

Regards,
John.

P.S. to the E man at the Big O: the -u didn't help at tempo either, oh well, just hope Dave doesn't want to access the Mac server from home anytime soon.

Here are my configs that redirect worked with on the DSL:

TEMfw3# more rc.conf
network_interfaces="auto"          # List of network interfaces (or "auto").
ifconfig_lo0="inet 127.0.0.1"      # default loopback device configuration.
ifconfig_fxp0="inet 216.208.171.XXX netmask 255.255.255.224"
ifconfig_fxp1="inet 10.150.0.241 netmask 255.255.255.0"
# named_enable="YES"               # Run named, the DNS server (or NO).
defaultrouter="216.208.171.XXX"
sendmail_enable="NO"
gateway_enable="YES"
sshd_enable="YES"
inetd_enable="YES"
##############################################################
### Network configuration sub-section ######################
##############################################################
### Basic network and firewall/security options: ###
hostname="TEMfw3"                  # Set this!
firewall_enable="YES"              # Set to YES to enable firewall functionality
firewall_type="OPEN"               # Firewall type (see /etc/rc.firewall)
firewall_quiet="NO"                # Set to YES to suppress rule display
firewall_logging="YES"
natd_enable="YES"                  # Enable natd (if firewall_enable == YES).
natd_interface="fxp0"              # Public interface or IPaddress to use.
natd_flags="-f /etc/natd.conf"     #
TEMfw3#
TEMfw3# more natd.conf
redirect_address 10.150.0.143 216.208.171.XXX
TEMfw3#

kernel settings:
# options MROUTING                 # Multicast routing
options IPFIREWALL                 #firewall
options IPFIREWALL_VERBOSE         #print information about
                                   # dropped packets
options IPFIREWALL_FORWARD         #enable transparent proxy support
options IPFIREWALL_VERBOSE_LIMIT=100  #limit verbosity
options IPFIREWALL_DEFAULT_TO_ACCEPT  #allow everything by default
options IPDIVERT                   #divert sockets
options IPSTEALTH                  #support for stealth forwarding
options TCPDEBUG                   #
options TCP_DROP_SYNFIN            #drop TCP packets with SYN+FIN
options TCP_RESTRICT_RST           #restrict emission of TCP RST
options "ICMP_BANDLIM"
options DUMMYNET
options BRIDGE
TEMfw3# eot
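Added example, not part of the post above and not FreeBSD's or natd's own code: a small Python checker for the rc.conf / natd.conf pairing the post shows. It reads the ifconfig_* lines, works out each interface's subnet, and then verifies that every redirect_address has its public side inside the natd_interface subnet and its inside side on some other interface's subnet, and that gateway_enable and natd_enable are both YES. A redirect whose public address falls outside the interface's configured netmask is one of the things worth checking when a box is carried to a different provider's address block. The sample configs are constructed: the public addresses are RFC 5737 documentation space (198.51.100.0/24), not the poster's 216.208.171.XXX block, and the second redirect is deliberately outside the /27 so the checker has something to report.

```python
import ipaddress
import re

# Constructed sample inputs in the shape of the rc.conf and natd.conf quoted in
# the post. Public addresses are RFC 5737 documentation space (198.51.100.0/24),
# not the poster's real 216.208.171.XXX block.
RC_CONF = """\
network_interfaces="auto"          # List of network interfaces (or "auto").
ifconfig_lo0="inet 127.0.0.1"      # default loopback device configuration.
ifconfig_fxp0="inet 198.51.100.10 netmask 255.255.255.224"
ifconfig_fxp1="inet 10.150.0.241 netmask 255.255.255.0"
defaultrouter="198.51.100.1"
gateway_enable="YES"
firewall_enable="YES"
firewall_type="OPEN"
natd_enable="YES"                  # Enable natd (if firewall_enable == YES).
natd_interface="fxp0"              # Public interface or IPaddress to use.
natd_flags="-f /etc/natd.conf"
"""

# Two constructed redirects: the first public address sits inside fxp0's /27,
# the second (198.51.100.40) does not, which is what a box moved to another
# provider's block with a stale interface netmask looks like.
NATD_CONF = """\
redirect_address 10.150.0.143 198.51.100.12
redirect_address 10.150.0.144 198.51.100.40
"""


def parse_rc_conf(text):
    """Return rc.conf as a dict; comments and surrounding quotes are stripped."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip().strip('"')
    return conf


def interface_networks(conf):
    """Map interface name -> IPv4Network from ifconfig_<if>="inet A netmask M".

    Lines without a netmask (like the lo0 line above) are skipped.
    """
    nets = {}
    for key, value in conf.items():
        if not key.startswith("ifconfig_"):
            continue
        m = re.match(r"inet\s+(\S+)\s+netmask\s+(\S+)", value)
        if m:
            iface = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
            nets[key[len("ifconfig_"):]] = iface.network
    return nets


def parse_natd_conf(text):
    """Return [(inside_addr, public_addr)] from redirect_address lines."""
    rules = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 3 and parts[0] == "redirect_address":
            rules.append((ipaddress.ip_address(parts[1]),
                          ipaddress.ip_address(parts[2])))
    return rules


def check_redirects(rc_text, natd_text):
    """Return a list of human-readable problems; an empty list means consistent."""
    conf = parse_rc_conf(rc_text)
    nets = interface_networks(conf)
    problems = []
    if conf.get("gateway_enable") != "YES":
        problems.append("gateway_enable is not YES: the box will not forward packets")
    if conf.get("natd_enable") != "YES":
        problems.append("natd_enable is not YES: natd will not be started")
    public_if = conf.get("natd_interface", "")
    if public_if not in nets:
        problems.append(f"natd_interface {public_if!r} has no ifconfig_ line with a netmask")
        return problems
    public_net = nets[public_if]
    inside_nets = {name: net for name, net in nets.items() if name != public_if}
    for inside, public in parse_natd_conf(natd_text):
        if public not in public_net:
            problems.append(f"redirect_address {inside} {public}: {public} is outside "
                            f"{public_if}'s subnet {public_net}")
        if not any(inside in net for net in inside_nets.values()):
            problems.append(f"redirect_address {inside} {public}: {inside} is on no "
                            f"inside interface subnet")
    return problems


if __name__ == "__main__":
    for problem in check_redirects(RC_CONF, NATD_CONF) or ["no problems found"]:
        print(problem)
```

Run against the constructed sample it reports only the second redirect, because 198.51.100.40 lies outside 198.51.100.0/27. The check is purely static: it says nothing about whether the provider actually routes the public address to the box, only whether the three files agree with each other.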