From owner-freebsd-questions Tue Jun 8 13: 3:47 1999
Delivered-To: freebsd-questions@freebsd.org
Received: from resnet.uoregon.edu (resnet.uoregon.edu [128.223.144.32]) by hub.freebsd.org (Postfix) with ESMTP id 1A0EC15325 for ; Tue, 8 Jun 1999 13:03:43 -0700 (PDT) (envelope-from dwhite@resnet.uoregon.edu)
Received: from localhost (dwhite@localhost) by resnet.uoregon.edu (8.8.8/8.8.8) with ESMTP id NAA00527; Tue, 8 Jun 1999 13:03:37 -0700 (PDT) (envelope-from dwhite@resnet.uoregon.edu)
Date: Tue, 8 Jun 1999 13:03:36 -0700 (PDT)
From: Doug White
To: "Bret A. Ford"
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: NATD difficulties
In-Reply-To: <199906050722.AAA00378@uop.cs.uop.edu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

One message is enough, thanks. :-/

On Sat, 5 Jun 1999, Bret A. Ford wrote:

> Here's my setup:
>
> PC1 - 192.168.0.1
> PC2 - 192.168.0.2

On an internal network ...

> 2 interfaces in the FreeBSD machine:
> FreeBSD LAN NIC vx0 - 192.168.0.3
> FreeBSD DSL NIC ed0 - red.act.ed.ip

Are you just hiding that IP or is that the real name? Do not use names in
ifconfig statements.

> I've got options IPFIREWALL and IPDIVERT in my kernel.
>
> Critical snippets from rc.conf:
>
> firewall_enable="YES"            # Set to YES to enable firewall functionality
> firewall_type="open"             # Firewall type (see /etc/rc.firewall)
> network_interfaces="lo0 vx0 ed0" # List of network interfaces (lo0 is loopback).
> ifconfig_vx0="inet 192.168.0.3 netmask 0xffffff00"
> ifconfig_ed0="inet red.act.ed.ip netmask 0xffff0000"
> defaultrouter="red.act.ed.254"
> gateway_enable="YES"             # Set to YES if this host will be a gateway.
> natd_program="/sbin/natd"        # path to natd, if you want a different one.

Hm, on my system it's in /usr/sbin/natd. What FreeBSD release is this?

> natd_enable="YES"                # Enable natd (if firewall_enable == YES).
> natd_interface="ed0"             # Public interface or IPaddress to use.
> natd_flags=""                    # Additional flags for natd.

You'll want to add some flags to this, see the natd manpage. It's not
strictly required but can enhance the performance of natd.

> I'm using the open firewall rule in rc.firewall without any changes.
>
> ipfw list shows the firewall rules looking this way, upon bootup:
>
> 00100 divert 8668 ip from any to any via ed0
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 65000 allow ip from any to any
> 65535 deny ip from any to any

Standard default.

> With that, I get "ping: sendto: Permission denied" when pinging by IP
> address, and messages like "ping: cannot resolve ftp.cdrom.com: Host
> name lookup failure" when pinging by hostname. This, by the way, is
> the result when working directly with the FreeBSD machine. Similarly
> no joy with the PCs.

natd doesn't appear to be running. Try throwing on the -l option to natd
and adding a rule like

  ipfw add 65530 deny log all from any to any

to see what's happening to the packets. You should have a
/var/log/alias.log that has natd's activity in it.

> Now, by doing a "ipfw add 1 pass all from any to any", I get Internet
> connectivity on the FreeBSD machine (name lookup works, everything's fine), but
> no Internet for the PCs.

Well, yeah, you circumvent natd.

Doug White Internet: dwhite@resnet.uoregon.edu | FreeBSD: The Power to Serve
http://gladstone.uoregon.edu/~dwhite           | www.freebsd.org
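Editor's note, added after the thread and not part of either poster's mail: the two failure modes discussed above (natd not receiving packets at all, and the "ipfw add 1 pass all" workaround that short-circuits the divert rule) can both be caught by reading the ruleset rather than by trial and error. The script below is an added example in POSIX sh; it runs only against constructed text copied from the quoted rc.conf and ipfw output, so it needs no real ipfw or natd, and the function names (rc_value, divert_iface, check_divert_order, check_natd_config) are this example's own, not FreeBSD tooling.

```shell
#!/bin/sh
# Added example, not from the original thread: static sanity checks for the
# natd/ipfw setup discussed above. All input is constructed text, so the
# script runs anywhere; on a real box you would feed it `ipfw list` output
# and /etc/rc.conf instead.

# Constructed: the ruleset as printed by `ipfw list` in the mail.
RULES_OPEN='00100 divert 8668 ip from any to any via ed0
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
65000 allow ip from any to any
65535 deny ip from any to any'

# Constructed: the same ruleset after "ipfw add 1 pass all from any to any".
# Rule 1 matches every packet before the divert rule is ever reached.
RULES_BYPASSED="00001 allow ip from any to any
$RULES_OPEN"

# Constructed: the rc.conf lines quoted in the mail (comments included).
RC_CONF='firewall_enable="YES"    # Set to YES to enable firewall functionality
firewall_type="open"     # Firewall type (see /etc/rc.firewall)
gateway_enable="YES"     # Set to YES if this host will be a gateway.
natd_enable="YES"        # Enable natd (if firewall_enable == YES).
natd_interface="ed0"     # Public interface or IPaddress to use.
natd_flags=""            # Additional flags for natd.'

# rc_value TEXT KEY: print the value of KEY="value" from rc.conf-style text,
# dropping the trailing comment. Prints nothing when KEY is absent.
rc_value() {
    printf '%s\n' "$1" | sed -n "s/^$2=\"\([^\"]*\)\".*/\1/p"
}

# divert_iface TEXT: print the interface named in the first divert rule.
divert_iface() {
    printf '%s\n' "$1" | awk '$2 == "divert" { print $NF; exit }'
}

# check_divert_order TEXT IFACE: succeed (0) when a divert rule via IFACE
# exists and no unconditional "allow ip from any to any" sits in front of
# it, i.e. packets actually reach natd before being passed.
check_divert_order() {
    printf '%s\n' "$1" | awk -v iface="$2" '
        { n = $1 + 0 }                      # rule number, leading zeros dropped
        $2 == "divert" && $NF == iface { if (divert == "") divert = n }
        NF == 7 && $2 == "allow" && $3 == "ip" && $5 == "any" && $7 == "any" {
            if (allow_all == "") allow_all = n   # pass-all with no "via" qualifier
        }
        END {
            if (divert == "") { print "no divert rule via " iface; exit 1 }
            if (allow_all != "" && allow_all <= divert) {
                print "rule " allow_all " passes everything before divert rule " divert
                exit 1
            }
            print "divert rule " divert " is reached before any pass-all rule"
        }'
}

# check_natd_config RC RULES: succeed when natd is enabled in rc.conf and
# natd_interface names the same interface as the divert rule.
check_natd_config() {
    [ "$(rc_value "$1" natd_enable)" = "YES" ] || { echo "natd_enable is not YES"; return 1; }
    want=$(rc_value "$1" natd_interface)
    have=$(divert_iface "$2")
    [ "$want" = "$have" ] || { echo "natd_interface=$want but divert rule uses $have"; return 1; }
    echo "natd_interface $want matches divert rule"
}

# Stand-alone run: report on the constructed inputs.
check_natd_config "$RC_CONF" "$RULES_OPEN"
check_divert_order "$RULES_OPEN" ed0
check_divert_order "$RULES_BYPASSED" ed0 || :
```

The order check deliberately treats only a bare "allow ip from any to any" as a bypass; the "via lo0" rule at 100 is scoped to loopback and is left alone, which mirrors what the stock open ruleset does. Whether natd is actually running is a separate question that only ps or the -l log can answer; this script just confirms the firewall would hand packets to it if it were.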