From owner-freebsd-questions Tue Jan 9 12:56:25 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from ra.upan.org (upan.org [204.107.76.19])
        by hub.freebsd.org (Postfix) with ESMTP id 3F60237B402
        for ; Tue, 9 Jan 2001 12:56:04 -0800 (PST)
Received: from ocsinternet.com (localhost.upan.org [127.0.0.1])
        by ra.upan.org (8.11.1/8.11.1) with ESMTP id f09Fu4109124
        for ; Tue, 9 Jan 2001 15:56:04 GMT
        (envelope-from mikel@ocsinternet.com)
Message-ID: <3A5B3493.D2E0D3B3@ocsinternet.com>
Date: Tue, 09 Jan 2001 15:56:04 +0000
From: Mikel King
X-Mailer: Mozilla 4.76 [en] (X11; U; FreeBSD 4.2-RELEASE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: "freebsd-questions@FreeBSD.ORG"
Subject: more re: stupid NATD tricks...
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Greetings all;

Ok I'm running this question again, because I've already read and reread
everything I can find on the subject. I am trying to get static NAT working.
NATD is working normally, my inside machines can traceroute and surf and
nslookup etc... I know there must be something stupid I've overlooked.

From the outside I've tried simply telnetting to the outside IP on port 80
from another outside device (...NOTE this works fine from the FW directly to
the inside machine...so I can verify that the http requests are being
answered) and I get the following:

Trying 204.107.76.181...
telnet: connect to address 204.107.76.181: Connection refused
telnet: Unable to connect to remote host

If I remove the redirect_port and put redirect_address 10.0.0.77
208.239.172.50 instead then I get the following:

telnet 208.239.172.50 80
Trying 208.239.172.50...
telnet: connect to address 208.239.172.50: Operation timed out
telnet: Unable to connect to remote host

Remember 10.0.0.77 surfs out through this box fine, and other workstations on
the backnet can surf to 10.0.0.77 without a problem.

Thanks in advance for any help.

Cheers,
Mikel

***************** CONFIGURATION FILES etc...

cli:
/sbin/natd -f /etc/rc.natd

rc.natd:
interface fxp0
use_sockets
same_ports
unregistered_only #I've tried it with and without this one...
redirect_port tcp 10.0.0.77:80 80 #This should redirect any HTTP request from the outside to the in...
redirect_port tcp 10.0.0.2:23 23
log
#other rules that I've tried...
#redirect_port tcp 10.0.0.77:80 208.239.172.50:80
#redirect_address 10.0.0.77 208.239.172.50

rc.firewall:
############
# Setup system for firewall service.
# $FreeBSD: src/etc/rc.firewall,v 1.30 2000/02/06 19:24:37 paul Exp $

# Suck in the configuration variables.
if [ -r /etc/defaults/rc.conf ]; then
        . /etc/defaults/rc.conf
elif [ -r /etc/rc.conf ]; then
        . /etc/rc.conf
fi

fwcmd="/sbin/ipfw"
nif="fxp0"
iif="rl0"

${fwcmd} -f flush
${fwcmd} add divert natd all from any to any via ${nif}
${fwcmd} add pass ip from any to any
${fwcmd} add deny log all from any to any

ipfw show:
00100 15537 1416950 divert 8668 ip from any to any via fxp0
00200 16707 1550670 allow ip from any to any
00300     0       0 deny log logamount 100 ip from any to any
65535     0       0 deny ip from any to any

kernel conf:
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100
options IPDIVERT
options ICMP_BANDLIM

ps ax (excerpt):
140 ?? Ss 0:00.25 syslogd -s
161 ?? Ss 0:00.28 cron
164 ?? Is 0:00.54 /usr/sbin/sshd
166 ?? Ss 0:00.13 /usr/sbin/usbd
204 ?? Is 0:00.01 /usr/local/sbin/xinetd -pid
237 ?? Ss 0:01.26 /sbin/natd -f /etc/rc.natd

netstat -rn:
Routing tables

Internet:
Destination        Gateway            Flags  Refs  Use   Netif  Expire
default            204.107.76.1       UGSc   0     0     fxp0
10/24              link#2             UC     0     0     rl0    =>
10.0.0.77          link#2             UHLW   1     8     rl0    =>
127.0.0.1          127.0.0.1          UH     0     4     lo0
204.107.76         link#1             UC     0     0     fxp0   =>
204.107.76.1       0:e0:1e:e9:ad:1    UHLW   1     0     fxp0   858
204.107.76.19      0:e0:29:84:d0:4b   UHLW   2     1864  fxp0   945
204.107.76.111     0:10:4b:14:a7:63   UHLW   0     60    fxp0   859
204.107.76.181     0:3:47:12:3c:51    UHLW   0     8     lo0
208.239.172.50     0:3:47:12:3c:51    UHLS   0     0     lo0    =>
208.239.172.50/32  link#1             UC     0     0     fxp0   =>

Internet6:
Destination        Gateway            Flags  Neti$
::1                ::1                UH     lo0
fe80::%fxp0/64     link#1             UC     fxp0
fe80::%rl0/64      link#2             UC     rl0
fe80::%lo0/64      fe80::1%lo0        Uc     lo0
ff01::/32          ::1                U      lo0
ff02::%fxp0/32     link#1             UC     fxp0
ff02::%rl0/32      link#2             UC     rl0
ff02::%lo0/32      fe80::1%lo0        UC     lo0
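
Added example, not part of the original message: a small Python parser for the redirect_port and redirect_address directives in the rc.natd quoted above, listing which outside address and port each active rule publishes and which inside host receives it. It assumes the natd(8) syntax (redirect_port proto targetIP:targetPORT [aliasIP:]aliasPORT, redirect_address localIP publicIP, '#' starting a comment) and that a rule with no aliasIP uses the address of the `interface` line; the function names are hypothetical.

```python
# Added example, not from the original message: list the inbound mappings
# that natd redirect directives create.

# Constructed sample: the rc.natd directives quoted in the message above.
SAMPLE = """\
interface fxp0
use_sockets
same_ports
unregistered_only #I've tried it with and without this one...
redirect_port tcp 10.0.0.77:80 80 #This should redirect ...
redirect_port tcp 10.0.0.2:23 23
log
#redirect_port tcp 10.0.0.77:80 208.239.172.50:80
#redirect_address 10.0.0.77 208.239.172.50
"""


def split_host_port(spec):
    """'10.0.0.77:80' -> ('10.0.0.77', '80'); a bare '80' -> (None, '80')."""
    host, sep, port = spec.rpartition(":")
    return (host if sep else None), port


def inbound_mappings(text):
    """Return (proto, public_addr, public_port, inside_addr, inside_port) rows."""
    iface, rows = None, []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()   # '#' starts a comment
        if not words:
            continue
        key, args = words[0], words[1:]
        if key == "interface" and args:
            iface = args[0]
        elif key == "redirect_port" and len(args) >= 3:
            inside_addr, inside_port = split_host_port(args[1])
            public_addr, public_port = split_host_port(args[2])
            rows.append((args[0], public_addr, public_port, inside_addr, inside_port))
        elif key == "redirect_address" and len(args) >= 2:
            # redirect_address localIP publicIP: every port is forwarded
            rows.append(("any", args[1], "any", args[0], "any"))
    # Assumption: a rule without aliasIP listens on natd's aliasing address,
    # which here is whatever address the `interface` line resolves to.
    default = "<address of %s>" % iface if iface else "<aliasing address>"
    return [(p, a or default, pp, ia, ip) for p, a, pp, ia, ip in rows]


if __name__ == "__main__":
    for proto, pub, pport, inside, iport in inbound_mappings(SAMPLE):
        print("%s %s:%s -> %s:%s" % (proto, pub, pport, inside, iport))
```

Run against the configuration as posted, it reports TCP port 80 forwarded to 10.0.0.77 and TCP port 23 forwarded to 10.0.0.2, both on the fxp0 address; the two rules that name 208.239.172.50 are commented out and produce no mapping.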