Date: Tue, 16 May 2000 21:44:19 -0400
From: "Crist J. Clark" <cjc@cc942873-a.ewndsr1.nj.home.com>
To: axtjr@UAA.ALASKA.EDU
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: natd / ipfw config problem
Message-ID: <20000516214419.C58707@cc942873-a.ewndsr1.nj.home.com>
In-Reply-To: <FDBB706C3FF1D311BE0200902787324601A511@nav.uaa.alaska.edu>; from axtjr@UAA.ALASKA.EDU on Tue, May 16, 2000 at 09:13:43AM -0800
References: <FDBB706C3FF1D311BE0200902787324601A511@nav.uaa.alaska.edu>
On Tue, May 16, 2000 at 09:13:43AM -0800, axtjr@UAA.ALASKA.EDU wrote:
> All:
> I need some help ironing out the problems with my ipfw/natd configs.
>
> Problem:
> Everything seems to be passing back and forth ok, but I am spammed with
> 'failed to write back packet (Host is down)'.
>
> I can't seem to identify the host in question.
>
> Setup:
>
> I've recompiled and installed the kernel with the IPFIREWALL and IPDIVERT
> options built in for FreeBSD 3.2.
>
> I have a cable modem setup with a static ip. My intentions are to setup
> various services behind a firewall.
>
> cable modem/internet <-> ed0/firewall/ed1 <-> home lan
>
> ed0 = staticip netmask 255.255.240.0
> ed1 = 192.168.115.100
>
> I have natd setup with:
>
> interface ed0
> use_sockets yes
> redirect_address 192.168.115.100 my.static.ip

Why do you have this redirect_address? It really is not doing anything.

>
> I have the firewall rule set of:
> 100 divert 8668 ip from any to any
> 200 allow ip from any to any
> 65635 deny ip from any to any
>
>
> I've removed all firewall rules except for the three listed above. When I
> remove rule number 100, the 'Host is down' errors stop.

'Cause natd(8) does not get any packets. That rule should be,

100 divert 8668 ip from any to any via ed0

> natd fires up ok, ipfw comes up ok, my static ip functions, I can telnet and
> ping remote hosts, I can telnet into my box from remote hosts.
>
> I just get spammed with this (host is down) error message.
>
> Tests: (All tests conducted from firewall console)
>
> I've searched through several websites and archives of this list. It seems
> that the natd / ipfw / internet connection has a lot of potential for various
> errors.
>
> I did find some comments about putting a 'via ed0' at the end of rule 100
> could cause problems, so I removed it with no luck.

You should include it.

> I read that there could be an arp problem with cable modems, so figuring
> that the 255.255.240.0 subnet mask may be causing a headache I manually
> added the gateway router to the arp table with arp -S <router ip> <router
> MAC>.

I don't get this. You say that you think the netmask might be wrong so you
put in a manual entry for a router, I assume your default gateway, in the
ARP table?

> I've followed the guidelines of freebsddiary and the mostgraveconcern.com
> guidelines. I see no differences from these setups and my own.
>
> Anyway help, guidance, pointers to additional docs would be greatly
> appreciated.
>
> From reviewing the lists this is a difficult configuration, is there any
> other software that is equally functional that is easier to configure and
> maintain?

Well, you say it is actually working, but you get the messages. I don't
know how much easier the config could get.

You might want to try starting natd(8) from the command line with the
-verbose option to see what is going on.
-- 
Crist J. Clark cjclark@home.com
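As an added example (not from this thread or from the FreeBSD project), here is the poster's three-rule ipfw set next to the version carrying the `via ed0` qualifier Crist recommends, written as a small sh script with a lint that flags divert rules lacking an interface qualifier. The interface ed0 and divert port 8668 come from the message; `lint_rules` and `apply_rules` are hypothetical helpers, and nothing is fed to ipfw(8) unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example: ipfw rulesets for natd divert, with and without 'via ed0'.
# EXT_IF and NATD_PORT default to the values in the original message.
EXT_IF="${EXT_IF:-ed0}"        # external (cable modem) interface
NATD_PORT="${NATD_PORT:-8668}" # natd divert port

# Ruleset as the poster had it: rule 100 diverts every packet on every
# interface, LAN-to-LAN traffic included, to natd, which then tries to
# write packets back to hosts it has no route or ARP entry for.
# The catch-all deny is numbered below ipfw's own default rule 65535.
broken_rules() {
  cat <<EOF
add 100 divert $NATD_PORT ip from any to any
add 200 allow ip from any to any
add 65000 deny ip from any to any
EOF
}

# Corrected ruleset: only packets crossing the external interface are
# handed to natd; internal traffic never reaches the divert socket.
fixed_rules() {
  cat <<EOF
add 100 divert $NATD_PORT ip from any to any via $EXT_IF
add 200 allow ip from any to any
add 65000 deny ip from any to any
EOF
}

# lint_rules: read a ruleset on stdin and print every divert rule that has
# no via/recv/xmit/in/out qualifier. Exit status 1 if any were found.
lint_rules() {
  awk '
    /divert/ && !/ (via|recv|xmit|in|out) / {
      print "unqualified divert rule: " $0; bad = 1
    }
    END { exit bad + 0 }
  '
}

# apply_rules: pass a ruleset (stdin) to ipfw(8) line by line when APPLY=1,
# otherwise just echo it so the commands can be reviewed first.
apply_rules() {
  if [ "${APPLY:-0}" = 1 ]; then
    while read -r rule; do ipfw $rule; done
  else
    cat
  fi
}
```

Run `fixed_rules | lint_rules && fixed_rules | APPLY=1 apply_rules` as root on the firewall to load the corrected set; with the original set the lint prints the unqualified rule 100 and stops short of applying anything.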