From owner-freebsd-stable Fri Jul 13 8:21:46 2001
Delivered-To: freebsd-stable@freebsd.org
Received: from bobcat.ncia.net (bobcat.ncia.net [207.141.177.10]) by hub.freebsd.org (Postfix) with ESMTP id 7BC6A37B406 for ; Fri, 13 Jul 2001 08:21:42 -0700 (PDT) (envelope-from rjtaylor@ncia.net)
Received: from wolf.ncia.net (wolf.ncia.net [207.140.8.22]) by bobcat.ncia.net (8.11.3/8.11.3) with ESMTP id f6DFLdS50089; Fri, 13 Jul 2001 11:21:39 -0400 (EDT) (envelope-from rjtaylor@ncia.net)
Received: from localhost (rjtaylor@localhost) by wolf.ncia.net (8.11.3/8.11.3) with ESMTP id f6DFLc415917; Fri, 13 Jul 2001 11:21:38 -0400
Date: Fri, 13 Jul 2001 11:21:38 -0400 (EDT)
From: Ryan Taylor
To:
Cc: Mike Hoskins
Subject: Re: $diety, I hate natd.
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Thu, 12 Jul 2001, Mike Hoskins wrote:

> On Thu, 12 Jul 2001, Matt Dillon wrote:
>
> > My new 'firewall' manual page has an ipfw example of a natd setup.
> > It might help. You need a relatively recent -stable to have the
> > man page.
>
> I see the page... Thanks, btw. However, it still seems fubar. Like I
> said before, natd's configuration looks simple enough, but packets aren't
> getting through. If I add an ipfw rule to just allow traffic to the
> outside port (8080), I see incoming packets hitting the rule... but no
> connection (no real forwarding to the internal ip:port). If I run a
> sniffer on the outside interface, I see connection attempts to
> 8080... run the same sniffer on the internal interface, nothing.
>
> My first thought was 'duh, the packets have to get to natd somehow so
> redirect_port can actually do something...' but changing the 8080 allow to
> a divert doesn't fix the problem. So next I figured one piece of the
> conversation was dying somewhere... I.e. inbound's fine but I'm
> fscking something up outbound... but no denied packets in logs.
>
> It certainly seems like natd's working and ipfw just isn't allowing
> packets to get 'into' natd for the redirect. Unfortunately, I've tried
> about everything in ipfw and natd's man page and am still stumped. Then
> again, I may very well be taking the wrong approach entirely. I've opened
> the firewall completely (allow ip any any...), and it didn't help.
>
> I knew today would be great when it started with big brother alerts at
> 4AM. ;) It wouldn't be so bad if I hadn't had this working before... I
> hate that.
>
> Thanks,
> -Mike
>
> --
> Eat drink and be merry, for tomorrow they may make it illegal.
>

Would something like this in your /etc/rc.conf do the trick:

natd_flags="-proxy_rule port 8080 server 1.2.3.4:my_divert_port"

This should divert incoming packets on port 8080 to the server 1.2.3.4 on
port my_divert_port. I use this on a firewall to send web traffic to our
cache server. Mine looks like this:

natd_flags="-proxy_rule port 80 server 1.2.3.4:3128"

RJ

---------------------
Ryan J. Taylor
Systems/Network Administrator
NCIA
rj@ncia.net

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message
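The "packets have to get into natd" ordering Mike is chasing, written out as an added example that is not part of the thread: it uses natd's -redirect_port option for an inbound forward together with the ipfw divert rule natd depends on, and checks that the divert comes before the accept. The interface fxp0 and host 192.168.1.10 are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Emits an rc.conf fragment and ipfw
# rules for an inbound natd redirect of TCP $port to an internal host.
# The divert rule must sit before any allow/established rule; otherwise
# ipfw accepts the packet before natd ever sees it and redirect_port
# never fires. The kernel needs options IPFIREWALL and IPDIVERT for
# natd to work at all.
# fxp0 and 192.168.1.10 below are constructed placeholders.

natd_ruleset() {
    ext_if=$1      # outside interface
    int_host=$2    # internal server receiving the redirected traffic
    port=$3        # public port being forwarded
    cat <<EOF
# /etc/rc.conf
gateway_enable="YES"
firewall_enable="YES"
natd_enable="YES"
natd_interface="$ext_if"
natd_flags="-redirect_port tcp $int_host:$port $port"
# ipfw rules (rc.firewall or a custom script): divert first, then accept.
# After natd rewrites the destination, the packet re-enters at rule 100.
ipfw add 50 divert natd ip from any to any via $ext_if
ipfw add 100 allow tcp from any to $int_host $port in via $ext_if
ipfw add 110 allow tcp from any to any established
EOF
}

# Check that the divert rule number is lower than the accept rule for the
# redirected port, i.e. inbound packets reach natd before being passed.
divert_before_allow() {
    natd_ruleset "$@" | awk -v p="$3" '
        /divert natd/         { d = $3 }   # rule number of the divert
        /allow tcp/ && $0 ~ p { a = $3 }   # rule number of the port accept
        END { exit !(d != "" && a != "" && d + 0 < a + 0) }'
}

# Usage: natd_ruleset fxp0 192.168.1.10 8080
```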