Date: Fri, 13 Jul 2001 11:21:38 -0400 (EDT) From: Ryan Taylor <rjtaylor@ncia.net> To: <freebsd-stable@FreeBSD.ORG> Cc: Mike Hoskins <mike@adept.org> Subject: Re: $diety, I hate natd. Message-ID: <Pine.LNX.4.30.0107131113240.6380-100000@wolf.ncia.net> In-Reply-To: <Pine.BSF.4.21.0107122019001.4264-100000@snafu.adept.org>
On Thu, 12 Jul 2001, Mike Hoskins wrote:

> On Thu, 12 Jul 2001, Matt Dillon wrote:
>
> > My new 'firewall' manual page has an ipfw example of a natd setup.
> > It might help. You need a relatively recent -stable to have the
> > man page.
>
> I see the page... Thanks, btw. However, it still seems fubar. Like I
> said before, natd's configuration looks simple enough, but packets aren't
> getting through. If I add an ipfw rule to just allow traffic to the
> outside port (8080), I see incoming packets hitting the rule... but no
> connection (no real forwarding to the internal ip:port). If I run a
> sniffer on the outside interface, I see connection attempts to
> 8080... run the same sniffer on the internal interface, nothing.
>
> My first thought was 'duh, the packets have to get to natd somehow so
> redirect_port can actually do something...' but changing the 8080 allow to
> a divert doesn't fix the problem. So next I figured one piece of the
> conversation was dying... somewhere... I.e. inbound's fine but I'm
> fscking something up outbound... but no denied packets in logs.
>
> It certainly seems like natd's working and ipfw just isn't allowing
> packets to get 'into' natd for the redirect. Unfortunately, I've tried
> about everything in ipfw and natd's man page and am still stumped. Then
> again, I may very well be taking the wrong approach entirely. I've opened
> the firewall completely (allow ip any any...), and it didn't help.
>
> I knew today would be great when it started with big brother alerts at
> 4AM. ;) It wouldn't be so bad if I hadn't had this working before... I
> hate that.
>
> Thanks,
> -Mike
>
> --
> Eat drink and be merry, for tomorrow they may make it illegal.

Would something like this in your /etc/rc.conf do the trick:

natd_flags="-proxy_rule port 8080 server 1.2.3.4:my_divert_port"

This should divert incoming packets on port 8080 to the server 1.2.3.4 on port my_divert_port. I use this on a firewall to send web traffic to our cache server.
Mine looks like this:

natd_flags="-proxy_rule port 80 server 1.2.3.4:3128"

RJ

---------------------
Ryan J. Taylor
Systems/Network Administrator
NCIA
rj@ncia.net
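Added example, not from Ryan's or Mike's mail: an ipfw rule list and natd flag string covering both cases the thread touches, the inbound port forward Mike wants (which natd(8) does with -redirect_port) and the transparent proxy to a cache that Ryan describes (-proxy_rule, which natd(8) applies to outbound connections to the named port). The interface names fxp0/fxp1, the addresses 1.2.3.4, 192.168.1.10 and 192.168.1.20, and the ports are assumptions chosen for the example. The point worth seeing in code is the divert rule: it has to sit before any allow rule and match both directions on the outside interface, and the rule after it has to allow the translated address (internal host, port 80), not the public port 8080.

```shell
#!/bin/sh
# Added example (not from the thread). Interface names, addresses and ports
# below are assumptions:
#   fxp0 = outside interface, public address 1.2.3.4
#   fxp1 = inside interface, 192.168.1.0/24
#   192.168.1.10:80   = internal web server to expose on outside port 8080
#   192.168.1.20:3128 = web cache for the -proxy_rule case
# On FreeBSD the natd_flags string goes into /etc/rc.conf (with
# natd_enable="YES" and natd_interface="fxp0") and the rule list into the
# file named by firewall_type.
set -e

OIF="${OIF:-fxp0}"             # outside interface (assumption)
IIF="${IIF:-fxp1}"             # inside interface (assumption)
FWCMD="${FWCMD:-/sbin/ipfw}"

# natd(8) flags for both cases discussed in the thread:
#   -redirect_port: inbound connections to 1.2.3.4:8080 go to 192.168.1.10:80
#   -proxy_rule:    outbound connections to any host's port 80 go to the cache
natd_flags() {
    printf '%s\n' "-interface $OIF -redirect_port tcp 192.168.1.10:80 8080 -proxy_rule port 80 server 192.168.1.20:3128"
}

# Print the ipfw rules in order. Rule 200 diverts every packet crossing the
# outside interface, in both directions, before any allow rule: the inbound
# SYN to 1.2.3.4:8080 and the reply leaving 192.168.1.10:80 both have to pass
# through natd. A divert that matches only "dst-port 8080" misses the reply.
# After natd rewrites a packet, ipfw resumes at the rule following the divert,
# so rule 300 must allow the translated destination (192.168.1.10 port 80),
# not the public port 8080.
ipfw_rules() {
    cat <<EOF
$FWCMD -f flush
$FWCMD add 100 allow ip from any to any via lo0
$FWCMD add 200 divert natd ip from any to any via $OIF
$FWCMD add 300 allow tcp from any to 192.168.1.10 80 in via $OIF setup
$FWCMD add 400 allow tcp from any to any established
$FWCMD add 500 allow ip from 192.168.1.0/24 to any in via $IIF
$FWCMD add 600 allow ip from any to any out via $OIF
$FWCMD add 65000 deny log ip from any to any
EOF
}

# Apply only when explicitly asked for and ipfw is present; otherwise print
# what would be done so the rule order can be reviewed on any host.
if [ "${APPLY:-0}" = 1 ] && [ -x "$FWCMD" ]; then
    ipfw_rules | sh -e
    /sbin/natd $(natd_flags)
else
    ipfw_rules
    echo "natd $(natd_flags)"
fi

# When a redirect still does not connect, check in this order:
#   sysctl net.inet.ip.forwarding   # must be 1 (gateway_enable="YES")
#   ipfw -a list                    # counters: is rule 200 seeing packets?
#   natd -v $(natd_flags)           # foreground, prints every translation
#   tcpdump -ni fxp0 port 8080      # outside leg
#   tcpdump -ni fxp1 port 80        # inside leg; nothing here means the packet
#                                   # was dropped before being forwarded
```

Run it as `sh natd-rules.sh` to review the rule order, or `APPLY=1 sh natd-rules.sh` as root on the firewall to load it. With the rules in this order, a sniffer on the inside interface should show the SYN arriving at 192.168.1.10:80 for every connection attempt seen on the outside at port 8080.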
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.LNX.4.30.0107131113240.6380-100000>