Incoming Mail List disturbed my sleep to write:
> NATD definition
> natd -p 8668 -redirect_port tcp 80 -n de3
> IPFW definitions
> 100 divert 8668 log ip from to
> 300 allow log ip from any to any
> 500 deny log ip from any to any

I *think* the problem with this set of rules is that you're diverting to
natd anything from the private client to the webserver, *but you're not
diverting the replies from the webserver*.  Your request goes to the
webserver with the source address set to (the IP address
on de3).  The webserver sends the reply to, but since that
reply never gets to natd, "knows" it didn't send that request
so it gets dropped silently.

One way around this would be to add a second rule:

        200 divert 8668 log ip from any to

but that may cause problems...natd may drop incoming connections or
replies that it hasn't seen.  Since natd is only seeing requests to, access to other machines may end up broken.

A better/more conventional way of doing it would be:

        100 divert 8668 all via de3

> This results in lots of packets accepted, but I get no output on the
> machine and the browser eventually times out.
> 100 Divert 8669 TCP in via de3
> 300 Accept TCP in via de3
> 300 Accept TCP out via de2
> 300 Accept TCP in via de2
> 300 Accept TCP out via de3

Logs are good, but tcpdump is better -- you get to see the tcp flags.
This looks good, which is why I'm hedging my bet about the divert rules,
but tcpdump on (say) your client, or the machine running natd, would
show a lot more. 

Saint Aardvark the Carpeted
Because the plural of Anecdote is Myth.
[EMAIL PROTECTED] mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to