NATD: net.inet.ip.fw.default_to_accept=1 vs firewall_type=OPEN

2013-10-10 Thread Chris Stankevitz
Hello,

Handbook section 31.9 describes the setup of NAT.

Section 31.9.3 suggests net.inet.ip.fw.default_to_accept=1 during
the first attempts to setup a firewall and NAT gateway.

Section 31.9.5 suggests I specify a predefined firewall ruleset that
allows anything in with firewall_type=OPEN

Question: What is the difference between these two configurations (or
where can I go to learn the difference between the two)?

Thank you,

Chris
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Re: NATD: net.inet.ip.fw.default_to_accept=1 vs firewall_type=OPEN

2013-10-10 Thread Michael Ross
On Fri, 11 Oct 2013 04:38:45 +0200, Chris Stankevitz <chrisstankev...@gmail.com> wrote:

> Hello,
>
> Handbook section 31.9 describes the setup of NAT.
>
> Section 31.9.3 suggests net.inet.ip.fw.default_to_accept=1 during
> the first attempts to setup a firewall and NAT gateway.
>
> Section 31.9.5 suggests I specify a predefined firewall ruleset that
> allows anything in with firewall_type=OPEN
>
> Question: What is the difference between these two configurations (or
> where can I go to learn the difference between the two)?
>
> Thank you,
>
> Chris


Hello,

ipfw always has one default rule, standard is

65535 deny ip from any to any

If you set net.inet.ip.fw.default_to_accept=1, you get

65535 allow ip from any to any

instead.


Specifying firewall_type=OPEN gives you an additional rule

65000 allow ip from any to any


Now, if for example you execute ``ipfw flush'', thus deleting all rules,
this deletes rule 65000, but the default rule stays in effect.
With ...default_to_accept=0 (the standard setting) you have now disabled
all network connections and locked yourself out if you're working remotely.



HTH,
Michael


Re: NATD: net.inet.ip.fw.default_to_accept=1 vs firewall_type=OPEN

2013-10-10 Thread Chris Stankevitz
On Thu, Oct 10, 2013 at 8:22 PM, Michael Ross <g...@ross.cx> wrote:
> ipfw always has one default rule, standard is
>
> [snip]
>
> Specifying firewall_type=OPEN gives you an additional rule


Michael,

Thank you, that is exactly what I am seeing.

Chris


NAT loopback using natd and ipfw

2013-08-17 Thread Frank Leonhardt
Does anyone know how to get NAT loopback (aka NAT hairpin or NAT 
reflection) working with natd and ipfw? It seems to work with the 
in-kernel NAT without the need for configuration, but not if you're 
using natd.


I have a feeling it may be something to do with the ipfw 
diverted-loopback test in natd but if I experiment and get it wrong 
it's five hours on the motorway for me.


Incidentally, I've set net.inet.ip.fw.one_pass to 0 but it didn't help.

Thanks, Frank.

(By NAT loopback I mean the situation when you're using NAT to 
translate one WAN IP to many local LAN IPs (i.e. the usual). If a LAN 
machine tries to access the WAN IP, you need NAT to treat it as an 
incoming connection and port-forward it as appropriate to a LAN IP as if 
the packet had come from the Internet. This is not weird; it's what most 
home and small office routers do by default).




ipfw+natd port forward does not work as intended

2013-04-03 Thread Unga
Hi all

I'm on 192.168.1.62; the server is running on 192.168.1.3 and listens on port 1234. 
I want any connection going out of my machine to port 1234 to be port-forwarded to 
192.168.1.3:1234.

But when I attempt to connect to 192.168.1.1:1234, natd shows the following 
verbose message:
natd[2051]: Aliasing to 192.168.1.62, mtu 1500 bytes
Out {default}[TCP]  [TCP] 192.168.1.62:45642 -> 192.168.1.1:1234 aliased to
   [TCP] 192.168.1.62:45642 -> 192.168.1.1:1234


This is FreeBSD 8.1-RELEASE and the kernel is built with following options:
options IPFIREWALL  # Enable ipfw
options IPFIREWALL_FORWARD  # Enable ipfw forward
options IPDIVERT


/etc/rc.conf
--

# Enable ipfw firewall
firewall_enable="YES"
firewall_script="/etc/rc.firewall.test"

# Natd
gateway_enable="YES"
natd_enable="YES"
natd_interface="msk0"
natd_flags="-f /etc/natd.conf"
sysctl net.inet.ip.forwarding=1

/etc/rc.firewall.test
---

#!/bin/sh


IFACE=msk0

IPFW=/sbin/ipfw

${IPFW} -f flush
${IPFW} add 100 divert natd ip from any to any 1234 via ${IFACE} 
${IPFW} add 6 permit ip from any to any


/etc/natd.conf
-

port 8668
log
verbose
interface msk0 
redirect_port tcp 192.168.1.3:1234 1234


Is there any configuration error above?

Best regards
Unga


NATD Question

2010-08-27 Thread Michael J. Kearney
Will natd forward rtmp://  ???

freebsd# cat /etc/natd.conf

use_sockets
redirect_port tcp 192.168.0.3:3389 10.1.10.172:3389
redirect_port tcp 192.168.0.2:1935 10.1.10.172:1935
redirect_port tcp 192.168.0.2:8790 10.1.10.172:8790
redirect_port tcp 192.168.0.2:6000-6100 10.1.10.172:6000-6100
interface fxp0
log

Everything else seems to work just fine. What am I doing wrong ?

Michael Kearney
Computer Assistant
+1 (703) 953-9626
mkear...@nvita.org
http://www.nvita.org/



Re: NATD Question

2010-08-27 Thread Nikos Vassiliadis

On 8/27/2010 9:14 PM, Michael J. Kearney wrote:

> Will natd forward rtmp://  ???

I am sure libalias and natd know nothing about rtmp.


> freebsd# cat /etc/natd.conf
>
> use_sockets
> redirect_port tcp 192.168.0.3:3389 10.1.10.172:3389
> redirect_port tcp 192.168.0.2:1935 10.1.10.172:1935
> redirect_port tcp 192.168.0.2:8790 10.1.10.172:8790
> redirect_port tcp 192.168.0.2:6000-6100 10.1.10.172:6000-6100
> interface fxp0
> log
>
> Everything else seems to work just fine. What am I doing wrong ?


Some protos need special handling when an IP address is changed.
Are you sure rtmp can be redirected only by changing the destination
address?

Nikos


ipfw+natd startup order fixing

2010-07-29 Thread umage
Hi there, a few months ago I inquired about an issue where using
ipfw+natd worked on 8.0 but produced errors in 8.1. After searching the
bugs database, I found multiple reports about it -
http://www.freebsd.org/cgi/query-pr.cgi?pr=conf/148137 and
http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/148928. Both suggest
manually loading ipdivert as a workaround, and fixing the rc scripts as
solution.

The offending changeset is
http://svn.freebsd.org/viewvc/base/stable/8/etc/rc.d/ipfw?r1=196045&r2=203962,
where natd was changed to be run as a post-cmd instead of a pre-cmd.
According to svn, this defect has not been addressed in HEAD yet.

I've tried modifying the rc scripts, so that natd becomes a dependency
of ipfw - which ought to make it start. However, the rc script is marked
as KEYWORD: nostart, which excludes it from the normal startup process
and from the listing of 'services -r' (finally noticed this). So an
alternative way to fix this would be to make natd a standalone script, add
a rc dependency, and remove the 'firewall_coscript' juggling in ipfw's
rc script.

What's the best way to get this problem fixed in svn?


ipfw/natd in 8.1

2010-05-28 Thread Casey Scott
Since a rebuild to FBSD 8.1, I can't get natd to function correctly. Below is 
my ipfw config. It closely follows the example in the Handbook.

http://www.freebsd.org/doc/en/books/handbook/firewalls-ipfw.html (30.6.5.7 An 
Example NAT and Stateful Ruleset -- Ruleset #1)

firewall config (logging enabled temporarily while troubleshooting)

3 16133 2323153 allow ip from any to any via em0
4   672  144006 allow ip from any to any via lo0
00100965322 divert 8668 log ip from any to any in via fxp0
00101 0   0 check-state
00120644542 skipto 500 log udp from any to any out via fxp0 keep-state
00125   203   49916 skipto 500 log tcp from any to any out via fxp0 setup keep-state
00130262184 skipto 500 icmp from any to any out via fxp0 keep-state
00300 0   0 deny ip from 192.168.0.0/16 to any in via fxp0
00301 0   0 deny ip from 172.16.0.0/12 to any in via fxp0
00302 0   0 deny ip from 10.0.0.0/8 to any in via fxp0
00303 0   0 deny ip from 127.0.0.0/8 to any in via fxp0
00304 0   0 deny ip from 0.0.0.0/8 to any in via fxp0
00305 0   0 deny ip from 169.254.0.0/16 to any in via fxp0
00306 0   0 deny ip from 192.0.2.0/24 to any in via fxp0
00307 0   0 deny ip from 204.152.64.0/23 to any in via fxp0
00308 0   0 deny ip from 224.0.0.0/3 to any in via fxp0
00400101306 allow log udp from any to any dst-port 53,123 in keep-state
00401 0   0 allow log icmp from any to any icmptypes 0,3,11
00420 91112 allow log tcp from any to me dst-port 20,21,53,76,80,123,443 in via fxp0 setup limit src-addr 20
0045024 876 deny log logamount 1 ip from any to any
00500   293   56642 divert 8668 log ip from any to any
0051078   21591 allow log ip from any to any
65535   262   18726 deny ip from any to any


/etc/natd.conf

use_sockets
same_ports
unregistered_only
interface fxp0


Natd only properly NATs the first packet out:

# /sbin/natd -v -f /etc/natd.conf
Loading /lib/libalias_cuseeme.so
Loading /lib/libalias_ftp.so
Loading /lib/libalias_irc.so
Loading /lib/libalias_nbt.so
Loading /lib/libalias_pptp.so
Loading /lib/libalias_skinny.so
Loading /lib/libalias_smedia.so
natd[10702]: Aliasing to 74.94.69.225, mtu 1500 bytes
Out {default}[TCP]  [TCP] 192.168.1.6:61447 -> 65.61.153.152:80 aliased to
   [TCP] 74.94.69.225:61447 -> 65.61.153.152:80
In  {default}[TCP]  [TCP] 65.61.153.152:80 -> 74.94.69.225:61447 aliased to
   [TCP] 65.61.153.152:80 -> 192.168.1.6:61447
In  {default}[TCP]  [TCP] 65.61.153.152:80 -> 192.168.1.6:61447 aliased to
   [TCP] 65.61.153.152:80 -> 192.168.1.6:61447
Out {default}[TCP]  [TCP] 192.168.1.6:61447 -> 65.61.153.152:80 aliased to
   [TCP] 192.168.1.6:61447 -> 65.61.153.152:80
Out {default}[TCP]  [TCP] 192.168.1.6:61447 -> 65.61.153.152:80 aliased to
   [TCP] 192.168.1.6:61447 -> 65.61.153.152:80
Out {default}[TCP]  [TCP] 192.168.1.6:61447 -> 65.61.153.152:80 aliased to
   [TCP] 192.168.1.6:61447 -> 65.61.153.152:80
Out {default}[TCP]  [TCP] 192.168.1.6:61447 -> 65.61.153.152:80 aliased to
   [TCP] 192.168.1.6:61447 -> 65.61.153.152:80
Out {default}[TCP]  [TCP] 192.168.1.6:61447 -> 65.61.153.152:80 aliased to
   [TCP] 192.168.1.6:61447 -> 65.61.153.152:80
In  {default}[TCP]  [TCP] 65.61.153.152:80 -> 74.94.69.225:61447 aliased to
   [TCP] 65.61.153.152:80 -> 192.168.1.6:61447
In  {default}[TCP]  [TCP] 65.61.153.152:80 -> 192.168.1.6:61447 aliased to
   [TCP] 65.61.153.152:80 -> 192.168.1.6:61447
Out {default}[TCP]  [TCP] 192.168.1.6:61447 -> 65.61.153.152:80 aliased to
   [TCP] 192.168.1.6:61447 -> 65.61.153.152:80
Out {default}[TCP]  [TCP] 192.168.1.6:61447 -> 65.61.153.152:80 aliased to
   [TCP] 192.168.1.6:61447 -> 65.61.153.152:80
Out {default}[TCP]  [TCP] 192.168.1.6:61447 -> 65.61.153.152:80 aliased to
   [TCP] 192.168.1.6:61447 -> 65.61.153.152:80
Out {default}[TCP]  [TCP] 192.168.1.6:61447 -> 65.61.153.152:80 aliased to
   [TCP] 192.168.1.6:61447 -> 65.61.153.152:80


I'm not sure why this happens!  Same config worked w/ FBSD 7x.


TIA,
Casey


Re: ipfw/natd in 8.1

2010-05-28 Thread Коньков Евгений
Hello, Casey.

CS> 00300 0   0 deny ip from 192.168.0.0/16 to any in via fxp0
CS> 00301 0   0 deny ip from 172.16.0.0/12 to any in via fxp0
CS> 00302 0   0 deny ip from 10.0.0.0/8 to any in via fxp0
CS> 00303 0   0 deny ip from 127.0.0.0/8 to any in via fxp0
CS> 00304 0   0 deny ip from 0.0.0.0/8 to any in via fxp0
CS> 00305 0   0 deny ip from 169.254.0.0/16 to any in via fxp0
CS> 00306 0   0 deny ip from 192.0.2.0/24 to any in via fxp0
CS> 00307 0   0 deny ip from 204.152.64.0/23 to any in via fxp0
CS> 00308 0   0 deny ip from 224.0.0.0/3 to any in via fxp0
you can replace all that by:
deny all from any to not me in recv fxp0

in recv/in via are very different things!



CS> 00100965322 divert 8668 log ip from any to any in via fxp0
CS> 00500   293   56642 divert 8668 log ip from any to any
What are you trying to do with these rules??? What you do is wrong.

They do different work in conjunction with keep-state and other
rules in your firewall. Divide the logic in your firewall!

What is the one_pass option in your kernel?
kes# sysctl -a | grep one_pass
maybe you have 1, but it must be 0

CS> 00420 91112 allow log tcp from any to me dst-port 20,21,53,76,80,123,443 in via fxp0 setup limit src-addr 20
this rule will not pass packets to undivert I think, or will have some
effect on the divert rule

CS> 0051078   21591 allow log ip from any to any
this rule is useless!!!

CS> Out {default}[TCP]  [TCP] 192.168.1.6:61447 -> 65.61.153.152:80 aliased to
CS>    [TCP] 74.94.69.225:61447 -> 65.61.153.152:80
CS> In  {default}[TCP]  [TCP] 65.61.153.152:80 -> 74.94.69.225:61447 aliased to
CS>    [TCP] 65.61.153.152:80 -> 192.168.1.6:61447
before setup all works fine

after setup, your firewall fails. established connections do not work
CS> In  {default}[TCP]  [TCP] 65.61.153.152:80 -> 192.168.1.6:61447 aliased to
CS>    [TCP] 65.61.153.152:80 -> 192.168.1.6:61447
CS> Out {default}[TCP]  [TCP] 192.168.1.6:61447 -> 65.61.153.152:80 aliased to
CS>    [TCP] 192.168.1.6:61447 -> 65.61.153.152:80
CS> Out {default}[TCP]  [TCP] 192.168.1.6:61447 -> 65.61.153.152:80 aliased to
CS>    [TCP] 192.168.1.6:61447 -> 65.61.153.152:80
CS> Out {default}[TCP]  [TCP] 192.168.1.6:61447 -> 65.61.153.152:80 aliased to
CS>    [TCP] 192.168.1.6:61447 -> 65.61.153.152:80

try to understand divert, then will try keep-state,setup etc.

good luck

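Unga's natd output further up the page and Casey's listing above both show natd logging an "aliased to" pair in which the addresses did not change. The script below is an added example, written for this page and not code from either poster or from FreeBSD, that parses natd -v records (the two-line form natd prints, with its "->" arrows) and labels each one. The two sample logs are constructed from the lines quoted in those two posts; the label names are my own, and the only natd(8) fact the classification relies on is that redirect_port rewrites incoming connections addressed to the aliasing address.

```python
"""Classify natd -v records: which packets did natd actually translate?"""
import ipaddress
import re
import sys
from collections import Counter

# Constructed sample: the natd -v lines Casey posted, "->" arrows restored.
CASEY_LOG = """\
natd[10702]: Aliasing to 74.94.69.225, mtu 1500 bytes
Out {default}[TCP]  [TCP] 192.168.1.6:61447 -> 65.61.153.152:80 aliased to
           [TCP] 74.94.69.225:61447 -> 65.61.153.152:80
In  {default}[TCP]  [TCP] 65.61.153.152:80 -> 74.94.69.225:61447 aliased to
           [TCP] 65.61.153.152:80 -> 192.168.1.6:61447
In  {default}[TCP]  [TCP] 65.61.153.152:80 -> 192.168.1.6:61447 aliased to
           [TCP] 65.61.153.152:80 -> 192.168.1.6:61447
Out {default}[TCP]  [TCP] 192.168.1.6:61447 -> 65.61.153.152:80 aliased to
           [TCP] 192.168.1.6:61447 -> 65.61.153.152:80
"""

# Constructed sample: the lines from Unga's port-forward question.
UNGA_LOG = """\
natd[2051]: Aliasing to 192.168.1.62, mtu 1500 bytes
Out {default}[TCP]  [TCP] 192.168.1.62:45642 -> 192.168.1.1:1234 aliased to
           [TCP] 192.168.1.62:45642 -> 192.168.1.1:1234
"""

ALIAS_RE = re.compile(r"Aliasing to (\d+\.\d+\.\d+\.\d+),")
HEAD_RE = re.compile(r"^(In|Out)\s+\{\w+\}\[\w+\]\s+\[(\w+)\]\s+"
                     r"(\S+):(\d+) -> (\S+):(\d+) aliased to\s*$")
TAIL_RE = re.compile(r"^\s+\[\w+\]\s+(\S+):(\d+) -> (\S+):(\d+)\s*$")


def parse(log):
    """Return (alias_ip, records). A record pairs the 'aliased to' line with
    its continuation line: before/after = (src, sport, dst, dport)."""
    alias_ip, records, pending = None, [], None
    for line in log.splitlines():
        m = ALIAS_RE.search(line)
        if m:
            alias_ip = m.group(1)
            continue
        m = HEAD_RE.match(line)
        if m:
            pending = (m.group(1), m.group(2), m.groups()[2:])
            continue
        m = TAIL_RE.match(line)
        if m and pending:
            direction, proto, before = pending
            records.append({"dir": direction, "proto": proto,
                            "before": before, "after": m.groups()})
            pending = None
    return alias_ip, records


def is_private(addr):
    return ipaddress.ip_address(addr).is_private


def classify(rec, alias_ip):
    """Label one record. Only 'ok' means natd changed the address it should."""
    src_before, _, dst_before, _ = rec["before"]
    src_after, _, dst_after, _ = rec["after"]
    if rec["dir"] == "Out":
        if src_before != alias_ip and src_after == alias_ip:
            return "ok"
        if src_before == alias_ip:
            # Nothing to rewrite: the source already is the aliasing address.
            # redirect_port only rewrites *incoming* connections (natd(8)).
            return "out-src-is-alias"
        if src_before == src_after and is_private(src_before):
            return "out-not-aliased"
    else:
        if dst_before == alias_ip and dst_after != alias_ip:
            return "ok"
        if dst_before != alias_ip and is_private(dst_before):
            # natd was handed a packet whose destination was already an inside
            # address: it had been translated (or never needed it) before it
            # reached this divert socket.
            return "in-already-private"
        if dst_before == dst_after == alias_ip:
            return "in-not-redirected"
    return "other"


def audit(log):
    """Return (alias_ip, per-record labels, label counts)."""
    alias_ip, records = parse(log)
    labels = [classify(r, alias_ip) for r in records]
    return alias_ip, labels, Counter(labels)


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "-":   # pipe real natd -v output in
        print(audit(sys.stdin.read()))
    else:
        for name, log in (("casey", CASEY_LOG), ("unga", UNGA_LOG)):
            print(name, audit(log)[:2])
```

Run it as is to see both samples classified, or feed it live output with `natd -v -f /etc/natd.conf 2>&1 | python3 natd_audit.py -`. An `out-not-aliased` record is what Casey describes (the private source left on an outbound packet); `in-already-private` means natd received a packet whose destination was already an inside address, as happens when a second divert rule matches the same packet after translation; `out-src-is-alias` is Unga's case, where the source is already the aliasing address and redirect_port, being inbound-only, has nothing to act on.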


Re: natd in 8.1

2010-05-19 Thread Casey Scott
I haven't had a chance to work on this yet. I'll be out of town for a little 
while, and will update the thread upon my arrival.

Thanks.


Casey

- Коньков Евгений <kes-...@yandex.ru> wrote:

> Hello, Casey.
>
> What does natd with the '-v' option show? What is it aliasing?
>
> You must bind natd to the external interface
>
> NEVER DO: any to any divert!!!
>
> NOTICE: no traffic goes through this rule
> CS> 05000 00 divert 8668 ip from any to any out via fxp0
>
> NEVER DO: an open firewall, for security reasons
> CS> 0500129 1484 allow ip from any to any
>
> All 'ALLOW' rules are useless! because of rule 5001
>
>
> You drop all traffic before the divert ;-) this makes me a little confused
> CS> 04000   75224282 deny log logamount 1 ip from any to any
> CS> 05000 00 divert 8668 ip from any to any out via fxp0
>
>
> NOTICE:
> CS> 0120029 1484 skipto 5000 ip from 192.168.1.0/24 to any out via fxp0 setup keep-state
> maybe there are some bugs in ipfw, try 4999
>
>
> Please post where the problem was, for other readers with the same question
> thanks
>
> You wrote on 18 May 2010, 18:51:10:
>
> CS> I recently rebuilt a server from 7.x to 8.x.  Using the exact
> CS> same firewall & natd config, natd appears not to be aliasing the
> CS> private address when the traffic leaves the external interface.
> CS> When sniffing traffic w/ tcpdump, I see the private address as the
> CS> source address on the outbound request.
>
> CS> e.g.
>
> CS> 192.168.1.1  = internal source of request
> CS> 74.75.76.77 = public address (website)
> CS> 12.13.14.15 = 
>
> CS>    Internal                              External
> CS> 192.168.1.10 -> 74.75.76.77   (NAT)   192.168.1.10 -> 74.75.76.77
>
>
> CS> Rather than  it should be:
>
>
>
> CS>    Internal                              External
> CS> 192.168.1.10 -> 74.75.76.77   (NAT)   12.13.14.15 -> 74.75.76.77
>
>
> CS> Watching natd with ktrace shows that no traffic gets passed to
> CS> natd when the source is internal, however external traffic passes
> CS> through it.
>
> CS> Firewall config:
> CS> ---
> CS> 00200 11946  3204818 allow ip from any to any via lo0
> CS> 00300 00 deny ip from any to 127.0.0.0/8
> CS> 0030110  528 deny ip from any to 74.94.69.225 dst-port 445
> CS> 00302 1   78 deny ip from any to 74.94.69.225 dst-port 137
> CS> 00303 9  544 deny ip from any to 74.94.69.225 dst-port 135
> CS> 00304 00 deny ip from 224.0.0.0/4 to any via fxp0
> CS> 00305   67118788 deny ip from any to 224.0.0.0/4 via fxp0
> CS> 01000  9093  1158436 allow ip from any to any via em0
> CS> 01050 51045  5205047 divert 8668 ip from any to any in via fxp0
> CS> 01100 00 check-state
> CS> 01100 69183 83429465 allow ip from me to any
> CS> 0120029 1484 skipto 5000 ip from 192.168.1.0/24 to any out via fxp0 setup keep-state
> CS> 01201 00 skipto 5000 udp from 192.168.1.0/24 to any out via fxp0 keep-state
> CS> 01202 45002  4690467 allow ip from any to any established
> CS> 01800  142172620 allow tcp from any to me dst-port 20,21,53,76,80,123,443
> CS> 01900 3  194 allow ip from 216.251.112.0/24,208.95.100.4 to any
> CS> 02000   530   127559 allow udp from any 53 to any
> CS> 02100   83459414 allow udp from any to any dst-port 53
> CS> 02150  1930   146680 allow udp from any 123 to me dst-port 123
> CS> 02200   46839312 allow icmp from any to any icmptypes 0,3,11
> CS> 04000   75224282 deny log logamount 1 ip from any to any
> CS> 05000 00 divert 8668 ip from any to any out via fxp0
> CS> 0500129 1484 allow ip from any to any
> CS> 65535 00 deny ip from any to any
> CS> ---
>
> CS> natd.conf
> CS> ---
> CS> use_sockets
> CS> same_ports
> CS> unregistered_only
> CS> interface fxp0
>
> CS> redirect_port tcp 192.168.1.82:82   82
> CS> redirect_port tcp 192.168.1.41:8082 8082
> CS> redirect_port tcp 192.168.1.3:3389  3389
> CS> redirect_port udp 192.168.1.3:3389  3389
> CS> redirect_port tcp 192.168.1.6:6881-6889 6881-6889
> CS> ---
>
>
> CS> As I previously stated, this exact same config worked great in
> CS> 7.x. I built a kernel in 8.x w/ IPFIREWALL & IPDIVERT, and
> CS> reviewed UPDATING.  Have I missed something?
>
> CS> TIA,
> CS> Casey
>
>
>
> -- 
> Best regards,
>  Коньков  mailto:kes-...@yandex.ru

natd in 8.1

2010-05-18 Thread Casey Scott
I recently rebuilt a server from 7.x to 8.x.  Using the exact same firewall & 
natd config, natd appears not to be aliasing the private address when the 
traffic leaves the external interface.  When sniffing traffic w/ tcpdump, I see 
the private address as the source address on the outbound request. 

e.g.

192.168.1.1  = internal source of request
74.75.76.77 = public address (website)
12.13.14.15 = 

   Internal                              External
192.168.1.10 -> 74.75.76.77   (NAT)   192.168.1.10 -> 74.75.76.77


Rather than  it should be:



   Internal                              External
192.168.1.10 -> 74.75.76.77   (NAT)   12.13.14.15 -> 74.75.76.77


Watching natd with ktrace shows that no traffic gets passed to natd when the 
source is internal, however external traffic passes through it.

Firewall config:
---
00200 11946  3204818 allow ip from any to any via lo0
00300 00 deny ip from any to 127.0.0.0/8
0030110  528 deny ip from any to 74.94.69.225 dst-port 445
00302 1   78 deny ip from any to 74.94.69.225 dst-port 137
00303 9  544 deny ip from any to 74.94.69.225 dst-port 135
00304 00 deny ip from 224.0.0.0/4 to any via fxp0
00305   67118788 deny ip from any to 224.0.0.0/4 via fxp0
01000  9093  1158436 allow ip from any to any via em0
01050 51045  5205047 divert 8668 ip from any to any in via fxp0
01100 00 check-state
01100 69183 83429465 allow ip from me to any
0120029 1484 skipto 5000 ip from 192.168.1.0/24 to any out via fxp0 
setup keep-state
01201 00 skipto 5000 udp from 192.168.1.0/24 to any out via fxp0 
keep-state
01202 45002  4690467 allow ip from any to any established
01800  142172620 allow tcp from any to me dst-port 20,21,53,76,80,123,443
01900 3  194 allow ip from 216.251.112.0/24,208.95.100.4 to any
02000   530   127559 allow udp from any 53 to any
02100   83459414 allow udp from any to any dst-port 53
02150  1930   146680 allow udp from any 123 to me dst-port 123
02200   46839312 allow icmp from any to any icmptypes 0,3,11
04000   75224282 deny log logamount 1 ip from any to any
05000 00 divert 8668 ip from any to any out via fxp0
0500129 1484 allow ip from any to any
65535 00 deny ip from any to any
---

natd.conf
---
use_sockets
same_ports
unregistered_only
interface fxp0

redirect_port tcp 192.168.1.82:82   82
redirect_port tcp 192.168.1.41:8082 8082
redirect_port tcp 192.168.1.3:3389  3389
redirect_port udp 192.168.1.3:3389  3389
redirect_port tcp 192.168.1.6:6881-6889 6881-6889
---


As I previously stated, this exact same config worked great in 7.x. I built a 
kernel in 8.x w/ IPFIREWALL & IPDIVERT, and reviewed UPDATING.  Have I missed 
something? 

TIA,
Casey



Re: natd in 8.1

2010-05-18 Thread Коньков Евгений
Hello, Casey.

What does natd with the '-v' option show? What is it aliasing?

You must bind natd to the external interface

NEVER DO: any to any divert!!!

NOTICE: no traffic goes through this rule
CS> 05000 00 divert 8668 ip from any to any out via fxp0

NEVER DO: an open firewall, for security reasons
CS> 0500129 1484 allow ip from any to any

All 'ALLOW' rules are useless! because of rule 5001


You drop all traffic before the divert ;-) this makes me a little confused
CS> 04000   75224282 deny log logamount 1 ip from any to any
CS> 05000 00 divert 8668 ip from any to any out via fxp0


NOTICE:
CS> 0120029 1484 skipto 5000 ip from 192.168.1.0/24 to any out via fxp0 setup keep-state
maybe there are some bugs in ipfw, try 4999


Please post where the problem was, for other readers with the same question
thanks

You wrote on 18 May 2010, 18:51:10:

CS> I recently rebuilt a server from 7.x to 8.x.  Using the exact
CS> same firewall & natd config, natd appears not to be aliasing the
CS> private address when the traffic leaves the external interface.
CS> When sniffing traffic w/ tcpdump, I see the private address as the
CS> source address on the outbound request.

CS> e.g.

CS> 192.168.1.1  = internal source of request
CS> 74.75.76.77 = public address (website)
CS> 12.13.14.15 = 

CS>    Internal                              External
CS> 192.168.1.10 -> 74.75.76.77   (NAT)   192.168.1.10 -> 74.75.76.77


CS> Rather than  it should be:



CS>    Internal                              External
CS> 192.168.1.10 -> 74.75.76.77   (NAT)   12.13.14.15 -> 74.75.76.77


CS> Watching natd with ktrace shows that no traffic gets passed to
CS> natd when the source is internal, however external traffic passes through
CS> it.

CS> Firewall config:
CS> ---
CS> 00200 11946  3204818 allow ip from any to any via lo0
CS> 00300 00 deny ip from any to 127.0.0.0/8
CS> 0030110  528 deny ip from any to 74.94.69.225 dst-port 445
CS> 00302 1   78 deny ip from any to 74.94.69.225 dst-port 137
CS> 00303 9  544 deny ip from any to 74.94.69.225 dst-port 135
CS> 00304 00 deny ip from 224.0.0.0/4 to any via fxp0
CS> 00305   67118788 deny ip from any to 224.0.0.0/4 via fxp0
CS> 01000  9093  1158436 allow ip from any to any via em0
CS> 01050 51045  5205047 divert 8668 ip from any to any in via fxp0
CS> 01100 00 check-state
CS> 01100 69183 83429465 allow ip from me to any
CS> 0120029 1484 skipto 5000 ip from 192.168.1.0/24 to any out via fxp0 setup keep-state
CS> 01201 00 skipto 5000 udp from 192.168.1.0/24 to any out via fxp0 keep-state
CS> 01202 45002  4690467 allow ip from any to any established
CS> 01800  142172620 allow tcp from any to me dst-port 20,21,53,76,80,123,443
CS> 01900 3  194 allow ip from 216.251.112.0/24,208.95.100.4 to any
CS> 02000   530   127559 allow udp from any 53 to any
CS> 02100   83459414 allow udp from any to any dst-port 53
CS> 02150  1930   146680 allow udp from any 123 to me dst-port 123
CS> 02200   46839312 allow icmp from any to any icmptypes 0,3,11
CS> 04000   75224282 deny log logamount 1 ip from any to any
CS> 05000 00 divert 8668 ip from any to any out via fxp0
CS> 0500129 1484 allow ip from any to any
CS> 65535 00 deny ip from any to any
CS> ---

CS> natd.conf
CS> ---
CS> use_sockets
CS> same_ports
CS> unregistered_only
CS> interface fxp0

CS> redirect_port tcp 192.168.1.82:82   82
CS> redirect_port tcp 192.168.1.41:8082 8082
CS> redirect_port tcp 192.168.1.3:3389  3389
CS> redirect_port udp 192.168.1.3:3389  3389
CS> redirect_port tcp 192.168.1.6:6881-6889 6881-6889
CS> ---


CS> As I previously stated, this exact same config worked great in
CS> 7.x. I built a kernel in 8.x w/ IPFIREWALL & IPDIVERT, and
CS> reviewed UPDATING.  Have I missed something?

CS> TIA,
CS> Casey



-- 
Best regards,
 Коньков  mailto:kes-...@yandex.ru

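Two of the points made on this page can be checked mechanically against an `ipfw show` listing: Michael Ross's explanation near the top, that rule 65535 is the only rule a flush leaves behind and that firewall_type=OPEN adds an unconditional allow at 65000, and Коньков's review above, which singles out the unconditional "allow ip from any to any" at 5001, the divert at 5000 with zero hits, and where "skipto 5000" actually lands. The linter below is an added example, written for this page and not code from the thread or from FreeBSD. Its two inputs are constructed: CASEY_RULES reuses a subset of the rule bodies Casey posted with made-up counters, except 5000 and 5001 whose counts the listing shows, and OPEN_RULES approximates what rc.firewall installs for firewall_type=OPEN. The semantics it relies on are those documented in ipfw(8): first match wins, skipto N continues at the first rule numbered >= N, and `ipfw delete N` removes every rule numbered N.

```python
"""Lint an `ipfw show` listing for the pitfalls discussed in these threads."""
import re
import sys
from collections import Counter

# Constructed sample modelled on Casey's ruleset: rule bodies as he posted
# them, counters made up except 5000 (0 hits) and 5001 (29), which his
# listing shows.
CASEY_RULES = """\
00200 11946 3204818 allow ip from any to any via lo0
01050 51045 5205047 divert 8668 ip from any to any in via fxp0
01100 0 0 check-state
01100 69183 83429465 allow ip from me to any
01200 29 1484 skipto 5000 ip from 192.168.1.0/24 to any out via fxp0 setup keep-state
01202 45002 4690467 allow ip from any to any established
04000 752 24282 deny log logamount 1 ip from any to any
05000 0 0 divert 8668 ip from any to any out via fxp0
05001 29 1484 allow ip from any to any
65535 0 0 deny ip from any to any
"""

# Constructed sample approximating what firewall_type=OPEN installs
# (rc.firewall's loopback rules plus rule 65000); counters made up.
OPEN_RULES = """\
00100 10 840 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
65000 3000 250000 allow ip from any to any
65535 0 0 deny ip from any to any
"""

RULE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(.+?)\s*$")
ALLOW, DENY = ("allow", "accept", "pass", "permit"), ("deny", "drop")


def strip_log(body):
    """Drop 'log' and 'logamount N' so action and match can be compared."""
    out, skip = [], False
    for w in body.split():
        if skip:
            skip = False
        elif w == "logamount":
            skip = True
        elif w != "log":
            out.append(w)
    return out


def parse(listing):
    rules = []
    for line in listing.splitlines():
        m = RULE_RE.match(line)
        if m:
            num, pkts, _, body = m.groups()
            rules.append({"num": int(num), "pkts": int(pkts), "words": strip_log(body)})
    return rules


def verdict(words):
    """'allow'/'deny' when the rule is a terminal that matches every packet."""
    if len(words) == 6 and words[1] in ("ip", "all") and words[2:] == ["from", "any", "to", "any"]:
        return "allow" if words[0] in ALLOW else "deny" if words[0] in DENY else None
    return None


def lint(listing):
    rules = parse(listing)
    rep = {"default": None, "open": [], "dupes": [], "dead_divert": [],
           "skipto": [], "unreachable": []}
    rep["dupes"] = sorted(n for n, c in Counter(r["num"] for r in rules).items() if c > 1)
    entries = {0}                      # rule indices where evaluation can (re)start
    for r in rules:
        w, v = r["words"], verdict(r["words"])
        if r["num"] == 65535:
            rep["default"] = v         # 'allow' here means default_to_accept=1
        elif v == "allow":
            rep["open"].append(r["num"])
        if w[0] == "divert" and r["pkts"] == 0:
            rep["dead_divert"].append(r["num"])
        if w[0] == "skipto":           # lands on the first rule numbered >= target
            target = int(w[1])
            land = next((j for j, x in enumerate(rules) if x["num"] >= target), None)
            rep["skipto"].append((r["num"], target, rules[land]["num"] if land is not None else None))
            if land is not None:
                entries.add(land)
    flowing = False
    for i, r in enumerate(rules):
        flowing = flowing or i in entries
        if not flowing and r["num"] != 65535:
            rep["unreachable"].append(r["num"])
        if verdict(r["words"]):        # unconditional terminal: flow stops here
            flowing = False
    return rep


def fallthrough(listing, flushed=False):
    """Fate of a packet no specific rule matches. After `ipfw flush` only
    rule 65535 is left, so the answer is whatever default_to_accept made it."""
    rules = parse(listing)
    if flushed:
        rules = [r for r in rules if r["num"] == 65535]
    return next((verdict(r["words"]) for r in rules if verdict(r["words"])), None)


if __name__ == "__main__":
    listing = sys.stdin.read() if len(sys.argv) > 1 and sys.argv[1] == "-" else CASEY_RULES
    print(lint(listing))
    print("fallthrough now:", fallthrough(listing), "after flush:", fallthrough(listing, flushed=True))
```

Feed a live chain in with `ipfw show | python3 ipfw_lint.py -`. On the Casey sample it reports the open rule 5001, the zero-hit divert 5000, the duplicated number 1100 (one `ipfw delete 1100` would remove both the check-state and the allow) and that skipto 5000 lands on 5000 itself. On the OPEN sample, `fallthrough()` is allow because of rule 65000 while `fallthrough(flushed=True)` is deny, which is exactly the lockout Michael describes; with net.inet.ip.fw.default_to_accept=1 rule 65535 itself reads allow and both answers stay allow.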


Re: ipfw natd rules not loading on startup

2010-05-15 Thread Polytropon
Just a sidenote:

On Sat, 15 May 2010 02:33:10 +0200, umage <theultram...@gmail.com> wrote:
> However, if I
> run the script manually, or call it from the end of /etc/rc, it will add
> these rules as well. Currently I am using a workaround.

It's not a good idea to modify /etc/rc. In your case, using the
mechanisms of /etc/rc(.shutdown).local is a good way to call
scripts that do not fit the rc.d concept. See man rc.local
for details.

So I would suggest something for /etc/rc.local like this:



#!/bin/sh

if [ -z "${source_rc_confs_defined}" ]; then
        if [ -r /etc/defaults/rc.conf ]; then
                . /etc/defaults/rc.conf
                source_rc_confs
        elif [ -r /etc/rc.conf ]; then
                . /etc/rc.conf
        elif [ -r /etc/rc.conf.local ]; then
                . /etc/rc.conf.local
        fi
fi

echo -n " custom-firewall"
/your/firewall/script.sh --here



The final dot + newline in the messages will be added by rc,
if I remember correctly.



-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...


ipfw natd rules not loading on startup

2010-05-14 Thread umage
I performed a kernel+world update of my freebsd router, RELENG_8 branch,
apparently from the version 6 months ago to current. I use ipfw and a
shell script that gets loaded at startup. I noticed after rebooting that
ipfw did not load two rules, both of type divert natd. However, if I
run the script manually, or call it from the end of /etc/rc, it will add
these rules as well. Currently I am using a workaround.

I could not find any mention of warnings or errors in the logs. I
couldn't find any way of making ipfw log errors. I tried piping my
script's output to a file, but it did not say anything useful. Noone I
asked knew what to do. I noticed that there has been a revamp of ipfw
and its supporting scripts recently, so it's possible something broke
along the way (for example, a missing rc dependency on natd?).

Advice would be appreciated.


Re: ipfw natd rules not loading on startup

2010-05-14 Thread Jonathan Chen
On Sat, May 15, 2010 at 02:33:10AM +0200, umage wrote:
> I performed a kernel+world update of my freebsd router, RELENG_8 branch,
> apparently from the version 6 months ago to current. I use ipfw and a
> shell script that gets loaded at startup. I noticed after rebooting that
> ipfw did not load two rules, both of type divert natd. However, if I
> run the script manually, or call it from the end of /etc/rc, it will add
> these rules as well. Currently I am using a workaround.

Best to ask -STABLE. There's been some breakage of ipfw since end of
April. I'm unsure as to whether they've all been resolved yet.

Cheers.
-- 
Jonathan Chen  |  To do is to be  -- Nietzsche
j...@chen.org.nz |  To be is to do  -- Sartre 
   |  Scooby do be do -- Scooby


natd opening partition

2010-03-18 Thread Brian Wolman
Hey there, I run a test server here at the house that also runs natd to
share internet across the network. The past few weeks my free space on
/var was running dangerously low. After some investigation, I found out
that the used space was actually an open file, and here is what lsof
showed me:

natd  1736  root4w  VREG   0,84 410420438 23670 /var (/dev/ad4s1d)

Normally, natd is only supposed to open its log file:

natd 34254  root4w  VREG   0,84   218703 23582 /var/log/alias.log

I've since disabled logging to alias.log and the problem has not
re-occurred, however I would still like to know what I could have done
to cause that, or if maybe it's some kind of bug.

-Brian


Migrating from ipfw and natd to pf

2010-02-09 Thread John
Is there a good guide somewhere for migrating from ipfw and natd rules
to pf?  I had pretty much gotten used to ipfw, and now pf seems very
different to use and understand.
-- 

John Lind
j...@starfire.mn.org


Re: Migrating from ipfw and natd to pf

2010-02-09 Thread RW
On Tue, 9 Feb 2010 08:59:07 -0600
John <j...@starfire.mn.org> wrote:

> Is there a good guide somewhere for migrating from ipfw and natd rules
> to pf?  I had pretty much gotten used to ipfw, and now pf seems very
> different to use and understand.

http://www.openbsd.org/faq/pf/index.html


Re: Migrating from ipfw and natd to pf

2010-02-09 Thread RW
On Tue, 9 Feb 2010 10:54:45 -0600
John <j...@starfire.mn.org> wrote:

> On Tue, Feb 09, 2010 at 03:31:34PM +, RW wrote:
> > On Tue, 9 Feb 2010 08:59:07 -0600
> > John <j...@starfire.mn.org> wrote:
> >
> > > Is there a good guide somewhere for migrating from ipfw and natd
> > > rules to pf?  I had pretty much gotten used to ipfw, and now pf
> > > seems very different to use and understand.
> >
> > http://www.openbsd.org/faq/pf/index.html

Please keep on-topic replies in-list to help people who are searching
the list.

> OK - I guess it's all in there somewhere! 

Most of what you need to know is in the Basic Configuration section -
it's not much, pf is much easier than ipfw.

> I'm confused, though.  I
> thought pf was a part of the regular kernel?  But I do not have
> a /dev/pf:

The kernel module is loaded by the rc.d script if you enable pf in
rc.conf, check  /etc/defaults/rc.conf for more details. The rc.d script
also has a few useful extra options for checking syntax and reloading
rules without disrupting connections.


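As an added example for the translation John is asking about (this is not code from the thread or from the FreeBSD documentation): a small sh script that prints the same NAT gateway twice, once as ipfw+natd rules and once as the pf.conf that replaces them, plus the rc.conf lines RW refers to. The interface names, the LAN prefix and the single inbound service (ssh) are assumptions chosen for the illustration.

```shell
#!/bin/sh
# Added example, not from the thread: one small NAT gateway written twice,
# as ipfw+natd rules and as the pf.conf that replaces them.
# Interface names, the LAN prefix and the ssh service are assumptions.
ext_if=fxp0
int_if=fxp1
lan_net=192.168.1.0/24

# ipfw+natd. natd rewrites addresses in the middle of the ruleset, so the
# inbound divert sits before check-state and the outbound divert after the
# keep-state rule: state is then created and matched on the LAN address.
# Flushing on a default-deny kernel from a remote shell locks you out.
ipfw_natd_rules() {
    cat <<EOF
natd -n $ext_if
ipfw -q -f flush
ipfw add 100 allow ip from any to any via lo0
ipfw add 200 divert natd ip from any to any in via $ext_if
ipfw add 300 check-state
ipfw add 400 skipto 1000 ip from $lan_net to any out via $ext_if keep-state
ipfw add 450 allow ip from me to any out via $ext_if keep-state
ipfw add 500 allow tcp from any to me 22 in via $ext_if setup keep-state
ipfw add 600 deny log ip from any to any
ipfw add 1000 divert natd ip from any to any out via $ext_if
ipfw add 1100 allow ip from any to any
EOF
}

# pf. Translation is one rule in the same file, every pass rule keeps
# state, and the last matching rule wins, so "block in" comes first.
pf_conf() {
    cat <<EOF
ext_if = "$ext_if"
int_if = "$int_if"
lan_net = "$lan_net"

set skip on lo0
scrub in all

# rewrite LAN sources to whatever address the external interface has now
nat on \$ext_if from \$lan_net to any -> (\$ext_if)

block in log all
pass out quick keep state
pass in on \$int_if from \$lan_net to any keep state
pass in on \$ext_if inet proto tcp to (\$ext_if) port 22 keep state
EOF
}

# rc.conf: loads pf.ko and the ruleset at boot. The rc.d script also has
# "check" (parse only) and "reload" (swap rules, keep existing state).
pf_rc_conf() {
    cat <<EOF
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
EOF
}

# Number of filter/translation lines in either ruleset, for comparison.
count_rules() { "$1" | grep -c -E '^(ipfw add|nat |pass |block )'; }

case ${1:-} in
ipfw)  ipfw_natd_rules ;;
pf)    pf_conf ;;
rc)    pf_rc_conf ;;
check) tmp=$(mktemp /tmp/pf.conf.XXXXXX) && pf_conf > "$tmp" && pfctl -nf "$tmp"; rm -f "$tmp" ;;
esac
```

Run it with ipfw, pf or rc as the argument to print each piece; check writes the pf.conf to a temporary file and runs pfctl -nf on it, which is the syntax check the rc.d script wraps as /etc/rc.d/pf check. The thing to notice is the ordering the ipfw version needs: natd rewrites addresses in the middle of the ruleset, so the inbound divert must come before check-state and the outbound divert after the keep-state rule, or the dynamic state is created with one address and looked up with another. pf does the translation in one line and tracks state for every pass rule.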

Can loader.conf give you NATD support?

2010-02-08 Thread John
The natd man page says it is still necessary to create a custom
kernel with

options IPFIREWALL
options IPDIVERT

Is that still true, or can it be accomplished via loader.conf?

Thanks!
-- 

John Lind
j...@starfire.mn.org


Re: Can loader.conf give you NATD support?

2010-02-08 Thread Warren Block

On Mon, 8 Feb 2010, John wrote:


The natd man page says it is still necessary to create a custom
kernel with

options IPFIREWALL
options IPDIVERT

Is that still true, or can it be accomplished via loader.conf?


It's a kernel option, so you probably can't do it at runtime.

Consider using pf instead of ipfw.  pf does NAT without needing natd or 
those kernel options.


-Warren Block * Rapid City, South Dakota USA


Re: Can loader.conf give you NATD support?

2010-02-08 Thread Matthew Seaman

On 08/02/2010 15:39, Warren Block wrote:
 On Mon, 8 Feb 2010, John wrote:
 
 The natd man page says it is still necessary to create a custom
 kernel with

 options IPFIREWALL
 options IPDIVERT

 Is that still true, or can it be accomplished via loader.conf?
 
 It's a kernel option, so you probably can't do it at runtime.

It's a loadable module (ipfw_nat.ko) nowadays, so you probably can do it
at runtime...

 Consider using pf instead of ipfw.  pf does NAT without needing natd or
 those kernel options.

Heartily seconded.  pf and ipfw fulfil the same sort of function, but
to my mind, pf wins hands down simply by having a much more usable
control interface and configuration syntax.  Not to mention the
advanced pf features like ftp-proxy, HA configuration, relayd and a
bunch more.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3
Ramsgate, Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey

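To make Matthew's point concrete, an added example (not from the thread): which modules each NAT style needs on a GENERIC kernel, the loader.conf lines that load them at boot, the two-line ruleset for each, and a check that the modules are actually present. The interface name and the rule numbers are assumptions; the module names are the ones the kernel registers (ipfw, ipdivert, ipfw_nat).

```shell
#!/bin/sh
# Added example, not from the thread: modules, loader.conf lines and rules
# for natd-based NAT versus in-kernel ipfw NAT on a GENERIC kernel.
# $ext_if and the rule numbers are assumptions.
ext_if=fxp0

# natd is a userland daemon fed through a divert(4) socket, so it needs
# ipdivert next to ipfw. In-kernel NAT is libalias inside ipfw_nat: no
# daemon and no divert socket.
modules_for() {
    case $1 in
    natd)   echo "ipfw ipdivert" ;;
    kernel) echo "ipfw ipfw_nat" ;;
    *)      echo "unknown NAT style: $1" >&2; return 1 ;;
    esac
}

# loader.conf lines. The default_to_accept tunable matters because ipfw.ko
# comes up enabled with "65535 deny ip from any to any": without it, a
# kldload on a running remote box drops the ssh session you typed it on.
loader_conf_for() {
    for m in $(modules_for "$1"); do
        echo "${m}_load=\"YES\""
    done
    echo 'net.inet.ip.fw.default_to_accept="1"'
}

# The commands that actually translate, for each style.
nat_rules_for() {
    case $1 in
    natd)
        echo "natd -n $ext_if"
        echo "ipfw add 400 divert natd ip from any to any via $ext_if" ;;
    kernel)
        echo "ipfw nat 1 config if $ext_if same_ports reset"
        echo "ipfw add 400 nat 1 ip from any to any via $ext_if" ;;
    esac
}

# Print the required modules that are not loaded; exit 1 if any is missing.
# kldstat -q -m NAME exits 0 when module NAME is loaded.
missing_modules() {
    missing=
    for m in $(modules_for "$1"); do
        kldstat -q -m "$m" 2>/dev/null || missing="$missing $m"
    done
    echo "${missing# }"
    [ -z "$missing" ]
}

case ${1:-} in
loader) loader_conf_for "${2:-natd}" ;;
rules)  nat_rules_for "${2:-natd}" ;;
check)  missing_modules "${2:-natd}" ;;
esac
```

The tunable is the same net.inet.ip.fw.default_to_accept discussed at the top of this page. Loading ipfw.ko from loader.conf is harmless because the rules are installed before any network is up; loading it by hand on a running machine is not, so on a remote box set the tunable first with kenv net.inet.ip.fw.default_to_accept=1 and only then kldload ipfw. Run the script with check natd or check kernel to see which modules are still missing.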

Re: Can loader.conf give you NATD support?

2010-02-08 Thread John
On Mon, Feb 08, 2010 at 08:39:14AM -0700, Warren Block wrote:
 On Mon, 8 Feb 2010, John wrote:
 
  The natd man page says it is still necessary to create a custom
  kernel with
 
  options IPFIREWALL
  options IPDIVERT
 
  Is that still true, or can it be accomplished via loader.conf?
 
 It's a kernel option, so you probably can't do it at runtime.
 
 Consider using pf instead of ipfw.  pf does NAT without needing natd or 
 those kernel options.

Oh.  OK!  That must be new since the last time I did this.  Will it be
difficult to port my ipfw and natd rules to pf?

 -Warren Block * Rapid City, South Dakota USA

-- 

John Lind
j...@starfire.mn.org


natd is with high cpu use

2010-01-14 Thread Savitha Nair

  Hello,

   natd is at 100% CPU usage. What is the issue? Can you help
me with that?

CPU:  3.4% user,  0.0% nice, 22.2% system,  9.5% interrupt, 64.9% idle
Mem: 161M Active, 493M Inact, 345M Wired, 652K Cache, 417M Buf, 2934M Free
Swap: 4096M Total, 4096M Free

  PID USERNAME   THR PRI NICE   SIZERES STATE   C   TIME   WCPU COMMAND
52273 root 1 1180 13200K  1640K CPU22  32:52 99.07% natd
  833 nobody   1  440 11068K  4864K select  3   3:03  0.00% openvpn

 Regards,
 Savi




Poor throughput with natd

2009-11-23 Thread James Long
Please copy me on replies.

I am testing ipfw and natd on a gateway machine running FreeBSD
7.2-STABLE #0: Tue Oct 27 00:12:39 PDT 2009  with the generic
kernel.  ipfw.ko and ipdivert.ko are loaded as modules, since
they're not part of the GENERIC kernel.

The symptom is that scp uploads from the gateway machine have
very poor throughput, often showing stalled status in the scp
progress output.

Machines on the LAN do not suffer this problem, and can upload
their traffic via NAT with no observed degradation in throughput.
That's why I haven't noticed this problem until recently, when I
tried rsync-ing some files outbound from the gateway to a remote
machine.

I can work around the problem, but this problem has never cropped
up in the past.  Is there a problem in my configuration, or in
recent natd?

Thanks for your time!

Jim


All commands below were executed on the gateway machine that is
running natd with very basic options:

15:07:37 /root# findps natd
root 480  0.0  0.1  3388  1252  ??  Ss   12Nov09   4:32.81 natd -n fxp1


Here are the ipfw rules:

14:55:41 /root# ipfw show
00100 94930656746770 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00400 77293 8699526 divert 8668 ip from any to any via fxp1
00500 35245946 28535731864 allow ip from any to any
65535 0 0 deny ip from any to any

Downloading, scp has no trouble:

14:55:59 /root# scp -p remote:public_html/video/tatra1.mpg .
tatra1.mpg  
 100%   85MB 559.4KB/s   02:36

But uploads stall.  This scp process was killed after about 60 seconds:

14:58:40 /root# scp -p tatra1.mpg remote:/tmp/
tatra1.mpg  
   0%  320KB   1.8KB/s - stalled -^CKilled by signal 2.

Deleting the DIVERT rule eliminates the stalling:

14:59:54 /root# ipfw delete 400
15:00:04 /root# scp -p tatra1.mpg remote:/tmp/
tatra1.mpg  
  27%   23MB 248.2KB/s   04:14 ETA^CKilled by signal 2.

But of course, it also eliminates NAT.

15:01:14 /root# ipfw add 400 divert 8668 ip from any to any via fxp1
00400 divert 8668 ip from any to any via fxp1

Adding this rule works around the natd throughput problem:

15:01:29 /root# ipfw add 350 allow all from me to any via fxp1
00350 allow ip from me to any via fxp1

15:02:03 /root# scp -p tatra1.mpg remote:/tmp/
tatra1.mpg  
 100%   85MB 266.9KB/s   05:27



Re: Poor throughput with natd

2009-11-23 Thread Ian Smith
In freebsd-questions Digest, Vol 286, Issue 4, Message 16
On Mon, 23 Nov 2009 15:28:12 -0800 James Long l...@museum.rain.com wrote:
  Please copy me on replies.
  
  I am testing ipfw and natd on a gateway machine running FreeBSD
  7.2-STABLE #0: Tue Oct 27 00:12:39 PDT 2009  with the generic
  kernel.  ipfw.ko and ipdivert.ko are loaded as modules, since
  they're not part of the GENERIC kernel.
  
  The symptom is that scp uploads from the gateway machine have
  very poor throughput, often showing stalled status in the scp
  progress output.
  
  Machines on the LAN do not suffer this problem, and can upload
  their traffic via NAT with no observed degradation in throughput.
  That's why I haven't noticed this problem until recently, when I
  tried rsync-ing some files outbound from the gateway to a remote
  machine.
  
  I can work around the problem, but this problem has never cropped
  up in the past.  Is there a problem in my configuration, or in
  recent natd?
  
  Thanks for your time!

Hi Jim,

among the over-copious notes in my rc.firewall is:

  #% Julian Elischer, 22Oct06 in freebsd-net:
  # one thing that you need to make sure of is that only the packets that
  # have potential of being of interest to natd are passed to natd.
  # i.e. be VERY specific in your natd rules..
  #
  # ipfw add 1000 divert natd ip from any to any out recv {inner-interface}
  #xmit {outer-interface}.
  # ipfw add 1001 divert natd ip from any to {inner-interface-address} in
  #recv {outer-interface}.
  #
  # don't waste natd's time with packets it doesn't care about.

1001 is actually not quite right, I'll get to that, but the principle is 
correct; the only packets natd can do anything useful with are these:

a) going OUT on the external interface that were received on internal 
interface, so needing source address translation to the outside address.

b) coming IN on the external interface, which MAY match previous (a) 
packets, so requiring destination address remapping to an internal IP.

In the case you outline, the scp is happening between this box itself 
and an outside host so are of no interest to natd, costing extra time.

  All commands below were executed on the gateway machine that is
  running natd with very basic options:
  
  15:07:37 /root# findps natd
  root 480  0.0  0.1  3388  1252  ??  Ss   12Nov09   4:32.81 natd -n fxp1

Here I rather use -a ${ext_ip} but that probably doesn't matter.

  Here are the ipfw rules:
  
  14:55:41 /root# ipfw show
  00100 94930656746770 allow ip from any to any via lo0
  00200 0 0 deny ip from any to 127.0.0.0/8
  00300 0 0 deny ip from 127.0.0.0/8 to any
  00400 77293 8699526 divert 8668 ip from any to any via fxp1
  00500 35245946 28535731864 allow ip from any to any
  65535 0 0 deny ip from any to any

Try, where ext_if=fxp1, int_if=$your_internal_if and ext_ip=$yours

ipfw add 400 divert natd ip from any to any out recv $int_if xmit $ext_if
ipfw add 410 divert natd ip from any to $ext_ip in recv $ext_if

Apart from not passing natd undivertable packets, use of 'via' here has
natd being called at least once and maybe twice on each packet coming or 
going on the outside interface, including those from the host itself.

  Downloading, scp has no trouble:
  
  14:55:59 /root# scp -p remote:public_html/video/tatra1.mpg .
  tatra1.mpg  100% 
85MB 559.4KB/s   02:36
  
  But uploads stall.  This scp process was killed after about 60 seconds:

Might there be an MTU issue as well?  Anything in /etc/natd.conf?

Even though the above divert rules will prevent outbound host traffic 
being diverted at all, I'm still surprised natd's impact was so severe.

  14:58:40 /root# scp -p tatra1.mpg remote:/tmp/
  tatra1.mpg0% 
   320KB   1.8KB/s - stalled -
  ^CKilled by signal 2.
  
  Deleting the DIVERT rule eliminates the stalling:
  
  14:59:54 /root# ipfw delete 400
  15:00:04 /root# scp -p tatra1.mpg remote:/tmp/
  tatra1.mpg   27% 
23MB 248.2KB/s   04:14 ETA
  ^CKilled by signal 2.
  
  But of course, it also eliminates NAT.
  
  15:01:14 /root# ipfw add 400 divert 8668 ip from any to any via fxp1
  00400 divert 8668 ip from any to any via fxp1
  
  Adding this rule works around the natd throughput problem:
  
  15:01:29 /root# ipfw add 350 allow all from me to any via fxp1
  00350 allow ip from me to any via fxp1
 
  15:02:03 /root# scp -p tatra1.mpg remote:/tmp/
  tatra1.mpg  100% 
85MB 266.9KB/s   05:27

350 has the same effect as putting the selective requirements on the 
outbound divert.  You still need to check inbound packets for possible NAT'ing.

cheers, Ian

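Ian's two selective rules next to the original via rule, as an added example (this is not Ian's rc.firewall; the LAN interface and the public address are assumptions, since the post only names fxp1): the script prints the rules and models, for a handful of constructed packets, which ones each variant hands to natd. The matching logic follows ipfw(8): via matches when the named interface is either the receive or the transmit interface; recv and xmit each pin down one of them; a packet the gateway generated itself has no receive interface, which is why the selective outbound rule leaves it alone.

```shell
#!/bin/sh
# Added example, not Ian's rc.firewall: the selective divert rules beside the
# original "via" rule, plus a model of which packets each one diverts.
# int_if and ext_ip are assumptions; the post only names fxp1.
ext_if=fxp1
int_if=fxp0
ext_ip=203.0.113.10

# The only packets natd can do anything with: LAN traffic being forwarded
# out the external interface (source needs rewriting), and traffic arriving
# on the external interface for our public address (destination may need
# mapping back to a LAN host).
selective_divert_rules() {
    echo "ipfw add 400 divert natd ip from any to any out recv $int_if xmit $ext_if"
    echo "ipfw add 410 divert natd ip from any to $ext_ip in recv $ext_if"
}

# The rule from the original post: everything crossing the external
# interface in either direction, the gateway's own sessions included.
coarse_divert_rule() {
    echo "ipfw add 400 divert natd ip from any to any via $ext_if"
}

# diverted_by RULESET DIR RECV XMIT DST
#   RULESET  via | selective
#   DIR      in | out
#   RECV     interface the packet arrived on ('' if the gateway generated it)
#   XMIT     interface it will leave on ('' for inbound packets)
#   DST      destination address
diverted_by() {
    rule=$1 dir=$2 recv=$3 xmit=$4 dst=$5
    case $rule in
    via)
        # "via X" is true when X is the receive OR the transmit interface
        if [ "$recv" = "$ext_if" ] || [ "$xmit" = "$ext_if" ]; then echo yes; else echo no; fi ;;
    selective)
        if [ "$dir" = out ] && [ "$recv" = "$int_if" ] && [ "$xmit" = "$ext_if" ]; then
            echo yes    # rule 400: forwarded LAN traffic leaving
        elif [ "$dir" = in ] && [ "$recv" = "$ext_if" ] && [ "$dst" = "$ext_ip" ]; then
            echo yes    # rule 410: inbound for our public address
        else
            echo no
        fi ;;
    *)  echo "unknown ruleset: $rule" >&2; return 1 ;;
    esac
}

# Constructed packets, one per line: name:dir:recv:xmit:dst
show_matrix() {
    printf '%-34s %-4s %s\n' packet via selective
    for p in \
        "gateway scp upload:out::$ext_if:198.51.100.7" \
        "LAN host to internet:out:$int_if:$ext_if:198.51.100.7" \
        "reply to LAN host:in:$ext_if::$ext_ip" \
        "reply to gateway's own session:in:$ext_if::$ext_ip" \
        "inbound to other address:in:$ext_if::203.0.113.255"
    do
        IFS=: read -r name dir recv xmit dst <<EOF
$p
EOF
        printf '%-34s %-4s %s\n' "$name" \
            "$(diverted_by via "$dir" "$recv" "$xmit" "$dst")" \
            "$(diverted_by selective "$dir" "$recv" "$xmit" "$dst")"
    done
}

case ${1:-} in
show)  show_matrix ;;
rules) selective_divert_rules ;;
apply) selective_divert_rules | sh ;;   # needs root and an ipfw kernel or module
esac
```

sh script.sh show prints the matrix, rules prints the two divert commands and apply pipes them to sh. Note the fourth row: the gateway's own inbound replies still match rule 410, which is Ian's point that inbound packets to the public address must still be checked; natd finds no alias entry for them and hands them back unchanged, so the cost is one divert round trip rather than a broken session, and the gateway's outbound traffic never goes to natd at all.
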
Re: webserver and natd

2009-09-03 Thread Odhiambo Washington
On Wed, Sep 2, 2009 at 1:02 AM, Razvan Cristea cristea.raz...@yahoo.comwrote:

 Hello,

 I have a webserver using FreeBSD 7.2 and I use the same server to route
 internet to a local network.
 The internet on the local network is working fine but the sites from the
 webserver are loading very slowly.

 I have this configuration in rc.conf:

 firewall_enable="YES"
 firewall_type="open"
 firewall_logging="YES"
 gateway_enable="YES"
 natd_enable="YES"
 natd_interface="bce0"

 Can you please help me?


The server needs to know itself either via local DNS or via /etc/hosts
So you may need entries in, say, /etc/hosts for every website running on it.

-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254733744121/+254722743223
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
If you have nothing good to say about someone, just shut up!.
  -- Lucky Dube


Re: webserver and natd

2009-09-03 Thread Razvan Cristea
Solved.

It's a bug in version 7.2

info here: 
http://groups.google.com/group/muc.lists.freebsd.stable/browse_thread/thread/35f137a0e43b3175/d317dc58af6d4be2

Cu prietenie,
Razvan Cristea
=
http://www.adventube.ro
=

--- On Thu, 9/3/09, Odhiambo Washington odhia...@gmail.com wrote:

From: Odhiambo Washington odhia...@gmail.com
Subject: Re: webserver and natd
To: Razvan Cristea cristea.raz...@yahoo.com
Cc: freebsd-questions@freebsd.org
Date: Thursday, September 3, 2009, 1:07 PM

On Wed, Sep 2, 2009 at 1:02 AM, Razvan Cristea cristea.raz...@yahoo.com wrote:

 Hello,

 I have a webserver using FreeBSD 7.2 and I use the same server to route
 internet to a local network.
 The internet on the local network is working fine but the sites from the
 webserver are loading very slowly.

 I have this configuration in rc.conf:

 firewall_enable="YES"
 firewall_type="open"
 firewall_logging="YES"
 gateway_enable="YES"
 natd_enable="YES"
 natd_interface="bce0"

 Can you please help me?

The server needs to know itself either via local DNS or via /etc/hosts
So you may need entries in, say, /etc/hosts for every website running on it.

-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254733744121/+254722743223
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
If you have nothing good to say about someone, just shut up!.
  -- Lucky Dube




webserver and natd

2009-09-01 Thread Razvan Cristea
Hello,
 
I have a webserver using FreeBSD 7.2 and I use the same server to route
internet to a local network.
The internet on the local network is working fine but the sites from the
webserver are loading very slowly.

I have this configuration in rc.conf:

firewall_enable="YES"
firewall_type="open"
firewall_logging="YES"
gateway_enable="YES"
natd_enable="YES"
natd_interface="bce0"
 
Can you please help me?


Cu prietenie,
Razvan Cristea
=
http://www.adventube.ro
=


   


Re: webserver and natd

2009-09-01 Thread Steve Bertrand
Razvan Cristea wrote:
 Hello,
  
 I have a webserver using FreeBSD 7.2 and I use the same server to route
 internet to a local network.
 The internet on the local network is working fine but the sites from the
 webserver are loading very slowly.

 I have this configuration in rc.conf:

 firewall_enable="YES"
 firewall_type="open"
 firewall_logging="YES"
 gateway_enable="YES"
 natd_enable="YES"
 natd_interface="bce0"
  
 Can you please help me?

Do you have a proper DNS name set up for the IP that the web server is
running on?

How are you accessing the web server... by name or IP?

I'll assume that you are using Apache. What does the ServerName
directive say?

Steve




Re: webserver and natd

2009-09-01 Thread Steve Bertrand
Razvan Cristea wrote:
 Razvan Cristea wrote:
  Hello,
  
  I have a webserver using FreeBSD 7.2 and I use the same server
  to route internet to a local network.
  The internet on the local network is working fine but the sites
  from the webserver are loading very slowly.

  I have this configuration in rc.conf:

  firewall_enable="YES"
  firewall_type="open"
  firewall_logging="YES"
  gateway_enable="YES"
  natd_enable="YES"
  natd_interface="bce0"
  
  Can you please help me?
 
 Do you have a proper DNS name set up for the IP that the web server is
 running on?
 
 How are you accessing the web server... by name or IP?
 
 I'll assume that you are using Apache. What does the ServerName
 directive say?

 The webserver works just fine when the firewall is not enabled.
 But when I enable any firewall the webserver seems to be overloaded
 or something and loads the pages very slowly.
 The problem is that natd is not working without the firewall activated.

 I have Apache (DirectAdmin cpanel)

It's been years since I've needed to use NAT, so unfortunately, I can't
help here.

I'm sure someone else will speak up. If nothing comes up in the next
while, perhaps asking on -ipfw will help (but do not cross-post).

Steve




NATD Reverse Proxy

2008-09-25 Thread Tim Gustafson
Hi,

I'm trying to build a server that will act as a gateway between my wireless
network and the rest of the world.  Here's an overview of the current setup:

1. FreeBSD 7.1
2. isc-dhcp3-server-3.0.5_2
3. natd configured to connect fxp0 (public network, dynamic IP) to fxp1
(private network, static IP)
4. ipfw
5. bind
6. apache 2.2
7. php 5.2.6

Right now, when someone connects to the private net, they get an IP address
and can connect to the Internet no problemo.  So, this is all working so
far.

What I'd like to do next is this:

When someone obtains an IP address, I'm going to configure DHCP to block
that IP using IPFW initially, and I'd like to redirect any requests that
come from that IP to port 80 or 443 to be silently redirected to the local
Apache installation, where the user can enter their login and password.
Once they've been authenticated, the firewall will allow them to connect out
to everywhere else.

So, it seems to me that I need to use natd again to do a silent proxy of
traffic from certain IPs on the private net to the server box.  But, since
I'm already using natd, I'm a little perplexed about how to set this up.  Do
I need to run a second instance of natd on a different port, and then update
the firewall rules to divert to one or the other based on the user's
authentication status?  Or can this all be configured in one natd instance?

Tim Gustafson
SOE Webmaster
UC Santa Cruz
[EMAIL PROTECTED]
831-459-5354




Re: NATD Reverse Proxy

2008-09-25 Thread Kevin Kinsey

Tim Gustafson wrote:

Hi,

I'm trying to build a server that will act as a gateway between my wireless
network and the rest of the world.  Here's an overview of the current setup:

1. FreeBSD 7.1
2. isc-dhcp3-server-3.0.5_2
3. natd configured to connect fxp0 (public network, dynamic IP) to fxp1
(private network, static IP)
4. ipfw
5. bind
6. apache 2.2
7. php 5.2.6

Right now, when someone connects to the private net, they get an IP address
and can connect to the Internet no problemo.  So, this is all working so
far.

What I'd like to do next is this:

When someone obtains an IP address, I'm going to configure DHCP to block
that IP using IPFW initially, and I'd like to redirect any requests that
come from that IP to port 80 or 443 to be silently redirected to the local
Apache installation, where the user can enter their login and password.
Once they've been authenticated, the firewall will allow them to connect out
to everywhere else.

So, it seems to me that I need to use natd again to do a silent proxy of
traffic from certain IPs on the private net to the server box.  But, since
I'm already using natd, I'm a little perplexed about how to set this up.  Do
I need to run a second instance of natd on a different port, and then update
the firewall rules to divert to one or the other based on the user's
authentication status?  Or can this all be configured in one natd instance?

Tim Gustafson
SOE Webmaster
UC Santa Cruz
[EMAIL PROTECTED]
831-459-5354


Someone else's wheel, for perusal, at least:

http://www.shmoo.com/~bmc/software/wicap/announce.html

The tarball is still up there.

HTH,

Kevin Kinsey
--
If you do not think about the future, you cannot have one.
-- John Galsworthy


Re: NATD Reverse Proxy

2008-09-25 Thread Olivier Nicole
 I'm trying to build a server that will act as a gateway between my wireless
 network and the rest of the world.  Here's an overview of the current setup:
 
 1. FreeBSD 7.1
 2. isc-dhcp3-server-3.0.5_2
 3. natd configured to connect fxp0 (public network, dynamic IP) to fxp1
 (private network, static IP)
 4. ipfw
 5. bind
 6. apache 2.2
 7. php 5.2.6
 
 Right now, when someone connects to the private net, they get an IP address
 and can connect to the Internet no problemo.  So, this is all working so
 far.
 
 What I'd like to do next is this:
 
 When someone obtains an IP address, I'm going to configure DHCP to block
 that IP using IPFW initially, and I'd like to redirect any requests that
 come from that IP to port 80 or 443 to be silently redirected to the local
 Apache installation, where the user can enter their login and password.
 Once they've been authenticated, the firewall will allow them to connect out
 to everywhere else.

I think that monowall (or pfsense) does that for you.

Best regards,

Olivier


natd and ipfw external hangs

2008-07-06 Thread Alex Teslik
Hello,

I recently upgraded to 7.0-STABLE and have setup an ipfw+natd combo on
my dual homed host. I have two interfaces:

em0 - external interface to the net 24.205.x.x
sk0 - internal interface 192.168.x.x

When users connect on the 192.168.x.x internal network everything works
great. Packets get out to the net and back to the originating machine with
no delays. So, natd seems to be doing the right thing.

The server (24.205.x.x) can directly connect to the internet for all
services - no problems there.

The problem is external users. When they hit the webserver at 24.205.x.x the
text portion of the pages load quickly. A few images load, and then the rest
of the page hangs for quite some time. When I check the connection on my
side with netstat -a I see a lot of these:

tcp4   0  0  server.http 41.221.19.24.62422
FIN_WAIT_2
tcp4   0  0  server.http 41.221.19.24.62401
FIN_WAIT_2
tcp4   0  0  server.http 203.215.120.236.1686
FIN_WAIT_2


So it seems the connection is just hanging for some reason. I opened my
firewall up completely, taking natd out of the equation and the external
problem was solved. So, I'm suspecting a bad config in my firewall rules, or
a bad config in my natd.

So I created an open firewall that also uses natd to see if I could get
things working. Here are the rules (complete with comments from the fbsd
handbook):

#!/bin/sh
IPFW="ipfw -q add"
ipfw -q -f flush

# No restrictions on Inside LAN Interface for private network
$IPFW 10 allow all from any to any via sk0

# No restrictions on loopback interface
$IPFW 20 allow all from any to any via lo0

# check if packet is inbound and nat address if it is
$IPFW 30 divert natd ip from any to any in via em0

# Allow the packet through if it has previously been added to the
# dynamic rules table by an allow keep-state statement.
$IPFW 50 check-state

# Interface facing Public Internet (Outbound Section)
# Interrogate session start requests originating from behind the
# firewall on the private network or from this gateway server
# destined for the public Internet.
# Basically, let everything out.
$IPFW 60 skipto 500 all from any to any out via em0 setup keep-state

# Interface facing Public Internet (Inbound Section)
# Interrogate packets originating from the public Internet
# destined for this gateway server or the private network.
# Basically, let everything in to me.
$IPFW 70 allow all from any to me in via em0 setup limit src-addr 2

# This is skipto location for outbound stateful rules
$IPFW 500 divert natd ip from any to any out via em0
$IPFW 600 allow ip from any to any

$IPFW 800 deny all from any to any


and my natd setup:

gateway_enable="YES"
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
natd_enable="YES"
natd_interface="em0"
natd_flags="-dynamic -m"


and in my kernel:

# For Network Address Translation (NAT)
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=5
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPDIVERT


How can I successfully eliminate the external hangs without losing natd for
the internal users? Any ideas greatly appreciated!

Thanks,
Alex


NATD crash in 7.0-stable

2008-06-16 Thread Dave Robison

Hiya,

I'm having problems with NAT crashing my FreeBSD box. This never 
happened in 6.x but in 7.x it's predictable for me. Any time I use 
either of my two NICs for my internal net my FreeBSD box hangs and 
requires power cycling to reboot.


My guess is that some option changed between 6.x and 7.x and I simply 
missed it, or that I have something configured completely improperly, 
but after hours of tinkering I've yet to fix the problem.


Initially I figured it might be NAT in PPP which was causing the 
problem, so I backed it out and used NATD but the same thing happens to me.


uname info: 7.0-STABLE FreeBSD 7.0-STABLE #0: Sun Jun 15 21:35:13 PDT 2008

my ipfw rules:

00100   0  0 check-state
00200 1678471  126337051 skipto 3000 ip from any to 69.229.113.78 in 
recv tun0

00210   0  0 deny log ip from any to any in recv vr0
03000  61   4548 divert 8668 ip from any to any via fxp0
03100   0  0 deny ip from 192.168.32.0/24 to any in recv vr0
*snip*

My FreeBSD box runs PPP on vr0 and my lan runs on fxp0. I've switched 
them and the freeze-up continues. The host on my LAN is 192.168.32.10, 
my internal interface is 192.168.32.1 and my external interface is 
69.229.113.78.


my /usr/local/etc/natd.conf:

#unregistered_only
#log_ipfw_denied
redirect_address 192.168.32.10 69.229.113.74
#punch_fw   25:50
interface   fxp0

I commented out a few lines to test it bare-bones. No luck.

I added these to my kernel config, which is otherwise a very standard 
GENERIC kernel config:


options IPFIREWALL
options IPDIVERT

the related entries from /etc/rc.conf:

ppp_enable="YES"
ppp_mode="ddial"
#ppp_nat="YES"
ppp_profile="sbc"
gateway_enable="YES"

my /etc/ppp/ppp.conf:

default:
set log Phase Chat LCP IPCP CCP tun command
set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 192.168.0.0/16

sbc:
set device PPPoE:vr0
set authname [EMAIL PROTECTED]
set authkey MYPASSWORD
set dial
set login
set mru 1492
set mtu 1492
accept lqr
set crtscts off
set speed sync
enable dns
add default HISADDR
set log Phase Chat LCP IPCP CCP tun command
set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 192.168.0.0/16

# NAT
nat enable yes
nat log no
# nat same_ports yes
# nat unregistered_only yes
nat addr 192.168.32.10 69.229.113.73

Again, NAT is turned off in PPP at the moment and I'm using /sbin/natd

Machine connects to the net and works great until I try to use the LAN. 
the LAN works for a few seconds, maybe serving up a web page or two and 
then...freeze up.


I never saw the machine recover from this situation though there is a 
crash dump in /var/crash from late last night after I wasn't paying 
attention:


# ls -lart /var/crash
total 218618
-rw-r--r--   1 root  wheel  5 Feb 24 09:53 minfree
drwxr-xr-x  25 root  wheel512 Jun 15 23:12 ..
-rw---   1 root  wheel462 Jun 15 23:12 info.0
-rw-r--r--   1 root  wheel  2 Jun 15 23:12 bounds
drwxr-x---   2 root  wheel512 Jun 15 23:12 .
-rw---   1 root  wheel  225533952 Jun 15 23:12 vmcore.0

here is my dmesg:

Copyright (c) 1992-2008 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
   The Regents of the University of California. All rights reserved.
FreeBSD is a registered trademark of The FreeBSD Foundation.
FreeBSD 7.0-STABLE #0: Sun Jun 15 21:35:13 PDT 2008
   [EMAIL PROTECTED]:/usr/obj/usr/src/sys/bigshed
Timecounter i8254 frequency 1193182 Hz quality 0
CPU: AMD Sempron(tm)   3000+ (1999.79-MHz 686-class CPU)
 Origin = AuthenticAMD  Id = 0x6a0  Stepping = 0
 
Features=0x383fbffFPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE

 AMD Features=0xc0480800SYSCALL,MP,MMX+,3DNow!+,3DNow!
real memory  = 2080309248 (1983 MB)
avail memory = 2025955328 (1932 MB)
ACPI APIC Table: HP-CPC AWRDACPI
ioapic0 Version 0.3 irqs 0-23 on motherboard
kbd1 at kbdmux0
ath_hal: 0.9.20.3 (AR5210, AR5211, AR5212, RF5111, RF5112, RF2413, RF5413)
acpi0: HP-CPC AWRDACPI on motherboard
acpi0: [ITHREAD]
acpi0: Power Button (fixed)
acpi0: reservation of 0, a (3) failed
acpi0: reservation of 10, 7bef (3) failed
Timecounter ACPI-fast frequency 3579545 Hz quality 1000
acpi_timer0: 24-bit timer at 3.579545MHz port 0x4008-0x400b on acpi0
cpu0: ACPI CPU on acpi0
acpi_button0: Power Button on acpi0
pcib0: ACPI Host-PCI bridge port 0xcf8-0xcff on acpi0
pci0: ACPI PCI bus on pcib0
agp0: VIA 8235/8237 (Apollo KM400/KM400A) host to PCI bridge on hostb0
agp0: aperture size is 64M
pcib1: PCI-PCI bridge at device 1.0 on pci0
pci1: PCI bus on pcib1
vgapci0: VGA-compatible display mem 
0xe400-0xe7ff,0xe800-0xe8ff irq 16 at device 0.0 on pci1
fxp0: Intel 82557 Pro/100 Ethernet port 0x9000-0x901f mem 
0xeb10-0xeb100fff,0xeb00-0xeb0f irq 16 at device 8.0 on pci0

miibus0: MII bus on fxp0
nsphy0: DP83840 10/100 media interface PHY 1 on miibus0
nsphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX

IPFW2 script with natd and loadsharing

2008-02-26 Thread René Vestergaard
I am trying to have both
natd (divert) and loadsharing (pipe/queue)
in the same IPFW2 firewall script.

It works partly. That is, something is wrong because
  the pipe bandwidth does not at all match the measured one
and
  by using the log facility I found that
  the following packet enters the script at rule 11:
  TCP 207.46.211.119:80 192.168.12.150:1574 out via em0
  but it looks like it had just been translated by rule number 400

The NIC with IP 192.168.10.248 is connected to WAN and
the NIC with IP 192.168.12.10 is connected to LAN

Here it my script:
--

# Firewall script (Kernel compilation: default-rule was set to allow)

ipfw -f -q flush
ipfw -q add 6 allow all from any to any

# Log facility (for debugging)
ipfw add 11 skipto 12 log all from any to any // Start

ipfw pipe 1 config bw   80KByte/s  # upload limit
ipfw pipe 2 config bw  800KByte/s  # download limit

# Packets going in the download direction are translated by natd
# to get the destination .12-subnet IP address
# (change destination IP address)
ipfw add 100 divert natd ip from any to 192.168.10.248 // Download

ipfw add 200 queue 1 ip from 192.168.12.0/24 to not 192.168.12.0/24 // Upload
ipfw queue 1 config weight 10 pipe 1 mask src-ip 0x00ff

ipfw add 300 queue 2 ip from any to 192.168.12.0/24 // Download
ipfw queue 2 config weight 10 pipe 2 mask dst-ip 0x00ff

# Packets going in the upload direction are translated by natd
# to get the source IP address of the WAN NIC (and the port number is also changed)
ipfw add 400 divert natd ip from 192.168.12.0/24 to any // Upload

--

What is wrong?


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: IPFW + NATD FORWARDING

2007-09-26 Thread Lowell Gilbert
mr. phreak [EMAIL PROTECTED] writes:

> Hi, I am having trouble with my IPFW+NATD forwarding. I know a lot of
> people have
> and I've googled my ass off. Still I can't get it right. I'm trying to
> forward port 1213 in/out for dc++ usage.
>
> This is my setup:
>
>  __WAN router (192.168.1.1)
>  |
>  |
> (FreeBSD gateway/fw NIC1:ath0 (public) NIC2:rl0 (LAN) )
>  |
>  |__
>   LAN (10.10.10.0/24)
>
> I use stateful rules and I'd like to forward port 1213 both ways using
> natd. I know NATD should take care of this as long as I allow port
> 1213 in/out from the firewall. I've tried this at almost every
> position in the ipfw.rules and now I ask where I should put it?? i.e.
> it's not there right now.
>
> I've tried:
>
> $cmd [num] allow all from any to any 1213 (at various positions in
> ipfw.rules) still doesn't work.
>
> $cmd [num] divert natd all from any to any 1213.
>
> Can someone help me?

Your firewall configuration is rather unconventional, but the basic
idea makes sense.  What isn't clear is how you want to use this dc++
program within your infrastructure.  Because you are using dynamic
rules, I assume that you want the connections to always originate
inside your network.  If that is the case, you shouldn't need any
special configuration to natd (because every connection will be
learned from the initial packet).  If that's not the case, you will
need to pick one internal machine to receive the connections coming in
from outside.


IPFW + NATD FORWARDING

2007-09-23 Thread mr. phreak
Hi, I am having trouble with my IPFW+NATD forwarding. I know a lot of
people have
and I've googled my ass off. Still I can't get it right. I'm trying to
forward port 1213 in/out for dc++ usage.

This is my setup:

 __WAN router (192.168.1.1)
 |
 |
(FreeBSD gateway/fw NIC1:ath0 (public) NIC2:rl0 (LAN) )
 |
 |__
  LAN (10.10.10.0/24)

I use stateful rules and I'd like to forward port 1213 both ways using
natd. I know NATD should take care of this as long as I allow port 1213
in/out from the firewall. I've tried this at almost every position in
the ipfw.rules and now I ask where I should put it?? i.e. it's not there
right now.

I've tried:

$cmd [num] allow all from any to any 1213 (at various positions in
ipfw.rules) still doesn't work.

$cmd [num] divert natd all from any to any 1213.

Can someone help me?

J


Here is my files:

my natd.conf:

use_sockets yes
same_ports yes
dynamic yes
redirect_port tcp 10.10.10.2:1213 1213
redirect_port udp 10.10.10.2:1213 1213


ipfw.rules:
### start ipfw rules #
##

ipfw -q -f flush   # Delete all

# INIT #

oif="ath0"          # out NIC
cmd="ipfw -q add"   # quiet
skip="skipto 4000"  # skipto NATD.

# BEGIN RULES #
#

# LAN NO RESTRICTIONS ###
#
$cmd 00300 allow all from any to any via rl0

# LOOPBACK NO RESTRICTIONS ##
#
$cmd 00400 allow all from any to any via lo0

# NATD IN? THEN TRANSLATE ###
#
$cmd 00450 divert natd ip from any to any in via $oif

# CHECK-STATE ###
#
$cmd 00500 check-state

### ( OUTBOUND ) ###


# DNS ##
$cmd 00600 $skip tcp from any to 195.67.199.39 53 out via $oif setup keep-state

$cmd 00610 $skip udp from any to 195.67.199.39 53 out via $oif keep-state

# DHCP #
$cmd 00700 $skip udp from any to any 67 out via $oif keep-state

# HTTP #
$cmd 00800 $skip tcp from any to any 80 out via $oif setup keep-state

# HTTPS 
$cmd 00810 $skip tcp from any to any 443 out via $oif setup keep-state

# POP  SMTP ###
$cmd 00900 $skip tcp from any to any 25 out via $oif setup keep-state
$cmd 00910 $skip tcp from any to any 110 out via $oif setup keep-state

# FREEBSD CVS ##
$cmd 01000 $skip tcp from me to any out via $oif setup keep-state uid root

# ALLOW PING OUT ###
$cmd 01100 $skip icmp from any to any out via $oif keep-state

# SSH ##
$cmd 01200 $skip tcp from any to any 22 out via $oif setup keep-state

# WHOIS 
$cmd 01300 $skip tcp from any to any 43 out via $oif setup keep-state

# FTP ##
$cmd 01400 $skip tcp from any to any 21 out via $oif setup keep-state

# IRC ##
$cmd 01500 $skip tcp from any to any 6667 out via $oif setup keep-state
$cmd 01510 $skip tcp from any to any  out via $oif setup keep-state
$cmd 01520 $skip tcp from any to any 5020 out via $oif setup keep-state

# SHOUTCAST 

$cmd 01600 $skip tcp from any to any 9000 out via $oif setup keep-state 


### ( INBOUND ) 


# Deny all inbound from non-routable ###
$cmd 02000 deny all from 192.168.0.0/16 to any in via $oif
$cmd 02010 deny all from 172.16.0.0/12 to any in via $oif
$cmd 02020 deny all from 10.0.0.0/8 to any in via $oif
$cmd 02030 deny all from 127.0.0.0/8 to any in via $oif
$cmd 02040 deny all from 0.0.0.0/8 to any in via $oif
$cmd 02050 deny all from 169.254.0.0/16 to any in via $oif  
$cmd 02060 deny all from 192.0.2.0/24 to any in via $oif  
$cmd 02070 deny all from 204.152.64.0/23 to any in via $oif 
$cmd 02080 deny all from 224.0.0.0/3 to any in via $oif


# DENY PING INBOUND 
$cmd 02100 deny icmp from any to any in via $oif

# DENY IDENT ###
$cmd 02200 deny tcp from any to any 113 in via $oif

# DENY NETBIOS #
$cmd 02300 deny tcp from any to any 137 in via $oif
$cmd 02310 deny tcp from any to any 138 in via $oif
$cmd 02320 deny tcp from any to any 139 in via $oif
$cmd 02330 deny tcp from any to any 81 in via $oif

# DHCP #
$cmd 02400 allow udp from any to 192.168.1.1 68 in via $oif keep-state

# HTTP #
$cmd 02500 allow tcp from any to me 80 in via $oif setup limit src-addr 2

# HTTPS 
$cmd 02600 allow

Re: natd / ipfw services on internal interface (Ivan Voras)

2007-09-14 Thread Joe

> Joe wrote:
>> I have a question about natd/ and ipfw.  I am running natd on my external
>> interface and I have some services on my internal interface.
>>
>> The services seem to be getting their ip addresses nat'd and some of them
>> work and some of them don't.
>>
>> Any idea how to prevent things from going into natd?
>
> You should specify more information about your setup, but generally you
> should be able to just insert a rule like "ipfw add xxx allow ip from
> mynet/mask to mynet/mask", where "xxx" is the rule-number BEFORE your
> natd redirection rule-number and mynet/mask describes your internal network.


I think I figured it out after a lot of searching.  It turns out that when I 
installed it I accidentally enabled USE_SOCKETS on a non-jailed dhcp server.  

The only information I found was a post or bug that said if you enable 
USE_SOCKETS on a non jailed server, you could have unexpected results.

The actual results are that your network traffic will be screwed up.

Joe

   


natd / ipfw services on internal interface

2007-09-13 Thread Joe
I figured out what the problem was.  I had compiled my dhcp server with
USE_SOCKETS and am NOT running in a jail.

After a lot of searching the bug reports I came across an old bug that said
that USE_SOCKETS was added for jailed dhcp servers, because they do not have
access to bpf.  It also said that compiling USE_SOCKETS into a non-jailed dhcp
server will have unpredictable results.

I found out that the server will behave badly, like it is being sent through nat
out the wrong port.

> You should specify more information about your setup, but generally you
> should be able to just insert a rule like "ipfw add xxx allow ip from
> mynet/mask to mynet/mask", where "xxx" is the rule-number BEFORE your
> natd redirection rule-number and mynet/mask describes your internal
> network.


   



Re: natd / ipfw services on internal interface

2007-09-10 Thread Ivan Voras

Joe wrote:
> I have a question about natd/ and ipfw.  I am running natd on my external interface and I have some services on my internal interface.
>
> The services seem to be getting their ip addresses nat'd and some of them work and some of them don't.
>
> Any idea how to prevent things from going into natd?

You should specify more information about your setup, but generally you
should be able to just insert a rule like "ipfw add xxx allow ip from
mynet/mask to mynet/mask", where "xxx" is the rule-number BEFORE your
natd redirection rule-number and mynet/mask describes your internal network.







natd / ipfw services on internal interface

2007-09-09 Thread Joe
I have a question about natd/ and ipfw.  I am running natd on my external
interface and I have some services on my internal interface.

The services seem to be getting their ip addresses nat'd and some of them work
and some of them don't.

Any idea how to prevent things from going into natd?

Joe
 
   


Natd statistics

2007-08-22 Thread eternityos


Hello everyone :)
I'm trying to get some natd stats such as
number of active connections
list of active connections and originating IP
destination ports
destination IPs...

I would grab that information every 5 minutes or so...
Even better would be to be able to grab it through SNMP...


Thanks for any help you could provide :)


natd and jails for multipel IP addresses

2007-03-12 Thread Michael R. Wayne
I'm trying to add a second IP address to an existing jail
using natd and I must be missing something.  

Setup:
   HOST_IP  The host, attached to fxp0
   JAIL_IP  The existing, working jail
   2ND_IP   The IP address I'm trying to natd to the jail

I've got ipfw rules to catch traffic to/from the new IP and nothing
blocking them:
   00300 divert 8668 ip from any to 2ND_IP via fxp0
   00310 divert 8668 ip from 2ND_IP to any via fxp0

natd is running with:
   /sbin/natd -log -verbose -redirect_address JAIL_IP 2ND_IP -alias_address 
JAIL_IP

But, natd seems to be translating the source, not the dest IP:
   % ping 2ND_IP
yields:
   Out {default}[ICMP] [ICMP] HOST_IP -> 2ND_IP 8(0) aliased to
                [ICMP] JAIL_IP -> 2ND_IP 8(0)

Whereas, I would expect this to do:
   HOST_IP -> 2ND_IP
translated to
   HOST_IP -> JAIL_IP
and the reverse.

WTH am I missing here?

/\/\ \/\/
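
natd's -verbose output, as in the lines Michael quotes, records each packet before and after aliasing together with the direction natd processed it in. The example below is added here and is not code from either post or from natd itself; it parses that format into per-flow packet counts and the remote host and port tallies the statistics question in the previous message asks for. The sample log is constructed in the layout of the quoted lines, with RFC 5737 addresses standing in for HOST_IP (203.0.113.1), JAIL_IP (203.0.113.2) and 2ND_IP (203.0.113.3); the exact spacing of real natd output may differ. The `rewritten` helper reports which endpoint natd changed, and for the quoted ICMP record that is the source: the packet was handled as outgoing and got the -alias_address treatment.

```python
import re
from collections import Counter

# Constructed natd -verbose output in the layout of the lines quoted above (RFC 5737
# addresses: 203.0.113.1 = HOST_IP, 203.0.113.2 = JAIL_IP, 203.0.113.3 = 2ND_IP).
SAMPLE_LOG = """\
Out {default}[TCP] [TCP] 192.168.1.20:49152 -> 198.51.100.7:443 aliased to
           [TCP] 203.0.113.10:49152 -> 198.51.100.7:443
Out {default}[TCP] [TCP] 192.168.1.20:49153 -> 198.51.100.7:443 aliased to
           [TCP] 203.0.113.10:49153 -> 198.51.100.7:443
In  {default}[TCP] [TCP] 198.51.100.7:443 -> 203.0.113.10:49152 aliased to
           [TCP] 198.51.100.7:443 -> 192.168.1.20:49152
Out {default}[UDP] [UDP] 192.168.1.21:5353 -> 198.51.100.53:53 aliased to
           [UDP] 203.0.113.10:5353 -> 198.51.100.53:53
Out {default}[ICMP] [ICMP] 203.0.113.1 -> 203.0.113.3 8(0) aliased to
           [ICMP] 203.0.113.2 -> 203.0.113.3 8(0)
"""

# First line of a record: direction, protocol and the packet before aliasing.
HEAD = re.compile(r"^(Out|In)\b.*?\[(TCP|UDP|ICMP)\] (\S+) -> (\S+).* aliased to$")
# Second line: the packet after aliasing.
TAIL = re.compile(r"^\s*\[(?:TCP|UDP|ICMP)\] (\S+) -> (\S+)")

def parse_natd_log(text):
    """Yield (direction, proto, before, after); before/after are (src, dst) endpoint strings."""
    lines = text.splitlines()
    for first, second in zip(lines, lines[1:]):
        h, t = HEAD.match(first), TAIL.match(second)
        if h and t:
            direction, proto, src, dst = h.groups()
            yield direction, proto, (src, dst), (t.group(1), t.group(2))

def rewritten(before, after):
    """Which endpoint natd changed: 'src' for outgoing aliasing, 'dst' for incoming un-aliasing."""
    if before[0] != after[0]:
        return "src"
    return "dst" if before[1] != after[1] else "none"

def flow_table(text):
    """Packets per flow keyed by (proto, inside endpoint, remote endpoint). For Out records the
    inside host is the pre-aliasing source; for In records it is the post-aliasing destination."""
    flows = Counter()
    for direction, proto, before, after in parse_natd_log(text):
        inside, remote = (before[0], before[1]) if direction == "Out" else (after[1], before[0])
        flows[(proto, inside, remote)] += 1
    return flows

def destinations(text):
    """Remote hosts and (proto, port) pairs counted by number of flows."""
    hosts, ports = Counter(), Counter()
    for proto, _inside, remote in flow_table(text):
        host, _, port = remote.rpartition(":") if ":" in remote else (remote, "", "")
        hosts[host] += 1
        ports[(proto, port)] += 1
    return hosts, ports
```

Feeding the live log through this every few minutes gives the connection list; anything finer (per-flow byte counts, SNMP export) would have to come from ipfw's own counters rather than natd's log.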


Re: Natd is not working as expected

2007-01-10 Thread Lowell Gilbert
Ross Penner [EMAIL PROTECTED] writes:

> I've configured my freebsd computer to be the gateway for my home network
> using the guidelines in the handbook. All the required kernel options are
> enabled and the entries in /etc/rc.conf have been added. I'm unsure what the
> problem could be and I'm hoping somebody can give me some advice on where to
> look to diagnose this issue.
>
> the bind9 server is functioning correctly as I'm able to resolve IP addresses,
> but no packets seem to be getting through.

There isn't enough information here to work with.  Can you give more
detail on what you did, and what the results were?  I think every
sentence could use some expansion.

You may find it helpful to refer to the "How to get the best results
from freebsd-questions" article, now part of the official FreeBSD
documentation (and regularly posted to this list by its author).


Re: Natd is not working as expected

2007-01-10 Thread Marwan Sultan

Hello Ross,

FreeBSD as a gateway is very easy and simple to set up, but a very small
mistake could stop your box from acting as a gateway.

1) Please send the following:
   the output of # ifconfig -a

2) output of # uname -a

3) copy of rc.conf file

4) What are the lines you have changed in your kernel?


You wrote
"no packets seem to be getting through"
Do you mean your FreeBSD has Internet access but is not giving it to clients and not
acting as a gateway?


Marwan Sultan.


Ross Penner [EMAIL PROTECTED] writes:

> I've configured my freebsd computer to be the gateway for my home network
> using the guidelines in the handbook. All the required kernel options are
> enabled and the entries in /etc/rc.conf have been added. I'm unsure what the
> problem could be and I'm hoping somebody can give me some advice on where to
> look to diagnose this issue.
>
> the bind9 server is functioning correctly as I'm able to resolve IP addresses,
> but no packets seem to be getting through.




Natd is not working as expected

2007-01-09 Thread Ross Penner

I've configured my freebsd computer to be the gateway for my home network
using the guidelines in the handbook. All the required kernel options are
enabled and the entries in /etc/rc.conf have been added. I'm unsure what the
problem could be and I'm hoping somebody can give me some advice on where to
look to diagnose this issue.

the bind9 server is functioning correctly as I'm able to resolve IP addresses,
but no packets seem to be getting through.

Thanks ahead of time for any help you can give,

Ross Penner


Natd problem

2006-12-07 Thread Arek Czereszewski

Hello,

I have a strange situation on one of my servers:

Before restarting natd:
# df -hi
/dev/ad0s1d    5.2G    4.3G    433M    91%    170252  489202   26%   /var

But
# du -sh /var
1.3G    /var

lsof shows:
natd   310 root 4w  VREG  4,17 2946973785  244973 /var (/dev/ad0s1d)

After restarting natd I have:
/dev/ad0s1d    4.8G    1.3G    3.2G    29%    170167  489287   26%   /var

# du -sh /var
1.3G    /var

Any idea why this happens?
Uptime 159 days.

Regards
Arek
--
Arek Czereszewski
UNIX is like a wigwam:
 no windows, no gates, apache inside.
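
The numbers line up with a file natd still had open after its directory entry was removed: df counts the blocks an open file holds, du only follows names, and lsof, having no path for the vnode, prints just the mount point and device in the NAME column, which is what the natd line above shows. Restarting natd closes the descriptor and the space comes back. As an added example (not from the post), here is a parser over lsof output that reports such files and totals their size per filesystem, which is the check to run before blaming the filesystem when df and du disagree. The sample is constructed around the natd line from the post; the other lines are invented.

```python
import re

# Constructed lsof output: the natd line is the one from the post, the rest is made up.
SAMPLE_LSOF = """\
COMMAND   PID USER   FD   TYPE DEVICE   SIZE/OFF   NODE NAME
natd      310 root    4w  VREG   4,17 2946973785 244973 /var (/dev/ad0s1d)
syslogd   289 root    7w  VREG   4,17     184322  30017 /var/log/messages
named     412 bind  cwd   VDIR   4,17        512      2 /var/named
sshd      540 root    3u  IPv4 0xc1a2        0t0    TCP *:22 (LISTEN)
"""

# lsof prints only "mountpoint (device)" as NAME when it cannot resolve a path for the
# vnode, which is how a file that was unlinked while still open shows up.
UNNAMED = re.compile(r"^(/\S*) \((/dev/\S+)\)$")
FIELDS = ("command", "pid", "user", "fd", "type", "device", "size", "node", "name")

def parse_lsof(text):
    """Yield one dict per data line; NAME may contain spaces, so split at most 8 times."""
    for line in text.splitlines():
        if line.startswith("COMMAND"):
            continue
        fields = line.split(None, 8)
        if len(fields) == 9:
            yield dict(zip(FIELDS, fields))

def unnamed_open_files(text):
    """(command, pid, fd, size in bytes, mountpoint) for regular files with no resolvable path."""
    found = []
    for f in parse_lsof(text):
        m = UNNAMED.match(f["name"])
        if f["type"] == "VREG" and m:
            found.append((f["command"], int(f["pid"]), f["fd"], int(f["size"]), m.group(1)))
    return found

def hidden_bytes(text, mountpoint):
    """Space df reports on a filesystem that du cannot find: unlinked files still held open."""
    return sum(size for _, _, _, size, mp in unnamed_open_files(text) if mp == mountpoint)
```

On the post's numbers the natd descriptor accounts for about 2.7 GiB, which is the gap between df's 4.3G and du's 1.3G once rounding is allowed for; the fix is to rotate the log through the daemon (close and reopen) rather than unlink it underneath it.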


Re: port redirection with natd and ipfw

2006-11-23 Thread Nilton Volpato

[Fratiman Vladut]

This is because you try to access an IP that is the same as your
gateway's, but from the internal LAN, so packets are sent to the gateway but
cannot be redirected back to the http server according to the redirect
rules.
To resolve this situation, configure a simple DNS server on your
gateway, and make a zone with your domain pointed to the internal IP.
Then configure the client computers to ask your DNS server. This is
easily done via DHCP.
Your DNS server needs to be configured to forward requests for unknown
domains to the authoritative public DNS servers.
--
Best regards,
 Fratiman


[Russell Wood]

I had a similar setup once and used Split DNS with BIND. So, if you
requested example.com on 192.168.0.0/24 then you'd get the internal IP,
otherwise you got the external IP.

Regards,
Russell Wood


Thanks guys,

But Split DNS does not work in my case. Because I have different
services on different machines, and the dns will map one name (and all
ports associated to it) to one machine.

Is there any solution that will work without using split dns?

Thanks,
-- Nilton


Re: port redirection with natd and ipfw

2006-11-23 Thread Frank Shute
On Sat, Nov 18, 2006 at 09:12:30PM -0200, Nilton Volpato wrote:

> Hi,
>
> I'm using a computer with FreeBSD as a gateway and NAT for a private
> LAN. Let's say the gateway has external.com as external address, and
> 192.168.0.1 as internal address, so that the LAN is 192.168.0.0/24.
>
> I'm doing a number of port redirects in the gateway, for svn, http,
> https, ssh, etc using natd. However, these port redirects do not work
> from inside the LAN.
>
> For instance, if I point my browser to http://external.com and I'm in
> the LAN, then it will not work. I can't use the internal address of
> the web server because none of the links will work on the web page.
>
> In summary, I want that my port redirections work also when I try to
> connect to the gateway's external address from inside the LAN.
>
> I'm using a minimal ipfw configuration to try to solve this. This is
> the default configuration.
>
> 00050 divert 8668 ip4 from any to any via vr0
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 127.0.0.0/8 to any
> 65000 allow ip from any to any
> 65535 deny ip from any to any
>
> I tried to add:
>
> 00060 divert 8668 ip4 from 192.168.0.0/24 to external.com
>
> expecting that it would send the packets from LAN to natd, which would
> apply the port redirections. But it did not work.
>
> How can I solve this?
>
> Thanks,
> -- Nilton

What I do in these circumstances is put a line in /etc/hosts on the
machines on the LAN, e.g.:

192.168.0.1 external.com

If you've got a standard host.conf then it gets picked up before bind.

Whilst it means you don't connect to the external interface of
external.com it has the same effect and you can browse your site etc.

No fancy firewall rules required either.

HTH.

-- 

 Frank 


echo f r a n k @ e s p e r a n c e - l i n u x . c o . u k | sed 's/ //g'

  ---PGP keyID: 0x10BD6F4B---  


port redirection with natd and ipfw

2006-11-18 Thread Nilton Volpato

Hi,

I'm using a computer with FreeBSD as a gateway and NAT for a private
LAN. Let's say the gateway has external.com as external address, and
192.168.0.1 as internal address, so that the LAN is 192.168.0.0/24.

I'm doing a number of port redirects in the gateway, for svn, http,
https, ssh, etc using natd. However, these port redirects do not work
from inside the LAN.

For instance, if I point my browser to http://external.com and I'm in
the LAN, then it will not work. I can't use the internal address of
the web server because none of the links will work on the web page.

In summary, I want that my port redirections work also when I try to
connect to the gateway's external address from inside the LAN.

I'm using a minimal ipfw configuration to try to solve this. This is
the default configuration.

00050 divert 8668 ip4 from any to any via vr0
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
65000 allow ip from any to any
65535 deny ip from any to any

I tried to add:

00060 divert 8668 ip4 from 192.168.0.0/24 to external.com

expecting that it would send the packets from LAN to natd, which would
apply the port redirections. But it did not work.

How can I solve this?

Thanks,
-- Nilton


Port redirection troubles with natd/ipwf

2006-10-17 Thread Chris

Hello,

I have set myself up a nice FreeBSD router, but I'm having trouble getting my
firewall and NAT configured. I have a basic setup at the moment that is
working well, using IPFW for a firewall and also running natd because I have
a few computers here on my LAN that want Internet access.

However I cannot seem to work out how to get port redirection through NAT
working correctly. Currently I have it set up (as I hope my configs below
show) so that all incoming traffic from the web is blocked, unless it was
initiated by a host on the LAN; then the check-state and keep-state rules
allow the traffic through for that session.

My problem comes when I want to say, so to speak, that it's OK for traffic to
pass through this port to a target on the LAN. As far as I can make out that is
done with the redirect_port setting in natd.conf -- my conf has ports 113 and
3002 redirected to 10.0.0.11: 113 for IDENT, and 3002 as a custom port for a
Windows FTP server.

Take an IDENT request for example: I can see the traffic coming in on port
113, getting NAT'd to the correct LAN IP, and even mIRC registering the
IDENT request. But it never gets back out. The same with FTP on 3002: if
someone attempts to connect they get a message in their client that the
request timed out, but I can see a login attempt in the server logs.

I have a feeling there is a simple answer to this, but I'm stuck. Any help is
appreciated. My config is below; I can provide logs of the behavior if a
fix is not obvious.

Thank you.


ifconfig

re0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
   options=18<VLAN_MTU,VLAN_HWTAGGING>
   inet6 fe80::214:*** prefixlen 64 scopeid 0x1
   ether 00:14:bf:59:be:84
   media: Ethernet autoselect (none)
   status: no carrier
re1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
   options=18<VLAN_MTU,VLAN_HWTAGGING>
   inet6 fe80::214:*** prefixlen 64 scopeid 0x2
   ether 00:14:bf:59:be:8b
   media: Ethernet autoselect (100baseTX full-duplex)
   status: active
re2: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
   options=18<VLAN_MTU,VLAN_HWTAGGING>
   inet6 fe80::214:*** prefixlen 64 scopeid 0x3
   ether 00:14:bf:59:c1:26
   media: Ethernet autoselect (100baseTX full-duplex)
   status: active
vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
   inet6 fe80::211:*** prefixlen 64 scopeid 0x4
   inet ***.***.***.*** netmask 0xfc00 broadcast 255.255.255.255
   ether 00:11:d8:a1:22:13
   media: Ethernet autoselect (100baseTX full-duplex)
   status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
   inet6 ::1 prefixlen 128
   inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
   inet 127.0.0.1 netmask 0xff00
bridge0: flags=8043<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
   inet 10.0.0.1 netmask 0xff00 broadcast 10.0.0.255
   ether ac:de:48:30:8d:de
   priority 32768 hellotime 2 fwddelay 15 maxage 20
   member: re2 flags=7<LEARNING,DISCOVER,STP>
   port 3 priority 128 path cost 55 forwarding
   member: re1 flags=7<LEARNING,DISCOVER,STP>
   port 2 priority 128 path cost 55 forwarding
   member: re0 flags=7<LEARNING,DISCOVER,STP>
   port 1 priority 128 path cost 55 disabled


cat /etc/natd.conf

dynamic yes
use_sockets yes
same_ports yes
unregistered_only

redirect_port tcp 10.0.0.11:113 113
redirect_port udp 10.0.0.11:113 113
redirect_port tcp 10.0.0.11:3002 3002
redirect_port udp 10.0.0.11:3002 3002


cat /etc/rc.firewall.test

(these rules were made mainly using the NAT stateful ruleset here
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html
)
#!/bin/sh

##
# Default variables
##
cmd="ipfw -q add"   # Rule prefix
wan="vr0"           # Inbound interface (Public WAN)
lan="bridge0"       # Outbound interfaces (Private LAN)
nat="skipto 600"    # Skipto location for outgoing packets that need NAT
ks="keep-state"     # Adds rule to dynamic rules table

##
# Ruleset
##

ipfw -q -f flush

###
# Allowed Loopback and LAN traffic
###

$cmd 5 allow all from any to any via $lan
$cmd 6 allow all from any to any via lo0

###
# NAT inbound traffic and check all traffic against rules in dynamic rules table
###

$cmd 00010 divert natd ip from any to any in via $wan
$cmd 00011 check-state

###
# Rejected outbound traffic
###

###
# Allowed outbound traffic
###

# Allow all outbound traffic
$cmd 00205 $nat icmp from any to any out via $wan $ks
$cmd 00210 $nat tcp from any to any out via $wan setup $ks
$cmd 00211 $nat udp from any to any out via $wan $ks

###
# Rejected inbound traffic
###

# Late arriving packets
$cmd 00315 deny all from any to any frag in via $wan

# ACK packets that did not match the dynamic rule table
$cmd 00320 deny tcp from any to any established in via $wan

###
# Allowed inbound traffic
###

# ISP's DNS and DHCP
$cmd 00404 allow all from ***.***.4.100 to any 53 in via
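
René's log puzzle earlier on this page (a packet logged at rule 11 on its way out of em0 already carrying the translated address) and Chris's forwarded ports that never answer come down to the same three facts about how ipfw walks a ruleset: a routed packet is evaluated once on the way in and once on the way out, a divert rule hands the packet to natd and processing resumes at the following rule, and check-state executes the action of the rule that created the matching dynamic entry. The toy model below is an added example, not code from any of these posts or from FreeBSD; it walks a handbook-style ruleset of the shape used in Chris's and mr. phreak's scripts. The interface names vr0/bridge0, the public address 203.0.113.5, the hosts 10.0.0.11 and 10.0.0.20 and the remote 198.51.100.9 are constructed. `lan_roundtrip()` shows the reply to a LAN client arriving at its outbound pass already un-NATed, because the inbound divert at rule 10 rewrote it. `ident_roundtrip("allow")` shows why a forwarded port goes silent: the inbound rule's dynamic entry has a plain allow as its parent, so the server's SYN-ACK is let out of vr0 at check-state with its private source address and never reaches the NAT divert at 600; `ident_roundtrip("skipto")` gives the inbound rule the same skipto-to-NAT action the outbound rules use, and the reply leaves aliased.

```python
from collections import namedtuple

# A packet on one ipfw pass; setup means TCP SYN without ACK (ipfw's "setup" option).
Packet = namedtuple("Packet", "proto src sport dst dport direction iface setup", defaults=(False,))
# A rule: direction "" is "via" (either way), dport 0 is any port, target is the skipto destination.
Rule = namedtuple("Rule", "num action proto src dst dport direction iface setup keep_state target",
                  defaults=("ip", "any", "any", 0, "", "", False, False, 0))
WAN, LAN, ALIAS = "vr0", "bridge0", "203.0.113.5"   # constructed interface names and public address

def in_net(addr, spec):   # spec is "any", a host address, or a CIDR prefix
    net, _, bits = ("0.0.0.0/0" if spec == "any" else spec).partition("/")
    to_int = lambda a: int.from_bytes(bytes(int(o) for o in a.split(".")), "big")
    mask = (0xFFFFFFFF << (32 - int(bits or 32))) & 0xFFFFFFFF
    return (to_int(addr) & mask) == (to_int(net) & mask)

def matches(r, p):
    return (r.proto in ("ip", "all", p.proto) and in_net(p.src, r.src) and in_net(p.dst, r.dst)
            and r.dport in (0, p.dport) and r.direction in ("", p.direction)
            and r.iface in ("", p.iface) and (not r.setup or p.setup))

def flow_key(p):   # direction-agnostic key for the dynamic (keep-state) table
    return (p.proto,) + tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

class Natd:   # alias outgoing sources (same_ports), un-alias replies, static redirect_port
    def __init__(self, alias, redirects):   # redirects: (proto, public port) -> (inside host, port)
        self.alias, self.redirects, self.table = alias, redirects, {}
        # table: (proto, alias port, remote host, remote port) -> (inside host, inside port)
    def translate(self, p):
        if p.direction == "out":
            for (proto, aport, rhost, rport), inside in self.table.items():
                if (proto, rhost, rport, inside) == (p.proto, p.dst, p.dport, (p.src, p.sport)):
                    return p._replace(src=self.alias, sport=aport)   # reply of a known flow
            self.table[(p.proto, p.sport, p.dst, p.dport)] = (p.src, p.sport)
            return p._replace(src=self.alias)
        key = (p.proto, p.dport, p.src, p.sport)
        inside = self.table.get(key) or self.redirects.get((p.proto, p.dport))
        if inside is None:
            return p                      # unknown flow: the packet is for the gateway itself
        self.table[key] = inside
        return p._replace(dst=inside[0], dport=inside[1])

class Firewall:
    def __init__(self, rules, natd):
        self.rules, self.natd, self.dynamic = sorted(rules, key=lambda r: r.num), natd, {}
    def run(self, p):   # one pass: returns (verdict, trace of rules hit, packet as it leaves)
        trace, i = [], 0
        while i < len(self.rules):
            r = self.rules[i]
            if r.action == "check-state":
                r = self.dynamic.get(flow_key(p))   # a hit executes the parent rule's action
            elif not matches(r, p):
                r = None
            if r is None:
                i += 1
                continue
            if r.keep_state:
                self.dynamic[flow_key(p)] = r
            trace.append((self.rules[i].num, r.action))
            if r.action in ("allow", "deny"):
                return r.action, trace, p
            if r.action == "skipto":
                i = next(k for k, x in enumerate(self.rules) if x.num >= r.target)
            else:   # divert: natd rewrites the packet, which then resumes at the next rule
                p = self.natd.translate(p)
                i += 1
        return "deny", trace, p           # ipfw's default rule

def forward(fw, p, out_iface):   # a routed packet is evaluated twice: coming in, then going out
    verdict, trace, p = fw.run(p)
    if verdict == "allow":
        verdict, more, p = fw.run(p._replace(direction="out", iface=out_iface))
        trace += more
    return verdict, trace, p

def build(inbound_action):
    """Handbook-style ruleset; the rule admitting the forwarded IDENT port uses inbound_action:
    'allow' lets the reply leave untranslated, 'skipto' (to the NAT rule) is the fix."""
    natd = Natd(ALIAS, {("tcp", 113): ("10.0.0.11", 113)})   # redirect_port tcp 10.0.0.11:113 113
    rules = [Rule(5, "allow", iface=LAN), Rule(10, "divert", direction="in", iface=WAN),
             Rule(11, "check-state"), Rule(600, "divert", direction="out", iface=WAN),
             Rule(610, "allow"), Rule(65535, "deny"),
             Rule(210, "skipto", proto="tcp", direction="out", iface=WAN, setup=True, keep_state=True, target=600),
             Rule(500, inbound_action, proto="tcp", dst="10.0.0.11", dport=113, direction="in", iface=WAN,
                  setup=True, keep_state=True, target=600)]
    return Firewall(rules, natd)

def ident_roundtrip(inbound_action):   # returns (verdict, source address) for the server's SYN-ACK
    fw = build(inbound_action)
    _, _, delivered = forward(fw, Packet("tcp", "198.51.100.9", 4000, ALIAS, 113, "in", WAN, True), LAN)
    synack = Packet("tcp", delivered.dst, 113, "198.51.100.9", 4000, "in", LAN)   # from 10.0.0.11
    verdict, _, leaving = forward(fw, synack, WAN)
    return verdict, leaving.src

def lan_roundtrip():   # LAN client out and back; the reply is already un-NATed on its out pass
    fw = build("skipto")
    _, _, out = forward(fw, Packet("tcp", "10.0.0.20", 1234, "198.51.100.9", 80, "in", LAN, True), WAN)
    verdict, trace, delivered = forward(fw, Packet("tcp", "198.51.100.9", 80, ALIAS, 1234, "in", WAN), LAN)
    return out.src, delivered.dst, verdict, trace
```

The model leaves out rule options such as established and frag, and the dummynet queues in René's script; its point is the traversal order. In a real ruleset the same check is `ipfw -d list` for the dynamic entries (the parent rule number is shown with each) and `ipfw show` counters on rule 600 while the forwarded connection is attempted: if the reply does not increment the NAT rule, it is leaving untranslated.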

Re: Port redirection troubles with natd/ipwf

2006-10-17 Thread jan gestre

On 10/18/06, Chris [EMAIL PROTECTED] wrote:


Re: IPFW + NATD rules

2006-10-03 Thread Alex de Kruijff
On Sun, Aug 27, 2006 at 01:04:54PM +0500, ?? ?? wrote:
 I'm a junior in FreeBSD, and I faced with problem.

You should know that others have mailers that are thread enabled. This
means that when you compose a new mail, but you that the reply sort cut
others may not read this, because it end up in the list.

I redirected the mail to questions@ becuase this is not related to the
stable development brance.

 I've a FreeBSD 6.1-stable box as a gate+firewall, and I want to divert
 incoming requests to my web-server, placed in DeMilitarized Zone
 (DMZ). To do this I wrote down settings in /etc/rc.conf as shown
 above:
 
   natd_flags=-redirect_port tcp 80 192.168.1.234 80
   natd_flags=-redirect_poort tcp 443 192.168.1.234 443

You proberbly can not have two lines. 

 I think, that all packets incoming from Internet will be diverted from
 the External interface via DMZ interface to my We-server. Is it right?
 If not, why not, and what the way to make it working?

Yes, but you made some mistakes:
1. You have two lines, where only one is allowed.
2. The file format is wrong: should be tcp forward_ip:port port
3. You made a typo
4. Did you setup ipfw?

I've done this with a separate config file.

firewall_enable="YES"
firewall_type="/etc/firewall.conf"
natd_enable="YES"
natd_flags="-f /etc/natd.conf"
natd_interface="fxp0"

/etc/firewall.conf contains:
add divert 8668 ip from any to any
add allow ip from any to any
(note: src_ip and dst_ip change after the divert rule, so keep this in mind
if you add rules)

/etc/natd.conf contains:
redirect_port tcp ip_to_goto:port local_port

Did you setup ipfw and directed packets to natd?

You also need to setup i
-- 
Alex

Please copy the original recipients, otherwise I may not read your reply.

Howtos based on my personal use, including information about 
setting up a firewall and creating traffic graphs with MRTG
http://alex.kruijff.org/FreeBSD/

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
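The three mistakes Alex lists (two natd_flags assignments of which only the last survives, the wrong redirect_port field order, and a misspelled keyword) can be caught before natd is restarted. The script below is an added example, not code from the thread or from FreeBSD itself: it validates natd.conf redirect_port lines against the `redirect_port proto targetIP:targetPORT aliasPORT` form that natd(8) documents, and counts how often a variable is assigned in rc.conf-style text. The sample rc.conf and natd.conf contents are constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not from the thread): checks for the natd.conf / rc.conf
# mistakes discussed above, run over constructed sample input.

# Constructed rc.conf fragment reproducing the original post's two lines.
# sh keeps only the last assignment, so the port-80 redirect is silently lost.
SAMPLE_RC='natd_enable="YES"
natd_flags="-redirect_port tcp 80 192.168.1.234 80"
natd_flags="-redirect_poort tcp 443 192.168.1.234 443"'

# Constructed natd.conf in the form natd(8) expects:
#   redirect_port proto targetIP:targetPORT [aliasIP:]aliasPORT
SAMPLE_NATD_CONF='redirect_port tcp 192.168.1.234:80 80
redirect_port tcp 192.168.1.234:443 443'

# Number of times variable $1 is assigned in the rc.conf-style text $2.
# Anything above 1 means the earlier assignments never take effect.
count_assignments() {
    printf '%s\n' "$2" | grep -c "^[[:space:]]*$1=" || true
}

# Validate one natd.conf redirect_port line; returns 0 when well formed.
check_redirect_port() {
    set -- $1                                    # split the line into words
    [ $# -eq 4 ] || return 1                     # keyword proto target alias
    [ "$1" = "redirect_port" ] || return 1       # keyword spelled correctly
    case "$2" in tcp|udp) ;; *) return 1 ;; esac # protocol
    case "$3" in *.*.*.*:[0-9]*) ;; *) return 1 ;; esac  # target must be ip:port
    case "$4" in [0-9]*) ;; *) return 1 ;; esac          # alias port or ip:port
    return 0
}

# Validate every redirect_port line of a natd.conf-style text $1;
# prints the first bad line and returns 1 if any line is malformed.
check_natd_conf() {
    status=0
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;               # blanks and comments
            redirect_port*|redirect_poort*)    # include the post's misspelling
                check_redirect_port "$line" || { echo "bad: $line"; exit 1; } ;;
            *) ;;                              # other keywords not checked here
        esac
    done || status=1
    return $status
}

n=$(count_assignments natd_flags "$SAMPLE_RC")
echo "natd_flags is assigned $n times; only the last assignment is used"
check_natd_conf "$SAMPLE_NATD_CONF" && echo "natd.conf redirect_port lines are well formed"
```

The check on the keyword is deliberately strict: natd reads the file keyword by keyword, so a typo such as `redirect_poort` is a configuration that quietly does nothing rather than a loud parse error.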


Please Help, My natd/firewall Not Work :(

2006-09-23 Thread ExTaZyTi

Hi again,

I have a problem with my network. I use 2 network cards in my FreeBSD computer
and 1 network card in WinXP Prof SP2.
One of the network cards, rl0, has my real static IP address via DHCP; the second
network card, rl1, is my local gateway, IP: 192.168.0.1.
I don't set the gateway for rl1, just IP: 192.168.0.1, DNS from the ISP,
mask: 255.255.255.0.
I precompiled my kernel with options IPFIREWALL, IPDIVERT,
IPFIREWALL_DEFAULT_TO_ACCEPT, IPFIREWALL_VERBOSE.
-
my /etc/rc.conf is:
-
gateway_enable="YES"
firewall_enable="YES"
firewall_script="/etc/firewall.sh"
natd_enable="YES"
natd_interface="rl1"
natd_flags=""
sendmail_enable="NONE"
hostname="root.extremebg.biz"
ifconfig_rl0="DHCP"
linux_enable="YES"
sshd_enable="YES"
usbd_enable="YES"
inetd_enable="NO"
ifconfig_rl1="inet 192.168.0.1  netmask 255.255.255.0"
hostname="root.extremebg.biz"
-
my /etc/firewall.sh is:
-
#!/bin/sh
/sbin/ipfw -f flush
/sbin/ipfw add 1000 pass all from any to any via lo0
/sbin/ipfw add 1100 deny all from any to 127.0.0.0/8
/sbin/ipfw add 1200 deny icmp from any to any frag
/sbin/ipfw add 1300 deny icmp from any to any in icmptype 5,9,13,14,15,16,17
/sbin/ipfw add 1400 deny tcp from any to any not established tcpflags fin
/sbin/ipfw add 1500 deny tcp from any to any tcpflags fin,syn,rst,psh,ack,urg
/sbin/ipfw add 1600 deny tcp from any to any tcpflags !fin,!syn,!rst,!psh,!ack,!urg
/sbin/ipfw add 4000 deny udp from any 137-139 to any via rl0
/sbin/ipfw add 4100 deny udp from any to any 137-139 via rl0
/sbin/ipfw add 5000 divert natd ip from 192.168.0.0:255.255.255.128 to any out xmit rl1
/sbin/ipfw add 5100 divert natd ip from any to 192.168.0.1
/sbin/ipfw add 5500 deny all from 192.168.0.0/24 to not 192.168.0.0/24 80,21,443
/sbin/ipfw add 600 allow all from any to any
-
my ifconfig is:
-
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
   options=8<VLAN_MTU>
   inet6 fe80::2c0:26ff:fe5e:72a4%rl0 prefixlen 64 scopeid 0x1
   inet 85.239.153.142 netmask 0xffffff80 broadcast 85.239.153.255
   ether 00:c0:26:5e:72:a4
   media: Ethernet autoselect (100baseTX <full-duplex>)
   status: active
rl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
   options=8<VLAN_MTU>
   inet6 fe80::2e0:4cff:fe3c:f2f%rl1 prefixlen 64 scopeid 0x2
   inet 192.168.0.1 netmask 0xffffff80 broadcast 192.168.0.127
   ether 00:e0:4c:3c:0f:2f
   media: Ethernet autoselect (100baseTX <full-duplex>)
   status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
   inet6 ::1 prefixlen 128
   inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
   inet 127.0.0.1 netmask 0xff000000
-
my /etc/sysctl.conf is:
-
net.inet.ip.forwarding=1
-
My network ISP gateway is: 85.239.153.129, submask: 255.255.255.128, my
static real ip is: 85.239.153.142, my ISP DNS server is:
85.239.155.1.
-

my pc start natd successfully, and other services ..
--

my WinXP network configuration is:

DNS 85.239.155.1, gateway: 192.168.0.1, mask: 255.255.255.0, ip addess:
192.168.0.2.

I connected my computers in the LAN, but traffic is not going from my FreeBSD to
the Windows box :(
I don't know how to route traffic from FreeBSD to the Windows box :(
Please help.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: Please Help, My natd/firewall Not Work :(

2006-09-23 Thread Armin Pirkovitsch
ExTaZyTi wrote:
 Hi again,
 
 I have problem with my network, I use 2 Network Cards in my FreeBSD
 computer
 and 1 Network Cards in WinXP Prof sp2,
 one of the network card - rl0 is my real static ip address with DHCP, 2
 network card is - rl1 is my local gateway ip: 192.168.0.1,
 I don't set the gateway for the rl1, just ip: 192.168.0.1, DNS from the
 ISP,
 mask: 255.255.255.0,..
 I precompiled my kernel with options FIREWALL, IPDIVER,
 IPFIREWALL_DEFAULT_TO_ACCEPT, IPFIREWALL_VERBOSE.
 -
 my /etc/rc.conf is:
 -
 gateway_enable=YES
 firewall_enable=YES
 firewall_script=/etc/firewall.sh
 natd_enable=YES
 natd_interface=rl1
 natd_flags=
 sendmail_enable=NONE
 hostname=root.extremebg.biz
 ifconfig_rl0=DHCP
 linux_enable=YES
 sshd_enable=YES
 usbd_enable=YES
 inetd_enable=NO
 ifconfig_rl1=inet 192.168.0.1  netmask 255.255.255.0
 hostname=root.extremebg.biz
 -
 my /etc/firewall.sh is:
 -
 #!/bin/sh
 /sbin/ipfw -f flush
 /sbin/ipfw add 1000 pass all from any to any via lo0
 /sbin/ipfw add 1100 deny all from any to 127.0.0.0/8
 /sbin/ipfw add 1200 deny icmp from any to any frag
 /sbin/ipfw add 1300 deny icmp from any to any in icmptype
 5,9,13,14,15,16,17
 /sbin/ipfw add 1400 deny tcp from any to any not established tcpflags fin
 /sbin/ipfw add 1500 deny tcp from any to any tcpflags
 fin,syn,rst,psh,ack,urg
 /sbin/ipfw add 1600 deny tcp from any to any tcpflags
 !fin,!syn,!rst,!psh,!ack,!urg
 /sbin/ipfw add 4000 deny udp from any 137-139 to any via rl0
 /sbin/ipfw add 4100 deny udp from any to any 137-139 via rl0
 /sbin/ipfw add 5000 divert natd ip from 192.168.0.0:255.255.255.128 to any
 out xmit rl1
 /sbin/ipfw add 5100 divert natd ip from any to 192.168.0.1

you should have a look at http://www.freebsddiary.org/ipfw.php -
especially the natd divert part (your divert uses the wrong interface imho)

 /sbin/ipfw add 5500 deny all from 192.168.0.0/24 to not
 192.168.0.0/2480,21,443
 /sbin/ipfw add 600 allow all from any to any

I guess the last rule was just for test purposes; if not, the first rule
that matches takes it, which means rule number 600 would kill your
whole firewall.

 -
 my ifconfig is:
 -
 rl0: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST mtu 1500
options=8VLAN_MTU
inet6 fe80::2c0:26ff:fe5e:72a4%rl0 prefixlen 64 scopeid 0x1
inet 85.239.153.142 netmask 0xff80 broadcast 85.239.153.255
ether 00:c0:26:5e:72:a4
media: Ethernet autoselect (100baseTX full-duplex)
status: active
 rl1: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST mtu 1500
options=8VLAN_MTU
inet6 fe80::2e0:4cff:fe3c:f2f%rl1 prefixlen 64 scopeid 0x2
inet 192.168.0.1 netmask 0xff80 broadcast 192.168.0.127
ether 00:e0:4c:3c:0f:2f
media: Ethernet autoselect (100baseTX full-duplex)
status: active
 plip0: flags=108810POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT mtu 1500
 lo0: flags=8049UP,LOOPBACK,RUNNING,MULTICAST mtu 16384
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
inet 127.0.0.1 netmask 0xff00
 -
 my /etc/sysctl.conf is:
 -
 net.inet.ip.forwarding=1
 -
 My network ISP gateway is: 85.239.153.129, submask: 255.255.255.128, my
 static real ip is: 85.239.153.142, my ISP DNS server is:
 85.239.155.1.
 -
 
 my pc start natd successfully, and other services ..
 -- 
 
 my WinXP network configuration is:
 
 DNS 85.239.155.1, gateway: 192.168.0.1, mask: 255.255.255.0, ip addess:
 192.168.0.2.
 
 I connected my computers in LAN, but not going traffic from my freebsd to
 the windows :(
 I don't know how to route traffic from FreeBSD to the windows :(
 please help

-- 
Armin Pirkovitsch
[EMAIL PROTECTED]
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
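Both of Armin's points, a divert rule bound to the wrong interface and an allow-all rule numbered below everything else, can be checked against a ruleset before it is loaded. The script below is an added example, not the poster's firewall.sh and not part of the thread: the ruleset is constructed to mirror the post's numbering and interface names (rl0 external, rl1 internal), and the two checks only rely on ipfw's documented behaviour that rules are evaluated in ascending number order with the first match winning.

```sh
#!/bin/sh
# Added example (not from the thread): two static checks over an ipfw
# ruleset, run on a constructed ruleset modelled on the post.

# Constructed ruleset: the numbers and interfaces follow the post, the
# rules themselves are simplified for the demonstration.
RULES='01000 allow ip from any to any via lo0
01100 deny ip from any to 127.0.0.0/8
04000 deny udp from any 137-139 to any via rl0
05000 divert 8668 ip from 192.168.0.0/25 to any out xmit rl1
05100 divert 8668 ip from any to 192.168.0.1
00600 allow ip from any to any'

# ipfw walks rules in numeric order and stops at the first match, so sort
# as the kernel does and print every rule number that comes after an
# unconditional accept (allow/pass/accept/permit ip|all from any to any with
# nothing else on the line). Those rules can never match anything.
unreachable_rules() {
    printf '%s\n' "$1" | sort -n | awk '
        dead { print $1; next }
        NF == 7 &&
        ($2 == "allow" || $2 == "pass" || $2 == "accept" || $2 == "permit") &&
        ($3 == "ip" || $3 == "all") &&
        $4 == "from" && $5 == "any" && $6 == "to" && $7 == "any" { dead = 1 }
    '
}

# natd aliases traffic to the address of natd_interface, the external one,
# so the divert rule must see packets on that interface. Print each divert
# rule whose via/xmit/recv clause names a different interface or none at all.
divert_rules_not_on() {
    printf '%s\n' "$2" | awk -v wan="$1" '
        $2 == "divert" {
            iface = ""
            for (i = 3; i <= NF; i++)
                if ($i == "via" || $i == "xmit" || $i == "recv") iface = $(i + 1)
            if (iface != wan) print $1
        }'
}

echo "rules shadowed by an earlier allow-all:"
unreachable_rules "$RULES"
echo "divert rules not bound to the external interface rl0:"
divert_rules_not_on rl0 "$RULES"
```

On the constructed ruleset the first check reports every rule except 00600, which is exactly the "rule 600 kills the whole firewall" effect, and the second reports 05000 (bound to rl1) and 05100 (no interface clause at all).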


Questions inregards to NATD

2006-08-04 Thread Tyler Brincheski
Hello,

I apologize for taking your time, however I was unable to find an answer to 
my question inside the online documentation.

I have installed FreeBSD 5.4 on a P1 Super Socket 7 system (533 MHz).  I have 
installed 2 Adaptec Ana-6944 cards; these cards have 4 ports each.  I have a 
separate D-Link card that is supported.  My question is, all the online 
documentation has indicated that the natd daemon is used for Network 
Address Translation, however it doesn't indicate whether I can use all 8 ports 
(4 from each card) as LAN ports, with the D-Link's connection as the WAN port.  
Is this possible?

Thanks in advance for any assistance you can offer me.

Sincerely,
Tyler Brincheski
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: Questions inregards to NATD

2006-08-04 Thread Fabian Keil
Tyler Brincheski [EMAIL PROTECTED] wrote:

 I have installed FreeBSD 5.4 on a P1 Super Socket 7 system (533
 MHz).  I have installed 2 Adaptec Ana-6944 cards; these cards have 4
 ports each.  I have a separate D-Link card that is supported.  My
 question is, all the online documentation has indicated that
 the natd daemon is used for Network Address Translation, however it
 doesn't indicate whether I can use all 8 ports (4 from each card) as
 LAN ports, with the D-Link's connection as the WAN port.  Is this
 possible?

If you can configure all 8 ports with ifconfig,
you shouldn't have any problems using them for NAT.

If you want to use all internal ports in the same network,
I suggest you only give one of them an IP address, configure
it for NAT and then use if_bridge to connect it with the other
ones. Otherwise you could run into routing problems.

Note that you don't have to use natd for NAT,
you can also use PF and save some CPU time.
If your system has other work to do and you have
lots of connections, it could make a difference.

Fabian
-- 
http://www.fabiankeil.de/


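The layout Fabian describes, one LAN address, all internal ports bridged together, NAT on the WAN card, is an rc.conf matter. The fragment below is an added example and not from the thread or the FreeBSD handbook verbatim; it puts the LAN address on bridge0 itself, as the handbook's if_bridge section does. Interface names are assumptions: fxp0 to fxp7 stand for the eight Adaptec ports and dc0 for the D-Link card facing the ISP, and /etc/ipfw.rules is a hypothetical ruleset path.

```sh
# Constructed rc.conf fragment (added example, interface names assumed).
# All eight internal ports become members of one bridge; only the bridge
# carries an address, so there is a single LAN subnet and no routing between ports.
cloned_interfaces="bridge0"
ifconfig_bridge0="addm fxp0 addm fxp1 addm fxp2 addm fxp3 addm fxp4 addm fxp5 addm fxp6 addm fxp7 inet 192.168.1.1/24 up"
ifconfig_fxp0="up"
ifconfig_fxp1="up"
ifconfig_fxp2="up"
ifconfig_fxp3="up"
ifconfig_fxp4="up"
ifconfig_fxp5="up"
ifconfig_fxp6="up"
ifconfig_fxp7="up"

# The D-Link card is the only interface natd aliases traffic to;
# the divert rule in the ruleset must match traffic via this interface.
ifconfig_dc0="DHCP"
gateway_enable="YES"
firewall_enable="YES"
firewall_type="/etc/ipfw.rules"
natd_enable="YES"
natd_interface="dc0"
natd_flags="-dynamic"
```

Giving the members no address of their own is what avoids the routing problems Fabian warns about: hosts on any of the eight ports share 192.168.1.0/24 and see the gateway at the same address.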


Updating system's natd config from natd.conf

2006-07-14 Thread Darek M

Hi there,

What is the procedure to make active changes made to /etc/natd.conf?

Sometimes, restarting the natd process with an HUP drops my connection.  
Other times the restart didn't seem to make any difference.  The only 
way I've ever updated natd rules was to restart the server and never was 
able to find anything relating to this topic online.


Any other options?

Thanks.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: Updating system's natd config from natd.conf

2006-07-14 Thread Charles Swiger

On Jul 14, 2006, at 4:00 PM, Darek M wrote:

What is the procedure to make active changes made to /etc/natd.conf?

Sometimes, restarting the natd process with an HUP drops my  
connection.  Other times the restart didn't seem to make any  
difference.  The only way I've ever updated natd rules was to  
restart the server and never was able to find anything relating to  
this topic online.


Basically, you need to kill and restart natd right now, and doing so  
will lose track of any active state for currently-open connections.   
Natd dies when it gets a SIGHUP, but I've always wanted to extend its  
signal handler to trap SIGHUP and re-read the config file.


--
-Chuck


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


'unregistered_only' in natd does not work?

2006-07-07 Thread BigBrother-{BigB3}

Summary: NATD translates source addresses even though it should not because 
unregistered_only is set and the IPs do not belong to RFC 1918 (like 
192.168)


Hi List,

I have a very strange problem in my

FreeBSD bigb3 6.1-STABLE FreeBSD 6.1-STABLE #0: Tue Jun  6


I am using the ftpd with inetd.
I have specified via sysctl  IP_PORTRANGE_DEFAULT and  IP_PORTRANGE_HIGH

net.inet.ip.portrange.first: 49152
net.inet.ip.portrange.last: 65535
net.inet.ip.portrange.hifirst: 49152
net.inet.ip.portrange.hilast: 65535


and I have opened my ipfw firewall for these ranges.



In natd.conf I am using:
same_ports  yes
unregistered_only   yes
use_sockets yes
log_denied  yes
interface   vr0


and I am using ipfw with
$fwcmd add 15000 divert natd   all from any to any via $oif



* T H E   P R O B L E M **


I have trouble making a passive ftp connection work, because 
every time natd changes the source port even though it should not. Sometimes it 
changes it to something within the IP_PORTRANGE_DEFAULT but sometimes it changes it to 
something completely irrelevant like 3


The verbose log of natd shows this:

Out {default}  [TCP] 193.92.?:55211 - 193.92.:3866 aliased to
   [TCP] 193.92.??:37962 - 193.92.?:3866


Thus it shows that the outside IP and port (55211) in the source field was 
changed to another source port (37962), even though this is not required. 
My IPFW denies ports lower than 49152 and thus it drops this and logs 
that this packet was denied.


Can you help me please of how to either

1) instruct natd NOT to translate ports if it is not required 
(unregistered_only seems that it does not work)


or,

2) instruct natd to translate ports which belong to either 
IP_PORTRANGE_DEFAULT  or another defined portrange?




Thank you very very much in advance,



Best Regards,

BB


p.s. After searching the freebsd bugs database I found
Problem Report bin/77089 : /sbin/natd: natd ignores -u with passive FTP
http://www.freebsd.org/cgi/query-pr.cgi?pr=bin/77089, which seems similar.

Any clues except re-arranging the firewall rules, as the author of the 
previous post suggests?


---
Dixi et animan levavi
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: 'unregistered_only' in natd does not work?

2006-07-07 Thread Chuck Swiger

BigBrother-{BigB3} wrote:
[ ... ]
I have trouble making a passive ftp connection to work, because every 
time natd changed source port even though it should not. Sometimes it 
changes within the IP_PORTRANGE_DEFAULT but sometimes it changes it to 
something completely irrelevant like 3


The verbose log of natd shows this:

Out {default}  [TCP] 193.92.?:55211 - 193.92.:3866 aliased to
   [TCP] 193.92.??:37962 - 193.92.?:3866


You might try using the punch_fw keyword or flag to natd to try and control 
the portrange used for ephemeral FTP & IRC data channels, BTW...but if your 
problem also affects passive-mode FTP, something else is going on.


What happens if you change your IPFW divert statement to only match the 
RFC-1918 unroutable addresses which you're using, and not send internal 
routable traffic to NATD...?


--
-Chuck

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: 'unregistered_only' in natd does not work?

2006-07-07 Thread BigBrother-{BigB3}


On Fri, 7 Jul 2006, Chuck Swiger wrote:


BigBrother-{BigB3} wrote:
[ ... ]
I have trouble making a passive ftp connection to work, because every time 
natd changed source port even though it should not. Sometimes it changes 
within the IP_PORTRANGE_DEFAULT but sometimes it changes it to something 
completely irrelevant like 3


The verbose log of natd shows this:

Out {default}  [TCP] 193.92.?:55211 - 193.92.:3866 aliased to
   [TCP] 193.92.??:37962 - 193.92.?:3866


You might try using the punch_fw keyword or flag to natd to try and control 
the portrange used for ephemeral FTP & IRC data channels, BTW...but if your 
problem also affects passive-mode FTP, something else is going on.


What happens if you change your IPFW divert statement to only match the 
RFC-1918 unroutable addresses which you're using, and not send internal 
routable traffic to NATD...?


--
-Chuck




Dear Chuck,

Thank you for your answer.

1) I have already tried punch_fw keyword with 
different settings but nothing happened. I mean that no dynamic rule was 
added. I think that punch_fw works when you are on the box and try to 
connect to another ftp server (thus, when you are client). I do not think 
that punch_fw works when this box is the server. Passive mode from the box 
itself is ok...works without any problem.


2) I am not sure how to change the divert command because take notice that 
divert should be applied to both incoming and both outgoing packets. I 
think that messing with divert may cause some strange problems...


I followed your suggestion and It seems that the following works (not 
tested thoroughly though)


$fwcmd add 14999 skipto 15001 all from $oip to any via $oif
$fwcmd add 15000 divert natd all from any to any via $oif

(do you have any feeling for possible faults on the skipto line?)


I will test but I think it should be noted that this is a bug in natd 
code (I mean the 'unregistered_only').



Thanks for the support!


BB





---
Dixi et animan levavi
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
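The symptom BB reads out of the natd verbose log, a source port rewritten although the source address is routable and unchanged, and rewritten to a port below the range the firewall was opened for, is something that can be spotted mechanically over the log rather than by eye. The script below is an added example and not part of the thread: it pairs each "aliased to" line with the line that follows it, as in the two-line log excerpt in the post, and reports every translation whose source port changed and whether the new port falls inside the net.inet.ip.portrange.first/last window. The log lines are constructed (RFC 5737 documentation addresses); the "->" arrow between the endpoints is an assumption, since the page's copy of the log lost it.

```sh
#!/bin/sh
# Added example (not from the thread): detect natd source-port rewrites in
# verbose-log output and classify them against the firewall's open port range.

# Constructed log in the two-line shape shown in the post. Record 1 is the
# case BB describes (55211 rewritten to 37962, below 49152); record 2 is an
# untouched port; record 3 is a rewrite that stays inside the open range.
SAMPLE_LOG='Out {default}  [TCP] 192.0.2.10:55211 -> 198.51.100.7:3866 aliased to
   [TCP] 192.0.2.10:37962 -> 198.51.100.7:3866
Out {default}  [TCP] 192.0.2.10:50001 -> 198.51.100.7:21 aliased to
   [TCP] 192.0.2.10:50001 -> 198.51.100.7:21
Out {default}  [TCP] 192.0.2.10:50002 -> 198.51.100.7:443 aliased to
   [TCP] 192.0.2.10:61000 -> 198.51.100.7:443'

# natd_port_rewrites LOG FIRST LAST
# Prints "orig_port new_port verdict" for every translation whose source
# port changed; verdict is IN_RANGE or OUT_OF_RANGE relative to [FIRST,LAST],
# the net.inet.ip.portrange.first/last window the firewall permits.
natd_port_rewrites() {
    printf '%s\n' "$1" | awk -v first="$2" -v last="$3" '
        # first line of a record: field 4 is the pre-translation src:port
        /aliased to$/ { n = split($4, a, ":"); before = a[n]; pending = 1; next }
        # second line: field 2 is the post-translation src:port
        pending {
            n = split($2, b, ":"); after = b[n]; pending = 0
            if (after != before) {
                verdict = "IN_RANGE"
                if (after + 0 < first + 0 || after + 0 > last + 0) verdict = "OUT_OF_RANGE"
                print before, after, verdict
            }
        }'
}

# Report against the range BB set via sysctl (49152-65535).
natd_port_rewrites "$SAMPLE_LOG" 49152 65535
```

An OUT_OF_RANGE line is the combination that produces the deny-log entries BB saw: natd chose a new port the firewall was never opened for, so the translated packet is dropped by the very rules meant to allow the passive data connection. Feeding the real log through the same function with the values of `sysctl net.inet.ip.portrange.first` and `.last` gives a quick count of how often that happens.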


RE: natd not starting on boot-up SOLVED

2006-06-12 Thread Roger Merritt
I just cvsup'ed the source and rebuilt world, and now natd starts on 
boot-up just fine. I don't have any idea what changed, although I did 
notice that when I ran mergemaster there was new text in 
/etc/defaults/rc.conf, which I installed without examining too closely. The 
thing is, I looked it over before and the entries I thought were relevant 
all looked OK to me. I didn't make any change in my /etc/rc.conf file.


Anyway, that's a great relief, because we have occasional power outages 
here and it's nice to know things will work even if I don't happen to be in 
the office.


--
Roger


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: natd not starting on boot-up

2006-06-11 Thread Roger Merritt

At 07:21 AM 6/9/2006 -0800, you wrote:

On 6/6/2006 21:13, Roger Merritt seems to have typed:
 Everything
 starts on boot-up as it should -- except natd. I can start it manually from
 the command line after booting up and logging in and it works fine, but I
 can't tell what's going on that it's failing to start.

Try adding:
natd_flags="-dynamic"

to rc.conf


Well, I tried it but it didn't help. I'm starting to think I just need to 
cvsup the latest changes and make world. Maybe that'll fix it.



--
Roger


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: natd not starting on boot-up

2006-06-09 Thread Roger Merritt

At 02:13 PM 6/9/2006 +1000, you wrote:


I've been doing a little hunting around to figure out
how /etc/rc.d/natd's called in the first place and it seems
this is done by the /etc/rc.d/ipfw script, which in turn is run
when firewall_enable is set
in /etc/rc.conf. /etc/rc.d/natd's not run directly
by /etc/rc due to its having the nostart KEYWORD.

Is IPFW definitely launched correctly on the system?


Definitely. After I reboot I entered 'ipfw show' and it displayed the 
ruleset it's using. The first rule (actually number 0050) is 'divert 8668 
ip4 from any to any via ed1'. Hmmm. Only 'ip4'? I have ip6 enabled, too, 
although as far as I know I only deal with ip4. Something new to research.




Otherwise, perhaps it's worthwhile chucking a debug echo or two
about the place (for instance, in /etc/rc.d/natd and /
or /etc/rc.d/ipfw) and rebooting. Something like this should do
the trick, I believe: "echo && echo && echo && echo
'/etc/rc.d/natd' && echo && echo && echo" (without the outer
quotes).

--
Nick Withers
email: [EMAIL PROTECTED]
Web: http://www.nickwithers.com
Mobile: +61 414 397 446


Well, I'll give it a try. Thanks for the suggestion.


--
Roger


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: natd not starting on boot-up

2006-06-09 Thread Peter A. Giessel
On 6/6/2006 21:13, Roger Merritt seems to have typed:
 Everything 
 starts on boot-up as it should -- except natd. I can start it manually from 
 the command line after booting up and logging in and it works fine, but I 
 can't tell what's going on that it's failing to start.

Try adding:
natd_flags="-dynamic"

to rc.conf

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: natd not starting on boot-up

2006-06-08 Thread Peter Giessel
On 6/6/2006 21:13, Roger Merritt seems to have typed:
 Everything
 starts on boot-up as it should -- except natd. I can start it manually from
 the command line after booting up and logging in and it works fine, but I
 can't tell what's going on that it's failing to start.

Try adding:
natd_flags="-dynamic"

to rc.conf

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: natd not starting on boot-up

2006-06-08 Thread Nick Withers
On Wed, 07 Jun 2006 18:01:43 +0700
Roger Merritt [EMAIL PROTECTED] wrote:

 At 02:12 AM 6/7/2006 -0700, you wrote:
 On 6/7/06, Nick Withers [EMAIL PROTECTED] wrote:
 On Wed, 07 Jun 2006 15:23:18 +0700
 Roger Merritt [EMAIL PROTECTED] wrote:
 
   At 04:35 PM 6/7/2006 +1000, you wrote:
   On Wed, 07 Jun 2006 12:13:29 +0700
   Roger Merritt [EMAIL PROTECTED] wrote:
   
 I'm thoroughly puzzled. Over the weekend I transferred my FreeBSD system to
 a new hard drive. Through laziness I didn't follow the instructions and had
 to make a completely new install. Everything now seems to be working the
 way it should, Apache, MySQL, PHP, syslog, Samba -- except natd. Everything
 starts on boot-up as it should -- except natd. I can start it manually from
 the command line after booting up and logging in and it works fine, but I
 can't tell what's going on that it's failing to start.

 My /etc/rc.conf contains the following:

 # This file now contains just the overrides from /etc/defaults/rc.conf.
 defaultrouter=203.151.134.1
 gateway_enable=YES
 hostname=poppy.international.stjohn.ac.th
 ifconfig_ed0=inet 10.3.16.125 netmask 255.255.255.0
 ifconfig_ed1=inet 203.151.134.104  netmask 255.255.255.0
 router_enable=YES
 firewall_enable=YES
 firewall_type=OPEN
 firewall_quiet=YES
 natd_enable=YES
 natd_interface=ed1
 ipv6_enable=YES
 linux_enable=YES
 moused_enable=YES
 moused_port=/dev/sysmouse
 moused_type=auto
 screen=daemon
 nfs_client_enable=YES
 sshd_enable=YES
   
   That looks alright to me...
   
 What can I do to get some indication of where the problem is?
   
   Are there any error messages relating to IPFW / natd on boot?
  
   No, or at least none I could see. That's why I've asked for help.
  
   What version of FreeBSD are you running?
  
   6.1-STABLE
 
 Perhaps there's something wrong in the branch at present...?
 Doubtful, I guess.
 
   What's the command
   you're running that _does_ launch natd successfully?
  
   /sbin/natd -n ed1. I hadn't thought about /etc/rc.d/natd start until
   someone suggested it, but that works too and reads the interface from
   /etc/rc.conf.
  
 What's the
   output of ls -l /etc/rc.d/natd?
  
   [poppy] ~# ls -l /etc/rc.d/natd
   -r-xr-xr-x  1 root  wheel  978 May 31 09:52 /etc/rc.d/natd
 
 Hmmm... Well that all seems OK, then.
 
 The only other thing I can think of is that the
 'router_enable=YES' line's creating dramas.
 
 As I understand it, this'll cause /etc/rc.d/routed to attempt to
 launch the routing daemon specified by a 'router=...' line,
 which you don't appear to have. I don't think this'd interfere
 with natd anyway, but I don't really understand what the hell's
 going on in /etc/rc.d/routed.
 
 Sorry I can't be more helpful!
 --
 
 I don't run route(daemon) so I don't know about router_enable, but
 here is what I have in my rc.conf to get natd working:
 
 #router stuff
 natd_program=/sbin/natd
 natd_enable=YES
 natd_interface=rl0
 natd_flags=-dynamic -f /etc/natd.conf
 gateway_enable=YES
 
 So I use gateway_enable not router_enable.
 
 I don't know if this applies to your problem completely, but might be
 worth a shot.
 
 Well, I tried commenting it out and restarting. Everything seems to work 
 without it, but natd still didn't start.
 
 I can't remember exactly why I decided it should be in there (I also have 
 'gateway_enable=YES'), but it must have been something I read when I 
 first started using FreeBSD back eight or ten years ago. Well, I'll leave 
 it commented out for a while and see if other problems show up.

I've been doing a little hunting around to figure out
how /etc/rc.d/natd's called in the first place and it seems
this is done by the /etc/rc.d/ipfw script, which in turn is run
when firewall_enable is set
in /etc/rc.conf. /etc/rc.d/natd's not run directly
by /etc/rc due to its having the nostart KEYWORD.

Is IPFW definitely launched correctly on the system?

Otherwise, perhaps it's worthwhile chucking a debug echo or two
about the place (for instance, in /etc/rc.d/natd and /
or /etc/rc.d/ipfw) and rebooting. Something like this should do
the trick, I believe: "echo && echo && echo && echo
'/etc/rc.d/natd' && echo && echo && echo" (without the outer
quotes).

 -- 
 Roger
 
 
 ___
 freebsd-questions@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/freebsd-questions
 To unsubscribe, send any mail to [EMAIL PROTECTED]
-- 
Nick Withers
email: [EMAIL PROTECTED]
Web: http://www.nickwithers.com
Mobile: +61 414 397 446
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
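Nick's reading of the start path (natd is not started by /etc/rc directly, because /etc/rc.d/natd carries the nostart keyword; it is /etc/rc.d/ipfw that starts it, and that script only runs when firewall_enable is set) makes the prerequisites easy to check before rebooting. The script below is an added example, not from the thread and not FreeBSD's rc code: it reads the relevant rc.conf variables without sourcing the file, the way the rc scripts' checkyesno treats YES/TRUE/ON/1, and names whatever is missing. Both rc.conf samples are constructed; the second is deliberately missing firewall_enable.

```sh
#!/bin/sh
# Added example (not from the thread): a pre-reboot check that the rc.conf
# settings natd's start path depends on are actually in place.

# Constructed rc.conf with everything the ipfw/natd start path needs.
GOOD_RC='gateway_enable="YES"
firewall_enable="YES"
firewall_type="OPEN"
natd_enable="YES"
natd_interface="ed1"'

# Constructed rc.conf in the shape of Roger's but without firewall_enable,
# so /etc/rc.d/ipfw never runs and natd is never started.
BROKEN_RC='gateway_enable="YES"
natd_enable="YES"
natd_interface="ed1"
firewall_type="OPEN"'

# rc_value NAME TEXT: value of the last NAME= assignment in rc.conf-style
# text, quotes stripped, without sourcing it (the last assignment wins in sh).
rc_value() {
    printf '%s\n' "$2" \
        | sed -n "s/^[[:space:]]*$1=[\"']*\([^\"']*\)[\"']*.*/\1/p" \
        | tail -n 1
}

# natd_boot_missing TEXT: print the name of each setting the start path
# needs that is absent or not enabled; prints nothing when all is in place.
natd_boot_missing() {
    rc="$1"
    for var in firewall_enable natd_enable; do
        case "$(rc_value "$var" "$rc")" in
            [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) ;;   # what checkyesno accepts
            *) echo "$var" ;;
        esac
    done
    [ -n "$(rc_value natd_interface "$rc")" ] || echo "natd_interface"
}

for sample in GOOD_RC BROKEN_RC; do
    eval "text=\$$sample"
    missing=$(natd_boot_missing "$text")
    if [ -z "$missing" ]; then
        echo "$sample: natd will be started from /etc/rc.d/ipfw"
    else
        echo "$sample: not set or not enabled: $missing"
    fi
done
```

The same function run over the real file, `natd_boot_missing "$(cat /etc/rc.conf)"`, answers Nick's "is IPFW definitely launched" question without a reboot, and reading the values with sed rather than sourcing the file keeps a typo in rc.conf from executing anything in the shell doing the check.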


Re: natd not starting on boot-up

2006-06-07 Thread Nick Withers
On Wed, 07 Jun 2006 12:13:29 +0700
Roger Merritt [EMAIL PROTECTED] wrote:

 I'm thoroughly puzzled. Over the weekend I transferred my FreeBSD system to 
 a new hard drive. Through laziness I didn't follow the instructions and had 
 to make a completely new install. Everything now seems to be working the 
 way it should, Apache, MySQL, PHP, syslog, Samba -- except natd. Everything 
 starts on boot-up as it should -- except natd. I can start it manually from 
 the command line after booting up and logging in and it works fine, but I 
 can't tell what's going on that it's failing to start.
 
 My /etc/rc.conf contains the following:
 
 # This file now contains just the overrides from /etc/defaults/rc.conf.
 defaultrouter="203.151.134.1"
 gateway_enable="YES"
 hostname="poppy.international.stjohn.ac.th"
 ifconfig_ed0="inet 10.3.16.125 netmask 255.255.255.0"
 ifconfig_ed1="inet 203.151.134.104  netmask 255.255.255.0"
 router_enable="YES"
 firewall_enable="YES"
 firewall_type="OPEN"
 firewall_quiet="YES"
 natd_enable="YES"
 natd_interface="ed1"
 ipv6_enable="YES"
 linux_enable="YES"
 moused_enable="YES"
 moused_port="/dev/sysmouse"
 moused_type="auto"
 screen="daemon"
 nfs_client_enable="YES"
 sshd_enable="YES"

That looks alright to me...

 What can I do to get some indication of where the problem is?

Are there any error messages relating to IPFW / natd on boot?
What version of FreeBSD are you running? What's the command
you're running that _does_ launch natd successfully? What's the
output of ls -l /etc/rc.d/natd?

 -- 
 Roger
 
 
 ___
 freebsd-questions@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/freebsd-questions
 To unsubscribe, send any mail to [EMAIL PROTECTED]


-- 
Nick Withers
email: [EMAIL PROTECTED]
Web: http://www.nickwithers.com
Mobile: +61 414 397 446
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: natd not starting on boot-up

2006-06-07 Thread Björn König

Hello Roger,

what happens if you type

  /etc/rc.d/natd start

after boot-up?

Björn
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: natd not starting on boot-up

2006-06-07 Thread Roger Merritt

At 08:46 AM 6/7/2006 +0200, you wrote:

Hello Roger,

what happens if you type

  /etc/rc.d/natd start

after boot-up?


The script prints out the string  natd, leading space but no newline, and 
a process is started for natd.



--
Roger


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: natd not starting on boot-up

2006-06-07 Thread Roger Merritt

At 04:35 PM 6/7/2006 +1000, you wrote:

On Wed, 07 Jun 2006 12:13:29 +0700
Roger Merritt [EMAIL PROTECTED] wrote:

 I'm thoroughly puzzled. Over the weekend I transferred my FreeBSD system to
 a new hard drive. Through laziness I didn't follow the instructions and had
 to make a completely new install. Everything now seems to be working the
 way it should, Apache, MySQL, PHP, syslog, Samba -- except natd. Everything
 starts on boot-up as it should -- except natd. I can start it manually from
 the command line after booting up and logging in and it works fine, but I
 can't tell what's going on that it's failing to start.

 My /etc/rc.conf contains the following:

 # This file now contains just the overrides from /etc/defaults/rc.conf.
 defaultrouter=203.151.134.1
 gateway_enable=YES
 hostname=poppy.international.stjohn.ac.th
 ifconfig_ed0=inet 10.3.16.125 netmask 255.255.255.0
 ifconfig_ed1=inet 203.151.134.104  netmask 255.255.255.0
 router_enable=YES
 firewall_enable=YES
 firewall_type=OPEN
 firewall_quiet=YES
 natd_enable=YES
 natd_interface=ed1
 ipv6_enable=YES
 linux_enable=YES
 moused_enable=YES
 moused_port=/dev/sysmouse
 moused_type=auto
 screen=daemon
 nfs_client_enable=YES
 sshd_enable=YES

That looks alright to me...

 What can I do to get some indication of where the problem is?

Are there any error messages relating to IPFW / natd on boot?


No, or at least none I could see. That's why I've asked for help.


What version of FreeBSD are you running?


6.1-STABLE


What's the command
you're running that _does_ launch natd successfully?


/sbin/natd -n ed1. I hadn't thought about /etc/rc.d/natd start until 
someone suggested it, but that works too and reads the interface from 
/etc/rc.conf.



 What's the
output of ls -l /etc/rc.d/natd?


[poppy] ~# ls -l /etc/rc.d/natd
-r-xr-xr-x  1 root  wheel  978 May 31 09:52 /etc/rc.d/natd



--
Roger


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: natd not starting on boot-up

2006-06-07 Thread Nick Withers
On Wed, 07 Jun 2006 15:23:18 +0700
Roger Merritt [EMAIL PROTECTED] wrote:

 At 04:35 PM 6/7/2006 +1000, you wrote:
 On Wed, 07 Jun 2006 12:13:29 +0700
 Roger Merritt [EMAIL PROTECTED] wrote:
 
   I'm thoroughly puzzled. Over the weekend I transferred my FreeBSD system to
   a new hard drive. Through laziness I didn't follow the instructions and had
   to make a completely new install. Everything now seems to be working the
   way it should, Apache, MySQL, PHP, syslog, Samba -- except natd. Everything
   starts on boot-up as it should -- except natd. I can start it manually from
   the command line after booting up and logging in and it works fine, but I
   can't tell what's going on that it's failing to start.
  
   My /etc/rc.conf contains the following:
  
   # This file now contains just the overrides from /etc/defaults/rc.conf.
   defaultrouter=203.151.134.1
   gateway_enable=YES
   hostname=poppy.international.stjohn.ac.th
   ifconfig_ed0=inet 10.3.16.125 netmask 255.255.255.0
   ifconfig_ed1=inet 203.151.134.104  netmask 255.255.255.0
   router_enable=YES
   firewall_enable=YES
   firewall_type=OPEN
   firewall_quiet=YES
   natd_enable=YES
   natd_interface=ed1
   ipv6_enable=YES
   linux_enable=YES
   moused_enable=YES
   moused_port=/dev/sysmouse
   moused_type=auto
   screen=daemon
   nfs_client_enable=YES
   sshd_enable=YES
 
 That looks alright to me...
 
   What can I do to get some indication of where the problem is?
 
 Are there any error messages relating to IPFW / natd on boot?
 
 No, or at least none I could see. That's why I've asked for help.
 
 What version of FreeBSD are you running?
 
 6.1-STABLE

Perhaps there's something wrong in the branch at present...?
Doubtful, I guess.

 What's the command
 you're running that _does_ launch natd successfully?
 
 /sbin/natd -n ed1. I hadn't thought about /etc/rc.d/natd start until 
 someone suggested it, but that works too and reads the interface from 
 /etc/rc.conf.
 
   What's the
 output of ls -l /etc/rc.d/natd?
 
 [poppy] ~# ls -l /etc/rc.d/natd
 -r-xr-xr-x  1 root  wheel  978 May 31 09:52 /etc/rc.d/natd

Hmmm... Well that all seems OK, then.

The only other thing I can think of is that the
'router_enable=YES' line's creating dramas.

As I understand it, this'll cause /etc/rc.d/routed to attempt to
launch the routing daemon specified by a 'router=...' line,
which you don't appear to have. I don't think this'd interfere
with natd anyway, but I don't really understand what the hell's
going on in /etc/rc.d/routed.

Sorry I can't be more helpful!
-- 
Nick Withers
email: [EMAIL PROTECTED]
Web: http://www.nickwithers.com
Mobile: +61 414 397 446


Re: natd not starting on boot-up

2006-06-07 Thread Derrick Ryalls

On 6/7/06, Nick Withers [EMAIL PROTECTED] wrote:

On Wed, 07 Jun 2006 15:23:18 +0700
Roger Merritt [EMAIL PROTECTED] wrote:

 At 04:35 PM 6/7/2006 +1000, you wrote:
 On Wed, 07 Jun 2006 12:13:29 +0700
 Roger Merritt [EMAIL PROTECTED] wrote:
 
   I'm thoroughly puzzled. Over the weekend I transferred my FreeBSD
  system to
   a new hard drive. Through laziness I didn't follow the instructions and
  had
   to make a completely new install. Everything now seems to be working the
   way it should, Apache, MySQL, PHP, syslog, Samba -- except natd.
  Everything
   starts on boot-up as it should -- except natd. I can start it manually
  from
   the command line after booting up and logging in and it works fine, but I
   can't tell what's going on that it's failing to start.
  
   My /etc/rc.conf contains the following:
  
   # This file now contains just the overrides from /etc/defaults/rc.conf.
   defaultrouter=203.151.134.1
   gateway_enable=YES
   hostname=poppy.international.stjohn.ac.th
   ifconfig_ed0=inet 10.3.16.125 netmask 255.255.255.0
   ifconfig_ed1=inet 203.151.134.104  netmask 255.255.255.0
   router_enable=YES
   firewall_enable=YES
   firewall_type=OPEN
   firewall_quiet=YES
   natd_enable=YES
   natd_interface=ed1
   ipv6_enable=YES
   linux_enable=YES
   moused_enable=YES
   moused_port=/dev/sysmouse
   moused_type=auto
   screen=daemon
   nfs_client_enable=YES
   sshd_enable=YES
 
 That looks alright to me...
 
   What can I do to get some indication of where the problem is?
 
 Are there any error messages relating to IPFW / natd on boot?

 No, or at least none I could see. That's why I've asked for help.

 What version of FreeBSD are you running?

 6.1-STABLE

Perhaps there's something wrong in the branch at present...?
Doubtful, I guess.

 What's the command
 you're running that _does_ launch natd successfully?

 /sbin/natd -n ed1. I hadn't thought about /etc/rc.d/natd start until
 someone suggested it, but that works too and reads the interface from
 /etc/rc.conf.

   What's the
 output of ls -l /etc/rc.d/natd?

 [poppy] ~# ls -l /etc/rc.d/natd
 -r-xr-xr-x  1 root  wheel  978 May 31 09:52 /etc/rc.d/natd

Hmmm... Well that all seems OK, then.

The only other thing I can think of is that the
'router_enable=YES' line's creating dramas.

As I understand it, this'll cause /etc/rc.d/routed to attempt to
launch the routing daemon specified by a 'router=...' line,
which you don't appear to have. I don't think this'd interfere
with natd anyway, but I don't really understand what the hell's
going on in /etc/rc.d/routed.

Sorry I can't be more helpful!
--


I don't run route(daemon) so I don't know about router_enable, but
here is what I have in my rc.conf to get natd working:

#router stuff
natd_program=/sbin/natd
natd_enable=YES
natd_interface=rl0
natd_flags=-dynamic -f /etc/natd.conf
gateway_enable=YES

So I use gateway_enable not router_enable.

I don't know if this applies to your problem completely, but might be
worth a shot.


Re: natd not starting on boot-up

2006-06-07 Thread Panagiotis

Roger Merritt wrote:

I'm thoroughly puzzled. Over the weekend I transferred my FreeBSD 
system to a new hard drive. Through laziness I didn't follow the 
instructions and had to make a completely new install. Everything now 
seems to be working the way it should, Apache, MySQL, PHP, syslog, 
Samba -- except natd. Everything starts on boot-up as it should -- 
except natd. I can start it manually from the command line after 
booting up and logging in and it works fine, but I can't tell what's 
going on that it's failing to start.


My /etc/rc.conf contains the following:

# This file now contains just the overrides from /etc/defaults/rc.conf.
defaultrouter=203.151.134.1
gateway_enable=YES
hostname=poppy.international.stjohn.ac.th
ifconfig_ed0=inet 10.3.16.125 netmask 255.255.255.0
ifconfig_ed1=inet 203.151.134.104  netmask 255.255.255.0
router_enable=YES
firewall_enable=YES
firewall_type=OPEN
firewall_quiet=YES
natd_enable=YES
natd_interface=ed1
ipv6_enable=YES
linux_enable=YES
moused_enable=YES
moused_port=/dev/sysmouse
moused_type=auto
screen=daemon
nfs_client_enable=YES
sshd_enable=YES

What can I do to get some indication of where the problem is?




Try to comment the line natd_enable=YES and then add
a new line at the end of rc.conf:

/etc/rc.d/natd start

if this doesn't work, try to put 


natd_flags=

in your rc.conf and please check your ipfw rule for nat
it should be something like this:

(with natd_flags=)
ipfw -q add divert natd all from any to any via your_public_interface


Good luck!!






Re: natd not starting on boot-up

2006-06-07 Thread Roger Merritt

At 02:12 AM 6/7/2006 -0700, you wrote:

On 6/7/06, Nick Withers [EMAIL PROTECTED] wrote:

On Wed, 07 Jun 2006 15:23:18 +0700
Roger Merritt [EMAIL PROTECTED] wrote:

 At 04:35 PM 6/7/2006 +1000, you wrote:
 On Wed, 07 Jun 2006 12:13:29 +0700
 Roger Merritt [EMAIL PROTECTED] wrote:
 
   I'm thoroughly puzzled. Over the weekend I transferred my FreeBSD
  system to
   a new hard drive. Through laziness I didn't follow the 
instructions and

  had
   to make a completely new install. Everything now seems to be 
working the

   way it should, Apache, MySQL, PHP, syslog, Samba -- except natd.
  Everything
   starts on boot-up as it should -- except natd. I can start it manually
  from
   the command line after booting up and logging in and it works 
fine, but I

   can't tell what's going on that it's failing to start.
  
   My /etc/rc.conf contains the following:
  
   # This file now contains just the overrides from 
/etc/defaults/rc.conf.

   defaultrouter=203.151.134.1
   gateway_enable=YES
   hostname=poppy.international.stjohn.ac.th
   ifconfig_ed0=inet 10.3.16.125 netmask 255.255.255.0
   ifconfig_ed1=inet 203.151.134.104  netmask 255.255.255.0
   router_enable=YES
   firewall_enable=YES
   firewall_type=OPEN
   firewall_quiet=YES
   natd_enable=YES
   natd_interface=ed1
   ipv6_enable=YES
   linux_enable=YES
   moused_enable=YES
   moused_port=/dev/sysmouse
   moused_type=auto
   screen=daemon
   nfs_client_enable=YES
   sshd_enable=YES
 
 That looks alright to me...
 
   What can I do to get some indication of where the problem is?
 
 Are there any error messages relating to IPFW / natd on boot?

 No, or at least none I could see. That's why I've asked for help.

 What version of FreeBSD are you running?

 6.1-STABLE

Perhaps there's something wrong in the branch at present...?
Doubtful, I guess.

 What's the command
 you're running that _does_ launch natd successfully?

 /sbin/natd -n ed1. I hadn't thought about /etc/rc.d/natd start until
 someone suggested it, but that works too and reads the interface from
 /etc/rc.conf.

   What's the
 output of ls -l /etc/rc.d/natd?

 [poppy] ~# ls -l /etc/rc.d/natd
 -r-xr-xr-x  1 root  wheel  978 May 31 09:52 /etc/rc.d/natd

Hmmm... Well that all seems OK, then.

The only other thing I can think of is that the
'router_enable=YES' line's creating dramas.

As I understand it, this'll cause /etc/rc.d/routed to attempt to
launch the routing daemon specified by a 'router=...' line,
which you don't appear to have. I don't think this'd interfere
with natd anyway, but I don't really understand what the hell's
going on in /etc/rc.d/routed.

Sorry I can't be more helpful!
--


I don't run route(daemon) so I don't know about router_enable, but
here is what I have in my rc.conf to get natd working:

#router stuff
natd_program=/sbin/natd
natd_enable=YES
natd_interface=rl0
natd_flags=-dynamic -f /etc/natd.conf
gateway_enable=YES

So I use gateway_enable not router_enable.

I don't know if this applies to your problem completely, but might be
worth a shot.


Well, I tried commenting it out and restarting. Everything seems to work 
without it, but natd still didn't start.


I can't remember exactly why I decided it should be in there (I also have 
'gateway_enable=YES'), but it must have been something I read when I 
first started using FreeBSD back eight or ten years ago. Well, I'll leave 
it commented out for a while and see if other problems show up.



--
Roger




Re[2]: natd not starting on boot-up

2006-06-07 Thread voodoo
put this script into /usr/local/etc/rc.d/

# cat /usr/local/etc/rc.d/natd.sh
#!/bin/sh
# start natd on the public interface (rl1 on this box)
/sbin/natd -n rl1


 Roger Merritt wrote:

 I'm thoroughly puzzled. Over the weekend I transferred my FreeBSD 
 system to a new hard drive. Through laziness I didn't follow the 
 instructions and had to make a completely new install. Everything now
 seems to be working the way it should, Apache, MySQL, PHP, syslog, 
 Samba -- except natd. Everything starts on boot-up as it should -- 
 except natd. I can start it manually from the command line after 
 booting up and logging in and it works fine, but I can't tell what's
 going on that it's failing to start.

 My /etc/rc.conf contains the following:

 # This file now contains just the overrides from /etc/defaults/rc.conf.
 defaultrouter=203.151.134.1
 gateway_enable=YES
 hostname=poppy.international.stjohn.ac.th
 ifconfig_ed0=inet 10.3.16.125 netmask 255.255.255.0
 ifconfig_ed1=inet 203.151.134.104  netmask 255.255.255.0
 router_enable=YES
 firewall_enable=YES
 firewall_type=OPEN
 firewall_quiet=YES
 natd_enable=YES
 natd_interface=ed1
 ipv6_enable=YES
 linux_enable=YES
 moused_enable=YES
 moused_port=/dev/sysmouse
 moused_type=auto
 screen=daemon
 nfs_client_enable=YES
 sshd_enable=YES

 What can I do to get some indication of where the problem is?



 Try to comment the line natd_enable=YES and then add
 a new line at the end of rc.conf:

 /etc/rc.d/natd start

 if this doesn't work, try to put 

 natd_flags=

 in your rc.conf and please check your ipfw rule for nat
 it should be something like this:

 (with natd_flags=)
 ipfw -q add divert natd all from any to any via your_public_interface


 Good luck!!







-- 
Skoryk Peter
80672343019
System Administrator at Yukon Mobile
icq:291130
VOO-UANIC
mailto:[EMAIL PROTECTED]



Re: natd not starting on boot-up

2006-06-07 Thread Roger Merritt

At 01:34 PM 6/7/2006 +0300, you wrote:

Try to comment the line natd_enable=YES and then add
a new line at the end of rc.conf:

/etc/rc.d/natd start


Well, that looks like it would work. I'll keep it in mind as a last resort.



if this doesn't work, try to put
natd_flags=


I'll give it a try. Of course, that's already the entry in 
/etc/defaults/rc.conf.




in your rc.conf and please check your ipfw rule for nat
it should be something like this:

(with natd_flags=)
ipfw -q add divert natd all from any to any via your_public_interface


Got it. I already checked 'ipfw show' and that's the very first rule.




Good luck!!


--
Roger




natd not starting on boot-up

2006-06-06 Thread Roger Merritt
I'm thoroughly puzzled. Over the weekend I transferred my FreeBSD system to 
a new hard drive. Through laziness I didn't follow the instructions and had 
to make a completely new install. Everything now seems to be working the 
way it should, Apache, MySQL, PHP, syslog, Samba -- except natd. Everything 
starts on boot-up as it should -- except natd. I can start it manually from 
the command line after booting up and logging in and it works fine, but I 
can't tell what's going on that it's failing to start.


My /etc/rc.conf contains the following:

# This file now contains just the overrides from /etc/defaults/rc.conf.
defaultrouter=203.151.134.1
gateway_enable=YES
hostname=poppy.international.stjohn.ac.th
ifconfig_ed0=inet 10.3.16.125 netmask 255.255.255.0
ifconfig_ed1=inet 203.151.134.104  netmask 255.255.255.0
router_enable=YES
firewall_enable=YES
firewall_type=OPEN
firewall_quiet=YES
natd_enable=YES
natd_interface=ed1
ipv6_enable=YES
linux_enable=YES
moused_enable=YES
moused_port=/dev/sysmouse
moused_type=auto
screen=daemon
nfs_client_enable=YES
sshd_enable=YES

What can I do to get some indication of where the problem is?

--
Roger


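
The thread never finds out why natd stayed down on this box, but the replies circle the same handful of rc.conf knobs. The script below is an added example (editor's code, not something posted in the thread) that checks those knobs before anyone starts suspecting the rc.d script: gateway_enable, firewall_enable and natd_enable must be YES, natd_interface must name an interface that has an ifconfig_ line, a natd_flags "-f file" must point at a readable file, and firewall_type must be one of the predefined types for which /etc/rc.firewall emits the "divert natd" rule itself (open, client, simple); a custom rule file has to carry that rule on its own. It is POSIX sh and reads the file given on the command line (the live checks at the end only run where ipfw exists).

```sh
#!/bin/sh
# Added example, not from the thread: check the rc.conf knobs a natd/ipfw
# gateway depends on before suspecting /etc/rc.d/natd.  POSIX sh only.
# Usage: sh check_natd_rc.sh /etc/rc.conf ; exit status = number of problems.
# Assumption (from /etc/rc.firewall): the divert natd rule is generated only
# for the predefined types open, client and simple.

rcval() {
    # rcval FILE VAR: value of the last VAR= line in FILE, without the
    # surrounding quotes or a trailing comment (empty if VAR is unset).
    sed -n "s/^[[:space:]]*$2=//p" "$1" 2>/dev/null | tail -n 1 \
        | sed -e 's/[[:space:]]*#.*$//' -e 's/^["'\'']//' -e 's/["'\'']$//'
}

is_yes() {
    case "$1" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        *) return 1 ;;
    esac
}

check_natd_rcconf() {
    f="${1:-/etc/rc.conf}"
    problems=0

    # The three switches every working configuration in the thread has set.
    for var in gateway_enable firewall_enable natd_enable; do
        if ! is_yes "$(rcval "$f" "$var")"; then
            echo "$var is not YES"
            problems=$((problems + 1))
        fi
    done

    # natd needs a public interface, and that interface must be configured.
    natd_if=$(rcval "$f" natd_interface)
    if [ -z "$natd_if" ]; then
        echo "natd_interface is unset"
        problems=$((problems + 1))
    elif [ -z "$(rcval "$f" "ifconfig_$natd_if")" ]; then
        echo "natd_interface=$natd_if but there is no ifconfig_$natd_if line"
        problems=$((problems + 1))
    fi

    # A config file named in natd_flags must exist, or natd exits at boot.
    cfg=$(rcval "$f" natd_flags | sed -n 's/.*-f[[:space:]]*\([^[:space:]]*\).*/\1/p')
    if [ -n "$cfg" ] && [ ! -r "$cfg" ]; then
        echo "natd_flags references $cfg, which is missing or unreadable"
        problems=$((problems + 1))
    fi

    # Only the predefined rulesets get the divert rule from rc.firewall.
    fwtype=$(rcval "$f" firewall_type)
    case "$fwtype" in
        [Oo][Pp][Ee][Nn]|[Cc][Ll][Ii][Ee][Nn][Tt]|[Ss][Ii][Mm][Pp][Ll][Ee]) ;;
        /*) echo "note: firewall_type=$fwtype is a rule file; it must contain the divert natd rule itself" ;;
        *)  echo "firewall_type='$fwtype': rc.firewall adds no divert rule for this type"
            problems=$((problems + 1)) ;;
    esac

    return $problems
}

# Live state, only meaningful on the gateway itself (skipped where ipfw is absent).
show_live_state() {
    command -v ipfw >/dev/null 2>&1 || return 0
    echo "--- divert rule(s) in the active ruleset:"
    ipfw list 2>/dev/null | grep divert || echo "(none: natd would never see a packet)"
    echo "--- natd process:"
    pgrep -lf natd 2>/dev/null || echo "(not running)"
}

if [ $# -gt 0 ]; then
    check_natd_rcconf "$1"
    show_live_state
fi
```

Run it as root with the path to the rc.conf in question; a clean result means the usual misconfigurations are ruled out and the problem lies elsewhere (boot order, a failing interface, a natd error hidden by firewall_quiet), which is as far as a static check can go.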


IPSec, ipfw, and natd

2006-06-02 Thread Devin Heckman
Hi,

I recently tried to set up a computer to act as a NAT using FreeBSD 6.1. ipfw
functions as it should, as well as IPSec, but I've run into some problems when
setting up the NAT. I have two computers behind it, both of which do not need to
speak IPSec (and aren't configured to do so). The NAT computer should speak
IPSec with one other computer, from which it mounts home directories via NFS.

When I enable natd, ipfw, and IPSec, the connection to the computer with which I
speak IPSec breaks, but the NAT functions properly (can ping everything except
the IPSec-speaking NFS server).

My ipfw rules look like this:

$cmd 0001 allow udp from any to any isakmp
$cmd 0002 allow esp from $ipsec_servers to me
$cmd 0003 allow ah from $ipsec_servers to me
$cmd 0004 divert natd all from any to any via sis0

...

$cmd 0015 allow icmp from any to any
$cmd 9900 allow all from me to any
$cmd 9910 allow all from any to any established
$cmd  deny log all from any to me

And natd.conf, which is called when natd is started in the rc scripts, looks
like this:

port 8668
interface sis0
log yes

Does anyone have any experience with problems such as this?

Feel free to ask for anything else that may clarify the problem.

Thanks,

-- 
Devin Heckman


Re: I have some questions about natd and firewall....^_^|||

2006-05-31 Thread Lowell Gilbert


董佑龍 [EMAIL PROTECTED] writes:

 Hello:
 My English is not good. I am sorry about this first.   ~_~

You made yourself clear.  Better than good enough.

 My system:  FreeBSD + IPFW + NAT

 Question 1:  about NAT (in FreeBSD)
 I built a natd.conf and its contents are below:
 redirect_address 192.168.0.1 140.115.10.22

 I have 2 computers in the LAN: 192.168.0.200 and 
 192.168.0.201.
 The redirect rule (above) will affect any connection whose 
 destination is 140.115.10.22.
 But, I don't want this rule to redirect the packets sent 
 from 192.168.0.200.(ie. This rule will affect all nodes inside the LAN but 
 192.168.0.200) Can I make it?

Yes.  What you do is make sure that packets from that address don't
get sent to the divert socket in your ipfw ruleset.  For example, you
could use a skipto rule before the divert rule.

 Question 2: about Firewall (in FreeBSD)
 Is there any argument in IPFW, just like the function of the 
 redirect_address in NAT, that can be used? If there is, I think it may solve 
 the above problem.

Not exactly.  You can use a fwd rule, but the destination IP address
won't be changed.  The machine you forward to won't accept the packets
because its address isn't 140.115.10.22.

-- 
Lowell Gilbert, embedded/networking software engineer, Boston area
http://be-well.ilk.org/~lowell/
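
Lowell's suggestion, a skipto in front of the divert rule, as an added example (editor's code, not from the thread). The addresses 192.168.0.200 and 140.115.10.22 are the ones in the question; the public interface name and the rule numbers are assumptions. By default the script only echoes the ipfw commands so the ordering can be inspected; set FWCMD=/sbin/ipfw to load them. The second function checks the one thing that makes or breaks this trick: the skipto has to be numbered below the divert rule and jump past it, otherwise natd has already rewritten the packet before the bypass is evaluated.

```sh
#!/bin/sh
# Added example, not from the thread: keep one inside host's traffic to the
# redirected public address away from natd by placing a skipto in front of
# the divert rule.  Dry run by default (commands are echoed); run with
# FWCMD=/sbin/ipfw to load the rules for real.
# 192.168.0.200 and 140.115.10.22 are from the thread; the interface name
# and the rule numbers are assumptions.

fwcmd="${FWCMD:-echo ipfw}"
ext_if="${EXT_IF:-fxp0}"          # assumed public interface
exempt_host="192.168.0.200"       # must not be redirected
redirect_pub="140.115.10.22"      # public side of the redirect_address mapping

divert_bypass_rules() {
    # 100: packets from the exempt host to the public address jump straight
    #      to 300, never reach the divert socket, and natd never rewrites them.
    $fwcmd add 100 skipto 300 ip from $exempt_host to $redirect_pub
    # 200: ordinary NAT for everything else crossing the public interface
    #      (replies come back through the same rule and are de-translated).
    $fwcmd add 200 divert natd ip from any to any via $ext_if
    # 300: the rest of the policy starts here (placeholder rule).
    $fwcmd add 300 allow ip from any to any
}

# A skipto only bypasses natd if it is numbered below the divert rule and
# its target lies beyond it; verify a (dry-run) rule listing for exactly that.
bypass_is_ordered() {
    echo "$1" | awk '
        { for (i = 1; i <= NF; i++) {
              if ($i == "add")    n = $(i+1) + 0
              if ($i == "skipto") { skip = n; target = $(i+1) + 0 }
              if ($i == "divert") div = n
          } }
        END { exit !(skip && div && skip < div && div < target) }'
}

divert_bypass_rules
```

The match in rule 100 is deliberately narrow (one source host, one destination); an unqualified "skipto ... from 192.168.0.200 to any" would keep that host's Internet traffic out of NAT altogether and it would leave with an unroutable private source address.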


I have some questions about natd and firewall....^_^|||

2006-05-30 Thread 董佑龍
Hello:
My English is not good. I am sorry about this first.   ~_~

My system:  FreeBSD + IPFW + NAT

Question 1:  about NAT (in FreeBSD)
I built a natd.conf and its contents are below:
redirect_address 192.168.0.1 140.115.10.22

I have 2 computers in the LAN: 192.168.0.200 and 
192.168.0.201.
The redirect rule (above) will affect any connection whose 
destination is 140.115.10.22.
But, I don't want this rule to redirect the packets sent 
from 192.168.0.200.(ie. This rule will affect all nodes inside the LAN but 
192.168.0.200) Can I make it?

Question 2: about Firewall (in FreeBSD)
Is there any argument in IPFW, just like the function of the 
redirect_address in NAT, that can be used? If there is, I think it may solve 
the above problem.


I hope I can get your reply.  Deeply appreciate  ^_^

~felix 


Re: Traffic shaping with ipfw/DUMMYNET when using natd

2006-05-25 Thread Alex de Kruijff
On Wed, May 24, 2006 at 08:32:53AM -0600, G-der wrote:
 I've been setting up ipfw and DUMMYNET to do some traffic shaping on my
 network.  Right now to test things out I've basically put everything into two
 categories.  There's traffic from 10.0.10.10 which is lower priority (this
 is a download machine) and then there's everything else.
 
 The biggest problem I've run into is that because natd gets the packets first
 thing the only way to catch outgoing traffic is on the internal network
 interface.  That is if you want to limit based on which internal machine is
 generating the traffic like in my case.  After the divert rule for natd the
 src-ip field gets changed to my external ip address.  This has a side effect
 of limiting all the traffic on that internal interface, even stuff that is
 not bound for the internet.
 
 I've tried playing around a little bit with the bridged, diverted, and
 diverted-output commands but can't get any of them to catch the packets.
 
 Is there  a way to limit outgoing traffic based on which machine owns the
 traffic internally that doesn't have to be done on the internal interface?
 Would it be better practice to scan outgoing traffic before the divert rules
 for natd?

I do it on the internal NIC. I just have the internal traffic skip those
rules. You could do it on the external NIC, but this is more complex.
You should remember that the divert rule changes the IP address. Scanning
outgoing traffic before the divert rule and incoming after it should
work too.

-- 
Alex

Please copy the original recipients, otherwise I may not read your reply.

Howtos based on my personal use, including information about 
setting up a firewall and creating traffic graphs with MRTG
http://alex.kruijff.org/FreeBSD/



Traffic shaping with ipfw/DUMMYNET when using natd

2006-05-24 Thread G-der

I've been setting up ipfw and DUMMYNET to do some traffic shaping on my
network.  Right now to test things out I've basically put everything into two
categories.  There's traffic from 10.0.10.10 which is lower priority (this
is a download machine) and then there's everything else.

The biggest problem I've run into is that because natd gets the packets first
thing the only way to catch outgoing traffic is on the internal network
interface.  That is if you want to limit based on which internal machine is
generating the traffic like in my case.  After the divert rule for natd the
src-ip field gets changed to my external ip address.  This has a side effect
of limiting all the traffic on that internal interface, even stuff that is
not bound for the internet.

I've tried playing around a little bit with the bridged, diverted, and
diverted-output commands but can't get any of them to catch the packets.

Is there  a way to limit outgoing traffic based on which machine owns the
traffic internally that doesn't have to be done on the internal interface?
Would it be better practice to scan outgoing traffic before the divert rules
for natd?

   extif=rl0
   intif=rl1

   #INCOMING TRAFFIC
   #Tested max incoming at 5914Kbit/s

   ${fwcmd} pipe 1 config bw 5800Kbit/s
   ${fwcmd} queue 1 config pipe 1 weight 2 #for torrent traffic
   ${fwcmd} queue 5 config pipe 1 weight 10   # for everything else

   ${fwcmd} add 1000 queue 1 ip from any to 10.0.10.10 in via ${extif}
   ${fwcmd} add 5000 queue 5 ip from any to any in via ${extif}


   #OUTGOING TRAFFIC
   #Tested max outgoing at 390Kbit/s

   ${fwcmd} pipe 2 config bw 360Kbit/s
   ${fwcmd} queue 6 config pipe 2 weight 2
   ${fwcmd} queue 10 config pipe 2 weight 10
   ${fwcmd} add 6000 queue 6 ip from 10.0.10.10 to any in via ${intif}
   ${fwcmd} add 8000 queue 10 ip from any to any in via ${intif}

Here's the rules, I appreciate the assistance.  Please cc me on reply, I'm
not a regular subscriber.

Thank you

Gene Dinkey
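
Gene's ruleset with Alex's change applied, as an added example (editor's code, not posted in the thread). Outbound traffic is classified on the inside interface, where the LAN source address is still intact, and traffic that is not going to the Internet (here: traffic for the gateway itself) jumps over the shaping rules with a skipto placed in front of them. Interface names, bandwidths and the 10.0.10.10 download box are from the thread; the LAN prefix and the rule numbers 5900 and 9000 are assumptions. The script echoes the commands by default (FWCMD=/sbin/ipfw loads them), and the second function rejects two layouts the thread shows to be wrong: queue rules without an exemption in front of them, and a queue rule that classifies outbound traffic on the outside interface, where natd has already replaced the source address.

```sh
#!/bin/sh
# Added example, not from the thread: dummynet shaping beside natd.
# Outbound traffic is classified on the inside interface (LAN source still
# visible) and traffic that stays local skips the shaping rules.
# Dry run by default; run with FWCMD=/sbin/ipfw to apply.
# Interfaces, bandwidths and 10.0.10.10 are from the thread; the LAN prefix
# and rule numbers 5900/9000 are assumptions.

fwcmd="${FWCMD:-echo ipfw}"
extif="${EXTIF:-rl0}"
intif="${INTIF:-rl1}"
lan_net="${LAN_NET:-10.0.10.0/24}"   # assumed inside prefix
slow_host="10.0.10.10"               # the download box from the thread

shaping_rules() {
    # Pipes and queues exactly as in the thread: 5800 Kbit/s down, 360 up,
    # the download box weighted 2 against 10 for everyone else.
    $fwcmd pipe 1 config bw 5800Kbit/s
    $fwcmd queue 1 config pipe 1 weight 2
    $fwcmd queue 5 config pipe 1 weight 10
    $fwcmd pipe 2 config bw 360Kbit/s
    $fwcmd queue 6 config pipe 2 weight 2
    $fwcmd queue 10 config pipe 2 weight 10

    # Inbound: by the time these rules run, the divert rule (50 in
    # rc.firewall) has restored the real LAN destination, so matching on
    # it works on the outside interface.
    $fwcmd add 1000 queue 1 ip from any to $slow_host in via $extif
    $fwcmd add 5000 queue 5 ip from any to any in via $extif

    # Outbound: classify on the inside interface.  Traffic for the gateway
    # itself is not Internet traffic and jumps over the shaping rules; add
    # one more skipto per additional inside subnet if there are several.
    $fwcmd add 5900 skipto 9000 ip from $lan_net to me in via $intif
    $fwcmd add 6000 queue 6 ip from $slow_host to any in via $intif
    $fwcmd add 8000 queue 10 ip from any to any in via $intif
    $fwcmd add 9000 allow ip from any to any   # placeholder for the rest of the policy
}

# Layout check on a (dry-run) rule listing: no queue rule may classify
# outbound traffic on the outside interface (natd already rewrote the source
# there), every skipto exemption must be numbered below the first inside
# queue rule, and its target must lie past the last one.
shaping_layout_ok() {
    echo "$1" | awk -v ext="$2" -v inside="$3" '
        { n = 0
          for (i = 1; i <= NF; i++) {
              if ($i == "add")    n = $(i+1) + 0
              if ($i == "skipto") { tgt = $(i+1) + 0; if (n > skipmax) skipmax = n }
          }
          if (n && $0 ~ / queue / && $0 ~ ("in via " inside)) {
              if (!qmin || n < qmin) qmin = n
              if (n > qmax) qmax = n
          }
          if (n && $0 ~ / queue / && $0 ~ ("out via " ext)) bad = 1
        }
        END { exit (bad || !qmin || skipmax >= qmin || tgt <= qmax) }'
}

shaping_rules
```

Alex's other option, classifying outbound traffic on the outside interface with rule numbers below the divert rule, also works because ipfw sees the untranslated source there; the layout above is simply the one that does not depend on where rc.firewall placed the divert.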


SYSTEM HANG - NATD running FINE

2006-04-19 Thread Ben and Jen
My system has recently locked up after 65 days uptime, running only natd for 
my local network.  Natd still works fine and routes information properly - but 
I am no longer able to telnet or login to my machine even from a local 
console(alt f1-fx).  After I enter my root or user name at the login - it just 
hangs there.  When I telnet in, it does not even prompt me with a login.  

Anybody ever had this problem before?  Any suggestions on how to recover my 
system without rebooting? 

Any help appreciated.

Thanks, 
Ben


Re: SYSTEM HANG - NATD running FINE

2006-04-19 Thread Andy Reitz
On Wed, 19 Apr 2006, Ben and Jen wrote:

 My system has recently locked up after 65 days uptime, running only
 natd for my local network.  Natd still works fine and routes information
 properly - but I am no longer able to telnet or login to my machine even
 from a local console(alt f1-fx).  After I enter my root or user name at
 the login - it just hangs there.  When I telnet in, it does not even
 prompt me with a login.

 Anybody ever had this problem before?  Any suggestions on how to recover
 my system without rebooting?

Hi Ben,

Since you are unable to get a shell, it is unlikely that you will be able
to recover without rebooting.

However, you can try dropping into the online Kernel debugger, to try and
get more information about what is going on:

http://www.freebsd.org/doc/en/books/developers-handbook/kerneldebug-online-ddb.html

I think from there you can force a panic, which could provide you with
some post-mortem information to go over:

http://www.onlamp.com/pub/a/bsd/2002/03/21/Big_Scary_Daemons.html

Good luck,
-Andy.



Re: Natd with Multiple DSL Connections

2006-03-15 Thread Iantcho Vassilev
On 3/12/06, Nagilum [EMAIL PROTECTED] wrote:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: RIPEMD160

 How about interface bonding/aggregation ? Check ng_fec(4) for details.
 Hope this helps,
 Nagilum.




I checked the man page but really didn't understand - will it forward the
traffic simultaneously through two interfaces? Based on IP?

The man page is so brief in explaining ...

Can you give suggestions?


Re: Natd with Multiple DSL Connections

2006-03-15 Thread Chuck Swiger
Iantcho Vassilev wrote:
 On 3/12/06, Nagilum [EMAIL PROTECTED] wrote:
[ ... ]
 I checked the man page but really didn't understand - will it forward the
 traffic simultaneously through two interfaces? Based on IP?

No, you would use IPFW to forward different IP ranges through one interface or
the other to obtain crude load balancing.  Getting two connections from the same
ISP would possibly let you do multilink aggregation.

You could also look into CARP.

 The man page is so shortly explaing ...
 
 Can you give suggestions?

The other choice is to obtain a routable subnet from ARIN or your local IP
registrar and set up BGP multihoming, but it's unlikely that your DSL provider
is willing to do so.

-- 
-Chuck


Re: Natd with Multiple DSL Connections

2006-03-12 Thread Nagilum
-BEGIN PGP SIGNED MESSAGE-
Hash: RIPEMD160

How about interface bonding/aggregation ? Check ng_fec(4) for details.
Hope this helps,
Nagilum.

Ramiz Sardar wrote:

 Dears, I am using a FreeBSD machine in the office as a gateway and using
 ipfw+natd for internet sharing. I have two DSL connections but I am
 using just one at a time. Whenever the first DSL connection creates any
 problem, I have to switch to the second connection manually. Tell
 me any solution so that I can use both DSLs at a time and, whenever one
 goes down, all traffic begins using the other connection.

 Thanks

 Rameez



-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFEFF80AKWN2UY+sLwRA+cXAJ97OVRFYp6FV9qKm9ciQXchUjcwYgCgsbUz
Jml4LdBMitwj8sKJH+x16pk=
=o1Aq
-END PGP SIGNATURE-



Natd with Multiple DSL Connections

2006-03-06 Thread Ramiz Sardar
Dears,
  I am using a FreeBSD machine in the office as a gateway and using 
ipfw+natd for internet sharing. I have two DSL connections but I am using just one 
at a time. Whenever the first DSL connection creates any problem, I have to 
switch to the second connection manually.
   Tell me any solution so that I can use both DSLs at a time and, whenever one 
goes down, all traffic begins using the other connection.
   
  Thanks
   
  Rameez


-
 Yahoo! Mail
 Use Photomail to share photos without annoying attachments.


Re: natd with several alias IPs

2006-02-16 Thread Andrew Pantyukhin
On 2/16/06, Chuck Swiger [EMAIL PROTECTED] wrote:
 Andrew Pantyukhin wrote:
  I wonder, what tricks do you use to use more than
  one alias IP? I mean, if you have hundreds of
  hosts behind your firewall, what can you do to alias
  some of them to one ip, others to another and so on.

 See man natd about the following options for 1-to-1 NAT translation, which 
 can
 be put into /etc/natd.conf and processed automagicly when the machine boots:

  -redirect_address localIP publicIP

That's one trick. Do you use it in production? How many
hosts do you have mapped this way? How do you get
incoming traffic translated to the address it is meant
for, not the last address?
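
Chuck's answer (quoted above) points at redirect_address, natd's static 1:1 mapping. Such a mapping is two-way: outbound packets from the inside host get the public address as source, and inbound packets for the public address are rewritten to the inside host, which answers Andrew's question about return traffic. The part that is easy to forget is that the gateway only receives packets for a public address it actually owns, so each mapped public address also needs an alias on the outside interface. The script below is an added example (editor's code, not from the thread) that derives both pieces from a single table of "inside public" pairs and refuses a public address listed twice, since two inside hosts cannot share one static mapping. Interface name and all addresses in it are constructed.

```sh
#!/bin/sh
# Added example, not from the thread: turn one table of "inside public"
# address pairs into what a static (1:1) NAT mapping needs on a natd gateway:
# an alias on the outside interface for every public address (so the box
# accepts packets for it) and the matching redirect_address line for
# /etc/natd.conf.  A public address listed twice is rejected.
# Interface name and all addresses here are constructed, not from the thread.

ext_if="${EXT_IF:-ed0}"

mappings='
192.168.0.10 203.0.113.10
192.168.0.11 203.0.113.11
192.168.0.12 203.0.113.12
'

static_nat_plan() {
    # stdin:  "inside public" pairs, one per line (blank lines ignored)
    # stdout: ifconfig alias commands, then the natd.conf lines
    # exit 1 (after printing an error line) if a public address is mapped twice
    awk -v ifc="$1" '
        NF == 2 {
            if ($2 in seen) { print "error: public address " $2 " mapped twice"; bad = 1; exit 1 }
            seen[$2] = $1
            alias[++n] = "ifconfig " ifc " alias " $2 " netmask 255.255.255.255"
            redir[n]   = "redirect_address " $1 " " $2
        }
        END {
            if (bad) exit 1
            for (i = 1; i <= n; i++) print alias[i]
            print "# --- /etc/natd.conf (start natd with -f /etc/natd.conf) ---"
            for (i = 1; i <= n; i++) print redir[i]
        }'
}

printf '%s\n' "$mappings" | static_nat_plan "$ext_if"
```

The alias commands belong in rc.conf as ifconfig_ed0_alias0, ifconfig_ed0_alias1 and so on, so they survive a reboot, and natd must still be fed by the usual single "divert natd ... via ed0" rule; the redirect_address lines only change what natd does with the packets it is handed.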


Re: natd with several alias IPs

2006-02-16 Thread Iantcho Vassilev
That's how I do it with PF!!!
FreeBSD



nat on ed0 proto {tcp udp icmp} from 10.10.xx.xx to any -> 172.16.xx.xx
# Rule  2 (NAT)
#
#
nat on ed0 proto {tcp udp icmp} from 10.10.xx.xx to any -> 172.16.xx.xx
#
# Rule  3 (NAT)
#
#
nat on ed0 proto {tcp udp icmp} from 10.10.xx.xx to any -> 172.16.xx.xx

#
# Rule  4 (NAT)
#
#
nat on ed0 proto {tcp udp icmp} from 10.10.xx.xx to any -> 172.16.xx.xx





--
Where ed0 is the interface with the alias..


As for performance I can say that it's scaling very well. Because of the nature
of PF and the options you can set (to be more aggressive or not) I don't
have problems with overheat.


On 2/16/06, Andrew Pantyukhin [EMAIL PROTECTED] wrote:

 On 2/16/06, Chuck Swiger [EMAIL PROTECTED] wrote:
  Andrew Pantyukhin wrote:
   I wonder, what tricks do you use to use more than
   one alias IP? I mean, if you have hundreds of
   hosts behind your firewall, what can you do to alias
   some of them to one ip, others to another and so on.
 
  See man natd about the following options for 1-to-1 NAT translation,
 which can
  be put into /etc/natd.conf and processed automagically when the machine
 boots:
 
   -redirect_address localIP publicIP

 That's one trick. Do you use it in production? How many
 hosts do you have mapped this way? How do you get
 incoming traffic translated to the address it is meant
 for, not the last address?

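The two approaches discussed in this thread, Chuck Swiger's natd `-redirect_address` (1-to-1 static NAT) and Iantcho's PF rules, side by side as an added example that is not from any post here: a small sh script takes a constructed "localIP publicIP" mapping, refuses a mapping that reuses a public address (two hosts behind one public IP cannot both receive inbound traffic), and emits the natd.conf lines, the equivalent pf.conf binat rules, and the ipfw divert rule that hands packets to natd. The interface name ed0 and the 10.10.1.x / 172.16.0.x addresses are assumptions. Note that PF `binat` (rather than the `nat` rules posted above) is the bidirectional form that matches natd's static NAT, and static mappings are what answer Andrew's question about inbound traffic: each public address maps to exactly one local host, so there is no "last address" ambiguity.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): generate natd(8)
# static-NAT configuration and the equivalent pf.conf binat rules from a
# "localIP publicIP" mapping. Interface and addresses are constructed.

EXT_IF=ed0   # assumed external interface carrying the public addresses

# Constructed sample mapping, one host per line: "localIP publicIP".
SAMPLE_MAP='10.10.1.10 172.16.0.10
10.10.1.11 172.16.0.11
10.10.1.12 172.16.0.12'

# Reject a mapping that reuses a public address: natd would have two
# redirect_address entries claiming the same inbound destination.
check_map() {
    dup=$(printf '%s\n' "$1" | awk 'NF == 2 { print $2 }' | sort | uniq -d)
    [ -z "$dup" ]
}

# natd.conf contents: option names are the command-line flags without the
# leading dash. redirect_address is bidirectional (static NAT), so packets
# arriving for publicIP are rewritten to localIP on the way in.
gen_natd_conf() {
    check_map "$1" || return 1
    printf 'interface %s\n' "$EXT_IF"
    printf '%s\n' "$1" | awk 'NF == 2 { printf "redirect_address %s %s\n", $1, $2 }'
}

# pf.conf equivalent: binat is the two-way mapping; plain nat (as in the
# rules posted above) only rewrites outbound traffic.
gen_pf_conf() {
    check_map "$1" || return 1
    printf '%s\n' "$1" | awk -v ifc="$EXT_IF" 'NF == 2 {
        printf "binat on %s from %s to any -> %s\n", ifc, $1, $2 }'
}

# ipfw rule that diverts traffic on the external interface to natd; it must
# precede any pass/deny rules that would match the untranslated packets.
gen_ipfw_divert() {
    printf 'ipfw add 100 divert natd ip from any to any via %s\n' "$EXT_IF"
}

gen_natd_conf "$SAMPLE_MAP" && gen_pf_conf "$SAMPLE_MAP" && gen_ipfw_divert
```

Point natd at the generated file with `natd_flags="-f /etc/natd.conf"` in rc.conf (alongside `natd_enable` and `natd_interface`), or load the PF rules with `pfctl -f`; whichever you use, verify the mapping with `natd -v` or `pfctl -s nat` before exposing the hosts.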


natd with several alias IPs

2006-02-15 Thread Andrew Pantyukhin
I wonder, what tricks do you use to use more than
one alias IP? I mean, if you have hundreds of
hosts behind your firewall, what can you do to alias
some of them to one ip, others to another and so on.

I know pf can probably do it in a better fashion, I just
wonder how we can do it with natd. Several natd
processes? Some other tricks?


RE: natd with several alias IPs

2006-02-15 Thread bob
I am not sure just what you are asking about.

Are you saying that you have 4 static public IP addresses assigned to
you by your ISP and you want to round robin those 4 in the NATing
process to your hundreds of LAN users?

If that's what you are after then any of FreeBSD's 3 built-in
firewalls can do that by how you code the NAT statements.  Read the
handbook firewall ipfilter section for details. There are no special
tricks or need for several NATed processes.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Andrew
Pantyukhin
Sent: Wednesday, February 15, 2006 3:45 PM
To: FreeBSD Questions
Subject: natd with several alias IPs


I wonder, what tricks do you use to use more than
one alias IP? I mean, if you have hundreds of
hosts behind your firewall, what can you do to alias
some of them to one ip, others to another and so on.

I know pf can probably do it in a better fashion, I just
wonder how we can do it with natd. Several natd
processes? Some other tricks?


Re: natd with several alias IPs

2006-02-15 Thread Andrew Pantyukhin
On 2/16/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 I am not sure just what you are asking about.

 Are you saying that you have 4 static public IP addresses assigned to
 you by your ISP and you want to round robin those 4 in the NATing
 process to your hundreds of LAN users?

 If that's what you are after then any of FreeBSD's 3 built-in
 firewalls can do that by how you code the NAT statements.  Read the
 handbook firewall ipfilter section for details. There are no special
 tricks or need for several NATed processes.

I'm quite aware of the fact that both pf and ipf have
mature nat frameworks. The question is, how to do
that with natd (and ipfw). Could you be so kind and
throw an example of a round-robin setup without
several natd processes, 'cuz I can hardly imagine
that?


RE: natd with several alias IPs

2006-02-15 Thread bob
I am not an ipfw expert. The truth of it is I was an ipfw user before
I added a LAN behind my gateway box. Ipfw does its NATing from
within ipfw and that is what makes ipfw NATing so hard to get right.
It's even harder if you use keep-state processing.  Ipfilter and PF
do the NATing separately from the firewall so the firewall always sees
the true LAN packets. For that reason I now use ipfilter. Your ipfw
question may get better answers from the ipfw questions list. In
reading your original post it was not clear to me that you had to do
this using ipfw. I read it as you were asking if it could be done at
all. Using alias IPs is not the correct term I believe.
Good luck finding an ipfw solution.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Andrew
Pantyukhin
Sent: Wednesday, February 15, 2006 7:16 PM
To: [EMAIL PROTECTED]
Cc: FreeBSD Questions
Subject: Re: natd with several alias IPs


On 2/16/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 I am not sure just what you are asking about.

 Are you saying that you have 4 static public IP addresses assigned to
 you by your ISP and you want to round robin those 4 in the NATing
 process to your hundreds of LAN users?

 If that's what you are after then any of FreeBSD's 3 built-in
 firewalls can do that by how you code the NAT statements.  Read the
 handbook firewall ipfilter section for details. There are no special
 tricks or need for several NATed processes.

I'm quite aware of the fact that both pf and ipf have
mature nat frameworks. The question is, how to do
that with natd (and ipfw). Could you be so kind and
throw an example of a round-robin setup without
several natd processes, 'cuz I can hardly imagine
that?

