Re: different ipfw/natd prob
i agree. it does seem that i need to recompile:

www# ipfw add diver natd all from any to any via dc0
ip_fw_ctl: invalid command
ipfw: getsockopt(IP_FW_ADD): Invalid argument

would seem to indicate this.. i shall commence, as per yours and JoeB's
suggestion and report back

thank you both

stephen d. kingrea

On Fri, 17 Jan 2003, Bill Moran wrote:

>Stephen D. Kingrea wrote:
>> oh, this looks bad
>>
>> before i do that, i should mention that in the meantime, i tried to add a
>> divert rule and got
>>
>> ip_fw_ctl: invalid command
>>
>> on boot, i get
>>
>> IP packet filtering initialized, divert disabled, rule-based forwarding
>> enabled, default to deny, logging disabled
>
>Sounds like you need to recompile your kernel with IPDIVERT (as someone
>else pointed out)
>
>--
>Bill Moran
>Potential Technologies
>http://www.potentialtech.com

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-questions" in the body of the message
Re: different ipfw/natd prob
Stephen D. Kingrea wrote:
> oh, this looks bad
>
> before i do that, i should mention that in the meantime, i tried to add a
> divert rule and got
>
> ip_fw_ctl: invalid command
>
> on boot, i get
>
> IP packet filtering initialized, divert disabled, rule-based forwarding
> enabled, default to deny, logging disabled

Sounds like you need to recompile your kernel with IPDIVERT (as someone
else pointed out)

--
Bill Moran
Potential Technologies
http://www.potentialtech.com
RE: different ipfw/natd prob
Do you really have named Domain server configured? If not remove
named_enable="YES"

If you really do not want sendmail it should be sendmail_enable="NONE"

From your description I see no reason for any of the router_ options

You don't need this either
network_interfaces="lo0 fxp0 dc0"
ifconfig_lo0="inet 127.0.0.1"

Your rule set is missing the divert rule to send all packets to ipfw's
built in nat function interface module.

allow ip from any to any via lo0
divert natd all from any to any via dc0      <- add this rule
allow all ip from any to any
deny ip from any to any

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Stephen D. Kingrea
Sent: Friday, January 17, 2003 8:53 AM
To: Bill Moran
Cc: [EMAIL PROTECTED]
Subject: Re: different ipfw/natd prob

following is rc.conf, /etc/natd.conf, ifconfig, ipfw show

rc.conf

inetd_enable="YES"
kern_securelevel_enable="NO"
linux_enable="YES"
tcp_extensions="YES"
named_enable="YES"
sendmail_enable="NO"
portmap_enable="YES"
router_enable="yes"
router="/sbin/routed"
router_flags="-q"
defaultrouter="68.abc.de.1"
hostname="www.kingrea.com"
network_interfaces="lo0 fxp0 dc0"
ifconfig_lo0="inet 127.0.0.1"
ifconfig_dc0="inet 68.abc.de.14 netmask 255.255.255.0 media 10baseT/UTP"
ifconfig_fxp0="inet 192.168.2.1 netmask 255.255.255.0"
firewall_enable="YES"
firewall_type="OPEN"
gateway_enable="YES"
natd_enable="YES"
natd_interface="dc0"
natd_flags="-f /etc/natd.conf"

natd.conf

interface dc0
use_sockets yes
same_ports yes

ifconfig

dc0: flags=8843 mtu 1500
        inet 68.abc.de.14 netmask 0xffffff00 broadcast 68.abc.de.255
        inet6 fe80::204:5aff:fe5a:9987%dc0 prefixlen 64 scopeid 0x1
        ether 00:04:5a:5a:99:87
        media: Ethernet 10baseT/UTP
        status: active
fxp0: flags=8843 mtu 1500
        inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
        inet6 fe80::2a0:c9ff:fe5c:3738%fxp0 prefixlen 64 scopeid 0x2
        ether 00:a0:c9:5c:37:38
        media: Ethernet autoselect (100baseTX)
        status: active
lp0: flags=8810 mtu 1500
faith0: flags=8002 mtu 1500
lo0: flags=8049 mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
        inet 127.0.0.1 netmask 0xff000000
ppp0: flags=8010 mtu 1500
sl0: flags=c010 mtu 552

ipfw show

00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
65000 4208345040 all ip from any to any
65535 0 0 deny ip from any to any

thanks for assistance!

stephen d. kingrea

On Fri, 17 Jan 2003, Bill Moran wrote:

>Stephen D. Kingrea wrote:
>> i have a slightly different ipfw/natd problem.
>>
>> machines on the lan can ping internal nic on the server (fbsd 4.7), and
>> the external nic, but can not ping or reach anything outside. unless i
>> telnet into the server, then telnet out. currently running ipfw
>> "open" until problem is solved. server can ping all machines on lan.
>
>On a wild guess, it sounds like your divert rule is wrong.
>Need more information to help with this.
>
>Please repost to the list and include the following:
>The output of 'ipfw show'
>The output of 'ifconfig'
>The contents of your rc.conf file
>
>--
>Bill Moran
>Potential Technologies
>http://www.potentialtech.com
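Added example, not part of the thread: a small POSIX sh script that checks the two things the replies above point at, namely Bill's "recompile with IPDIVERT" (read off the kernel's "IP packet filtering initialized, divert ..." boot line that Stephen quoted) and JoeB's missing divert rule (read off an ipfw show listing of the same shape as Stephen's). divert_support() classifies the boot line; ruleset_check() reads ipfw show output on stdin and reports whether a divert rule on the NAT interface exists and is numbered before the catch-all allow that firewall_type="OPEN" installs as rule 65000, since a divert rule placed after it never sees a packet. The function names, the sample rule numbers and the counters are constructed for this example; a natd divert rule is listed by ipfw show as "divert 8668 ..." because 8668 is natd's default divert port (the "natd" entry in /etc/services).

```shell
#!/bin/sh
# Added example, not code from the thread. Checks (1) whether the running
# kernel reports divert support and (2) whether the ipfw ruleset has a natd
# divert rule on the NAT interface placed before the catch-all allow.
# Function names and sample data below are constructed for this example.

# divert_support "<kernel ipfw init line>"
# returns 0 if the line says "divert enabled", 1 if "divert disabled",
# 2 if it is not the ipfw init line at all.
divert_support() {
    case "$1" in
        *"divert enabled"*)  return 0 ;;
        *"divert disabled"*) return 1 ;;
        *)                   return 2 ;;
    esac
}

# ruleset_check IFACE   (reads `ipfw show` output on stdin)
# ipfw show lines look like: <rule#> <packets> <bytes> <action> <body...>
# natd's rule is listed as "divert 8668 ip from any to any via IFACE"
# (8668 is natd's default divert port; "divert natd" on the command line
# resolves to it via /etc/services).
# Prints "ok", or a one-line reason: the rule is missing, or it is numbered
# after an unconditional allow and so is shadowed.
ruleset_check() {
    iface=$1
    divert_no=""
    allow_no=""
    while read -r num pkts bytes action rest; do
        case "$num" in ''|\#*) continue ;; esac
        case "$action $rest" in
            divert*" via $iface")
                if [ -z "$divert_no" ]; then divert_no=$num; fi ;;
            "allow ip from any to any"|"pass ip from any to any")
                if [ -z "$allow_no" ]; then allow_no=$num; fi ;;
        esac
    done
    if [ -z "$divert_no" ]; then
        echo "missing: no divert rule via $iface"
    elif [ -n "$allow_no" ] && [ "$divert_no" -gt "$allow_no" ]; then
        echo "shadowed: divert rule $divert_no comes after catch-all allow $allow_no"
    else
        echo "ok"
    fi
}

# Constructed samples: the boot line quoted in the thread, and three ipfw
# show listings shaped like Stephen's (counters made up).
BOOT_LINE="IP packet filtering initialized, divert disabled, rule-based forwarding enabled, default to deny, logging disabled"

RULES_NO_DIVERT='00100 12 936 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
65000 4208 345040 allow ip from any to any
65535 0 0 deny ip from any to any'

RULES_WITH_DIVERT='00100 12 936 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00400 318 41022 divert 8668 ip from any to any via dc0
65000 4208 345040 allow ip from any to any
65535 0 0 deny ip from any to any'

RULES_SHADOWED='00100 12 936 allow ip from any to any via lo0
65000 4208 345040 allow ip from any to any
65100 0 0 divert 8668 ip from any to any via dc0
65535 0 0 deny ip from any to any'

# Demo run over the constructed samples.
if divert_support "$BOOT_LINE"; then
    echo "kernel: divert enabled"
else
    echo "kernel: divert not available, rebuild with options IPDIVERT"
fi
echo "no divert:   $(printf '%s\n' "$RULES_NO_DIVERT"   | ruleset_check dc0)"
echo "with divert: $(printf '%s\n' "$RULES_WITH_DIVERT" | ruleset_check dc0)"
echo "shadowed:    $(printf '%s\n' "$RULES_SHADOWED"    | ruleset_check dc0)"
```

On a real box the inputs would come from `dmesg | grep 'IP packet filtering'` and `ipfw show`; the script only looks at text, so it is safe to run on a live gateway and does not touch the ruleset.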
Re: different ipfw/natd prob
Here's what I did that worked for me on FreeBSD 4.5-RELEASE
Maybe this will help you some.

Kernel recompile options I added:

options IPFIREWALL                   # I added for firewall
options IPFIREWALL_DEFAULT_TO_ACCEPT # I added for firewall
options IPFIREWALL_VERBOSE           # I added for firewall
options IPFIREWALL_VERBOSE_LIMIT=10  # I added for firewall
options IPFIREWALL_DEFAULT_TO_ACCEPT # I added for firewall
options IPFIREWALL_FORWARD           # I added for firewall
options IPDIVERT                     # I added for natd

ipfw rules:

/sbin/ipfw add 100 pass all from 127.0.0.1 to 127.0.0.1
/sbin/ipfw add 200 divert natd all from any to any via rl0

ifconfig:

xl0: flags=8843 mtu 1500
        options=3
        inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
        inet6 fe80::201:2ff:fee8:2298%xl0 prefixlen 64 scopeid 0x1
        ether 00:01:02:e8:22:98
        media: Ethernet autoselect (100baseTX )
        status: active
rl0: flags=8843 mtu 1500
        inet 24.xx.xxx.61 netmask 0xfffffe00 broadcast 24..xxx.255
        inet6 fe80::250:bfff:fe51:5503%rl0 prefixlen 64 scopeid 0x2
        ether 00:50:bf:51:55:03
        media: Ethernet autoselect (100baseTX )
        status: active

rc.conf:

gateway_enable="YES"
firewall_enable="YES"
firewall_type="OPEN"
natd_enable="YES"
natd_interface="rl0"
natd_flags="-f /etc/natd.cf"
hostname="mygatewayhost"
ifconfig_rl0="inet 24.121.16.61 netmask 255.255.254.0"
ifconfig_xl0="inet 192.168.0.1 netmask 255.255.255.0"

WillyB

[EMAIL PROTECTED] wrote:
> following is rc.conf, /etc/natd.conf, ifconfig, ipfw show
>
> rc.conf
>
> inetd_enable="YES"
> kern_securelevel_enable="NO"
> linux_enable="YES"
> tcp_extensions="YES"
> named_enable="YES"
> sendmail_enable="NO"
> portmap_enable="YES"
> router_enable="yes"
> router="/sbin/routed"
> router_flags="-q"
> defaultrouter="68.abc.de.1"
> hostname="www.kingrea.com"
> network_interfaces="lo0 fxp0 dc0"
> ifconfig_lo0="inet 127.0.0.1"
> ifconfig_dc0="inet 68.abc.de.14 netmask 255.255.255.0 media 10baseT/UTP"
> ifconfig_fxp0="inet 192.168.2.1 netmask 255.255.255.0"
> firewall_enable="YES"
> firewall_type="OPEN"
> gateway_enable="YES"
> natd_enable="YES"
> natd_interface="dc0"
> natd_flags="-f /etc/natd.conf"
>
> natd.conf
>
> interface dc0
> use_sockets yes
> same_ports yes
>
> ifconfig
>
> dc0: flags=8843 mtu 1500
>         inet 68.abc.de.14 netmask 0xffffff00 broadcast 68.abc.de.255
>         inet6 fe80::204:5aff:fe5a:9987%dc0 prefixlen 64 scopeid 0x1
>         ether 00:04:5a:5a:99:87
>         media: Ethernet 10baseT/UTP
>         status: active
> fxp0: flags=8843 mtu 1500
>         inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
>         inet6 fe80::2a0:c9ff:fe5c:3738%fxp0 prefixlen 64 scopeid 0x2
>         ether 00:a0:c9:5c:37:38
>         media: Ethernet autoselect (100baseTX)
>         status: active
> lp0: flags=8810 mtu 1500
> faith0: flags=8002 mtu 1500
> lo0: flags=8049 mtu 16384
>         inet6 ::1 prefixlen 128
>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
>         inet 127.0.0.1 netmask 0xff000000
> ppp0: flags=8010 mtu 1500
> sl0: flags=c010 mtu 552
>
> ipfw show
>
> 00100 0 0 allow ip from any to any via lo0
> 00200 0 0 deny ip from any to 127.0.0.0/8
> 00300 0 0 deny ip from 127.0.0.0/8 to any
> 65000 4208345040 all ip from any to any
> 65535 0 0 deny ip from any to any
>
> thanks for assistance!
>
> stephen d. kingrea
>
> On Fri, 17 Jan 2003, Bill Moran wrote:
>
>> Stephen D. Kingrea wrote:
>>> i have a slightly different ipfw/natd problem.
>>>
>>> machines on the lan can ping internal nic on the server (fbsd 4.7), and
>>> the external nic, but can not ping or reach anything outside. unless i
>>> telnet into the server, then telnet out. currently running ipfw
>>> "open" until problem is solved. server can ping all machines on lan.
>>
>> On a wild guess, it sounds like your divert rule is wrong.
>> Need more information to help with this.
>>
>> Please repost to the list and include the following:
>> The output of 'ipfw show'
>> The output of 'ifconfig'
>> The contents of your rc.conf file
>>
>> --
>> Bill Moran
>> Potential Technologies
>> http://www.potentialtech.com
Re: different ipfw/natd prob
following is rc.conf, /etc/natd.conf, ifconfig, ipfw show

rc.conf

inetd_enable="YES"
kern_securelevel_enable="NO"
linux_enable="YES"
tcp_extensions="YES"
named_enable="YES"
sendmail_enable="NO"
portmap_enable="YES"
router_enable="yes"
router="/sbin/routed"
router_flags="-q"
defaultrouter="68.abc.de.1"
hostname="www.kingrea.com"
network_interfaces="lo0 fxp0 dc0"
ifconfig_lo0="inet 127.0.0.1"
ifconfig_dc0="inet 68.abc.de.14 netmask 255.255.255.0 media 10baseT/UTP"
ifconfig_fxp0="inet 192.168.2.1 netmask 255.255.255.0"
firewall_enable="YES"
firewall_type="OPEN"
gateway_enable="YES"
natd_enable="YES"
natd_interface="dc0"
natd_flags="-f /etc/natd.conf"

natd.conf

interface dc0
use_sockets yes
same_ports yes

ifconfig

dc0: flags=8843 mtu 1500
        inet 68.abc.de.14 netmask 0xffffff00 broadcast 68.abc.de.255
        inet6 fe80::204:5aff:fe5a:9987%dc0 prefixlen 64 scopeid 0x1
        ether 00:04:5a:5a:99:87
        media: Ethernet 10baseT/UTP
        status: active
fxp0: flags=8843 mtu 1500
        inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
        inet6 fe80::2a0:c9ff:fe5c:3738%fxp0 prefixlen 64 scopeid 0x2
        ether 00:a0:c9:5c:37:38
        media: Ethernet autoselect (100baseTX)
        status: active
lp0: flags=8810 mtu 1500
faith0: flags=8002 mtu 1500
lo0: flags=8049 mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
        inet 127.0.0.1 netmask 0xff000000
ppp0: flags=8010 mtu 1500
sl0: flags=c010 mtu 552

ipfw show

00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
65000 4208345040 all ip from any to any
65535 0 0 deny ip from any to any

thanks for assistance!

stephen d. kingrea

On Fri, 17 Jan 2003, Bill Moran wrote:

>Stephen D. Kingrea wrote:
>> i have a slightly different ipfw/natd problem.
>>
>> machines on the lan can ping internal nic on the server (fbsd 4.7), and
>> the external nic, but can not ping or reach anything outside. unless i
>> telnet into the server, then telnet out. currently running ipfw
>> "open" until problem is solved. server can ping all machines on lan.
>
>On a wild guess, it sounds like your divert rule is wrong.
>Need more information to help with this.
>
>Please repost to the list and include the following:
>The output of 'ipfw show'
>The output of 'ifconfig'
>The contents of your rc.conf file
>
>--
>Bill Moran
>Potential Technologies
>http://www.potentialtech.com
Re: different ipfw/natd prob
oh, this looks bad

before i do that, i should mention that in the meantime, i tried to add a
divert rule and got

ip_fw_ctl: invalid command

on boot, i get

IP packet filtering initialized, divert disabled, rule-based forwarding
enabled, default to deny, logging disabled

is this a clue that i need to rebuild kernel?

stephen d. kingrea

On Fri, 17 Jan 2003, Bill Moran wrote:

>Stephen D. Kingrea wrote:
>> i have a slightly different ipfw/natd problem.
>>
>> machines on the lan can ping internal nic on the server (fbsd 4.7), and
>> the external nic, but can not ping or reach anything outside. unless i
>> telnet into the server, then telnet out. currently running ipfw
>> "open" until problem is solved. server can ping all machines on lan.
>
>On a wild guess, it sounds like your divert rule is wrong.
>Need more information to help with this.
>
>Please repost to the list and include the following:
>The output of 'ipfw show'
>The output of 'ifconfig'
>The contents of your rc.conf file
>
>--
>Bill Moran
>Potential Technologies
>http://www.potentialtech.com
Re: different ipfw/natd prob
Stephen D. Kingrea wrote:
> i have a slightly different ipfw/natd problem.
>
> machines on the lan can ping internal nic on the server (fbsd 4.7), and
> the external nic, but can not ping or reach anything outside. unless i
> telnet into the server, then telnet out. currently running ipfw
> "open" until problem is solved. server can ping all machines on lan.

On a wild guess, it sounds like your divert rule is wrong.
Need more information to help with this.

Please repost to the list and include the following:
The output of 'ipfw show'
The output of 'ifconfig'
The contents of your rc.conf file

--
Bill Moran
Potential Technologies
http://www.potentialtech.com