Re: ipfw + NAT doesn't work

2009-09-18 Thread Ruben de Groot
On Thu, Sep 17, 2009 at 02:53:12PM -0400, Robert Huff typed:
> 
> Ruben de Groot writes:
> 
>>> However: using these I still can't get through
>> 
>> Through to what? You seem to be able to connect on a local subnet, but
>> not to the internet through NAT, which you say is ok, because you
>> shouldn't?
>> 
>> Please explain exactly what you want to do.
> 
> 1) With the firewall enabled, but no NAT-related rules, I can't get out.
> This is as expected.
> 2) With the NAT rules added, I should be able to get out, but can't.
> Clear?

I think so. What's your outgoing IP? The rules you posted:

ipfw add 5000 nat 15 all from any to any
ipfw nat 15 config log same_ports ip 10.0.0.0/8
                                             ^^

look strange to me. Instead of 10.0.0.0/8 I believe you should use
a single IP that you want to translate to (i.e. your outgoing IP address).

Ruben

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
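Ruben's diagnosis can be checked mechanically before the rules are loaded. The Python below is an added example, not code from either poster: it lints the two commands quoted in the thread (constructed here as a list) and also warns when the nat rule carries no interface match, the usual practice being to restrict it to the external NIC; `if <nic>` is ipfw's own option for using an interface's current address.

```python
"""Lint ipfw kernel-NAT commands before loading them (added example, not
code from the thread).  It flags the mistake Ruben points at: the 'ip'
option of 'ipfw nat N config' takes one translation address, not a network."""
import ipaddress
import shlex

# Constructed input: the two NAT commands quoted in the thread.
SAMPLE_RULES = [
    "ipfw add 5000 nat 15 all from any to any",
    "ipfw nat 15 config log same_ports ip 10.0.0.0/8",
]


def check_nat_rules(commands):
    """Return a list of (severity, message) findings for ipfw command strings."""
    findings = []
    configured = set()  # instances seen in 'ipfw nat N config ...'
    referenced = []     # (rule_number, instance, argv) from 'ipfw add ... nat N'
    for cmd in commands:
        argv = shlex.split(cmd)
        if len(argv) >= 4 and argv[1] == "nat" and argv[3] == "config":
            inst, opts = argv[2], argv[4:]
            configured.add(inst)
            if "ip" in opts:
                i = opts.index("ip")
                addr = opts[i + 1] if i + 1 < len(opts) else ""
                try:
                    ipaddress.ip_address(addr)  # one host address; a prefix is rejected
                except ValueError:
                    findings.append(("error", f"nat {inst}: 'ip {addr}' is not a single "
                                     "address; give the outgoing IP, or 'if <nic>' to "
                                     "track the external interface's address"))
            elif "if" not in opts:
                findings.append(("error", f"nat {inst}: neither 'ip' nor 'if' given"))
        elif len(argv) >= 4 and argv[1] == "add" and "nat" in argv:
            rule = argv[2] if argv[2].isdigit() else "(unnumbered)"
            referenced.append((rule, argv[argv.index("nat") + 1], argv))
    for rule, inst, argv in referenced:
        if inst not in configured:
            findings.append(("error", f"rule {rule}: nat {inst} is never configured"))
        if not {"via", "recv", "xmit"} & set(argv):
            # Without an interface match, LAN traffic on the inside NIC is aliased too.
            findings.append(("warning", f"rule {rule}: no interface match; "
                             "restrict it to the external NIC, e.g. 'via em0'"))
    return findings


if __name__ == "__main__":
    for severity, message in check_nat_rules(SAMPLE_RULES):
        print(f"{severity}: {message}")
```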


ipfw + NAT doesn't work

2009-09-17 Thread Robert Huff

I have a machine running

FreeBSD 9.0-CURRENT #3: Tue Sep 15 18:49:58 EDT 2009 amd64 

It has this in the config file for the running kernel:

options  IPFIREWALL                    #firewall
options  IPFIREWALL_VERBOSE            #enable logging to syslogd(8)
options  IPFIREWALL_VERBOSE_LIMIT=100  #limit verbosity
options  IPFIREWALL_DEFAULT_TO_ACCEPT  #allow everything by default
options  IPFIREWALL_NAT                #ipfw kernel nat support
options  LIBALIAS

It (10.0.0.1) connects correctly to another machine (10.0.0.3);
I know because .3 mounts one of .1's disks using Samba.
With the ipfw rules appended below, I can't NAT, nor should I
be able to.  (em0 faces the Internet; em1 faces the other
machine.)
However: using these I still can't get through

ipfw add 5000 nat 15 all from any to any
ipfw nat 15 config log same_ports ip 10.0.0.0/8

Have I forgotten something?  Or misunderstood something?
If not ... how do I figure out what's wrong?

Respectfully,


Robert Huff



00100  3830   864746 allow ip from any to any via lo0
00200     0        0 deny ip from any to 127.0.0.0/8
00300     0        0 deny ip from 127.0.0.0/8 to any
00350   110    42464 allow udp from any 67-68 to any dst-port 67-68
00600     0        0 allow ip6 from any to any via lo0
00610     0        0 deny ip6 from any to ::1
00620     0        0 deny ip6 from ::1 to any
00630     3      256 allow ip6 from :: to ff02::/16 proto ipv6-icmp
00640     0        0 allow ip6 from fe80::/10 to fe80::/10 proto ipv6-icmp
00650     4      304 allow ip6 from fe80::/10 to ff02::/16 proto ipv6-icmp
00660     0        0 allow ip6 from 2001:db8:2:1::1 to 2001:db8:2:1::/64
00670     0        0 allow ip6 from 2001:db8:2:1::/64 to 2001:db8:2:1::1
00680     0        0 allow ip6 from fe80::/10 to ff02::/16
00690     0        0 allow ip6 from 2001:db8:2:1::/64 to ff02::/16
00700     0        0 allow ip6 from any to any established proto tcp
00710     0        0 allow ip6 from any to any frag
00720     0        0 allow ip6 from any to 2001:db8:2:1::1 dst-port 25 setup proto tcp
00730     0        0 allow ip6 from 2001:db8:2:1::1 to any setup proto tcp
00740     0        0 deny ip6 from any to any setup proto tcp
00750     0        0 allow ip6 from any 53 to 2001:db8:2:1::1 proto udp
00760     0        0 allow ip6 from 2001:db8:2:1::1 to any dst-port 53 proto udp
00770     0        0 allow ip6 from any 123 to 2001:db8:2:1::1 proto udp
00780     0        0 allow ip6 from 2001:db8:2:1::1 to any dst-port 123 proto udp
00790     0        0 allow ip6 from any to any ip6 icmp6types 1 proto ipv6-icmp
00800     0        0 allow ip6 from any to any ip6 icmp6types 2,135,136 proto ipv6-icmp
06000     0        0 deny log logamount 100 tcp from any to any dst-port 137 in via em0
06050    32     3000 deny log logamount 100 udp from any to any dst-port 137 in via em0
06100     0        0 deny log logamount 100 tcp from any to any dst-port 138 in via em0
06150    15     3465 deny log logamount 100 udp from any to any dst-port 138 in via em0
06200     0        0 deny log logamount 100 tcp from any to any dst-port 139 in via em0
06250     0        0 deny log logamount 100 udp from any to any dst-port 139 in via em0
07000     0        0 deny log logamount 100 tcp from any to any dst-port 111 in via em0
07050     0        0 deny log logamount 100 udp from any to any dst-port 111 in via em0
07100     0        0 deny log logamount 100 tcp from any to any dst-port 530 in via em0
07150     0        0 deny log logamount 100 udp from any to any dst-port 530 in via em0
07200     0        0 deny log logamount 100 tcp from any to any dst-port 161 in recv em0
07225     0        0 deny log logamount 100 udp from any to any dst-port 161 in recv em0
07250     0        0 deny log logamount 100 tcp from any to any dst-port 162 in recv em0
07275     0        0 deny log logamount 100 udp from any to any dst-port 162 in recv em0
07300     0        0 deny log logamount 100 tcp from any to any dst-port 194
07310     0        0 deny log logamount 100 udp from any to any dst-port 194
07320     0        0 deny log logamount 100 tcp from any to any dst-port 529
07330     0        0 deny log logamount 100 udp from any to any dst-port 529
07340     0        0 deny log logamount 100 tcp from any to any dst-port 994
07350     0        0 deny log logamount 100 udp from any to any dst-port 994
07360     0        0 deny log logamount 100 tcp from any to any dst-port 6667
07370     0        0 deny log logamount 100 udp from any to any dst-port 6667
1     45012 38961511 allow tcp from any to any established
10100  1452   112487 allow ip from any to any out via em0
10200     0        0 allow tcp from 10.0.0.0/8 to any dst-port 80
10300     0        0 allow tcp from any 80 to any dst-port 1024-65535 via em0
10400     0        0 allow tcp from any 443 to any dst-port 1024-65535 via em0
10500     0        0 deny

Re: ipfw + NAT doesn't work

2009-09-17 Thread Ruben de Groot
On Thu, Sep 17, 2009 at 10:14:15AM -0400, Robert Huff typed:
> 
> I have a machine running
> 
> FreeBSD 9.0-CURRENT #3: Tue Sep 15 18:49:58 EDT 2009 amd64
> 
> It has this in the config file for the running kernel:
> 
> options  IPFIREWALL                    #firewall
> options  IPFIREWALL_VERBOSE            #enable logging to syslogd(8)
> options  IPFIREWALL_VERBOSE_LIMIT=100  #limit verbosity
> options  IPFIREWALL_DEFAULT_TO_ACCEPT  #allow everything by default
> options  IPFIREWALL_NAT                #ipfw kernel nat support
> options  LIBALIAS
> 
> It (10.0.0.1) connects correctly to another machine (10.0.0.3);
> I know because .3 mounts one of .1's disks using Samba.
> With the ipfw rules appended below, I can't NAT, nor should I
> be able to.  (em0 faces the Internet; em1 faces the other
> machine.)
> However: using these I still can't get through

Through to what? You seem to be able to connect on a local subnet, but
not to the internet through NAT, which you say is ok, because you shouldn't?
Please explain exactly what you want to do.

> Have I forgotten something?  Or misunderstood something?
> If not ... how do I figure out what's wrong?

/var/log/security is a good place to start, as your config seems to log almost
all denies.
BTW, CURRENT is a development branch.  Fine if you want to run it, but you
should do some basic debugging yourself before posting problems with it. And
then the -questions list is probably not the best place to find answers.

regards,
Ruben



Re[2]: ipfw + NAT doesn't work

2009-09-17 Thread Robert Huff

kes-...@yandex.ru writes:

>> If not ... how do I figure out what's wrong?
> What are your ipfw rules?

They were appended to the original post.


Robert Huff



Re[2]: ipfw + NAT doesn't work

2009-09-17 Thread Коньков Евгений
Hello, Ruben.

> If not ... how do I figure out what's wrong?
What are your ipfw rules?

You wrote on 17 September 2009 at 20:45:01:

RdG> On Thu, Sep 17, 2009 at 10:14:15AM -0400, Robert Huff typed:
>> 
>> I have a machine running
>> 
>> FreeBSD 9.0-CURRENT #3: Tue Sep 15 18:49:58 EDT 2009 amd64
>> 
>> It has this in the config file for the running kernel:
>> 
>> options  IPFIREWALL                    #firewall
>> options  IPFIREWALL_VERBOSE            #enable logging to syslogd(8)
>> options  IPFIREWALL_VERBOSE_LIMIT=100  #limit verbosity
>> options  IPFIREWALL_DEFAULT_TO_ACCEPT  #allow everything by default
>> options  IPFIREWALL_NAT                #ipfw kernel nat support
>> options  LIBALIAS
>> 
>> It (10.0.0.1) connects correctly to another machine (10.0.0.3);
>> I know because .3 mounts one of .1's disks using Samba.
>> With the ipfw rules appended below, I can't NAT, nor should I
>> be able to.  (em0 faces the Internet; em1 faces the other
>> machine.)
>> However: using these I still can't get through

RdG> Through to what? You seem to be able to connect on a local subnet, but
RdG> not to the internet through NAT, which you say is ok, because you shouldn't?
RdG> Please explain exactly what you want to do.

>> Have I forgotten something?  Or misunderstood something?
>> If not ... how do I figure out what's wrong?

RdG> /var/log/security is a good place to start, as your config seems to log almost
RdG> all denies.
RdG> BTW, CURRENT is a development branch.  Fine if you want to run it, but you
RdG> should do some basic debugging yourself before posting problems with it. And
RdG> then the -questions list is probably not the best place to find answers.


-- 
Regards,
Коньков  mailto:kes-...@yandex.ru
