Re: IPNAT seems to affect network performance? of jails on lo0 (10.0.0.0/24) - why?

2012-07-03 Thread Kalle Møller
I know that ssh does a reverse DNS lookup of the IP you connect from,
no matter if it's local or not.

On Tue, Jun 26, 2012 at 4:58 PM, Christopher J. Ruwe  wrote:
> On Mon, 25 Jun 2012 18:23:56 -0400
> Robert Huff  wrote:
>
>>
>> Christopher J. Ruwe writes:
>>
>> >  On a KVM virtualized host, I run FreeBSD 8.3-RELEASE-p3 and some
>> >  qjails, 8.3-RELEASE. The jails are connected all via lo0 on
>> >  10.0.0.0.
>> >
>> >  While by and large working as expected, I have noticed one
>> >  peculiarity I have failed to pinpoint: When launching processes
>> >  with some network interaction, like sshing into one of the jails
>> >  from the platform or launching emacs, the command spends ages (
>> >  ~(1-2) minutes) idling?  (nothing happens) before becoming
>> >  interactive.
>>
>>   If the number is very close to 90 seconds, my first guess
>> would be you have a DNS problem.
>>
>>
>>   Robert Huff
>>
>> ___
>> freebsd-questions@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to
>> "freebsd-questions-unsubscr...@freebsd.org"
>
> Thanks for the hint. It was DNS ... I have copied a resolv.conf into the
> jails for future use, but did not enable NAT from the start.
>
> The issue disappeared when I commented out the nameserver entries and
> switched NAT off again, i.e., I could login using ssh in a matter of
> seconds, not minutes.
>
> Now to the followup: Why do ssh and emacs! require DNS for entirely local
> connections or just to be started?
>
> Anyway, thanks for that hint, cheers,
> --
> Christopher
> TZ: GMT + 2h



-- 

Med Venlig Hilsen

Kalle R. Møller


Re: IPNAT seems to affect network performance? of jails on lo0 (10.0.0.0/24) - why?

2012-06-26 Thread Christopher J. Ruwe
On Mon, 25 Jun 2012 18:23:56 -0400
Robert Huff  wrote:

> 
> Christopher J. Ruwe writes:
> 
> >  On a KVM virtualized host, I run FreeBSD 8.3-RELEASE-p3 and some
> >  qjails, 8.3-RELEASE. The jails are connected all via lo0 on
> >  10.0.0.0.
> >  
> >  While by and large working as expected, I have noticed one
> >  peculiarity I have failed to pinpoint: When launching processes
> >  with some network interaction, like sshing into one of the jails
> >  from the platform or launching emacs, the command spends ages (
> >  ~(1-2) minutes) idling?  (nothing happens) before becoming
> >  interactive.
> 
>   If the number is very close to 90 seconds, my first guess
> would be you have a DNS problem.
> 
> 
>   Robert Huff
> 

Thanks for the hint. It was DNS ... I have copied a resolv.conf into the
jails for future use, but did not enable NAT from the start. 

The issue disappeared when I commented out the nameserver entries and
switched NAT off again, i.e., I could login using ssh in a matter of
seconds, not minutes.

Now to the followup: Why do ssh and emacs! require DNS for entirely local
connections or just to be started?

Anyway, thanks for that hint, cheers,
-- 
Christopher
TZ: GMT + 2h




IPNAT seems to affect network performance? of jails on lo0 (10.0.0.0/24) - why?

2012-06-25 Thread Robert Huff

Christopher J. Ruwe writes:

>  On a KVM virtualized host, I run FreeBSD 8.3-RELEASE-p3 and some
>  qjails, 8.3-RELEASE. The jails are connected all via lo0 on
>  10.0.0.0.
>  
>  While by and large working as expected, I have noticed one
>  peculiarity I have failed to pinpoint: When launching processes
>  with some network interaction, like sshing into one of the jails
>  from the platform or launching emacs, the command spends ages (
>  ~(1-2) minutes) idling?  (nothing happens) before becoming
>  interactive.

If the number is very close to 90 seconds, my first guess would
be you have a DNS problem.


Robert Huff



IPNAT seems to affect network performance? of jails on lo0 (10.0.0.0/24) - why?

2012-06-25 Thread Christopher J. Ruwe
On a KVM virtualized host, I run FreeBSD 8.3-RELEASE-p3 and some qjails,
8.3-RELEASE. The jails are connected all via lo0 on 10.0.0.0.

While by and large working as expected, I have noticed one peculiarity I
have failed to pinpoint: When launching processes with some network
interaction, like sshing into one of the jails from the platform or
launching emacs, the command spends ages ( ~(1-2) minutes) idling?
(nothing happens) before becoming interactive.

For reasons unrelated, I have enabled NAT with ipf for the jails on
10.0.0.0/24 (to the external re0 IF and some IP) and, out of the blue,
logging into the jails or starting emacs became snappy again.

Why? Why does ipnatting jails which should be connected via the same lo0
on 10.0.0.0 have any impact? Don't get me wrong, I am not complaining
and it solved an issue which gave me kind of headaches, but I would like
to understand. 

Thanks and cheers,
-- 
Christopher
TZ: GMT + 2h




Page Fault While in Kernel Mode (IPNAT)

2010-09-27 Thread Berk Gulenler
Hi, I have a firewall for NAT operations only. While doing NAT, server 
crashes. Below you can find the required info about my problem. Thanks.


Some useful info about my NAT server:

FreeBSD xxx.cc.boun.edu.tr 7.3-RELEASE FreeBSD 7.3-RELEASE #2: Fri Sep 
17 15:09:54 EEST 2010 x...@xxx.cc.boun.edu.tr:/usr/obj/usr/src/sys/FW  i386


bge0:  mem 
0xfdef-0xfdef irq 25 at device 1.0 on pci3
bge1:  mem 
0xfdee-0xfdee irq 26 at device 1.1 on pci3


net.inet.ipf.ipf_natrules_sz: 127
net.inet.ipf.ipf_nattable_sz: 30

513/897/1410 mbufs in use (current/cache/total)
512/540/1052/0 mbuf clusters in use (current/cache/total/max)
512/512 mbuf+clusters out of packet secondary zone in use (current/cache)
0/5/5/12800 4k (page size) jumbo clusters in use (current/cache/total/max)
0/0/0/6400 9k jumbo clusters in use (current/cache/total/max)
0/0/0/3200 16k jumbo clusters in use (current/cache/total/max)
1152K/1324K/2476K bytes allocated to network (current/cache/total)
0/0/0 requests for mbufs denied (mbufs/clusters/mbuf+clusters)
0/0/0 requests for jumbo clusters denied (4k/9k/16k)
0/5/6656 sfbufs in use (current/peak/max)
0 requests for sfbufs denied
0 requests for sfbufs delayed
0 requests for I/O initiated by sendfile
0 calls to protocol drain routines

mapped  in  183625863   out 126618997
added   2265807 expired 1350387
no memory   8899    bad nat 12314
inuse   13690
orphans 0
rules   49
wilds   0
hash efficiency 97.64%
bucket usage    4.46%
minimal length  0
maximal length  3
average length  1.024
TCP Entries per state
 0 1 2 3 4 5 6 7 8 9 10 11
42  223651   417  3311   348   2002320 0  3763   729

Debug info:

GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you 
are
welcome to change it and/or distribute copies of it under certain 
conditions.

Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd"...

Unread portion of the kernel message buffer:


Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address= 0x4
fault code= supervisor read, page not present
instruction pointer= 0x20:0x8593c94b
stack pointer= 0x28:0x853488dc
frame pointer= 0x28:0x85348958
code segment= base 0x0, limit 0xf, type 0x1b
= DPL 0, pres 1, def32 1, gran 1
processor eflags= interrupt enabled, resume, IOPL = 0
current process= 25 (irq26: bge1)
trap number= 12
panic: page fault
cpuid = 0
Uptime: 2d0h6m24s
Physical memory: 2035 MB
Dumping 335 MB: 320 304 288 272 256 240 224 208 192 176 160 144 128 112 
96 80 64 48 32 16


Reading symbols from /boot/kernel/acpi.ko...Reading symbols from 
/boot/kernel/acpi.ko.symbols...done.

done.
Loaded symbols for /boot/kernel/acpi.ko
Reading symbols from /boot/kernel/ipl.ko...Reading symbols from 
/boot/kernel/ipl.ko.symbols...done.

done.
Loaded symbols for /boot/kernel/ipl.ko
#0  doadump () at pcpu.h:196
196        __asm __volatile("movl %%fs:0,%0" : "=r" (td));

### 



#0  doadump () at pcpu.h:196
#1  0x80746017 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:418
#2  0x807462e9 in panic (fmt=Variable "fmt" is not available.
) at /usr/src/sys/kern/kern_shutdown.c:574
#3  0x8097483c in trap_fatal (frame=0x8534889c, eva=4) at 
/usr/src/sys/i386/i386/trap.c:950
#4  0x80974aa0 in trap_pfault (frame=0x8534889c, usermode=0, eva=4) at 
/usr/src/sys/i386/i386/trap.c:863
#5  0x80975459 in trap (frame=0x8534889c) at 
/usr/src/sys/i386/i386/trap.c:541

#6  0x8095915b in calltrap () at /usr/src/sys/i386/i386/exception.s:166
#7  0x8593c94b in nat_new (fin=0x853489c0, np=0x855ee800, natsave=0x0, 
flags=Variable "flags" is not available.
) at 
/usr/src/sys/modules/ipfilter/../../contrib/ipfilter/netinet/ip_nat.c:2577
#8  0x8593cf04 in fr_checknatout (fin=0x853489c0, passp=0x85348a6c) at 
/usr/src/sys/modules/ipfilter/../../contrib/ipfilter/netinet/ip_nat.c:3828
#9  0x85959c6c in fr_check (ip=0x873c0810, hlen=20, ifp=0x855b7400, 
out=1, mp=0x85348ab8)
at 
/usr/src/sys/modules/ipfilter/../../contrib/ipfilter/netinet/fil.c:2624
#10 0x859517be in fr_check_wrapper (arg=0x0, mp=0x85348ab8, 
ifp=0x855b7400, dir=2)
at 
/usr/src/sys/modules/ipfilter/../../contrib/ipfilter/netinet/ip_fil_freebsd.c:178 

#11 0x807f5708 in pfil_run_hooks (ph=0x80b026e0, mp=0x85348b44, 
ifp=0x855b7400, dir=2, inp=0x0) at /usr/src/sys/net/pfil.c:78
#12 0x8080ea72 in ip_output (m=0x85b2a800, opt=0x0, ro=0x85348b7c, 
flags=1, imo=0x0, inp=0x0) at /usr/src/sys/netinet/ip_output.c:443
#13 0x8080bb04 in ip_forward (m=0x85b2a800, srcrt=0) at 
/usr/src/sys/netinet/ip_input.c:1366
#14 0x8080d0b0 in ip_input (m=0

Page Fault While in Kernel Mode (IPNAT)

2010-09-26 Thread Berk Gulenler
Hi, I have a firewall for NAT operations only. While doing NAT, server  
crashes. Below you can find the required info about my problem. Thanks.


Some useful info about my NAT server:

FreeBSD xxx.cc.boun.edu.tr 7.3-RELEASE FreeBSD 7.3-RELEASE #2: Fri Sep  
17 15:09:54 EEST 2010  
x...@xxx.cc.boun.edu.tr:/usr/obj/usr/src/sys/FW  i386


bge0:  mem  
0xfdef-0xfdef irq 25 at device 1.0 on pci3
bge1:  mem  
0xfdee-0xfdee irq 26 at device 1.1 on pci3


net.inet.ipf.ipf_natrules_sz: 127
net.inet.ipf.ipf_nattable_sz: 30

513/897/1410 mbufs in use (current/cache/total)
512/540/1052/0 mbuf clusters in use (current/cache/total/max)
512/512 mbuf+clusters out of packet secondary zone in use (current/cache)
0/5/5/12800 4k (page size) jumbo clusters in use (current/cache/total/max)
0/0/0/6400 9k jumbo clusters in use (current/cache/total/max)
0/0/0/3200 16k jumbo clusters in use (current/cache/total/max)
1152K/1324K/2476K bytes allocated to network (current/cache/total)
0/0/0 requests for mbufs denied (mbufs/clusters/mbuf+clusters)
0/0/0 requests for jumbo clusters denied (4k/9k/16k)
0/5/6656 sfbufs in use (current/peak/max)
0 requests for sfbufs denied
0 requests for sfbufs delayed
0 requests for I/O initiated by sendfile
0 calls to protocol drain routines

mapped  in  183625863   out 126618997
added   2265807 expired 1350387
no memory   8899    bad nat 12314
inuse   13690
orphans 0
rules   49
wilds   0
hash efficiency 97.64%
bucket usage    4.46%
minimal length  0
maximal length  3
average length  1.024
TCP Entries per state
 0 1 2 3 4 5 6 7 8 9 10 11
42  223651   417  3311   348   2002320 0  3763   729

Debug info:

GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd"...

Unread portion of the kernel message buffer:


Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address= 0x4
fault code= supervisor read, page not present
instruction pointer= 0x20:0x8593c94b
stack pointer= 0x28:0x853488dc
frame pointer= 0x28:0x85348958
code segment= base 0x0, limit 0xf, type 0x1b
= DPL 0, pres 1, def32 1, gran 1
processor eflags= interrupt enabled, resume, IOPL = 0
current process= 25 (irq26: bge1)
trap number= 12
panic: page fault
cpuid = 0
Uptime: 2d0h6m24s
Physical memory: 2035 MB
Dumping 335 MB: 320 304 288 272 256 240 224 208 192 176 160 144 128  
112 96 80 64 48 32 16


Reading symbols from /boot/kernel/acpi.ko...Reading symbols from  
/boot/kernel/acpi.ko.symbols...done.

done.
Loaded symbols for /boot/kernel/acpi.ko
Reading symbols from /boot/kernel/ipl.ko...Reading symbols from  
/boot/kernel/ipl.ko.symbols...done.

done.
Loaded symbols for /boot/kernel/ipl.ko
#0  doadump () at pcpu.h:196
196        __asm __volatile("movl %%fs:0,%0" : "=r" (td));

###

#0  doadump () at pcpu.h:196
#1  0x80746017 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:418
#2  0x807462e9 in panic (fmt=Variable "fmt" is not available.
) at /usr/src/sys/kern/kern_shutdown.c:574
#3  0x8097483c in trap_fatal (frame=0x8534889c, eva=4) at  
/usr/src/sys/i386/i386/trap.c:950
#4  0x80974aa0 in trap_pfault (frame=0x8534889c, usermode=0, eva=4) at  
/usr/src/sys/i386/i386/trap.c:863

#5  0x80975459 in trap (frame=0x8534889c) at /usr/src/sys/i386/i386/trap.c:541
#6  0x8095915b in calltrap () at /usr/src/sys/i386/i386/exception.s:166
#7  0x8593c94b in nat_new (fin=0x853489c0, np=0x855ee800, natsave=0x0,  
flags=Variable "flags" is not available.
) at  
/usr/src/sys/modules/ipfilter/../../contrib/ipfilter/netinet/ip_nat.c:2577
#8  0x8593cf04 in fr_checknatout (fin=0x853489c0, passp=0x85348a6c) at  
/usr/src/sys/modules/ipfilter/../../contrib/ipfilter/netinet/ip_nat.c:3828
#9  0x85959c6c in fr_check (ip=0x873c0810, hlen=20, ifp=0x855b7400,  
out=1, mp=0x85348ab8)

at /usr/src/sys/modules/ipfilter/../../contrib/ipfilter/netinet/fil.c:2624
#10 0x859517be in fr_check_wrapper (arg=0x0, mp=0x85348ab8,  
ifp=0x855b7400, dir=2)
at  
/usr/src/sys/modules/ipfilter/../../contrib/ipfilter/netinet/ip_fil_freebsd.c:178
#11 0x807f5708 in pfil_run_hooks (ph=0x80b026e0, mp=0x85348b44,  
ifp=0x855b7400, dir=2, inp=0x0) at /usr/src/sys/net/pfil.c:78
#12 0x8080ea72 in ip_output (m=0x85b2a800, opt=0x0, ro=0x85348b7c,  
flags=1, imo=0x0, inp=0x0) at 

ipnat proxy port ftp ftp/tcp

2009-09-11 Thread alexus
I'm struggling to get my FTP to work.

I'm running a jail on my FreeBSD with proftpd, and I use ipnat to forward
any requests to my box to that jail for that service.
This is what I put inside of my ipnat.conf:

rdr bce0 64.237.55.65/27 -> lama proxy port ftp ftp/tcp

64.237.55.65/27 this is my public range
lama is my jail's name

When I get connected, I get something like this when I do ipnat -l:

RDR 64.237.55.8321<- -> 64.237.55.8321[216.203.43.254 50532]
proxy ftp/6 use -11 flags 0
proto 6 flags 0 bytes 2824 pkts 24 data YES size 344
FTP Proxy:
passok: 0
Client:
seq b4b3b64d (ack b4b3b64d) len 6 junk 0 cmds 0
buf [FEAT\015\012\012p\015\012\000]
Server:
seq 970af81b (ack 970af8dc) len 193 junk 0 cmds 211
buf [211 End\015\012e;\012 MLST 
modify*;perm*;size*;type*;unique*;UNIX\000]

And on my client I get this:

mbp:~ alexus$ ftp 64.237.55.83
Connected to 64.237.55.83.
220 64.237.55.83 FTP server ready
Name (64.237.55.83:alexus): ftp
331 Anonymous login ok, send your complete email address as your password
Password:
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.

421 Service not available, remote server timed out. Connection closed.
ftp: No control connection for command
ftp>

Can someone help me?

-- 
http://alexus.org/


Re: ipnat 911

2009-05-19 Thread alexus
On Tue, May 19, 2009 at 1:36 PM, alexus  wrote:
> I'm running a system with 2 jails
>
> host runs named
> 1st jail runs mail
> 2nd jail runs web
>
> jails need to be able to reach out to the outside world; for example, the mail
> server needs to be able to communicate with a remote server
>
> for that I decided to use ipnat; here is the rule I used
>
> map bce0 mx -> mx
>
> same goes for web
>
> but after activating these rules my host itself is not able to reach
> out to anything remote..
>
> --
> http://alexus.org/
>

the other thing is on the host, and that's after a few minutes I reload ipnat

dd# ipnat -s
mapped  in  5022790 out 4034969
added   438863  expired 424203
no memory   0   bad nat 435
inuse   1256
orphans 0
rules   13
wilds   0
hash efficiency 66.56%
bucket usage40.84%
minimal length  0
maximal length  7
average length  1.502
TCP Entries per state
 0 1 2 3 4 5 6 7 8 9 10 11
 0 0 0 0 5 1 1 0 1 05015
dd#

-- 
http://alexus.org/
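The `ipnat -s` counters pasted above are the first thing to read when NAT starts misbehaving, and the non-zero "no memory" and "bad nat" counters in the crash report earlier on this page are the kind of values a defender would alert on. As an added example (not code from the list or from ipfilter), here is a parser for that output and a few pressure checks: the healthy sample is the counter block from the post above, the second sample is a constructed one in the whitespace-stripped form the crash report was pasted in, and the thresholds are illustrative assumptions rather than documented ipfilter limits.

```python
import re
from typing import Dict, List

# Counter block copied from the "ipnat -s" output in the post above (the
# "TCP Entries per state" table is not parsed here).
SAMPLE_STATS = """\
mapped  in  5022790 out 4034969
added   438863  expired 424203
no memory   0   bad nat 435
inuse   1256
orphans 0
rules   13
wilds   0
hash efficiency 66.56%
bucket usage40.84%
minimal length  0
maximal length  7
average length  1.502
"""
# Constructed variant in the whitespace-stripped form the crash report was
# pasted in, with a non-zero "no memory" counter.
SAMPLE_GARBLED = """\
mappedin183625863out126618997
added2265807expired1350387
no memory8899bad nat12314
inuse13690
hash efficiency97.64%
bucket usage4.46%
average length1.024
"""

# Labels as ipnat -s prints them; \s* tolerates whitespace lost in copy/paste.
LABELS = [r"mapped\s*in", r"out", r"added", r"expired", r"no\s*memory",
          r"bad\s*nat", r"inuse", r"orphans", r"rules", r"wilds",
          r"hash\s*efficiency", r"bucket\s*usage", r"minimal\s*length",
          r"maximal\s*length", r"average\s*length"]
COUNTER_RE = re.compile("(" + "|".join(LABELS) + r")\s*([0-9]+(?:\.[0-9]+)?)%?")


def parse_stats(text: str) -> Dict[str, float]:
    """Map each counter (label with its whitespace removed) to its value."""
    return {re.sub(r"\s+", "", label): float(value)
            for label, value in COUNTER_RE.findall(text)}


def assess(stats: Dict[str, float], max_badnat_ratio: float = 0.01,
           max_avg_chain: float = 2.0) -> List[str]:
    """Findings that suggest NAT-table pressure. The thresholds are
    illustrative assumptions, not documented ipfilter limits."""
    findings = []
    nomem = stats.get("nomemory", 0)
    if nomem:
        findings.append(f"{int(nomem)} NAT entries could not be allocated "
                        "(no memory): table or memory exhaustion")
    added = stats.get("added", 0)
    if added and stats.get("badnat", 0) / added > max_badnat_ratio:
        findings.append(f"bad nat is {stats['badnat'] / added:.1%} of added entries")
    if stats.get("averagelength", 0) > max_avg_chain:
        findings.append(f"average hash chain length {stats['averagelength']}: "
                        "hash table too small for the entry count "
                        "(see net.inet.ipf.ipf_nattable_sz)")
    return findings


if __name__ == "__main__":
    for name, text in (("healthy", SAMPLE_STATS), ("pressured", SAMPLE_GARBLED)):
        print(name, assess(parse_stats(text)) or ["no findings"])
```

Run periodically against `ipnat -s` output, the first finding is the one that matters: a climbing "no memory" counter means new flows are being dropped before any filter rule sees them.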


ipnat 911

2009-05-19 Thread alexus
I'm running a system with 2 jails

host runs named
1st jail runs mail
2nd jail runs web

jails need to be able to reach out to the outside world; for example, the mail
server needs to be able to communicate with a remote server

for that I decided to use ipnat; here is the rule I used

map bce0 mx -> mx

same goes for web

but after activating these rules my host itself is not able to reach
out to anything remote..

-- 
http://alexus.org/


Re: ipnat port-range

2009-05-17 Thread alexus
On Sun, May 17, 2009 at 5:08 PM, Roger Olofsson <240olofs...@telia.com> wrote:
>
>
>> alexus wrote:
>>
>> 2009/5/16 Roger Olofsson <240olofs...@telia.com>:
>>>
>>> Odhiambo ワシントン wrote:
>>>>
>>>> On Wed, May 13, 2009 at 9:09 PM, alexus  wrote:
>>>>
>>>>> On Wed, May 13, 2009 at 12:58 PM, alexus  wrote:
>>>>>>
>>>>>> I need to redirect a bunch of ports, or a port range, from outside to my
>>>>>> jail
>>>>>>
>>>>>> # /etc/rc.d/ipnat reload
>>>>>> /etc/rc.d/ipnat: DEBUG: checkyesno: ipnat_enable is set to YES.
>>>>>> /etc/rc.d/ipnat: DEBUG: run_rc_command: doit: /sbin/ipnat -F -C -f
>>>>>> /etc/ipnat.rules
>>>>>> 0 entries flushed from NAT table
>>>>>> 2 entries flushed from NAT list
>>>>>> syntax error error at "port-range", line 8
>>>>>> # grep port-range /etc/ipnat.rules
>>>>>> rdr bce0 0/0 port-range 49152:65534 -> lama port-range 49152:65534 tcp
>>>>>> #
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> http://alexus.org/
>>>>>>
>>>>> that rule is wrong to begin with as rdr doesn't work with ranges; I
>>>>> guess I need to use something else..
>>>>>
>>>>> anyone done something like that? use ipnat to map range of ports? this
>>>>> is for ftp PASV
>>>>>
>>>> Looks like it's time to convert your rules into PF then start using PF.
>>>>
>>>>
>>> Dear Mailing List,
>>>
>>> Since this answer quite obviously isn't helping anyone - why can't everyone
>>> just be happy with software that actually works well on FreeBSD and
>>> disregard petty licensing differences - let us try and help instead. And if
>>> you can't help - please keep the 'noise' out of the lists.
>>>
>>> Sorry for possibly starting a flame here - what's important is to use
>>> FreeBSD and try to help to improve it. Give wise answers to people that ask
>>> - try not to tell someone to buy another car if that person wants to know
>>> how to open the door to the current one.
>>>
>>> Ipnat and FTP PASV is covered extensively in the ipfilter howto on
>>> http://www.obfuscation.org/ipf/ - this might give some pointers around using
>>> the FTP proxy in ipnat. You will need to combine this with ports allowed in
>>> ipfilter rules and also, the FTP daemon that you use will have to have the
>>> ability to control what ports to use for the data transfer. For instance, if
>>> you use pure-ftpd you will need to set the following parameter to be able to
>>> use the ports 1024-2024 for PASV data:
>>> PassivePortRange          1024 2024
>>>
>>> The ipnat rule would be something like:
>>> rdr external_interface 0.0.0.0/0 port 1024-2024 -> internal.ftp.ip port 1024 tcp
>>>
>>> And the ipfilter rule would be
>>> pass in quick on external_interface proto tcp from any to any port 1023 >< 2025 flags S keep state keep frags
>>> pass out quick on external_interface proto tcp from any port 1023 >< 2025 to any keep state
>>>
>>> With of course the ftp server port opened as well
>>> pass in quick on external_interface proto tcp from any to any port = ftp_server_port flags S keep state keep frags
>>>
>>> Good luck!
>>>
>>> /R
>>>
>>>
>>
>> I don't see how things are obvious for you, as they are not so obvious for me.
>> First of all, my ipf default policy is to allow everything.
>>
>> So the original question is for ipnat and not for ipf.
>>
>> Now for non-passive (active) I put in these rules:
>>
>> rdr bce0 0/0 port ftp-data -> lama port ftp-data tcp
>> rdr bce0 0/0 port ftp -> lama port ftp tcp
>>
>> and for PASV I still don't know what to do.
>>
>> I've tried
>>
>> rdr bce0 0/0 port 49152-65534 -> lama port 65534
>>
>> and in my FTP I said that this is the range for PASV connections,
>>
>> yet I'm able to make a connection (but that goes through ftp/tcp(21))
>> and whenever I enter into PASV it stops working...
>>
>>
>>
>
> Hi Alexus,
>
> You need to RDR the ports that the ftp protocol uses for the DATA transfer in
> PASV mode. You can find information about this at Wikipedia ->
> http://en.wikipedia.org/wiki/File_Transfer_Protocol or by reading the FTP
> RFC.
>
> RDR is ipnat - the line goes into the ipnat configuration file.
>
> Good luck!
>
> /R
>
>

Thanks, I'm aware of what needs to be done ;-) the question is "how"...

-- 
http://alexus.org/


Re: ipnat port-range

2009-05-17 Thread alexus
2009/5/17 Patrick Lamaizière :
> On Sun, 17 May 2009 16:16:51 -0400,
> alexus :
>
>> I don't see how things are obvious for you, as they are not so obvious for
>> me. First of all, my ipf default policy is to allow everything.
>>
>> So the original question is for ipnat and not for ipf.
>>
>> Now for non-passive (active) I put in these rules:
>>
>> rdr bce0 0/0 port ftp-data -> lama port ftp-data tcp
>> rdr bce0 0/0 port ftp -> lama port ftp tcp
>>
>> and for PASV I still don't know what to do.
>>
>> I've tried
>>
>> rdr bce0 0/0 port 49152-65534 -> lama port 65534
>>
>> and in my FTP I said that this is the range for PASV connections
>
> I don't think there is a way to redirect a port range to a port
> range with ipnat. For my ftp server I redirect each port (I use 3
> to 30039 for FTP) with a rule:
> rdr vr0 0.0.0.0/0 port 21 -> 192.168.1.4 port 21
> rdr vr0 0.0.0.0/0 port 3 -> 192.168.1.4 port 3
> rdr vr0 0.0.0.0/0 port 30001 -> 192.168.1.4 port 30001
> ...
> rdr vr0 0.0.0.0/0 port 30038 -> 192.168.1.4 port 30038
> rdr vr0 0.0.0.0/0 port 30039 -> 192.168.1.4 port 30039
>
> For ipnat see
> http://www.westworks.ch/~chris/netbsd/NetBSD-NAT-FTP-server.html
>
> Regards.
>

I've spoken with Chris; he suggests I use

rdr bce0 0/0 port 49152-65534 -> lama port 49152 tcp

or use openbsd's pf with

rdr on bce0 proto tcp from any to any port 49152:65534 -> lama port 49152:*

For now I'm still testing; I was able to get where I want with

rdr bce0 0/0 -> lama proxy port ftp ftp/tcp

So far it seems to be working... if not, I'll try Chris's suggestion.

-- 
http://alexus.org/
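The rdr forms that come up in this thread and in the earlier "ipnat proxy port ftp ftp/tcp" post (a single port, a port range redirected onto a base port, and the application FTP proxy) can be checked offline with a small rule parser and translation simulator. This is an added example, not code from the list or from ipfilter: the jail address for "lama", the service table and the sample rules are constructed, and the range mapping implements the offset-preserving behaviour that the suggested "port 49152-65534 -> lama port 49152 tcp" rule relies on, which is an assumption about ipnat's rdr semantics to confirm against ipnat(5) on your release.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample rules in the thread's rdr syntax; "lama" stands in for
# the jail and its address below is a placeholder, not taken from the posts.
SAMPLE_RULES = [
    "rdr bce0 0/0 port ftp -> lama port ftp tcp",
    "rdr bce0 0/0 port 49152-65534 -> lama port 49152 tcp",  # PASV data range
]
PROXY_RULE = "rdr bce0 0/0 -> lama proxy port ftp ftp/tcp"
HOSTS = {"lama": "10.0.0.2"}            # constructed jail name -> address
SERVICES = {"ftp": 21, "ftp-data": 20}  # service names used in the thread

@dataclass
class RdrRule:
    ifname: str
    match_net: ipaddress.IPv4Network  # original destination address(es)
    lo: Optional[int]                 # original destination port range
    hi: Optional[int]
    dst: str                          # new destination host
    dport: Optional[int]              # new base port (or the proxied port)
    proto: Optional[str]
    proxy: Optional[str]              # application proxy name, e.g. "ftp"

def port_number(tok: str) -> int:
    if tok in SERVICES:
        return SERVICES[tok]
    if tok.isdigit() and int(tok) <= 65535:
        return int(tok)
    raise ValueError(f'bad port "{tok}"')

def parse_portspec(tok: str) -> Tuple[int, int]:
    """'ftp', '21' or '49152-65534' -> (lo, hi); service names win over '-'."""
    if "-" in tok and tok not in SERVICES:
        lo, hi = (port_number(p) for p in tok.split("-", 1))
        if lo > hi:
            raise ValueError(f'inverted port range "{tok}"')
        return lo, hi
    return port_number(tok), port_number(tok)

def parse_net(tok: str) -> ipaddress.IPv4Network:
    addr, _, plen = tok.partition("/")
    addr = "0.0.0.0" if addr == "0" else addr  # ipnat shorthand: 0/0
    return ipaddress.ip_network(f"{addr}/{plen or 32}", strict=False)

def parse_rule(line: str) -> RdrRule:
    t = line.split("#", 1)[0].split()
    def at(k: int) -> str:
        return t[k] if k < len(t) else ""
    if len(t) < 5 or t[0] != "rdr":
        raise ValueError(f'syntax error at "{line.strip()}"')
    ifname, net, i, lo, hi = t[1], parse_net(t[2]), 3, None, None
    if at(i) == "port":
        lo, hi = parse_portspec(at(i + 1))
        i += 2
    if at(i) != "->":  # ipnat has no "port-range" keyword: the post's error
        raise ValueError(f'syntax error at "{at(i)}"')
    dst, rest = at(i + 1), t[i + 2:]
    if rest[:2] == ["proxy", "port"] and len(rest) == 4 and "/" in rest[3]:
        name, _, proto = rest[3].partition("/")
        return RdrRule(ifname, net, lo, hi, dst, port_number(rest[2]), proto, name)
    if rest[:1] == ["port"]:
        if len(rest) != 3:
            raise ValueError("port redirect needs a protocol (tcp, udp or tcp/udp)")
        return RdrRule(ifname, net, lo, hi, dst, port_number(rest[1]), rest[2], None)
    if rest:
        raise ValueError(f'syntax error at "{rest[0]}"')
    return RdrRule(ifname, net, lo, hi, dst, None, None, None)

def lint(line: str) -> Optional[str]:
    """Error text for a rule this parser rejects, None if it parses."""
    try:
        parse_rule(line)
    except ValueError as e:
        return str(e)
    return None

def translate(rules: List[RdrRule], ifname: str, dst_ip: str, dst_port: int,
              proto: str = "tcp") -> Optional[Tuple[str, int]]:
    """First-match rewrite of an inbound packet's destination, or None."""
    for r in rules:
        if r.ifname != ifname or ipaddress.ip_address(dst_ip) not in r.match_net:
            continue
        if r.proto not in (None, proto, "tcp/udp"):
            continue
        if r.proxy is not None:
            # The proxy takes over only the control port; it then watches the
            # PORT/PASV exchange and creates the data-connection mappings itself.
            if dst_port != r.dport:
                continue
            return HOSTS.get(r.dst, r.dst), r.dport
        if r.lo is not None and not r.lo <= dst_port <= r.hi:
            continue
        if r.dport is None:
            return HOSTS.get(r.dst, r.dst), dst_port
        # A redirected range keeps its offset from the base port on the right:
        # 49152-65534 -> port 49152 leaves every PASV port number unchanged.
        offset = dst_port - r.lo if r.lo is not None else 0
        return HOSTS.get(r.dst, r.dst), r.dport + offset
    return None

if __name__ == "__main__":
    rules = [parse_rule(r) for r in SAMPLE_RULES]
    for port in (21, 50000, 22):
        print(port, "->", translate(rules, "bce0", "64.237.55.83", port))
    print(lint("rdr bce0 0/0 port-range 49152:65534 -> lama port-range 49152:65534 tcp"))
```

Running the block prints the rewrite for ports 21, 50000 and 22 and the ipnat-style error for the invented "port-range" keyword. `translate()` is first-match, which is why the proxy form is kept in its own rule list here rather than appended after the plain port 21 redirect.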


Re: ipnat port-range

2009-05-17 Thread Roger Olofsson



alexus wrote:

2009/5/16 Roger Olofsson <240olofs...@telia.com>:


Odhiambo ワシントン wrote:

On Wed, May 13, 2009 at 9:09 PM, alexus  wrote:


On Wed, May 13, 2009 at 12:58 PM, alexus  wrote:

I need to redirect a bunch of ports, or a port range, from outside to my jail

# /etc/rc.d/ipnat reload
/etc/rc.d/ipnat: DEBUG: checkyesno: ipnat_enable is set to YES.
/etc/rc.d/ipnat: DEBUG: run_rc_command: doit: /sbin/ipnat -F -C -f
/etc/ipnat.rules
0 entries flushed from NAT table
2 entries flushed from NAT list
syntax error error at "port-range", line 8
# grep port-range /etc/ipnat.rules
rdr bce0 0/0 port-range 49152:65534 -> lama port-range 49152:65534 tcp
#



--
http://alexus.org/


that rule is wrong to begin with as rdr doesn't work with ranges; I
guess I need to use something else..

anyone done something like that? use ipnat to map range of ports? this
is for ftp PASV


Looks like it's time to convert your rules into PF then start using PF.



Dear Mailing List,

Since this answer quite obviously isn't helping anyone - why can't everyone
just be happy with software that actually works well on FreeBSD and
disregard petty licensing differences - let us try and help instead. And if
you can't help - please keep the 'noise' out of the lists.

Sorry for possibly starting a flame here - what's important is to use
FreeBSD and try to help to improve it. Give wise answers to people that ask
- try not to tell someone to buy another car if that person wants to know
how to open the door to the current one.

Ipnat and FTP PASV is covered extensively in the ipfilter howto on
http://www.obfuscation.org/ipf/ - this might give some pointers around using
the FTP proxy in ipnat. You will need to combine this with ports allowed in
ipfilter rules and also, the FTP daemon that you use will have to have the
ability to control what ports to use for the data transfer. For instance, if
you use pure-ftpd you will need to set the following parameter to be able to
use the ports 1024-2024 for PASV data:
PassivePortRange  1024 2024

The ipnat rule would be something like:
rdr external_interface 0.0.0.0/0 port 1024-2024 -> internal.ftp.ip port 1024 tcp

And the ipfilter rule would be
pass in quick on external_interface proto tcp from any to any port 1023 >< 2025 flags S keep state keep frags
pass out quick on external_interface proto tcp from any port 1023 >< 2025 to any keep state

With of course the ftp server port opened as well
pass in quick on external_interface proto tcp from any to any port = ftp_server_port flags S keep state keep frags

Good luck!

/R




I don't see how things are obvious for you, as they are not so obvious for me.
First of all, my ipf default policy is to allow everything.

So the original question is for ipnat and not for ipf.

Now for non-passive (active) I put in these rules:

rdr bce0 0/0 port ftp-data -> lama port ftp-data tcp
rdr bce0 0/0 port ftp -> lama port ftp tcp

and for PASV I still don't know what to do.

I've tried

rdr bce0 0/0 port 49152-65534 -> lama port 65534

and in my FTP I said that this is the range for PASV connections,

yet I'm able to make a connection (but that goes through ftp/tcp(21))
and whenever I enter into PASV it stops working...





Hi Alexus,

You need to RDR the ports that the ftp protocol uses for the DATA
transfer in PASV mode. You can find information about this at Wikipedia
-> http://en.wikipedia.org/wiki/File_Transfer_Protocol or by reading the
FTP RFC.


RDR is ipnat - the line goes into the ipnat configuration file.

Good luck!

/R



Re: ipnat port-range

2009-05-17 Thread Patrick Lamaizière
On Sun, 17 May 2009 16:16:51 -0400,
alexus :

> I don't see how things are obvious for you, as they are not so obvious for
> me. First of all, my ipf default policy is to allow everything.
> 
> So the original question is for ipnat and not for ipf.
> 
> Now for non-passive (active) I put in these rules:
> 
> rdr bce0 0/0 port ftp-data -> lama port ftp-data tcp
> rdr bce0 0/0 port ftp -> lama port ftp tcp
> 
> and for PASV I still don't know what to do.
> 
> I've tried
> 
> rdr bce0 0/0 port 49152-65534 -> lama port 65534
> 
> and in my FTP I said that this is the range for PASV connections

I don't think there is a way to redirect a port range to a port
range with ipnat. For my ftp server I redirect each port (I use 3
to 30039 for FTP) with a rule:
rdr vr0 0.0.0.0/0 port 21 -> 192.168.1.4 port 21
rdr vr0 0.0.0.0/0 port 3 -> 192.168.1.4 port 3
rdr vr0 0.0.0.0/0 port 30001 -> 192.168.1.4 port 30001
...
rdr vr0 0.0.0.0/0 port 30038 -> 192.168.1.4 port 30038
rdr vr0 0.0.0.0/0 port 30039 -> 192.168.1.4 port 30039

For ipnat see
http://www.westworks.ch/~chris/netbsd/NetBSD-NAT-FTP-server.html

Regards.


Re: ipnat port-range

2009-05-17 Thread alexus
2009/5/16 Roger Olofsson <240olofs...@telia.com>:
>
>
> Odhiambo ワシントン wrote:
>>
>> On Wed, May 13, 2009 at 9:09 PM, alexus  wrote:
>>
>>> On Wed, May 13, 2009 at 12:58 PM, alexus  wrote:
>>>>
>>>> I need to redirect a bunch of ports, or a port range, from outside to my jail
>>>>
>>>> # /etc/rc.d/ipnat reload
>>>> /etc/rc.d/ipnat: DEBUG: checkyesno: ipnat_enable is set to YES.
>>>> /etc/rc.d/ipnat: DEBUG: run_rc_command: doit: /sbin/ipnat -F -C -f
>>>> /etc/ipnat.rules
>>>> 0 entries flushed from NAT table
>>>> 2 entries flushed from NAT list
>>>> syntax error error at "port-range", line 8
>>>> # grep port-range /etc/ipnat.rules
>>>> rdr bce0 0/0 port-range 49152:65534 -> lama port-range 49152:65534 tcp
>>>> #
>>>>
>>>>
>>>>
>>>> --
>>>> http://alexus.org/
>>>>
>>> that rule is wrong to begin with as rdr doesn't work with ranges; I
>>> guess I need to use something else..
>>>
>>> anyone done something like that? use ipnat to map range of ports? this
>>> is for ftp PASV
>>>
>>
>> Looks like it's time to convert your rules into PF then start using PF.
>>
>>
>
> Dear Mailing List,
>
> Since this answer quite obviously isn't helping anyone - why can't everyone
> just be happy with software that actually works well on FreeBSD and
> disregard petty licensing differences - let us try and help instead. And if
> you can't help - please keep the 'noise' out of the lists.
>
> Sorry for possibly starting a flame here - what's important is to use
> FreeBSD and try to help to improve it. Give wise answers to people that ask
> - try not to tell someone to buy another car if that person wants to know
> how to open the door to the current one.
>
> Ipnat and FTP PASV is covered extensively in the ipfilter howto on
> http://www.obfuscation.org/ipf/ - this might give some pointers around using
> the FTP proxy in ipnat. You will need to combine this with ports allowed in
> ipfilter rules and also, the FTP daemon that you use will have to have the
> ability to control what ports to use for the data transfer. For instance, if
> you use pure-ftpd you will need to set the following parameter to be able to
> use the ports 1024-2024 for PASV data:
> PassivePortRange          1024 2024
>
> The ipnat rule would be something like:
> rdr external_interface 0.0.0.0/0 port 1024-2024 -> internal.ftp.ip port 1024 tcp
>
> And the ipfilter rule would be
> pass in quick on external_interface proto tcp from any to any port 1023 >< 2025 flags S keep state keep frags
> pass out quick on external_interface proto tcp from any port 1023 >< 2025 to any keep state
>
> With of course the ftp server port opened as well
> pass in quick on external_interface proto tcp from any to any port = ftp_server_port flags S keep state keep frags
>
> Good luck!
>
> /R
>
>

I don't see how things are obvious to you, as they are not so obvious to me.
First of all, my ipf default policy is to allow everything.

so the original question is for ipnat and not for ipf

now for non-passive (active) I put in these rules

rdr bce0 0/0 port ftp-data -> lama port ftp-data tcp
rdr bce0 0/0 port ftp -> lama port ftp tcp

and for PASV I still don't know what to do

I've tried

rdr bce0 0/0 port 49152-65534 -> lama port 65534

and in my ftp I said that this is the range for PASV connections

yet I'm able to make a connection (but that goes through ftp/tcp(21)),
and whenever I enter PASV it stops working...



-- 
http://alexus.org/
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"


Re: ipnat port-range

2009-05-16 Thread Roger Olofsson



Odhiambo ワシントン wrote:

On Wed, May 13, 2009 at 9:09 PM, alexus  wrote:


On Wed, May 13, 2009 at 12:58 PM, alexus  wrote:

i need to redirect bunch of ports, or port-range from outside to my jail

# /etc/rc.d/ipnat reload
/etc/rc.d/ipnat: DEBUG: checkyesno: ipnat_enable is set to YES.
/etc/rc.d/ipnat: DEBUG: run_rc_command: doit: /sbin/ipnat -F -C -f
/etc/ipnat.rules
0 entries flushed from NAT table
2 entries flushed from NAT list
syntax error error at "port-range", line 8
# grep port-range /etc/ipnat.rules
rdr bce0 0/0 port-range 49152:65534 -> lama port-range 49152:65534 tcp
#



--
http://alexus.org/


that rule is wrong to begin with as rdr doesn't work with ranges, i
guess I need to use something else..

anyone done something like that? use ipnat to map range of ports? this
is for ftp PASV



Looks like it's time to convert your rules into PF then start using PF.




Dear Mailing List,

Since this answer quite obviously isn't helping anyone - why can't
everyone just be happy with software that actually works well on FreeBSD
and disregard petty licensing differences - let us try and help
instead. And if you can't help - please keep the 'noise' out of the lists.


Sorry for possibly starting a flame here - what's important is to use 
FreeBSD and try to help to improve it. Give wise answers to people that 
ask - try not to tell someone to buy another car if that person wants to 
know how to open the door to the current one.


Ipnat and FTP PASV is covered extensively in the ipfilter howto on 
http://www.obfuscation.org/ipf/ - this might give some pointers around 
using the FTP proxy in ipnat. You will need to combine this with ports 
allowed in ipfilter rules and also, the FTP daemon that you use will 
have to have the ability to control what ports to use for the data 
transfer. For instance, if you use pure-ftpd you will need to set the 
following parameter to be able to use the ports 1024-2024 for PASV data:

PassivePortRange  1024 2024

The ipnat rule would be something like:
rdr external_interface 0.0.0.0/0 port 1024-2024 -> internal.ftp.ip port 1024 tcp


And the ipfilter rule would be
pass in quick on external_interface proto tcp from any to any port 1023 >< 2025 flags S keep state keep frags
pass out quick on external_interface proto tcp from any port 1023 >< 2025 to any keep state


With of course the ftp server port opened as well
pass in quick on external_interface proto tcp from any to any port = ftp_server_port flags S keep state keep frags


Good luck!

/R

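To pull Roger's pieces together, here is an added example of a working configuration for alexus's setup (interface bce0, jail lama). It is not a rule set posted in this thread. The passive range 50000-50099, the public address 203.0.113.10 (a documentation address) and the pure-ftpd ForcePassiveIP setting are assumptions; the narrower range is deliberate, since redirecting all of 49152-65534 through the gateway exposes far more than the FTP server needs.

```conf
# /etc/ipnat.rules   (added example; not from the thread)

# What was tried: ipnat has no "port-range" keyword, so the parser stops
# at the first such rule ("syntax error error at "port-range", line 8").
#   rdr bce0 0/0 port-range 49152:65534 -> lama port-range 49152:65534 tcp

# Control connection to the jail.
rdr bce0 0/0 port ftp -> lama port ftp tcp

# Passive data connections. The left side takes a low-high range; the
# right side names only the first port of the target range and ipnat
# keeps the same offset (50000 -> 50000, 50001 -> 50001, ...). Pointing
# the right side at the end of the range, as "-> lama port 65534" did,
# shifts every port and runs off the end of the port space after two ports.
rdr bce0 0/0 port 50000-50099 -> lama port 50000 tcp

# /etc/ipf.rules   (only needed where the default policy is not "pass";
# ipf sees the packet after the redirect, so "to any" covers the jail)
pass in quick on bce0 proto tcp from any to any port = ftp flags S keep state keep frags
pass in quick on bce0 proto tcp from any to any port 49999 >< 50100 flags S keep state keep frags

# pure-ftpd.conf inside the jail: advertise the same range, and the public
# address rather than the jail's own, in the PASV reply (assumed settings).
PassivePortRange   50000 50099
ForcePassiveIP     203.0.113.10
```

The two ranges must line up exactly: if the daemon advertises a port the rdr does not cover, or the rdr shifts it, the client's data connection goes nowhere, which is the "stops working once I enter PASV" symptom.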


Re: ipnat port-range

2009-05-14 Thread Bernt Hansson

alexus said the following on 2009-05-13 20:09:

On Wed, May 13, 2009 at 12:58 PM, alexus  wrote:

i need to redirect bunch of ports, or port-range from outside to my jail

# /etc/rc.d/ipnat reload
/etc/rc.d/ipnat: DEBUG: checkyesno: ipnat_enable is set to YES.
/etc/rc.d/ipnat: DEBUG: run_rc_command: doit: /sbin/ipnat -F -C -f
/etc/ipnat.rules
0 entries flushed from NAT table
2 entries flushed from NAT list
syntax error error at "port-range", line 8
# grep port-range /etc/ipnat.rules
rdr bce0 0/0 port-range 49152:65534 -> lama port-range 49152:65534 tcp
#




that rule is wrong to begin with as rdr doesn't work with ranges, i
guess I need to use something else..

anyone done something like that? use ipnat to map range of ports? this
is for ftp PASV



Have you tried this?

# $FreeBSD: src/share/examples/ipfilter/ipnat.conf.sample,v 1.1.34.1 2008/11/25 02:59:29 kensmith Exp $

map ed1 192.168.0.0/24 -> 192.168.1.110/32 portmap tcp/udp 4:65000
map ed1 192.168.0.0/24 -> 192.168.1.110/32


Re: ipnat port-range

2009-05-14 Thread Odhiambo ワシントン
2009/5/14 alexus 

> 2009/5/14 Odhiambo  ワシントン :
> >
> >
> > On Wed, May 13, 2009 at 9:09 PM, alexus  wrote:
> >>
> >> On Wed, May 13, 2009 at 12:58 PM, alexus  wrote:
> >> > i need to redirect bunch of ports, or port-range from outside to my
> jail
> >> >
> >> > # /etc/rc.d/ipnat reload
> >> > /etc/rc.d/ipnat: DEBUG: checkyesno: ipnat_enable is set to YES.
> >> > /etc/rc.d/ipnat: DEBUG: run_rc_command: doit: /sbin/ipnat -F -C -f
> >> > /etc/ipnat.rules
> >> > 0 entries flushed from NAT table
> >> > 2 entries flushed from NAT list
> >> > syntax error error at "port-range", line 8
> >> > # grep port-range /etc/ipnat.rules
> >> > rdr bce0 0/0 port-range 49152:65534 -> lama port-range 49152:65534 tcp
> >> > #
> >> >
> >> >
> >> >
> >> > --
> >> > http://alexus.org/
> >> >
> >>
> >> that rule is wrong to begin with as rdr doesn't work with ranges, i
> >> guess I need to use something else..
> >>
> >> anyone done something like that? use ipnat to map range of ports? this
> >> is for ftp PASV
> >
> >
> > Looks like it's time to convert your rules into PF then start using PF.
> >
> >
> > --
> > Best regards,
> > Odhiambo WASHINGTON,
> > Nairobi,KE
> > +254733744121/+254722743223
> > _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
> > "Clothes make the man.  Naked people have little or no influence on
> > society."
> >   -- Mark Twain
> >
>
> I'm pretty sure people have asked that in the past
>
> but I guess what's the pros and cons of one vs another; we have 3 candidates
>
> ipfw - FreeBSD
> ipf
> pf - OpenBSD
>
> and why not all of 'em at once? :) bit of a hassle to maintain, but it
> seems like ipf can't do what I need, yet pf can
> ipfw I can limit traffic; I don't know if ipf or pf can .. it seems like
> they all have something that the other can't
>

They can co-exist when you know what you are doing, yes:)
AFAIK, PF should have all that IPFW can do.


-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254733744121/+254722743223
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
"Clothes make the man.  Naked people have little or no influence on
society."
  -- Mark Twain


Re: ipnat port-range

2009-05-14 Thread alexus
2009/5/14 Odhiambo  ワシントン :
>
>
> On Wed, May 13, 2009 at 9:09 PM, alexus  wrote:
>>
>> On Wed, May 13, 2009 at 12:58 PM, alexus  wrote:
>> > i need to redirect bunch of ports, or port-range from outside to my jail
>> >
>> > # /etc/rc.d/ipnat reload
>> > /etc/rc.d/ipnat: DEBUG: checkyesno: ipnat_enable is set to YES.
>> > /etc/rc.d/ipnat: DEBUG: run_rc_command: doit: /sbin/ipnat -F -C -f
>> > /etc/ipnat.rules
>> > 0 entries flushed from NAT table
>> > 2 entries flushed from NAT list
>> > syntax error error at "port-range", line 8
>> > # grep port-range /etc/ipnat.rules
>> > rdr bce0 0/0 port-range 49152:65534 -> lama port-range 49152:65534 tcp
>> > #
>> >
>> >
>> >
>> > --
>> > http://alexus.org/
>> >
>>
>> that rule is wrong to begin with as rdr doesn't work with ranges, i
>> guess I need to use something else..
>>
>> anyone done something like that? use ipnat to map range of ports? this
>> is for ftp PASV
>
>
> Looks like it's time to convert your rules into PF then start using PF.
>
>
> --
> Best regards,
> Odhiambo WASHINGTON,
> Nairobi,KE
> +254733744121/+254722743223
> _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
> "Clothes make the man.  Naked people have little or no influence on
> society."
>               -- Mark Twain
>

I'm pretty sure people have asked that in the past

but I guess what's the pros and cons of one vs another; we have 3 candidates

ipfw - FreeBSD
ipf
pf - OpenBSD

and why not all of 'em at once? :) bit of a hassle to maintain, but it
seems like ipf can't do what I need, yet pf can
ipfw I can limit traffic; I don't know if ipf or pf can .. it seems like
they all have something that the other can't

-- 
http://alexus.org/


Re: ipnat port-range

2009-05-13 Thread Odhiambo ワシントン
On Wed, May 13, 2009 at 9:09 PM, alexus  wrote:

> On Wed, May 13, 2009 at 12:58 PM, alexus  wrote:
> > i need to redirect bunch of ports, or port-range from outside to my jail
> >
> > # /etc/rc.d/ipnat reload
> > /etc/rc.d/ipnat: DEBUG: checkyesno: ipnat_enable is set to YES.
> > /etc/rc.d/ipnat: DEBUG: run_rc_command: doit: /sbin/ipnat -F -C -f
> > /etc/ipnat.rules
> > 0 entries flushed from NAT table
> > 2 entries flushed from NAT list
> > syntax error error at "port-range", line 8
> > # grep port-range /etc/ipnat.rules
> > rdr bce0 0/0 port-range 49152:65534 -> lama port-range 49152:65534 tcp
> > #
> >
> >
> >
> > --
> > http://alexus.org/
> >
>
> that rule is wrong to begin with as rdr doesn't work with ranges, i
> guess I need to use something else..
>
> anyone done something like that? use ipnat to map range of ports? this
> is for ftp PASV
>

Looks like it's time to convert your rules into PF then start using PF.


-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254733744121/+254722743223
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
"Clothes make the man.  Naked people have little or no influence on
society."
  -- Mark Twain


Re: ipnat port-range

2009-05-13 Thread alexus
On Wed, May 13, 2009 at 12:58 PM, alexus  wrote:
> i need to redirect bunch of ports, or port-range from outside to my jail
>
> # /etc/rc.d/ipnat reload
> /etc/rc.d/ipnat: DEBUG: checkyesno: ipnat_enable is set to YES.
> /etc/rc.d/ipnat: DEBUG: run_rc_command: doit: /sbin/ipnat -F -C -f
> /etc/ipnat.rules
> 0 entries flushed from NAT table
> 2 entries flushed from NAT list
> syntax error error at "port-range", line 8
> # grep port-range /etc/ipnat.rules
> rdr bce0 0/0 port-range 49152:65534 -> lama port-range 49152:65534 tcp
> #
>
>
>
> --
> http://alexus.org/
>

that rule is wrong to begin with as rdr doesn't work with ranges, i
guess I need to use something else..

anyone done something like that? use ipnat to map range of ports? this
is for ftp PASV

-- 
http://alexus.org/


ipnat port-range

2009-05-13 Thread alexus
i need to redirect bunch of ports, or port-range from outside to my jail

# /etc/rc.d/ipnat reload
/etc/rc.d/ipnat: DEBUG: checkyesno: ipnat_enable is set to YES.
/etc/rc.d/ipnat: DEBUG: run_rc_command: doit: /sbin/ipnat -F -C -f
/etc/ipnat.rules
0 entries flushed from NAT table
2 entries flushed from NAT list
syntax error error at "port-range", line 8
# grep port-range /etc/ipnat.rules
rdr bce0 0/0 port-range 49152:65534 -> lama port-range 49152:65534 tcp
#



-- 
http://alexus.org/


RE: ipnat dmz/internal network issue

2009-04-14 Thread Gary Gatten


-Original Message-
From: owner-freebsd-questi...@freebsd.org
[mailto:owner-freebsd-questi...@freebsd.org] On Behalf Of Steve Krawcke
Sent: Tuesday, April 14, 2009 12:08 PM
To: mail.list freebsd-questions
Subject: ipnat dmz/internal network issue

I have a gateway set up using FreeBSD 7.1

gateway% uname -a
FreeBSD gateway.latcha.com 7.1-RELEASE-p2 FreeBSD 7.1-RELEASE-p2 #0: Wed Feb  4 20:27:06 EST 2009 r...@gateway3.latcha.com:/usr/obj/usr/src/sys/GATEWAY  amd64

I have 1 external nic , and 2 internal, one for a DMZ and one for the  
rest of the network

em0 is my external, em1 is my internal and em2 is my DMZ

I am using ipf and ipnat to get access to the internet, but I am  
having an issue.

I am able to get to the internet via nat on both em1 and em2.
I am able to get port/IP redirection working from em0 -> em2
I can access the address space from em1 <-> em2
But if I go to one of the redirected IPs from em1 -> em0 -> em2 it  
fails.

here are my ipnat rules

map em1 from 10.75.0.1/24 to 10.73.0.1/16 -> 0/0
map em1 from 65.173.238.2/32 to 10.73.0.1/16 -> 0/0
map em0 from 10.73.0.1/16 to any -> 65.173.238.2/32 portmap tcp/udp auto
map em0 from 10.75.0.1/24 to any -> 65.173.238.2/32 portmap tcp/udp auto

rdr em0 from any to 65.173.238.27/32 port = 80 -> 10.75.0.29 port 80 tcp
rdr em0 from any to 65.173.238.30/32 port = 80 -> 10.75.0.30 port 80 tcp
rdr em0 from any to 65.173.238.29/32 port = 80 -> 10.75.0.26 port 80 tcp

for now I have the firewall rules disabled, until I get this working,  
so I know it isn't a firewall issue.
Any help would be appreciated.

Steve K


You want to get to a "public" address that really exists on your DMZ
from your private LAN?  Why not connect to the DMZ addresses directly?
What you're trying to do is probably possible, but tricky in some cases
and not possible with some/many commercial firewalls.  I'll have to read
this a few more times and draw a pretty picture



ipnat dmz/internal network issue

2009-04-14 Thread Steve Krawcke

I have a gateway set up using FreeBSD 7.1

gateway% uname -a
FreeBSD gateway.latcha.com 7.1-RELEASE-p2 FreeBSD 7.1-RELEASE-p2 #0: Wed Feb  4 20:27:06 EST 2009 r...@gateway3.latcha.com:/usr/obj/usr/src/sys/GATEWAY  amd64


I have 1 external nic , and 2 internal, one for a DMZ and one for the  
rest of the network


em0 is my external, em1 is my internal and em2 is my DMZ

I am using ipf and ipnat to get access to the internet, but I am  
having an issue.


I am able to get to the internet via nat on both em1 and em2.
I am able to get port/IP redirection working from em0 -> em2
I can access the address space from em1 <-> em2
But if I go to one of the redirected IPs from em1 -> em0 -> em2 it  
fails.


here are my ipnat rules

map em1 from 10.75.0.1/24 to 10.73.0.1/16 -> 0/0
map em1 from 65.173.238.2/32 to 10.73.0.1/16 -> 0/0
map em0 from 10.73.0.1/16 to any -> 65.173.238.2/32 portmap tcp/udp auto
map em0 from 10.75.0.1/24 to any -> 65.173.238.2/32 portmap tcp/udp auto


rdr em0 from any to 65.173.238.27/32 port = 80 -> 10.75.0.29 port 80 tcp
rdr em0 from any to 65.173.238.30/32 port = 80 -> 10.75.0.30 port 80 tcp
rdr em0 from any to 65.173.238.29/32 port = 80 -> 10.75.0.26 port 80 tcp

for now I have the firewall rules disabled, until I get this working,  
so I know it isn't a firewall issue.

Any help would be appreciated.

Steve K



Re: problem redirecting with ipnat

2009-04-02 Thread David Banning

Thanks, Roger - I am not sure what the difference is between those two.
Your solutions worked. Thanks -



David Banning wrote:

I am attempting to route local and external traffic to a second machine
on port 85 to apache.
The redirection works for external traffic coming in but I cannot seem
to redirect local traffic to the secondary machine.

Here are my ipnat rules;

rdr fxp0 0/0 port 85 -> 192.168.1.10 port 85
rdr tun0 0/0 port 85 -> 192.168.1.10 port 85
rdr dc0 0/0 port 80 -> 192.168.1.1 port 8180

where 192.168.1.1 is the local machine and 192.168.1.10 is the 
secondary machine


the third ipnat entry simply redirects all outgoing browser traffic 
to squid/dansguardian


Here is my ifconfig;

[r...@3s1 /etc]# ifconfig
fxp0: flags=8843 mtu 1500
        options=8
        inet 209.161.205.12 netmask 0xffffff00 broadcast 209.161.205.255
        ether 00:0d:60:09:fc:6e
        media: Ethernet autoselect (10baseT/UTP)
        status: active
dc0: flags=8843 mtu 1500
        options=8
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
        ether 00:20:78:0e:13:d6
        media: Ethernet autoselect (10baseT/UTP)
        status: active
plip0: flags=108810 mtu 1500
lo0: flags=8049 mtu 16384
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
tun0: flags=8051 mtu 1492
        inet 209.161.205.12 --> 207.136.64.7 netmask 0xffffffff
        Opened by PID 356

[r...@3s1 /etc]#

Externally, simply http://3s1.com:85

works but will not work locally - wondering if anyone could provide 
direction

here.





Hello David,

It looks like you are trying to port forward using a NAT tool(?) May I 
suggest that you use a port forward tool instead? Try portfwd-0.29 
from ports.


/R




Re: problem redirecting with ipnat

2009-04-02 Thread Roger Olofsson



David Banning wrote:

I am attempting to route local and external traffic to a second machine
on port 85 to apache. 


The redirection works for external traffic coming in but I cannot seem
to redirect local traffic to the secondary machine.

Here are my ipnat rules;

rdr fxp0 0/0 port 85 -> 192.168.1.10 port 85
rdr tun0 0/0 port 85 -> 192.168.1.10 port 85
rdr dc0 0/0 port 80 -> 192.168.1.1 port 8180

where 192.168.1.1 is the local machine and 192.168.1.10 is the 
secondary machine


the third ipnat entry simply redirects all outgoing browser traffic to 
squid/dansguardian


Here is my ifconfig;

[r...@3s1 /etc]# ifconfig
fxp0: flags=8843 mtu 1500
        options=8
        inet 209.161.205.12 netmask 0xffffff00 broadcast 209.161.205.255
        ether 00:0d:60:09:fc:6e
        media: Ethernet autoselect (10baseT/UTP)
        status: active
dc0: flags=8843 mtu 1500
        options=8
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
        ether 00:20:78:0e:13:d6
        media: Ethernet autoselect (10baseT/UTP)
        status: active
plip0: flags=108810 mtu 1500
lo0: flags=8049 mtu 16384
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
tun0: flags=8051 mtu 1492
        inet 209.161.205.12 --> 207.136.64.7 netmask 0xffffffff
        Opened by PID 356

[r...@3s1 /etc]#

Externally, simply http://3s1.com:85

works but will not work locally - wondering if anyone could provide direction
here.




Hello David,

It looks like you are trying to port forward using a NAT tool(?) May I 
suggest that you use a port forward tool instead? Try portfwd-0.29 from 
ports.


/R



problem redirecting with ipnat

2009-04-02 Thread David Banning
I am attempting to route local and external traffic to a second machine
on port 85 to apache. 

The redirection works for external traffic coming in but I cannot seem
to redirect local traffic to the secondary machine.

Here are my ipnat rules;

rdr fxp0 0/0 port 85 -> 192.168.1.10 port 85
rdr tun0 0/0 port 85 -> 192.168.1.10 port 85
rdr dc0 0/0 port 80 -> 192.168.1.1 port 8180

where 192.168.1.1 is the local machine and 192.168.1.10 is the 
secondary machine

the third ipnat entry simply redirects all outgoing browser traffic to 
squid/dansguardian

Here is my ifconfig;

[r...@3s1 /etc]# ifconfig
fxp0: flags=8843 mtu 1500
        options=8
        inet 209.161.205.12 netmask 0xffffff00 broadcast 209.161.205.255
        ether 00:0d:60:09:fc:6e
        media: Ethernet autoselect (10baseT/UTP)
        status: active
dc0: flags=8843 mtu 1500
        options=8
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
        ether 00:20:78:0e:13:d6
        media: Ethernet autoselect (10baseT/UTP)
        status: active
plip0: flags=108810 mtu 1500
lo0: flags=8049 mtu 16384
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
tun0: flags=8051 mtu 1492
        inet 209.161.205.12 --> 207.136.64.7 netmask 0xffffffff
        Opened by PID 356
[r...@3s1 /etc]#

Externally, simply http://3s1.com:85

works but will not work locally - wondering if anyone could provide direction
here.
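Steve's em1 -> em0 -> em2 case and David's local-client case above come down to the same thing: an rdr rule only acts on packets arriving on the interface it names, so a packet that comes in on an inside interface addressed to the public IP is never rewritten and ends up at the gateway itself. The usual ipnat answer is to repeat the rdr on the inside interface ("NAT reflection"). The rules below are an added example, not a rule set either poster put on the list. They assume the 10.73.0.0/16 internal and 10.75.0.0/24 DMZ split implied by Steve's map rules, that the DMZ server routes 10.73.0.0/16 back through the gateway (which his working em1 <-> em2 access suggests), and that ipnat reverses a redirect as the reply leaves the interface the rdr rule names. Gary's alternative, pointing internal clients at the DMZ address directly (split-horizon DNS), avoids the reflection entirely and is the simpler option wherever it is possible.

```conf
# /etc/ipnat.rules   (added example; not from either thread)

# --- Steve's gateway: internal 10.73.0.0/16 on em1, DMZ 10.75.0.0/24 on em2 ---
# Existing rule: only packets arriving on em0 are redirected.
rdr em0 from any to 65.173.238.27/32 port = 80 -> 10.75.0.29 port 80 tcp
# Reflection: the same redirect for packets arriving on the internal
# interface. The DMZ server's reply to 10.73.x.x is routed back through
# the gateway (em2 in, em1 out), where ipnat reverses the redirect, so the
# client sees the reply come from 65.173.238.27 as it expects.
rdr em1 from 10.73.0.0/16 to 65.173.238.27/32 port = 80 -> 10.75.0.29 port 80 tcp

# --- David's gateway: LAN 192.168.1.0/24 on dc0, web server 192.168.1.10 ---
# Existing rules redirect only on the external interfaces.
rdr fxp0 0/0 port 85 -> 192.168.1.10 port 85 tcp
rdr tun0 0/0 port 85 -> 192.168.1.10 port 85 tcp
# Reflection for local clients. Here client and server share one subnet,
# so after the redirect the server would answer the client directly; the
# client would get a reply from 192.168.1.10 instead of 209.161.205.12 and
# drop it. The map rule rewrites the client's source to the gateway's dc0
# address, forcing the reply back through the gateway to be untranslated.
rdr dc0 from 192.168.1.0/24 to 209.161.205.12/32 port = 85 -> 192.168.1.10 port 85 tcp
map dc0 from 192.168.1.0/24 to 192.168.1.10/32 -> 192.168.1.1/32 portmap tcp/udp auto
```

The cost of the map rule is that the server's logs show every local client as 192.168.1.1; if that matters, split DNS is the better fix. Steve's case does not need the map because the two hosts are on different subnets and the reply already has to cross the gateway.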


puzzling ipnat behavior

2009-03-10 Thread dacoder

i've asked this question before, but i must have been unclear.  i hope this
is better:

i'm puzzled by how ipnat works, particularly by the fact that when the ip's
on an inside nic are mapped to the ip on my outside nic, i have to configure
ipfilter to allow any ip that might hit the outside nic access to the ip's on
the inside nic.  so, where wpi0 is the outside nic & the 1st /24 in 10.0.0.0
contains the ip of the inside nic & everything behind it:

ipnat.rules:  allow wpi0 10.0.0.0/24 -> /32

ipf.rules:    pass in quick from any to 10.0.0.0/24

i should have thought that since everything coming from outside to
10.0.0.0/24 is addressed to the  this would be
sufficient:

pass in quick from  to 10.0.0.0/24

but it isn't.

what's wrong w/ my thinking?  & why isn't this rule a security hazard?

david coder
network engineer emeritus
ntt/verio


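An added note on the puzzle, not from dacoder's posts: ipnat and ipf run in a fixed order. On input a packet is un-mapped first and only then filtered; on output it is filtered first and mapped afterwards. So ipf sees the inside 10.0.0.x addresses in both directions, and an inbound reply carries the remote peer as its source, never the wpi0 address, which is why "pass in quick from <outside ip> to 10.0.0.0/24" cannot match. It also answers the hazard question: the wide-open "pass in quick from any to 10.0.0.0/24" admits not only un-mapped replies but any packet arriving on wpi0 already addressed to the inside net, and a neighbour on the same wireless segment with a static route for 10.0.0.0/24 via this host gets straight through. The rule set below is an example built on state instead, which is what his later age0 rules already do; it writes the outside address as 0/32, ipnat's shorthand for the interface's own address, and uses ipnat's "map" keyword, as his later post does.

```conf
# /etc/ipnat.rules   (added example; not dacoder's file)
map wpi0 10.0.0.0/24 -> 0/32 portmap tcp/udp auto
map wpi0 10.0.0.0/24 -> 0/32

# /etc/ipf.rules
# Processing order:  in  = ipnat (reverse map) first, then ipf
#                    out = ipf first, then ipnat (map)
# so ipf always matches on the INSIDE addresses.

# Inside hosts going out: state is recorded with the 10.0.0.x address.
pass out quick on wpi0 proto tcp/udp from 10.0.0.0/24 to any keep state keep frags
pass out quick on wpi0 proto icmp from 10.0.0.0/24 to any keep state

# Replies arrive already un-mapped to 10.0.0.x and match the state entry
# before any rule is consulted, so no "pass in ... to 10.0.0.0/24" is
# needed. Anything else arriving on wpi0 for, or claiming to be from,
# the inside net is bogus and gets blocked and logged.
block in log quick on wpi0 from any to 10.0.0.0/24
block in log quick on wpi0 from 10.0.0.0/24 to any
```

With this, ipmon should show only the block lines for unsolicited traffic; a flood of them with inside sources would indicate someone on the wpi0 segment probing the private range.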


Re: ipfilter, ipnat, and if driver ath [should have been age]: what's just changed?

2009-03-01 Thread dacoder

+++ dacoder [01/03/09 13:17 -0500]:

updating my system friday from the feb 7 version of 7.1 to the latest broke
tcp and udp (but *not* icmp) over ipnat, which had worked forever with my
current ipfilter rules and ipnat mapping rules, which are pretty simple.
what has changed?

/etc/ipnat.rules:

map age0 10.0.0.0/24 -> /32

@ the top of /etc/ipf.rules:

	pass out quick on age0 proto tcp/udp from any to any keep state keep frags
	pass out quick on age0 proto icmp from any to any keep state keep frags


that used to work.  now it doesn't, witness ipmon:

01/03/2009 13:07:46.274707 age0 @0:28 b 74.125.93.102,80 -> 10.0.0.253,2914
PR tcp len 20 48 -AS IN NAT

what's changed?  ipf?  ipnat?  age?  am i using an obsolete & therefore
unworkable set of ipfilter rules?  icmp still works, btw.

i'd be grateful for any help.

thx.

david coder
network engineer emeritus
ntt/verio



i meant, of course, age, not ath in my subject line.

sorry for the confusion.



ipfilter, ipnat, and if driver ath: what's just changed?

2009-03-01 Thread dacoder

updating my system friday from the feb 7 version of 7.1 to the latest broke
tcp and udp (but *not* icmp) over ipnat, which had worked forever with my
current ipfilter rules and ipnat mapping rules, which are pretty simple.
what has changed?

/etc/ipnat.rules:

map age0 10.0.0.0/24 -> /32

@ the top of /etc/ipf.rules:

pass out quick on age0 proto tcp/udp from any to any keep state keep frags
pass out quick on age0 proto icmp from any to any keep state keep frags

that used to work.  now it doesn't, witness ipmon:

01/03/2009 13:07:46.274707 age0 @0:28 b 74.125.93.102,80 -> 10.0.0.253,2914
PR tcp len 20 48 -AS IN NAT

what's changed?  ipf?  ipnat?  age?  am i using an obsolete & therefore
unworkable set of ipfilter rules?  icmp still works, btw.

i'd be grateful for any help.

thx.

david coder
network engineer emeritus
ntt/verio



RE: Dumb ipnat question

2009-01-23 Thread Michael VanLoon
I didn't find "IPFILTER" in either the GENERIC or NOTES kernel files, so no, I 
didn't compile it in.  I was wondering about it, though, based on older kernel 
help messages I found on the net (> 10 years old).
 
I'll give both of those options a try.  Thanks!
 
- Michael



From: Odhiambo Washington [mailto:odhia...@gmail.com]
Sent: Fri 1/23/2009 6:39 AM
To: Michael VanLoon
Cc: freebsd-questions@freebsd.org
Subject: Re: Dumb ipnat question


On Fri, Jan 23, 2009 at 2:43 AM, Michael VanLoon  
wrote:


I have built a simple 7.1 system in a VM.  I built a custom kernel that 
is basically GENERIC minus some hardware stuff I don't need, plus a few things 
that look cool.

    When I attempt to run the ipnat command, I get the error:
/dev/ipnat: open: No such file or directory

Sure enough, there are no ip* devices in /dev/.  In the "olden days", 
when I used to do a lot of BSD hacking, you used MAKEDEV to make the devices 
you wanted.  Nowadays, it's done with devfs.  I believe the upshot is that it's 
supposed to be semi-automagic, isn't it?

Anyway, what am I doing wrong?  What do I need to configure to use 
ipnat and then later ipfw or ipfilter?


Did you load the modules?
ipl_load="YES" in /boot/loader.conf and reboot OR
kldload ipl

If you did not compile IPFILTER in the kernel, then you must load the module.

-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254733744121/+254722743223
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
"The only time a woman really succeeds in changing a man is when he is a baby."
 - Natalie Wood



Re: Dumb ipnat question

2009-01-23 Thread Odhiambo Washington
On Fri, Jan 23, 2009 at 2:43 AM, Michael VanLoon <
micha...@noncomposmentis.net> wrote:

> I have built a simple 7.1 system in a VM.  I built a custom kernel that is
> basically GENERIC minus some hardware stuff I don't need, plus a few things
> that look cool.
>
> When I attempt to run the ipnat command, I get the error:
> /dev/ipnat: open: No such file or directory
>
> Sure enough, there are no ip* devices in /dev/.  In the "olden days", when
> I used to do a lot of BSD hacking, you used MAKEDEV to make the devices you
> wanted.  Nowadays, it's done with devfs.  I believe the upshot is that it's
> supposed to be semi-automagic, isn't it?
>
> Anyway, what am I doing wrong?  What do I need to configure to use ipnat
> and then later ipfw or ipfilter?


Did you load the modules?
ipl_load="YES" in /boot/loader.conf and reboot OR
kldload ipl

If you did not compile IPFILTER in the kernel, then you must load the
module.

-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254733744121/+254722743223
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
"The only time a woman really succeeds in changing a man is when he is a
baby."
 - Natalie Wood


RE: Dumb ipnat question

2009-01-23 Thread Michael VanLoon
*ping*



From: owner-freebsd-questi...@freebsd.org on behalf of Michael VanLoon
Sent: Thu 1/22/2009 3:43 PM
To: freebsd-questions@freebsd.org
Subject: Dumb ipnat question



I have built a simple 7.1 system in a VM.  I built a custom kernel that is 
basically GENERIC minus some hardware stuff I don't need, plus a few things 
that look cool.

When I attempt to run the ipnat command, I get the error:
/dev/ipnat: open: No such file or directory

Sure enough, there are no ip* devices in /dev/.  In the "olden days", when I 
used to do a lot of BSD hacking, you used MAKEDEV to make the devices you 
wanted.  Nowadays, it's done with devfs.  I believe the upshot is that it's 
supposed to be semi-automagic, isn't it?

Anyway, what am I doing wrong?  What do I need to configure to use ipnat and 
then later ipfw or ipfilter?

- Michael




Dumb ipnat question

2009-01-22 Thread Michael VanLoon
I have built a simple 7.1 system in a VM.  I built a custom kernel that is 
basically GENERIC minus some hardware stuff I don't need, plus a few things 
that look cool.
 
When I attempt to run the ipnat command, I get the error:
/dev/ipnat: open: No such file or directory
 
Sure enough, there are no ip* devices in /dev/.  In the "olden days", when I 
used to do a lot of BSD hacking, you used MAKEDEV to make the devices you 
wanted.  Nowadays, it's done with devfs.  I believe the upshot is that it's 
supposed to be semi-automagic, isn't it?
 
Anyway, what am I doing wrong?  What do I need to configure to use ipnat and 
then later ipfw or ipfilter?
 
- Michael


ipnat: flush one specific active session

2008-08-29 Thread rvenne

Hi,

I'm using release 7.0 and looking for an idea to flush one specific 
active ipnat session, such like these one:


MAP 192.168.0.81 42667 <- -> 82.229.222.7 21746 [88.191.60.158 993]
MAP 192.168.0.81 40045 <- -> 82.229.222.7 44303 [66.163.181.189 5050]
MAP 192.168.0.81 47082 <- -> 82.229.222.7 20032 [66.163.181.168 5050]
192.168.0.81,72.14.221.109 -> 82.229.222.7 (use = 2 hv = 0)
192.168.0.81,88.191.60.158 -> 82.229.222.7 (use = 2 hv = 0)
192.168.0.81,212.27.60.48 -> 82.229.222.7 (use = 26 hv = 0)
192.168.0.81,66.163.181.189 -> 82.229.222.7 (use = 2 hv = 0)
192.168.0.81,66.163.181.168 -> 82.229.222.7 (use = 2 hv = 0)

thanks for helps

regards


--
Richard VENNE
IT Administrator

Network, systems & security administrator
To protect the environment, please print this email only
when absolutely necessary.

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
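A parser for session listings of this shape, added here as an example; it is not code from the post or from ipnat itself. It reads the MAP lines and the host-map lines shown above (with the whitespace the archive had collapsed restored; the "List of active sessions:" header is the one ipnat -l prints, the rest of the surrounding output is assumed) and lets you pick out the session of interest by remote address, remote port or inside host, so the entry can be identified and reported before anything is done about it. It only reads text and never touches the kernel NAT table.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape of "ipnat -l" output on FreeBSD 7.x. The
# addresses are the ones quoted in the post; the header line is assumed.
SAMPLE_OUTPUT = """\
List of active sessions:
MAP 192.168.0.81 42667 <- -> 82.229.222.7 21746 [88.191.60.158 993]
MAP 192.168.0.81 40045 <- -> 82.229.222.7 44303 [66.163.181.189 5050]
MAP 192.168.0.81 47082 <- -> 82.229.222.7 20032 [66.163.181.168 5050]

192.168.0.81,72.14.221.109 -> 82.229.222.7 (use = 2 hv = 0)
192.168.0.81,88.191.60.158 -> 82.229.222.7 (use = 2 hv = 0)
192.168.0.81,212.27.60.48 -> 82.229.222.7 (use = 26 hv = 0)
192.168.0.81,66.163.181.189 -> 82.229.222.7 (use = 2 hv = 0)
192.168.0.81,66.163.181.168 -> 82.229.222.7 (use = 2 hv = 0)
"""

# "MAP <inside ip> <inside port> <- -> <outside ip> <outside port> [<remote ip> <remote port>]"
SESSION_RE = re.compile(
    r"^(?P<kind>MAP|RDR)\s+(?P<inside>\S+)\s+(?P<inside_port>\d+)\s+<-\s+->\s+"
    r"(?P<outside>\S+)\s+(?P<outside_port>\d+)\s+"
    r"\[(?P<remote>\S+)\s+(?P<remote_port>\d+)\]\s*$"
)

# "<inside ip>,<remote ip> -> <outside ip> (use = N hv = M)"
HOSTMAP_RE = re.compile(
    r"^(?P<inside>\S+),(?P<remote>\S+)\s+->\s+(?P<outside>\S+)\s+"
    r"\(use = (?P<use>\d+) hv = (?P<hv>\d+)\)\s*$"
)


@dataclass(frozen=True)
class Session:
    kind: str
    inside: str
    inside_port: int
    outside: str
    outside_port: int
    remote: str
    remote_port: int


@dataclass(frozen=True)
class HostMap:
    inside: str
    remote: str
    outside: str
    use: int


def parse_sessions(text: str) -> List[Session]:
    """Return the per-connection MAP/RDR entries found in ipnat -l output."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.match(line.strip())
        if m:
            sessions.append(Session(
                m["kind"], m["inside"], int(m["inside_port"]),
                m["outside"], int(m["outside_port"]),
                m["remote"], int(m["remote_port"]),
            ))
    return sessions


def parse_hostmaps(text: str) -> List[HostMap]:
    """Return the (inside, remote) -> outside host-map entries with their use counts."""
    maps = []
    for line in text.splitlines():
        m = HOSTMAP_RE.match(line.strip())
        if m:
            maps.append(HostMap(m["inside"], m["remote"], m["outside"], int(m["use"])))
    return maps


def select_sessions(sessions: List[Session], remote: Optional[str] = None,
                    remote_port: Optional[int] = None,
                    inside: Optional[str] = None) -> List[Session]:
    """Narrow the session list to the entries matching every given criterion."""
    return [s for s in sessions
            if (remote is None or s.remote == remote)
            and (remote_port is None or s.remote_port == remote_port)
            and (inside is None or s.inside == inside)]


if __name__ == "__main__":
    # List every session to a remote port 5050 service, as a sysadmin would
    # before deciding which entry to act on.
    for s in select_sessions(parse_sessions(SAMPLE_OUTPUT), remote_port=5050):
        print(f"{s.inside}:{s.inside_port} -> {s.remote}:{s.remote_port} "
              f"via {s.outside}:{s.outside_port}")
```

Feed it the real output with `ipnat -l | python3 thisfile.py` style piping in place of the embedded sample; the host-map `use` counts tell you how many sessions still reference a given inside/remote pair, which is the number that has to drop to zero before the mapping itself disappears.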


ipnat gre and pptp

2008-06-21 Thread Zinevich Denis

Hi.
Does anybody know how to make ipnat map/or proxying pptp traffic ?
Problem is:
mpd server with pptp - somewhere on the internet.
Gateway with ipnat.
Clients behind gateway can not access pptp server at same time.
I found something like:
map bce1 0/0 -> 0/0 proxy port 1723 pptp/tcp
but it doesn't work :-(


Re: ipnat

2008-05-30 Thread Justin Jereza
Use pf instead, but I know the following works:

### /etc/pf.conf ###

nat on dc0 from fxp0:network to any -> (dc0)

### /etc/rc.conf ###

pf_enable="YES"

After editing the files, run '/etc/rc.d/pf start'


Re: ipnat

2008-05-27 Thread alexus
anyone else?

On Tue, May 27, 2008 at 1:36 AM, alexus <[EMAIL PROTECTED]> wrote:
> that's the same as what I have
>
> map dc0 192.168.2.0/24 -> 0/32
>
>
>
>
> 2008/5/26 Necati Ersen SISECI <[EMAIL PROTECTED]>:
>> Nat rule should be like this.
>>
>> map dc0 192.168.2.0/24 -> External_IP/32
>>
>>
>> alexus wrote:
>>>
>>> hi
>>>
>>> i can't figure something out, maybe someone can help me...
>>>
>>> i have two interfaces on my 7.0-RELEASE-p1 dc0 and fxp0, dc0 has
>>> public IP, and fxp0 is internal, my ipnat.rules looks like this
>>>
>>> map dc0 192.168.2.0/24 -> 0/32
>>>
>>> su-3.2# ipnat -l
>>> List of active MAP/Redirect filters:
>>> map dc0 192.168.2.0/24 -> 0.0.0.0/32
>>>
>>> List of active sessions:
>>> su-3.2#
>>>
>>> NAT on 192.168.2.0/24 doesn't seem to be working at all :(
>>>
>>>
>>>
>>
>>
>
>
>
> --
> http://alexus.org/
>



-- 
http://alexus.org/

ipnat

2008-05-25 Thread alexus
hi

i can't figure something out, maybe someone can help me...

i have two interfaces on my 7.0-RELEASE-p1 dc0 and fxp0, dc0 has
public IP, and fxp0 is internal, my ipnat.rules looks like this

map dc0 192.168.2.0/24 -> 0/32

su-3.2# ipnat -l
List of active MAP/Redirect filters:
map dc0 192.168.2.0/24 -> 0.0.0.0/32

List of active sessions:
su-3.2#

NAT on 192.168.2.0/24 doesn't seem to be working at all :(


-- 
http://alexus.org/


Re: ipnat

2008-04-30 Thread alexus
su-3.2# ipnat -l
List of active MAP/Redirect filters:
map fxp0 172.16.172.16/32 -> 0.0.0.0/32
rdr fxp0 0.0.0.0/0 port 22 -> 172.16.172.16 port 22 tcp

List of active sessions:
su-3.2#

this configuration seems to be working just like i wanted it, i just
wanted to make sure it's correct in terms of networking
the first rule provides "NAT" for whatever is coming out from
172.16.172.16/32 to everything outside
the rdr rule redirects port 22 tcp from outside to 172.16.172.16/32

a little confusion i get is that in the first rule there is 0.0.0.0/32
and in the second rule there is 0.0.0.0/0


On Wed, Apr 30, 2008 at 1:35 AM, Olivier GARNIER <[EMAIL PROTECTED]> wrote:
> Any other information?
> Have you tried to log in via ssh from your ssh server computer?
> Is it working?
>
> Have you tried nmap on your ssh server computer to see if port 22 is open?
> Can you show us what ssh command you type to try to connect?
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of alexus
> Sent: Wednesday, April 30, 2008 03:35
> To: freebsd-questions@freebsd.org
> Subject: Re: ipnat
>
>
> anyone?
>
> On Tue, Apr 29, 2008 at 5:33 PM, alexus <[EMAIL PROTECTED]> wrote:
> > i can't seem to figure this out
> >
> >  su-3.2# ipnat -l
> >  List of active MAP/Redirect filters:
> >  rdr fxp0 0.0.0.0/32 port 22 -> 172.16.172.16 port 22 tcp
> >
> >  List of active sessions:
> >  su-3.2# netstat -tan | grep LISTEN | grep 22
> >  tcp4   0  0  172.16.172.16.22   *.*LISTEN
> >  su-3.2#
> >
> >  i'm trying to ssh from outside, no luck :(
> >
> >  --
> >  http://alexus.org/
> >
>
>
>
> --
> http://alexus.org/
>



-- 
http://alexus.org/

RE: ipnat

2008-04-29 Thread Olivier GARNIER
Any other information?
Have you tried to log in via ssh from your ssh server computer?
Is it working?

Have you tried nmap on your ssh server computer to see if port 22 is open?
Can you show us what ssh command you type to try to connect?


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of alexus
Sent: Wednesday, April 30, 2008 03:35
To: freebsd-questions@freebsd.org
Subject: Re: ipnat

anyone?

On Tue, Apr 29, 2008 at 5:33 PM, alexus <[EMAIL PROTECTED]> wrote:
> i can't seem to figure this out
>
>  su-3.2# ipnat -l
>  List of active MAP/Redirect filters:
>  rdr fxp0 0.0.0.0/32 port 22 -> 172.16.172.16 port 22 tcp
>
>  List of active sessions:
>  su-3.2# netstat -tan | grep LISTEN | grep 22
>  tcp4   0  0  172.16.172.16.22   *.*LISTEN
>  su-3.2#
>
>  i'm trying to ssh from outside, no luck :(
>
>  --
>  http://alexus.org/
>



-- 
http://alexus.org/


Re: ipnat

2008-04-29 Thread alexus
anyone?

On Tue, Apr 29, 2008 at 5:33 PM, alexus <[EMAIL PROTECTED]> wrote:
> i can't seem to figure this out
>
>  su-3.2# ipnat -l
>  List of active MAP/Redirect filters:
>  rdr fxp0 0.0.0.0/32 port 22 -> 172.16.172.16 port 22 tcp
>
>  List of active sessions:
>  su-3.2# netstat -tan | grep LISTEN | grep 22
>  tcp4   0  0  172.16.172.16.22   *.*LISTEN
>  su-3.2#
>
>  i'm trying to ssh from outside, no luck :(
>
>  --
>  http://alexus.org/
>



-- 
http://alexus.org/


ipnat

2008-04-29 Thread alexus
i can't seem to figure this out

su-3.2# ipnat -l
List of active MAP/Redirect filters:
rdr fxp0 0.0.0.0/32 port 22 -> 172.16.172.16 port 22 tcp

List of active sessions:
su-3.2# netstat -tan | grep LISTEN | grep 22
tcp4   0  0  172.16.172.16.22   *.*LISTEN
su-3.2#

i'm trying to ssh from outside, no luck :(

-- 
http://alexus.org/


RE: Difficulties establishing VPN tunnel with IPNAT

2007-11-27 Thread Ted Mittelstaedt


> -Original Message-
> From: Jerahmy Pocott [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, November 27, 2007 7:07 AM
> To: Ted Mittelstaedt
> Cc: FreeBSD Questions
> Subject: Re: Difficulties establishing VPN tunnel with IPNAT
> 
> 
> 
> On 27/11/2007, at 5:49 PM, Ted Mittelstaedt wrote:
> >> -Original Message-
> >> From: Jerahmy Pocott [mailto:[EMAIL PROTECTED]
> >> Sent: Sunday, November 25, 2007 4:48 AM
> >> To: Ted Mittelstaedt
> >> Cc: FreeBSD Questions
> >> Subject: Re: Difficulties establishing VPN tunnel with IPNAT
> >>
> >>
> >> Perhaps, but I've heard a lot of good things about IPF and IPNAT,
> >> especially since the nat is all in kernel whereas natd is  
> >> userland, so
> >> there is a slight performance boost possibly there as well..
> >>
> >
> > I will address this one point here since it's enough to make
> > someone scream, it's such an old chestnut.
> >
> > natd is always criticized because going to userland is slow.  So,
> > people who have slowness problems think that is the issue.
> >
> > In reality, the problem is that the DEFAULT setup and man page
> > examples for natd use the following ipfw divert rule:
> >
> >/sbin/ipfw -f flush
> >/sbin/ipfw add divert natd all from any to any via ed0
> >/sbin/ipfw add pass all from any to any
> >
> > This produces a rule such as the following:
> >
> > 00050  divert 8668 ip from any to any via de0
> >
> > The problem though, is this is wrong.  What it is doing is that
> > ALL traffic that comes into and out of the box - no matter what
> > the source and destination is - will be passed to the natd translator.
> >
> > What you SHOULD be using is a set of commands such:
> >
> > ipfw add divert natd ip from any to [outside IP address] in recv  
> > [outside
> > interface]
> > ipfw add divert natd ip from not [outside IP address] to any out recv
> > [inside interface] xmit [outside interface]
> 
> That does make a lot of sense!
> 
> However the 2nd rule is slightly confusing me.. Shouldn't it be  
> something
> like: divert natd ip from [internal net range] to any out via  
> [outside if]?
> 

As I recall the "via" keyword was a later addition to ipfw; the
way you wrote it is the same thing. The earlier form I used works
on both old and new ipfw (not that it probably matters much nowadays).

Use whichever is more clear to you. The gist of it is to use the
ipfw rulesets to keep the traffic that doesn't need the attention of
natd out of userland.

Ted


Re: Difficulties establishing VPN tunnel with IPNAT

2007-11-27 Thread Jerahmy Pocott


On 27/11/2007, at 5:49 PM, Ted Mittelstaedt wrote:

>> -Original Message-
>> From: Jerahmy Pocott [mailto:[EMAIL PROTECTED]
>> Sent: Sunday, November 25, 2007 4:48 AM
>> To: Ted Mittelstaedt
>> Cc: FreeBSD Questions
>> Subject: Re: Difficulties establishing VPN tunnel with IPNAT
>>
>>
>> Perhaps, but I've heard a lot of good things about IPF and IPNAT,
>> especially since the nat is all in kernel whereas natd is
>> userland, so there is a slight performance boost possibly there as well..
>
> I will address this one point here since it's enough to make
> someone scream, it's such an old chestnut.
>
> natd is always criticized because going to userland is slow.  So,
> people who have slowness problems think that is the issue.
>
> In reality, the problem is that the DEFAULT setup and man page
> examples for natd use the following ipfw divert rule:
>
>    /sbin/ipfw -f flush
>    /sbin/ipfw add divert natd all from any to any via ed0
>    /sbin/ipfw add pass all from any to any
>
> This produces a rule such as the following:
>
> 00050  divert 8668 ip from any to any via de0
>
> The problem though, is this is wrong.  What it is doing is that
> ALL traffic that comes into and out of the box - no matter what
> the source and destination is - will be passed to the natd translator.
>
> What you SHOULD be using is a set of commands such:
>
> ipfw add divert natd ip from any to [outside IP address] in recv
> [outside interface]
> ipfw add divert natd ip from not [outside IP address] to any out recv
> [inside interface] xmit [outside interface]

That does make a lot of sense!

However the 2nd rule is slightly confusing me.. Shouldn't it be
something like: divert natd ip from [internal net range] to any out via
[outside if]?


Cheers,
J.


RE: Difficulties establishing VPN tunnel with IPNAT

2007-11-26 Thread Ted Mittelstaedt


> -Original Message-
> From: Jerahmy Pocott [mailto:[EMAIL PROTECTED]
> Sent: Sunday, November 25, 2007 4:48 AM
> To: Ted Mittelstaedt
> Cc: FreeBSD Questions
> Subject: Re: Difficulties establishing VPN tunnel with IPNAT
>
>
> Perhaps, but I've heard a lot of good things about IPF and IPNAT,
> especially since the nat is all in kernel whereas natd is userland, so
> there is a slight performance boost possibly there as well..
>

I will address this one point here since it's enough to make
someone scream, it's such an old chestnut.

natd is always criticized because going to userland is slow.  So,
people who have slowness problems think that is the issue.

In reality, the problem is that the DEFAULT setup and man page
examples for natd use the following ipfw divert rule:

   /sbin/ipfw -f flush
   /sbin/ipfw add divert natd all from any to any via ed0
   /sbin/ipfw add pass all from any to any

This produces a rule such as the following:

00050  divert 8668 ip from any to any via de0

The problem though, is this is wrong.  What it is doing is that
ALL traffic that comes into and out of the box - no matter what
the source and destination is - will be passed to the natd translator.

What you SHOULD be using is a set of commands such:

ipfw add divert natd ip from any to [outside IP address] in recv [outside
interface]
ipfw add divert natd ip from not [outside IP address] to any out recv
[inside interface] xmit [outside interface]

What these rules do is ONLY pass traffic to natd that needs natting -
that is, traffic that is passing through the FreeBSD box onward to
the Internet.  Traffic that is broadcast, or traffic that is a destination
of the nat box itself (such as if the nat box is also running a proxy
server, mailserver, fileserver, etc.) or sourced from the nat box, is
NOT passed to natd.

There are some pretty fast Internet connection circuits out there
these days - DSL and Cable can both offer up to 10Mbit of bandwidth.
But, these are nothing compared to the bandwidth of a 100BaseT ethernet
card, or the PCI bus of a computer.  If someone is saturating their
natd with filesharing traffic to the nat box, why then no wonder they
are seeing things run slow.

Ted

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
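To make Ted's point concrete, here is a small model of which packets each of the two rule sets hands to natd. It is an added example, not code from the post or from ipfw; the interface names (ed0 outside, fxp0 inside) and the outside address 203.0.113.5 are assumptions, and each sample is one ipfw evaluation of a packet with the `recv` and `xmit` interfaces ipfw would see at that point.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumed names for the example; 203.0.113.5 is from the RFC 5737
# documentation range, not a real host.
OUTSIDE_IF = "ed0"
INSIDE_IF = "fxp0"
OUTSIDE_IP = "203.0.113.5"


@dataclass(frozen=True)
class Packet:
    """One pass of a packet through ipfw, as ipfw sees it.

    recv is the interface the packet arrived on (None when the NAT box
    generated it itself); xmit is the interface it is leaving on (None when
    it is being delivered locally). direction is "in" or "out".
    """
    src: str
    dst: str
    direction: str
    recv: Optional[str]
    xmit: Optional[str]


def default_rule_diverts(pkt: Packet) -> bool:
    # "divert natd all from any to any via ed0": "via" matches either the
    # receiving or the transmitting interface, so every packet that touches
    # the outside interface in either direction makes the trip to userland.
    return pkt.recv == OUTSIDE_IF or pkt.xmit == OUTSIDE_IF


def refined_rules_divert(pkt: Packet) -> bool:
    # Rule 1: "ip from any to OUTSIDE_IP in recv OUTSIDE_IF"
    # Inbound packets addressed to our public address: replies to translated
    # sessions have to be looked up by natd, so these still go to it.
    if pkt.direction == "in" and pkt.dst == OUTSIDE_IP and pkt.recv == OUTSIDE_IF:
        return True
    # Rule 2: "ip from not OUTSIDE_IP to any out recv INSIDE_IF xmit OUTSIDE_IF"
    # Outbound packets that arrived on the inside interface and are being
    # forwarded out the outside one, i.e. traffic from LAN hosts. Packets the
    # box generates itself have no recv interface, so they never match.
    if (pkt.direction == "out" and pkt.src != OUTSIDE_IP
            and pkt.recv == INSIDE_IF and pkt.xmit == OUTSIDE_IF):
        return True
    return False


# Constructed traffic samples; each entry is one ipfw evaluation of a packet.
SAMPLE_TRAFFIC: Dict[str, Packet] = {
    "lan host to internet":        Packet("192.168.1.10", "198.51.100.7", "out", INSIDE_IF, OUTSIDE_IF),
    "internet reply to lan host":  Packet("198.51.100.7", OUTSIDE_IP, "in", OUTSIDE_IF, None),
    "nat box's own outbound":      Packet(OUTSIDE_IP, "198.51.100.7", "out", None, OUTSIDE_IF),
    "inbound broadcast on wan":    Packet("203.0.113.9", "255.255.255.255", "in", OUTSIDE_IF, None),
    "lan host to nat box itself":  Packet("192.168.1.10", "192.168.1.1", "in", INSIDE_IF, None),
}


def compare(traffic: Dict[str, Packet] = SAMPLE_TRAFFIC) -> Dict[str, Tuple[bool, bool]]:
    """Map each sample to (diverted by the default rule, diverted by the refined rules)."""
    return {name: (default_rule_diverts(p), refined_rules_divert(p))
            for name, p in traffic.items()}


def userland_trips_saved(traffic: Dict[str, Packet] = SAMPLE_TRAFFIC) -> int:
    """Count samples the default rule sends to natd that the refined rules keep in the kernel."""
    return sum(1 for d, r in compare(traffic).values() if d and not r)


if __name__ == "__main__":
    for name, (d, r) in compare().items():
        print(f"{name:28s} default={d!s:5s} refined={r}")
    print("userland trips saved:", userland_trips_saved())
```

The two samples the refined rules keep out of natd are exactly the cases Ted names: traffic the NAT box sources itself and inbound traffic that is not addressed to its public IP (broadcast here). Inbound packets to the public address still go to natd under both rule sets, because only natd knows whether they belong to a translated session.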


Re: Difficulties establishing VPN tunnel with IPNAT

2007-11-25 Thread Roger Olofsson



Jerahmy Pocott wrote:

> On 26/11/2007, at 4:47 AM, Roger Olofsson wrote:
>
>> Hello Jerahmy,
>>
>> Some progress it seems? Why not set it to allow gre from VPN server
>> only? I.e. pass in quick on fxp1 proto gre from  to any?
>>
>> The way you ask your question, 'make it work without static ip or
>> allowing all traffic', isn't that contradictory?
>>
>> As for the frag part, I'd say that if gre needs frag, then you will
>> have to enable it.
>>
>> About the CVS, I seem to have misunderstood your question. I assumed
>> 10.0.0.2 wanted to receive CVS inbound and not serve it outbound, or
>> am I mistaken again?
>>
>> /Roger
>
> Yes, that is what I meant by 'static ip'. I could allow all gre from the
> specific ip address, but I would prefer that gre traffic be allowed from
> a host only when an existing connection has been opened to it..
>
> 10.0.0.2 is a CVS server.
>
> It seems to me that natd works better with ipsec

Hello again Jerahmy,

It would seem that there is a PPTP proxy in ipf that you might want to 
try as well. The syntax would be:


map fxp1 10.0.0.0/0 -> 0/32 proxy port 1723 pptp/tcp

Good luck!

/Roger



Re: Difficulties establishing VPN tunnel with IPNAT

2007-11-25 Thread Jerahmy Pocott


On 26/11/2007, at 4:47 AM, Roger Olofsson wrote:

> Hello Jerahmy,
>
> Some progress it seems? Why not set it to allow gre from VPN server
> only? I.e. pass in quick on fxp1 proto gre from  to any?
>
> The way you ask your question, 'make it work without static ip or
> allowing all traffic', isn't that contradictory?
>
> As for the frag part, I'd say that if gre needs frag, then you will
> have to enable it.
>
> About the CVS, I seem to have misunderstood your question. I
> assumed 10.0.0.2 wanted to receive CVS inbound and not serve it
> outbound, or am I mistaken again?
>
> /Roger

Yes, that is what I meant by 'static ip'. I could allow all gre from
the specific ip address, but I would prefer that gre traffic be allowed
from a host only when an existing connection has been opened to it..

10.0.0.2 is a CVS server.

It seems to me that natd works better with ipsec


Re: Difficulties establishing VPN tunnel with IPNAT

2007-11-25 Thread Roger Olofsson



Jerahmy Pocott wrote:

> On 26/11/2007, at 1:00 AM, Roger Olofsson wrote:
>
>> Hello Jerahmy, (sorry for top-posting, btw).
>>
>> Gre is protocol 47. In your firewall rules you only allow/block
>> protocols tcp/udp/icmp. If you want to use PPTP you will need to allow
>> both the port and the protocol for it.
>
> I put:
>
> pass out quick on fxp1 proto gre from any to any keep state
>
> This allowed the PPTP connection to establish, however trying to use apps
> over that connection resulted in:
>
> fxp1 (block all rule) b x.x.x.x -> 10.0.0.3 PR gre len 20 (53) (frag
> 57516:[EMAIL PROTECTED]) IN bad NAT
>
> By placing the rule:
>
> pass in quick on fxp1 proto gre from any to any
>
> and allowing frags everything started working properly, but allowing all
> gre traffic in doesn't seem like a good idea.. Is there any way to make
> this work without putting static ip address rules or allowing all traffic?
>
>> In your original question you mentioned having problems with CVS. From
>> the looks of it, you redirect CVS to 10.0.0.2, meaning that all users
>> on that machine can use CVS.
>
> The redirect rule is supposed to redirect connections to CVS on the
> external interface to 10.0.0.2 on the internal lan, where the CVS server
> is actually running.
>
> Cheers,
> J.


Hello Jerahmy,

Some progress it seems? Why not set it to allow gre from VPN server 
only? Ie pass in quick on fxp1 proto gre from  to any?


The way you ask your question, 'make it work without static ip or 
allowing all traffic', isn't that contradictory?


As for the frag part, I'd say that if gre needs frag, then you will have 
to enable it.


About the CVS, I seem to have misunderstood your question. I assumed 
10.0.0.2 wanted to recieve CVS inbound and not serve it outbound, or am 
I mistaking again?


/Roger



Re: Difficulties establishing VPN tunnel with IPNAT

2007-11-25 Thread Jerahmy Pocott


On 26/11/2007, at 1:00 AM, Roger Olofsson wrote:

> Hello Jerahmy, (sorry for top-posting, btw).
>
> Gre is protocol 47. In your firewall rules you only allow/block
> protocols tcp/udp/icmp. If you want to use PPTP you will need to
> allow both the port and the protocol for it.

I put:

pass out quick on fxp1 proto gre from any to any keep state

This allowed the PPTP connection to establish, however trying to use
apps over that connection resulted in:

fxp1 (block all rule) b x.x.x.x -> 10.0.0.3 PR gre len 20 (53) (frag
57516:[EMAIL PROTECTED]) IN bad NAT

By placing the rule:

pass in quick on fxp1 proto gre from any to any

and allowing frags everything started working properly, but allowing
all gre traffic in doesn't seem like a good idea.. Is there any way to
make this work without putting static ip address rules or allowing
all traffic?

> In your original question you mentioned having problems with CVS.
> From the looks of it, you redirect CVS to 10.0.0.2, meaning that
> all users on that machine can use CVS.

The redirect rule is supposed to redirect connections to CVS on the
external interface to 10.0.0.2 on the internal lan, where the CVS
server is actually running.

Cheers,
J.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
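The rule Jerahmy ended up with, `pass in quick on fxp1 proto gre from any to any`, accepts GRE from every host on the Internet, and Roger's suggestion is to name the VPN server as the only allowed source. As an added example (not code from the thread or from ipfilter), here is a small lint over an ipf.rules excerpt that flags inbound `pass` rules on the public interface which accept a protocol from any source, and rewrites a flagged rule to the source-restricted form. The VPN server address 198.51.100.20 is a placeholder from the documentation range.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed ipf.rules excerpt: the two GRE rules from the thread plus the
# restricted variant Roger suggested (198.51.100.20 stands in for the VPN
# server) and the final block rule from Jerahmy's ruleset.
SAMPLE_RULES = """\
# Allow all out-going on public interface and keep state
pass out quick on fxp1 proto tcp  from any to any flags S keep state
pass out quick on fxp1 proto gre from any to any keep state
# Inbound GRE as first tried: accepts GRE from every host on the Internet
pass in quick on fxp1 proto gre from any to any
# Inbound GRE limited to the VPN server
pass in quick on fxp1 proto gre from 198.51.100.20 to any
# Block all other in coming traffic
block in log first quick on fxp1 all
"""

# Covers the subset of ipf syntax used in the thread: action, direction,
# optional "log [first]" and "quick", interface, optional "proto X", then
# either "all" or "from A to B", with anything after that kept verbatim.
RULE_RE = re.compile(
    r"^(?P<action>pass|block)\s+(?P<direction>in|out)\s+"
    r"(?:log\s+(?:first\s+)?)?(?:quick\s+)?"
    r"on\s+(?P<iface>\S+)\s+"
    r"(?:proto\s+(?P<proto>\S+)\s+)?"
    r"(?:(?P<all>all)|from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+))"
    r"(?P<rest>.*)$"
)


@dataclass(frozen=True)
class Rule:
    lineno: int
    text: str
    action: str
    direction: str
    iface: str
    proto: Optional[str]   # None: the rule matches every protocol
    src: str               # "any" when the rule is written with "all"
    dst: str


def parse_rules(text: str) -> List[Rule]:
    """Parse rule lines, skipping comments and blank lines; reject syntax we don't model."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: unsupported rule syntax: {line}")
        src = "any" if m["all"] else m["src"]
        dst = "any" if m["all"] else m["dst"]
        rules.append(Rule(lineno, line, m["action"], m["direction"],
                          m["iface"], m["proto"], src, dst))
    return rules


def open_inbound(rules: List[Rule], proto: str, public_iface: str) -> List[Rule]:
    """Inbound pass rules on the public interface that accept `proto` from any source."""
    return [r for r in rules
            if r.action == "pass" and r.direction == "in" and r.iface == public_iface
            and r.proto in (proto, None) and r.src == "any"]


def restrict_source(rule: Rule, allowed_src: str) -> str:
    """Rewrite a 'from any' rule so only the given source host is accepted."""
    return re.sub(r"\bfrom any\b", f"from {allowed_src}", rule.text, count=1)


if __name__ == "__main__":
    for r in open_inbound(parse_rules(SAMPLE_RULES), "gre", "fxp1"):
        print(f"line {r.lineno}: {r.text}")
        print(f"   suggested: {restrict_source(r, '198.51.100.20')}")
```

Run against a full ipf.rules the lint will also flag a `pass in ... all` rule on the public interface, since a rule with no `proto` accepts GRE along with everything else; that is intentional. Rules using syntax outside the modelled subset raise an error rather than being silently skipped, so a quiet run means every rule was actually examined.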


Re: Difficulties establishing VPN tunnel with IPNAT

2007-11-25 Thread Roger Olofsson

Jerahmy Pocott wrote:

> The Sonic Wall client doesn't trigger ANY firewall rules, which is why I
> thought there must be something going wrong with the NAT. It actually
> establishes the tunnel okay but never gets an IP address; from my
> understanding this client uses some sort of dhcp over ipsec to provision
> the client address..
>
> What I am getting using the standard PPTP method are a bunch of hits:
>
> fxp1 @0:25 b x.x.x.x -> 10.0.0.3 PR gre len 20 (93) IN NAT
>
> (rule @0:25 is the final 'block all' rule)
>
> What is protocol 'gre'? Why is a NAT'd packet getting blocked?!
>
> Thanks!
> J.
>
> On 25/11/2007, at 9:09 AM, Roger Olofsson wrote:
>
>> Hello again Jerahmy,
>>
>> I would suggest that you verify what port(s) and protocol(s) 'Sonic
>> Wall Global VPN Client' needs to work.
>>
>> I would also suggest that you look in the logfile from ipf to see what
>> it's blocking and when.
>>
>> My guess is that the VPN client is using a protocol like IPSEC (IP
>> protocol 50) and possibly port 500 (IKE) for which you will have to
>> activate the ipnat proxy.
>>
>> map WAN internal_ip/24 -> 0.0.0.0/32 proxy port 500 ipsec/udp
>>
>> You might also try to disable the blocking of fragged packets. For
>> some VPN clients this can cause problems.
>>
>> Good luck!
>>
>> /Roger
>>
>> Jerahmy Pocott wrote:
>>
>>> Sorry let me clarify..
>>> There are two issues, one is connecting to any external VPN, with no
>>> filter I can establish a connection to PPTP VPN, but the 'Sonic Wall
>>> Global VPN Client' still fails to connect even with no filter rules.
>>> The redirect for the CVS server has an ipf rule to allow traffic on
>>> that port, but users are getting connection refused messages.
>>> I will include my ipf rules, I clearly need some sort of rule to
>>> allow inbound for the VPN to work, though I think the ipnat is
>>> breaking the Sonic Wall client. Which is strange because everything
>>> worked fine with ipfw/natd.
>>> Here are my ipf rules:
>>> # Allow all in/out on internal interface
>>> pass in  quick on fxp0 all
>>> pass out quick on fxp0 all
>>> # Allow all in/out on loopback interface
>>> pass in  quick on lo0 all
>>> pass out quick on lo0 all
>>> # Allow all out-going on public interface and keep state
>>> pass out quick on fxp1 proto tcp  from any to any flags S keep state
>>> pass out quick on fxp1 proto udp  from any to any keep state
>>> pass out quick on fxp1 proto icmp from any to any keep state
>>> # Block all inbound traffic from non-routable or reserved address spaces
>>> block in quick on fxp1 from 192.168.0.0/16 to any    #RFC 1918 private IP
>>> block in quick on fxp1 from 172.16.0.0/12 to any     #RFC 1918 private IP
>>> block in quick on fxp1 from 10.0.0.0/8 to any        #RFC 1918 private IP
>>> block in quick on fxp1 from 127.0.0.0/8 to any       #loopback
>>> block in quick on fxp1 from 0.0.0.0/8 to any         #loopback
>>> block in quick on fxp1 from 169.254.0.0/16 to any    #DHCP auto-config
>>> block in quick on fxp1 from 192.0.2.0/24 to any      #reserved for docs
>>> block in quick on fxp1 from 204.152.64.0/23 to any   #Sun cluster interconnect
>>> block in quick on fxp1 from 224.0.0.0/3 to any       #Class D & E multicast
>>> # Block frags
>>> block in quick on fxp1 all with frags
>>> # Block short tcp packets
>>> block in quick on fxp1 proto tcp all with short
>>> # block source routed packets
>>> block in quick on fxp1 all with opt lsrr
>>> block in quick on fxp1 all with opt ssrr
>>> # Block anything with special options
>>> block in quick on fxp1 all with ipopts
>>> # Block public pings
>>> block in quick on fxp1 proto icmp all icmp-type 8
>>> # Block ident
>>> block in quick on fxp1 proto tcp from any to any port = 113
>>> # Block all Netbios service. 137=name, 138=datagram, 139=session
>>> # Block MS/Windows hosts2 name server requests 81
>>> block in quick on fxp1 proto tcp/udp from any to any port = 137
>>> block in quick on fxp1 proto tcp/udp from any to any port = 138
>>> block in quick on fxp1 proto tcp/udp from any to any port = 139
>>> block in quick on fxp1 proto tcp/udp from any to any port = 81
>>> # Allow CVS access
>>> pass in quick on fxp1 proto tcp/udp from any to any port = 2401
>>> # Logged Blocking Rules #
>>> # Block nmap OS fingerprint attempts
>>> block in log first quick on fxp1 proto tcp from any to any flags FUP
>>> # Block all other in coming traffic
>>> block in log first quick on fxp1 all
>>> Thanks for the help!
>>> J.
>>> On 25/11/2007, at 12:50 AM, Roger Olofsson wrote:
>>>
>>>> Hello Jerahmy,
>>>>
>>>> Assuming you want to connect from the outside to your VPN.
>>>>
>>>> Have you made sure that port 2401 is open for inbound traffic in
>>>> your ipf.rules?
>>>>
>>>> You might also want to do 'ipnat -C -f '. Man
>>>> ipnat ;^)
>>>>
>>>> Greeting from Sweden
>>>> /Roger
>>>>
>>>> Jerahmy Pocott wrote:
>>>>
>>>>> Hello,
>>>>> I recently decided to give ipf and ipnat a try, previously I had
>>>>> always been using ipfw and natd. Since switching over I can no longer
>>>>> establish a VPN tunnel from any system behind the gateway.
>>>>> I did 'ipf -F a' to flush all rules but I was still unable to
>>>>> connect so I think it's a problem with ipnat? Also my redirect from
>>>>> ipnat doesn't seem to work either.
>>>>> These are the only ipnat rules I have:

Re: Difficulties establishing VPN tunnel with IPNAT

2007-11-25 Thread Jerahmy Pocott

Perhaps, but I've heard a lot of good things about IPF and IPNAT,
especially since the nat is all in kernel whereas natd is userland, so
there is a slight performance boost possibly there as well..

It is not difficult to switch back to my old set up, but I thought I
would give it a chance; since I've not used IPF before I figured it was
likely something I've done wrong rather than something wrong with the
program!

I like the rule format in ipf and how simple it is to change ipnat rules
on the fly without dumping current mappings. And it SHOULD work
just as well as natd?


On 25/11/2007, at 10:42 PM, Ted Mittelstaedt wrote:

> That's an absolutely terrible reason.
>
> On FreeBSD and the other open source operating systems there
> are always multiple ways to solve a problem.  While in a few
> situations it can definitively be stated that one program is
> better (for example, sendmail is obviously superior to qmail)
> in most situations the different programs are merely different.
> The "better" one is the one that works for YOUR problem the
> best.  Not the one that works for someone else's problem.
>
> ipf is no better than ipfw for most purposes, it's just different.
> In this case, you had a working solution and now you don't.  So,
> clearly, in your case, it's WORSE.
>
> Ted
>
>> -Original Message-
>> From: Jerahmy Pocott [mailto:[EMAIL PROTECTED]
>> Sent: Sunday, November 25, 2007 2:12 AM
>> To: Ted Mittelstaedt
>> Cc: Roger Olofsson; FreeBSD Questions
>> Subject: Re: Difficulties establishing VPN tunnel with IPNAT
>>
>>
>> Well the main reason is that it was part of IPF, and IPF seemed to be
>> better than IPFW? So when trying out IPF I also used IPNAT.. I had no
>> problems with natd but it seemed I should use the IPNAT if I was using IPF?
>>
>> On 25/11/2007, at 8:00 PM, Ted Mittelstaedt wrote:
>>
>>> The other thing you can do is simply switch back to natd.
>>>
>>> You didn't say why you decided to switch in the first place.
>>>
>>> A lot of times people switch because they are having problems
>>> with natd.  Are you?  If not, you should be aware that natd
>>> does support more kinds of protocol translations.
>>>
>>> Ted
>>>
>>>> -Original Message-
>>>> From: [EMAIL PROTECTED]
>>>> [mailto:[EMAIL PROTECTED] Behalf Of Roger
>>>> Olofsson
>>>> Sent: Saturday, November 24, 2007 2:09 PM
>>>> To: Jerahmy Pocott
>>>> Cc: FreeBSD Questions
>>>> Subject: Re: Difficulties establishing VPN tunnel with IPNAT
>>>>
>>>>
>>>> Hello again Jerahmy,
>>>>
>>>> I would suggest that you verify what port(s) and protocol(s)
>>>> 'Sonic Wall Global VPN Client' needs to work.
>>>>
>>>> I would also suggest that you look in the logfile from ipf to see
>>>> what it's blocking and when.
>>>>
>>>> My guess is that the VPN client is using a protocol like IPSEC (IP
>>>> protocol 50) and possibly port 500 (IKE) for which you will have to
>>>> activate the ipnat proxy.
>>>>
>>>> map WAN internal_ip/24 -> 0.0.0.0/32 proxy port 500 ipsec/udp
>>>>
>>>> You might also try to disable the blocking of fragged packets. For
>>>> some VPN clients this can cause problems.
>>>>
>>>> Good luck!
>>>>
>>>> /Roger
>>>>
>>>> Jerahmy Pocott wrote:
>>>>
>>>>> Sorry let me clarify..
>>>>>
>>>>> There are two issues, one is connecting to any external VPN,
>>>>> with no filter I can establish a connection to PPTP VPN, but the
>>>>> 'Sonic Wall Global VPN Client' still fails to connect even with
>>>>> no filter rules.
>>>>>
>>>>> The redirect for the CVS server has an ipf rule to allow traffic
>>>>> on that port, but users are getting connection refused messages.
>>>>>
>>>>> I will include my ipf rules, I clearly need some sort of rule to
>>>>> allow inbound for the VPN to work, though I think the ipnat is
>>>>> breaking the Sonic Wall client. Which is strange because
>>>>> everything worked fine with ipfw/natd.
>>>>>
>>>>> Here are my ipf rules:
>>>>>
>>>>> # Allow all in/out on internal interface
>>>>> pass in  quick on fxp0 all
>>>>> pass out quick on fxp0 all
>>>>>
>>>>> # Allow all in/out on loopback interface
>>>>> pass in  quick on lo0 all
>>>>> pass out quick on lo0 all
>>>>>
>>>>> # Allow all out-going on public interface and keep state
>>>>> pass out quick on fxp1 proto tcp  from any to any flags S keep state
>>>>> pass out quick on fxp1 proto udp  from any to any keep state
>>>>> pass out quick on fxp1 proto icmp from any to any keep state
>>>>>
>>>>> # Block all inbound traffic from non-routable or reserved address spaces
>>>>> block in quick on fxp1 from 192.168.0.0/16 to any    #RFC 1918 private IP
>>>>> block in quick on fxp1 from 172.16.0.0/12 to any     #RFC 1918 private IP
>>>>> block in quick on fxp1 from 10.0.0.0/8 to any        #RFC 1918 private IP
>>>>> block in quick on fxp1 from 127.0.0.0/8 to any       #loopback
>>>>> block in quick on fxp1 from 0.0.0.0/8 to any         #loopback
>>>>> block in quick on fxp1 from 169.254.0.0/16 to any    #DHCP auto-config
>>>>> block in quick on fxp1 from 192.0.2.0/24 to any      #reserved for docs
>>>>> block in quick on fxp1 from 204.152.64.0/23 to any   #Sun cluster interconnect
>>>>> block in quick on fxp1 from 224.0.0.0/3 to any       #Class D & E multicast
>>>>>
>>>>> # Block frags
>>>>> block in quick on fxp1 all with frags
>>>>> # Block short tcp packets
>>>>> block in quick on fxp1 proto tcp all with short
>>>>> # block source routed packets
>>>>> block in quick o

RE: Difficulties establishing VPN tunnel with IPNAT

2007-11-25 Thread Ted Mittelstaedt

That's an absolutely terrible reason.

On FreeBSD and the other open source operating systems there
are always multiple ways to solve a problem.  While in a few
situations it can definitively be stated that one program is
better (for example, sendmail is obviously superior to qmail)
in most situations the different programs are merely different.
The "better" one is the one that works for YOUR problem the
best.  Not the one that works for someone else's problem.

ipf is no better than ipfw for most purposes, it's just different.
In this case, you had a working solution and now you don't.  So,
clearly, in your case, it's WORSE.

Ted

> -Original Message-
> From: Jerahmy Pocott [mailto:[EMAIL PROTECTED]
> Sent: Sunday, November 25, 2007 2:12 AM
> To: Ted Mittelstaedt
> Cc: Roger Olofsson; FreeBSD Questions
> Subject: Re: Difficulties establishing VPN tunnel with IPNAT
> 
> 
> Well the main reason is that it was part of IPF, and IPF seemed to be  
> better
> than IPFW? So when trying out IPF I also used IPNAT.. I had no problems
> with natd but it seemed I should use the IPNAT if I was using IPF?
> 
> On 25/11/2007, at 8:00 PM, Ted Mittelstaedt wrote:
> 
> >
> > The other thing you can do is simply switch back to natd.
> >
> > You didn't say why you decided to switch in the first place.
> >
> > A lot of times people switch because they are having problems
> > with natd.  Are you?  If not, you should be aware that natd
> > does support more kinds of protocol translations.
> >
> > Ted
> >
> >> -Original Message-
> >> From: [EMAIL PROTECTED]
> >> [mailto:[EMAIL PROTECTED] Behalf Of Roger  
> >> Olofsson
> >> Sent: Saturday, November 24, 2007 2:09 PM
> >> To: Jerahmy Pocott
> >> Cc: FreeBSD Questions
> >> Subject: Re: Difficulties establishing VPN tunnel with IPNAT
> >>
> >>
> >> Hello again Jerahmy,
> >>
> >> I would suggest that you verify what port(s) and protocol(s)  
> >> 'Sonic Wall
> >> Global VPN Client' needs to work.
> >>
> >> I would also suggest that you look in the logfile from ipf to see  
> >> what
> >> it's blocking and when.
> >>
> >> My guess is that the VPN client is using a protocol like IPSEC (IP
> >> protocol 50) and possibly port 500 (IKE) for which you will have to
> >> activate the ipnat proxy.
> >>
> >> map WAN internal_ip/24 -> 0.0.0.0/32 proxy port 500 ipsec/udp
> >>
> >> You might also try to disable the blocking of fragged packets. For  
> >> some
> >> VPN clients this can cause problems.
> >>
> >> Good luck!
> >>
> >> /Roger
> >>
> >>
> >>
> >> Jerahmy Pocott skrev:
> >>> Sorry let me clarify..
> >>>
> >>> There are two issues, one is connecting to any external VPN, with no
> >>> filter I
> >>> can establish a connection to PPTP VPN, but the 'Sonic Wall  
> >>> Global VPN
> >>> Client'
> >>> still fails to connect even with no filter rules.
> >>>
> >>> The redirect for the CVS server has an ipf rule to allow
> >> traffic on that
> >>> port, but
> >>> users are getting connection refused messages.
> >>>
> >>> I will include my ipf rules, I clearly need some sort of rule to  
> >>> allow
> >>> inbound for
> >>> the VPN to work, though I think the ipnat is breaking the Sonic Wall
> >>> client. Which
> >>> is strange because everything worked fine with ipfw/natd.
> >>>
> >>> Here are my ipf rules:
> >>>
> >>> # Allow all in/out on internel interface
> >>> pass in  quick on fxp0 all
> >>> pass out quick on fxp0 all
> >>>
> >>> # Allow all in/out on loopback interface
> >>> pass in  quick on lo0 all
> >>> pass out quick on lo0 all
> >>>
> >>> # Allow all out-going on public interface and keep state
> >>> pass out quick on fxp1 proto tcp  from any to any flags S keep state
> >>> pass out quick on fxp1 proto udp  from any to any keep state
> >>> pass out quick on fxp1 proto icmp from any to any keep state
> >>>
> >>> # Block all inbound traffic from non-routable or reserved address spaces
> >>> block in quick on fxp1 from 192.168.0.0/16 to any   #RFC 1918 private IP
> >>> block in 

Re: Difficulties establishing VPN tunnel with IPNAT

2007-11-25 Thread Jerahmy Pocott
The Sonic Wall client doesn't trigger ANY firewall rules, which is why I thought there must be something going wrong with the NAT. It actually establishes the tunnel okay but never gets an IP address, from my understanding this client uses some sort of dhcp over ipsec to provision the client address..

What I am getting using the standard PPTP method are a bunch of hits:

fxp1 @0:25 b x.x.x.x -> 10.0.0.3 PR gre len 20 (93) IN NAT

(rule @0:25 is the final 'block all' rule)

What is protocol 'gre'? Why is a NAT'd packet getting blocked?!

Thanks!
J.

On 25/11/2007, at 9:09 AM, Roger Olofsson wrote:


Hello again Jerahmy,

I would suggest that you verify what port(s) and protocol(s) 'Sonic Wall Global VPN Client' needs to work.

I would also suggest that you look in the logfile from ipf to see what it's blocking and when.

My guess is that the VPN client is using a protocol like IPSEC (IP protocol 50) and possibly port 500 (IKE) for which you will have to activate the ipnat proxy.


map WAN internal_ip/24 -> 0.0.0.0/32 proxy port 500 ipsec/udp

You might also try to disable the blocking of fragged packets. For some VPN clients this can cause problems.


Good luck!

/Roger



Jerahmy Pocott skrev:

Sorry let me clarify..

There are two issues, one is connecting to any external VPN, with no filter I can establish a connection to PPTP VPN, but the 'Sonic Wall Global VPN Client' still fails to connect even with no filter rules.

The redirect for the CVS server has an ipf rule to allow traffic on that port, but users are getting connection refused messages.

I will include my ipf rules, I clearly need some sort of rule to allow inbound for the VPN to work, though I think the ipnat is breaking the Sonic Wall client. Which is strange because everything worked fine with ipfw/natd.

Here are my ipf rules:

# Allow all in/out on internel interface
pass in  quick on fxp0 all
pass out quick on fxp0 all
# Allow all in/out on loopback interface
pass in  quick on lo0 all
pass out quick on lo0 all
# Allow all out-going on public interface and keep state
pass out quick on fxp1 proto tcp  from any to any flags S keep state
pass out quick on fxp1 proto udp  from any to any keep state
pass out quick on fxp1 proto icmp from any to any keep state
# Block all inbound traffic from non-routable or reserved address spaces
block in quick on fxp1 from 192.168.0.0/16 to any   #RFC 1918 private IP
block in quick on fxp1 from 172.16.0.0/12 to any    #RFC 1918 private IP
block in quick on fxp1 from 10.0.0.0/8 to any       #RFC 1918 private IP
block in quick on fxp1 from 127.0.0.0/8 to any      #loopback
block in quick on fxp1 from 0.0.0.0/8 to any        #loopback
block in quick on fxp1 from 169.254.0.0/16 to any   #DHCP auto-config
block in quick on fxp1 from 192.0.2.0/24 to any     #reserved for docs
block in quick on fxp1 from 204.152.64.0/23 to any  #Sun cluster interconnect
block in quick on fxp1 from 224.0.0.0/3 to any      #Class D & E multicast

# Block frags
block in quick on fxp1 all with frags
# Block short tcp packets
block in quick on fxp1 proto tcp all with short
# block source routed packets
block in quick on fxp1 all with opt lsrr
block in quick on fxp1 all with opt ssrr
# Block anything with special options
block in quick on fxp1 all with ipopts
# Block public pings
block in quick on fxp1 proto icmp all icmp-type 8
# Block ident
block in quick on fxp1 proto tcp from any to any port = 113
# Block all Netbios service. 137=name, 138=datagram, 139=session
# Block MS/Windows hosts2 name server requests 81
block in quick on fxp1 proto tcp/udp from any to any port = 137
block in quick on fxp1 proto tcp/udp from any to any port = 138
block in quick on fxp1 proto tcp/udp from any to any port = 139
block in quick on fxp1 proto tcp/udp from any to any port = 81
# Allow CVS access
pass in quick on fxp1 proto tcp/udp from any to any port = 2401
# Logged Blocking Rules #
# Block nmap OS fingerprint attempts
block in log first quick on fxp1 proto tcp from any to any flags FUP
# Block all other in coming traffic
block in log first quick on fxp1 all
Thanks for the help!
J.
On 25/11/2007, at 12:50 AM, Roger Olofsson wrote:

Hello Jerahmy,

Assuming you want to connect from the outside to your VPN.

Have you made sure that port 2401 is open for inbound traffic in your ipf.rules?

You might also want to do 'ipnat -C -f '. Man ipnat ;^)


Greeting from Sweden
/Roger



Jerahmy Pocott skrev:

Hello,
I recently decided to give ipf and ipnat a try, previously I had always been using ipfw and natd. Since switching over I can no longer establish a VPN tunnel from any system behind the gateway.
I did 'ipf -F a' to flush all rules but I was still unable to connect so I think it's a problem with ipnat? Also my redirect from ipnat doesn't seem to work either.

These are the only ipnat rules
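As an added, defender-side example that is not code from the thread: a small Python parser for ipmon log lines of the shape posted above ("fxp1 @0:25 b x.x.x.x -> 10.0.0.3 PR gre len 20 (93) IN NAT"). It decodes the protocol field (gre is IP protocol 47, the data channel PPTP uses alongside TCP 1723) and points out why a NAT-translated inbound packet still reaches the final block rule when the ruleset only keeps state for tcp, udp and icmp. The gre line is the one from the post; the other sample lines are constructed, and the field layout ipmon uses for tcp lines is assumed rather than taken from the page.

```python
"""Parse ipmon(8) log lines and explain why a NAT-translated inbound packet was
blocked.  Added example for this thread, not code from the original posts."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IP protocol numbers for the protocols the thread's VPN clients depend on,
# with a note on what each one carries.
PROTO_INFO = {
    "tcp": (6, "TCP"),
    "udp": (17, "UDP"),
    "icmp": (1, "ICMP"),
    "gre": (47, "GRE, the data channel of a PPTP tunnel (control is TCP 1723)"),
    "esp": (50, "IPsec ESP, the encrypted data channel of an IPsec VPN"),
}

# Protocols for which the posted ruleset has 'pass out ... keep state' rules.
# Return traffic of any other protocol never gets a state entry and falls
# through to the final 'block in log first quick on fxp1 all' rule (@0:25).
STATEFUL_PASS_OUT = {"tcp", "udp", "icmp"}

# Layout as seen on the page: "<if> @<group>:<rule> <action> <src>[,<port>] ->
# <dst>[,<port>] PR <proto> len <hlen> (<tlen>) <IN|OUT> [NAT]".  The variant
# with a bare total length and TCP flags ("len 20 60 -S IN") is assumed.
LINE_RE = re.compile(
    r"(?:^|\s)(?P<ifname>[a-z]+\d+)\s+@(?P<group>\d+):(?P<rule>\d+)\s+"
    r"(?P<action>\S)\s+(?P<src>[^,\s]+)(?:,(?P<sport>\S+))?\s+->\s+"
    r"(?P<dst>[^,\s]+)(?:,(?P<dport>\S+))?\s+PR\s+(?P<proto>\S+)\s+"
    r"len\s+(?P<hlen>\d+)\s+\(?(?P<tlen>\d+)\)?(?P<rest>.*)$"
)


@dataclass
class IpmonEvent:
    ifname: str
    group: int
    rule: int
    action: str           # 'b' = blocked, 'p' = passed
    src: str
    sport: Optional[str]
    dst: str
    dport: Optional[str]
    proto: str
    direction: str        # 'IN' or 'OUT'
    natted: bool          # ipmon appends NAT when the packet was translated


def parse_line(line: str) -> Optional[IpmonEvent]:
    """Return an IpmonEvent for an ipmon line, or None for anything else."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rest = m.group("rest")
    direction = re.search(r"\b(IN|OUT)\b", rest)
    return IpmonEvent(
        m.group("ifname"), int(m.group("group")), int(m.group("rule")),
        m.group("action"), m.group("src"), m.group("sport"),
        m.group("dst"), m.group("dport"), m.group("proto").lower(),
        direction.group(1) if direction else "?",
        re.search(r"\bNAT\b", rest) is not None,
    )


def explain(ev: IpmonEvent) -> str:
    """Say why the packet ended up where it did, given the thread's ruleset."""
    num, what = PROTO_INFO.get(ev.proto, (None, "unknown protocol"))
    label = f"{ev.proto} (IP protocol {num})" if num is not None else ev.proto
    if ev.action != "b":
        return f"{label}: not blocked (action '{ev.action}')"
    if ev.direction == "IN" and ev.proto not in STATEFUL_PASS_OUT:
        via = "NAT-translated " if ev.natted else ""
        return (f"{label}: {what}; blocked by rule @{ev.group}:{ev.rule} because "
                f"no 'keep state' pass-out rule covers this protocol, so the "
                f"{via}return packet matched no state entry")
    return (f"{label}: blocked by rule @{ev.group}:{ev.rule}; the protocol is "
            f"stateful in this ruleset, so no matching session existed")


def diagnose(log_text: str) -> List[Tuple[IpmonEvent, str]]:
    """Parse every ipmon line in log_text and pair it with an explanation."""
    events = (parse_line(line) for line in log_text.splitlines())
    return [(ev, explain(ev)) for ev in events if ev is not None]


# Constructed sample: the gre line from the thread (timestamp added) plus two
# made-up lines using RFC 5737 documentation addresses.
SAMPLE_LOG = """\
25/11/2007 09:41:12.101010 fxp1 @0:25 b x.x.x.x -> 10.0.0.3 PR gre len 20 (93) IN NAT
25/11/2007 09:41:13.202020 fxp1 @0:25 b 203.0.113.7 -> 10.0.0.3 PR esp len 20 (148) IN NAT
25/11/2007 09:41:14.303030 fxp1 @0:25 b 203.0.113.9,4444 -> 198.51.100.20,1723 PR tcp len 20 60 -S IN
this line is not ipmon output
"""

if __name__ == "__main__":
    for ev, why in diagnose(SAMPLE_LOG):
        print(f"{ev.ifname} {ev.src} -> {ev.dst}: {why}")
```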

Re: Difficulties establishing VPN tunnel with IPNAT

2007-11-25 Thread Jerahmy Pocott
Well the main reason is that it was part of IPF, and IPF seemed to be better than IPFW? So when trying out IPF I also used IPNAT.. I had no problems with natd but it seemed I should use the IPNAT if I was using IPF?

On 25/11/2007, at 8:00 PM, Ted Mittelstaedt wrote:



The other thing you can do is simply switch back to natd.

You didn't say why you decided to switch in the first place.

A lot of times people switch because they are having problems
with natd.  Are you?  If not, you should be aware that natd
does support more kinds of protocol translations.

Ted


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Roger Olofsson

Sent: Saturday, November 24, 2007 2:09 PM
To: Jerahmy Pocott
Cc: FreeBSD Questions
Subject: Re: Difficulties establishing VPN tunnel with IPNAT


Hello again Jerahmy,

I would suggest that you verify what port(s) and protocol(s) 'Sonic Wall Global VPN Client' needs to work.

I would also suggest that you look in the logfile from ipf to see what it's blocking and when.

My guess is that the VPN client is using a protocol like IPSEC (IP
protocol 50) and possibly port 500 (IKE) for which you will have to
activate the ipnat proxy.

map WAN internal_ip/24 -> 0.0.0.0/32 proxy port 500 ipsec/udp

You might also try to disable the blocking of fragged packets. For some VPN clients this can cause problems.

Good luck!

/Roger



Jerahmy Pocott skrev:

Sorry let me clarify..

There are two issues, one is connecting to any external VPN, with no filter I can establish a connection to PPTP VPN, but the 'Sonic Wall Global VPN Client' still fails to connect even with no filter rules.

The redirect for the CVS server has an ipf rule to allow traffic on that port, but users are getting connection refused messages.

I will include my ipf rules, I clearly need some sort of rule to allow inbound for the VPN to work, though I think the ipnat is breaking the Sonic Wall client. Which is strange because everything worked fine with ipfw/natd.

Here are my ipf rules:

# Allow all in/out on internel interface
pass in  quick on fxp0 all
pass out quick on fxp0 all

# Allow all in/out on loopback interface
pass in  quick on lo0 all
pass out quick on lo0 all

# Allow all out-going on public interface and keep state
pass out quick on fxp1 proto tcp  from any to any flags S keep state
pass out quick on fxp1 proto udp  from any to any keep state
pass out quick on fxp1 proto icmp from any to any keep state

# Block all inbound traffic from non-routable or reserved address spaces
block in quick on fxp1 from 192.168.0.0/16 to any   #RFC 1918 private IP
block in quick on fxp1 from 172.16.0.0/12 to any    #RFC 1918 private IP
block in quick on fxp1 from 10.0.0.0/8 to any       #RFC 1918 private IP
block in quick on fxp1 from 127.0.0.0/8 to any      #loopback
block in quick on fxp1 from 0.0.0.0/8 to any        #loopback
block in quick on fxp1 from 169.254.0.0/16 to any   #DHCP auto-config
block in quick on fxp1 from 192.0.2.0/24 to any     #reserved for docs
block in quick on fxp1 from 204.152.64.0/23 to any  #Sun cluster interconnect
block in quick on fxp1 from 224.0.0.0/3 to any      #Class D & E multicast

# Block frags
block in quick on fxp1 all with frags
# Block short tcp packets
block in quick on fxp1 proto tcp all with short
# block source routed packets
block in quick on fxp1 all with opt lsrr
block in quick on fxp1 all with opt ssrr
# Block anything with special options
block in quick on fxp1 all with ipopts
# Block public pings
block in quick on fxp1 proto icmp all icmp-type 8
# Block ident
block in quick on fxp1 proto tcp from any to any port = 113
# Block all Netbios service. 137=name, 138=datagram, 139=session
# Block MS/Windows hosts2 name server requests 81
block in quick on fxp1 proto tcp/udp from any to any port = 137
block in quick on fxp1 proto tcp/udp from any to any port = 138
block in quick on fxp1 proto tcp/udp from any to any port = 139
block in quick on fxp1 proto tcp/udp from any to any port = 81

# Allow CVS access
pass in quick on fxp1 proto tcp/udp from any to any port = 2401

# Logged Blocking Rules #

# Block nmap OS fingerprint attempts
block in log first quick on fxp1 proto tcp from any to any flags FUP

# Block all other in coming traffic
block in log first quick on fxp1 all

Thanks for the help!
J.

On 25/11/2007, at 12:50 AM, Roger Olofsson wrote:


Hello Jerahmy,

Assuming you want to connect from the outside to your VPN.

Have you made sure that port 2401 is open for inbound traffic in your ipf.rules?

You might also want to do 'ipnat -C -f '. Man ipnat ;^)

Greeting from Sweden
/Roger



Jerahmy Pocott skrev:

Hello,
I recently decided to give ipf and ipnat a try, previously I had always been using ipfw and natd. Since switching over I can no longer establish a VPN tunnel from any system behind the gateway.
I did 'ipf -F a' to flush all r

RE: Difficulties establishing VPN tunnel with IPNAT

2007-11-25 Thread Ted Mittelstaedt

The other thing you can do is simply switch back to natd.

You didn't say why you decided to switch in the first place.

A lot of times people switch because they are having problems
with natd.  Are you?  If not, you should be aware that natd
does support more kinds of protocol translations.

Ted

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Roger Olofsson
> Sent: Saturday, November 24, 2007 2:09 PM
> To: Jerahmy Pocott
> Cc: FreeBSD Questions
> Subject: Re: Difficulties establishing VPN tunnel with IPNAT
>
>
> Hello again Jerahmy,
>
> I would suggest that you verify what port(s) and protocol(s) 'Sonic Wall
> Global VPN Client' needs to work.
>
> I would also suggest that you look in the logfile from ipf to see what
> it's blocking and when.
>
> My guess is that the VPN client is using a protocol like IPSEC (IP
> protocol 50) and possibly port 500 (IKE) for which you will have to
> activate the ipnat proxy.
>
> map WAN internal_ip/24 -> 0.0.0.0/32 proxy port 500 ipsec/udp
>
> You might also try to disable the blocking of fragged packets. For some
> VPN clients this can cause problems.
>
> Good luck!
>
> /Roger
>
>
>
> Jerahmy Pocott skrev:
> > Sorry let me clarify..
> >
> > There are two issues, one is connecting to any external VPN, with no
> > filter I
> > can establish a connection to PPTP VPN, but the 'Sonic Wall Global VPN
> > Client'
> > still fails to connect even with no filter rules.
> >
> > The redirect for the CVS server has an ipf rule to allow
> traffic on that
> > port, but
> > users are getting connection refused messages.
> >
> > I will include my ipf rules, I clearly need some sort of rule to allow
> > inbound for
> > the VPN to work, though I think the ipnat is breaking the Sonic Wall
> > client. Which
> > is strange because everything worked fine with ipfw/natd.
> >
> > Here are my ipf rules:
> >
> > # Allow all in/out on internel interface
> > pass in  quick on fxp0 all
> > pass out quick on fxp0 all
> >
> > # Allow all in/out on loopback interface
> > pass in  quick on lo0 all
> > pass out quick on lo0 all
> >
> > # Allow all out-going on public interface and keep state
> > pass out quick on fxp1 proto tcp  from any to any flags S keep state
> > pass out quick on fxp1 proto udp  from any to any keep state
> > pass out quick on fxp1 proto icmp from any to any keep state
> >
> > # Block all inbound traffic from non-routable or reserved address spaces
> > block in quick on fxp1 from 192.168.0.0/16 to any   #RFC 1918 private IP
> > block in quick on fxp1 from 172.16.0.0/12 to any    #RFC 1918 private IP
> > block in quick on fxp1 from 10.0.0.0/8 to any       #RFC 1918 private IP
> > block in quick on fxp1 from 127.0.0.0/8 to any   #loopback
> > block in quick on fxp1 from 0.0.0.0/8 to any #loopback
> > block in quick on fxp1 from 169.254.0.0/16 to any#DHCP auto-config
> > block in quick on fxp1 from 192.0.2.0/24 to any  #reserved for docs
> > block in quick on fxp1 from 204.152.64.0/23 to any  #Sun cluster interconnect
> > block in quick on fxp1 from 224.0.0.0/3 to any      #Class D & E multicast
> > # Block frags
> > block in quick on fxp1 all with frags
> > # Block short tcp packets
> > block in quick on fxp1 proto tcp all with short
> > # block source routed packets
> > block in quick on fxp1 all with opt lsrr
> > block in quick on fxp1 all with opt ssrr
> > # Block anything with special options
> > block in quick on fxp1 all with ipopts
> > # Block public pings
> > block in quick on fxp1 proto icmp all icmp-type 8
> > # Block ident
> > block in quick on fxp1 proto tcp from any to any port = 113
> > # Block all Netbios service. 137=name, 138=datagram, 139=session
> > # Block MS/Windows hosts2 name server requests 81
> > block in quick on fxp1 proto tcp/udp from any to any port = 137
> > block in quick on fxp1 proto tcp/udp from any to any port = 138
> > block in quick on fxp1 proto tcp/udp from any to any port = 139
> > block in quick on fxp1 proto tcp/udp from any to any port = 81
> >
> > # Allow CVS access
> > pass in quick on fxp1 proto tcp/udp from any to any port = 2401
> >
> > # Logged Blocking Rules #
> >
> > # Block nmap OS fingerprint attempts
> > block in log first quick on fxp1 proto tcp from any to any flags FUP
> >
> > # Block all other in coming traffic
> > block in log first quick on fxp1 all
> >

Re: Difficulties establishing VPN tunnel with IPNAT

2007-11-24 Thread Roger Olofsson

Hello again Jerahmy,

I would suggest that you verify what port(s) and protocol(s) 'Sonic Wall Global VPN Client' needs to work.

I would also suggest that you look in the logfile from ipf to see what it's blocking and when.

My guess is that the VPN client is using a protocol like IPSEC (IP protocol 50) and possibly port 500 (IKE) for which you will have to activate the ipnat proxy.


map WAN internal_ip/24 -> 0.0.0.0/32 proxy port 500 ipsec/udp

You might also try to disable the blocking of fragged packets. For some VPN clients this can cause problems.


Good luck!

/Roger



Jerahmy Pocott skrev:

Sorry let me clarify..

There are two issues, one is connecting to any external VPN, with no filter I can establish a connection to PPTP VPN, but the 'Sonic Wall Global VPN Client' still fails to connect even with no filter rules.

The redirect for the CVS server has an ipf rule to allow traffic on that port, but users are getting connection refused messages.

I will include my ipf rules, I clearly need some sort of rule to allow inbound for the VPN to work, though I think the ipnat is breaking the Sonic Wall client. Which is strange because everything worked fine with ipfw/natd.

Here are my ipf rules:

# Allow all in/out on internel interface
pass in  quick on fxp0 all
pass out quick on fxp0 all

# Allow all in/out on loopback interface
pass in  quick on lo0 all
pass out quick on lo0 all

# Allow all out-going on public interface and keep state
pass out quick on fxp1 proto tcp  from any to any flags S keep state
pass out quick on fxp1 proto udp  from any to any keep state
pass out quick on fxp1 proto icmp from any to any keep state

# Block all inbound traffic from non-routable or reserved address spaces
block in quick on fxp1 from 192.168.0.0/16 to any   #RFC 1918 private IP
block in quick on fxp1 from 172.16.0.0/12 to any    #RFC 1918 private IP
block in quick on fxp1 from 10.0.0.0/8 to any       #RFC 1918 private IP
block in quick on fxp1 from 127.0.0.0/8 to any      #loopback
block in quick on fxp1 from 0.0.0.0/8 to any        #loopback
block in quick on fxp1 from 169.254.0.0/16 to any   #DHCP auto-config
block in quick on fxp1 from 192.0.2.0/24 to any     #reserved for docs
block in quick on fxp1 from 204.152.64.0/23 to any  #Sun cluster interconnect
block in quick on fxp1 from 224.0.0.0/3 to any      #Class D & E multicast
# Block frags
block in quick on fxp1 all with frags
# Block short tcp packets
block in quick on fxp1 proto tcp all with short
# block source routed packets
block in quick on fxp1 all with opt lsrr
block in quick on fxp1 all with opt ssrr
# Block anything with special options
block in quick on fxp1 all with ipopts
# Block public pings
block in quick on fxp1 proto icmp all icmp-type 8
# Block ident
block in quick on fxp1 proto tcp from any to any port = 113
# Block all Netbios service. 137=name, 138=datagram, 139=session
# Block MS/Windows hosts2 name server requests 81
block in quick on fxp1 proto tcp/udp from any to any port = 137
block in quick on fxp1 proto tcp/udp from any to any port = 138
block in quick on fxp1 proto tcp/udp from any to any port = 139
block in quick on fxp1 proto tcp/udp from any to any port = 81

# Allow CVS access
pass in quick on fxp1 proto tcp/udp from any to any port = 2401

# Logged Blocking Rules #

# Block nmap OS fingerprint attempts
block in log first quick on fxp1 proto tcp from any to any flags FUP

# Block all other in coming traffic
block in log first quick on fxp1 all

Thanks for the help!
J.

On 25/11/2007, at 12:50 AM, Roger Olofsson wrote:


Hello Jerahmy,

Assuming you want to connect from the outside to your VPN.

Have you made sure that port 2401 is open for inbound traffic in your ipf.rules?

You might also want to do 'ipnat -C -f '. Man ipnat ;^)


Greeting from Sweden
/Roger



Jerahmy Pocott skrev:

Hello,
I recently decided to give ipf and ipnat a try, previously I had always been using ipfw and natd. Since switching over I can no longer establish a VPN tunnel from any system behind the gateway.
I did 'ipf -F a' to flush all rules but I was still unable to connect so I think it's a problem with ipnat? Also my redirect from ipnat doesn't seem to work either.
These are the only ipnat rules I have:
(fxp1 is the external interface)
# ipnat built in ftp proxy rules
map fxp1 10.0.0.0/24 -> 0/32 proxy port 21 ftp/tcp
map fxp1 0.0.0.0/0   -> 0/32 proxy port 21 ftp/tcp
# CVS Server on Fileserv
rdr fxp1 0/32 port 2401 -> 10.0.0.2 port 2401 tcp/udp
# nat all out going traffic on fxp1 from internal lan
map fxp1 10.0.0.0/24 -> 0/32
I can post my firewall rules too if that would help, however with NO rules set it still didn't work so I don't think that would help.. (I'm using the klm which is default to accept?)
Thanks!
J.

Re: Difficulties establishing VPN tunnel with IPNAT

2007-11-24 Thread Jerahmy Pocott

Sorry let me clarify..

There are two issues, one is connecting to any external VPN, with no filter I can establish a connection to PPTP VPN, but the 'Sonic Wall Global VPN Client' still fails to connect even with no filter rules.

The redirect for the CVS server has an ipf rule to allow traffic on that port, but users are getting connection refused messages.

I will include my ipf rules, I clearly need some sort of rule to allow inbound for the VPN to work, though I think the ipnat is breaking the Sonic Wall client. Which is strange because everything worked fine with ipfw/natd.

Here are my ipf rules:

# Allow all in/out on internel interface
pass in  quick on fxp0 all
pass out quick on fxp0 all

# Allow all in/out on loopback interface
pass in  quick on lo0 all
pass out quick on lo0 all

# Allow all out-going on public interface and keep state
pass out quick on fxp1 proto tcp  from any to any flags S keep state
pass out quick on fxp1 proto udp  from any to any keep state
pass out quick on fxp1 proto icmp from any to any keep state

# Block all inbound traffic from non-routable or reserved address spaces
block in quick on fxp1 from 192.168.0.0/16 to any   #RFC 1918 private IP
block in quick on fxp1 from 172.16.0.0/12 to any    #RFC 1918 private IP
block in quick on fxp1 from 10.0.0.0/8 to any       #RFC 1918 private IP
block in quick on fxp1 from 127.0.0.0/8 to any      #loopback
block in quick on fxp1 from 0.0.0.0/8 to any        #loopback
block in quick on fxp1 from 169.254.0.0/16 to any   #DHCP auto-config
block in quick on fxp1 from 192.0.2.0/24 to any     #reserved for docs
block in quick on fxp1 from 204.152.64.0/23 to any  #Sun cluster interconnect
block in quick on fxp1 from 224.0.0.0/3 to any      #Class D & E multicast

# Block frags
block in quick on fxp1 all with frags
# Block short tcp packets
block in quick on fxp1 proto tcp all with short
# block source routed packets
block in quick on fxp1 all with opt lsrr
block in quick on fxp1 all with opt ssrr
# Block anything with special options
block in quick on fxp1 all with ipopts
# Block public pings
block in quick on fxp1 proto icmp all icmp-type 8
# Block ident
block in quick on fxp1 proto tcp from any to any port = 113
# Block all Netbios service. 137=name, 138=datagram, 139=session
# Block MS/Windows hosts2 name server requests 81
block in quick on fxp1 proto tcp/udp from any to any port = 137
block in quick on fxp1 proto tcp/udp from any to any port = 138
block in quick on fxp1 proto tcp/udp from any to any port = 139
block in quick on fxp1 proto tcp/udp from any to any port = 81

# Allow CVS access
pass in quick on fxp1 proto tcp/udp from any to any port = 2401

# Logged Blocking Rules #

# Block nmap OS fingerprint attempts
block in log first quick on fxp1 proto tcp from any to any flags FUP

# Block all other in coming traffic
block in log first quick on fxp1 all

Thanks for the help!
J.

On 25/11/2007, at 12:50 AM, Roger Olofsson wrote:


Hello Jerahmy,

Assuming you want to connect from the outside to your VPN.

Have you made sure that port 2401 is open for inbound traffic in your ipf.rules?

You might also want to do 'ipnat -C -f '. Man ipnat ;^)


Greeting from Sweden
/Roger



Jerahmy Pocott skrev:

Hello,
I recently decided to give ipf and ipnat a try, previously I had always been using ipfw and natd. Since switching over I can no longer establish a VPN tunnel from any system behind the gateway.
I did 'ipf -F a' to flush all rules but I was still unable to connect so I think it's a problem with ipnat? Also my redirect from ipnat doesn't seem to work either.
These are the only ipnat rules I have:
(fxp1 is the external interface)
# ipnat built in ftp proxy rules
map fxp1 10.0.0.0/24 -> 0/32 proxy port 21 ftp/tcp
map fxp1 0.0.0.0/0   -> 0/32 proxy port 21 ftp/tcp
# CVS Server on Fileserv
rdr fxp1 0/32 port 2401 -> 10.0.0.2 port 2401 tcp/udp
# nat all out going traffic on fxp1 from internal lan
map fxp1 10.0.0.0/24 -> 0/32
I can post my firewall rules too if that would help, however with NO rules set it still didn't work so I don't think that would help.. (I'm using the klm which is default to accept?)
Thanks!
J.


Re: Difficulties establishing VPN tunnel with IPNAT

2007-11-24 Thread Jerahmy Pocott

Sorry, the issue is connecting TO any out side VPN, not connecting from
outside.

I tested with ipf set to accept all and it still failed, so I figured it must be ipnat..


I had no issues when using ipfw/natd.


On 25/11/2007, at 12:50 AM, Roger Olofsson wrote:


Hello Jerahmy,

Assuming you want to connect from the outside to your VPN.

Have you made sure that port 2401 is open for inbound traffic in your ipf.rules?

You might also want to do 'ipnat -C -f '. Man ipnat ;^)


Greeting from Sweden
/Roger



Jerahmy Pocott skrev:

Hello,
I recently decided to give ipf and ipnat a try, previously I had always been using ipfw and natd. Since switching over I can no longer establish a VPN tunnel from any system behind the gateway.
I did 'ipf -F a' to flush all rules but I was still unable to connect so I think it's a problem with ipnat? Also my redirect from ipnat doesn't seem to work either.
These are the only ipnat rules I have:
(fxp1 is the external interface)
# ipnat built in ftp proxy rules
map fxp1 10.0.0.0/24 -> 0/32 proxy port 21 ftp/tcp
map fxp1 0.0.0.0/0   -> 0/32 proxy port 21 ftp/tcp
# CVS Server on Fileserv
rdr fxp1 0/32 port 2401 -> 10.0.0.2 port 2401 tcp/udp
# nat all out going traffic on fxp1 from internal lan
map fxp1 10.0.0.0/24 -> 0/32
I can post my firewall rules too if that would help, however with NO rules set it still didn't work so I don't think that would help.. (I'm using the klm which is default to accept?)
Thanks!
J.


Re: Difficulties establishing VPN tunnel with IPNAT

2007-11-24 Thread Roger Olofsson

Hello Jerahmy,

Assuming you want to connect from the outside to your VPN.

Have you made sure that port 2401 is open for inbound traffic in your ipf.rules?


You might also want to do 'ipnat -C -f '. Man ipnat ;^)

Greeting from Sweden
/Roger



Jerahmy Pocott skrev:

Hello,

I recently decided to give ipf and ipnat a try, previously I had always been using ipfw and natd. Since switching over I can no longer establish a VPN tunnel from any system behind the gateway.

I did 'ipf -F a' to flush all rules but I was still unable to connect so I think it's a problem with ipnat? Also my redirect from ipnat doesn't seem to work either.

These are the only ipnat rules I have:

(fxp1 is the external interface)

# ipnat built in ftp proxy rules
map fxp1 10.0.0.0/24 -> 0/32 proxy port 21 ftp/tcp
map fxp1 0.0.0.0/0   -> 0/32 proxy port 21 ftp/tcp

# CVS Server on Fileserv
rdr fxp1 0/32 port 2401 -> 10.0.0.2 port 2401 tcp/udp

# nat all out going traffic on fxp1 from internal lan
map fxp1 10.0.0.0/24 -> 0/32


I can post my firewall rules too if that would help, however with NO rules set it still didn't work so I don't think that would help.. (I'm using the klm which is default to accept?)

Thanks!
J.






Difficulties establishing VPN tunnel with IPNAT

2007-11-24 Thread Jerahmy Pocott

Hello,

I recently decided to give ipf and ipnat a try, previously I had always been using ipfw and natd. Since switching over I can no longer establish a VPN tunnel from any system behind the gateway.

I did 'ipf -F a' to flush all rules but I was still unable to connect so I think it's a problem with ipnat? Also my redirect from ipnat doesn't seem to work either.

These are the only ipnat rules I have:

(fxp1 is the external interface)

# ipnat built in ftp proxy rules
map fxp1 10.0.0.0/24 -> 0/32 proxy port 21 ftp/tcp
map fxp1 0.0.0.0/0   -> 0/32 proxy port 21 ftp/tcp

# CVS Server on Fileserv
rdr fxp1 0/32 port 2401 -> 10.0.0.2 port 2401 tcp/udp

# nat all out going traffic on fxp1 from internal lan
map fxp1 10.0.0.0/24 -> 0/32


I can post my firewall rules too if that would help, however with NO rules set it still didn't work so I don't think that would help.. (I'm using the klm which is default to accept?)

Thanks!
J.


System Freeze w/ IPNAT

2007-11-19 Thread Ted Wisniewski
We have a box doing routing and NAT using IPNAT that freezes up after a couple 
days.   We have swapped out the Box with a different model and continue to 
see the same problem.   Symptoms are that the machine no longer passes 
traffic and the console is unresponsive to any keyboard input (not even 
ctrl-alt-del).    What we are doing is just Nat'ing a portion of the network 
traffic (we want to pass certain areas of the network address space 
un-modified).    We are pretty certain that our problem has something to do 
with ipnat because we are using other BSD boxes as routers without issue.

We have seen a couple:

bge1: watchdog timeout -- resetting
bge1: link state changed to DOWN
bge1: link state changed to UP

in the log file that were not present on the first machine because it had a 
different set of network cards...   I mention it only for completeness.

Any help that someone can provide would be appreciated.  Additional pertinent 
info is provided below.

Thanks

Ted

Relevant Kernel Options:

options IPFILTER         # ipfilter support
options IPFILTER_LOG     # ipfilter logging
options IPFILTER_LOOKUP  # ipfilter pools

Relevant rc.conf settings:

#
# ROUTING 
#
router_enable="YES"
router_flags="-s"
gateway_enable="YES"
#
# Network firewall / NAT (IPF)
#
gateway_enable="YES"  
ipfilter_enable="YES"
ipfilter_flags="-T ipf_nattable_max=50 -E"
ipnat_enable="YES"
ipnat_program="/sbin/ipnat"
ipnat_rules="/etc/ipnat.rules"
ipmon_enable="YES"
ipmon_flags="-Ds -N /dev/ipnat -f /dev/ipl -S /dev/ipstate"


Example rule from /etc/ipnat.rules (we have a number of these based on areas 
of our network)...  Each subnet is associated with a different ip on the 
outgoing side of the NAT.

#
map bge0 192.168.100.0/23 -> 192.168.4.64/32 proxy port ftp ftp/tcp
map bge0 192.168.100.0/23 -> 192.168.4.64/32 icmpidmap icmp 6:65535
map bge0 192.168.100.0/23 -> 192.168.4.64/32 portmap tcp/udp 42000:65535 
#



Background info:

FreeBSD 6.2 pl-8
Using Dell Poweredge 860 
1 Gig RAM
Dual - Broadcom BCM5750 B1, ASIC rev. 0x4101
Latest Firmware

First Interface (bge0):
with 11 IP's (1 for host with 10 aliases for NAT) operating at  media: 
Ethernet autoselect (1000baseTX )  

Second interface (bge1):
with one IP operating at  media: Ethernet autoselect (1000baseTX 
)



Re: ipnat + mysql replication

2007-07-18 Thread Olivier Nicole
> I have 4 FreeBSD servers in one location. A firewall/nat load balances
> between two web servers which hits a database server for content (also
> behind firewall/nat). The database server replicates from a remote
> location (outgoing connection), where the admin interface resides
> (different facility). The problem I'm having is that it's a fairly
> well-trafficked site. The ipnat entries table fills up quickly (30,000
> I think is the max), and so I have to ipnat -F fairly often (every 5
> minutes or so). The problem with this is that it kills any outgoing
> connections (like my mysql replication). Is there a way I can set the
> expiration for ipnat table entries, or setup mysql replication rules
> in ipnat.conf that will be ignored when ipnat -F is issued?

rdr has an age option to define a different timeout; the redirection
for load balancing could have a very short timeout, causing your
ipnat entries to expire quickly.

Just a guess, I never used it, but seen it from the manual.

Another, more heavy solution, but maybe more robust, would be to have
dual NIC in your mysql server and add a second firewall/nat.
The mysql replication going through the second NIC and firewall.

Bests,

Olivier

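Added example (not code from the thread, nor from IPFilter): a Python model of an ipnat session table, to show the two things Olivier's reply points at. Flushing with 'ipnat -F' to make room drops every active session, the outgoing mysql replication one included, whereas a short 'age' on the load-balancing rdr rule keeps the table below its cap without touching long-lived sessions, because steady-state occupancy is roughly arrival rate times age. The table cap (30000), the request rate, the rdr age and the TCP idle timeout are assumptions for the simulation; check the real values with 'ipf -T ipf_nattable_max' and 'ipf -T fr_tcpidletimeout' on your own box.

```python
"""Model of an ipnat session table: capacity, per-entry expiry, flush.
Added example; the figures below are assumptions, not ipnat defaults."""
import heapq

TABLE_MAX = 30000                   # ceiling mentioned in the thread (assumed exact)
TCP_IDLE_DEFAULT = 5 * 24 * 3600    # assumed TCP idle timeout, seconds (check ipf -T fr_tcpidletimeout)
WEB_RATE = 200                      # assumed: new client connections/second hitting the rdr rule
RDR_AGE = 60                        # assumed: 'age' set on the rdr rule, seconds


class NatTable:
    """Session table with per-entry expiry, a hard capacity and a flush."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.live = {}          # key -> (rule, expires_at)
        self.heap = []          # (expires_at, seq, key), pruned lazily
        self.seq = 0
        self.dropped = 0        # sessions refused because the table was full

    def expire(self, now):
        while self.heap and self.heap[0][0] <= now:
            exp, _, key = heapq.heappop(self.heap)
            if key in self.live and self.live[key][1] == exp:
                del self.live[key]

    def add(self, now, key, rule, age):
        self.expire(now)
        if len(self.live) >= self.capacity:
            self.dropped += 1
            return False
        self.seq += 1
        self.live[key] = (rule, now + age)
        heapq.heappush(self.heap, (now + age, self.seq, key))
        return True

    def flush(self):
        """What 'ipnat -F' does: every active session goes, not only stale ones."""
        self.live.clear()
        self.heap.clear()

    def __len__(self):
        return len(self.live)


def simulate(rdr_age, flush_every=None, duration=900, web_rate=WEB_RATE):
    """Run the table for `duration` seconds. Returns the peak table size, how
    many sessions were refused for lack of room, and whether the long-lived
    replication session opened at t=0 is still there at the end."""
    table = NatTable(TABLE_MAX)
    # Outbound mysql replication: one session whose idle timeout outlives the run.
    table.add(0, ("mysql", 3306), "map-out", TCP_IDLE_DEFAULT)
    peak = 0
    for now in range(duration):
        if flush_every and now > 0 and now % flush_every == 0:
            table.flush()
        for n in range(web_rate):
            table.add(now, ("web", now, n), "rdr-web", rdr_age)
        peak = max(peak, len(table))
    return {
        "peak": peak,
        "dropped": table.dropped,
        "repl_alive": ("mysql", 3306) in table.live,
    }


if __name__ == "__main__":
    # Default idle timeout for everything plus a cron'd 'ipnat -F' every five minutes.
    print("flush :", simulate(TCP_IDLE_DEFAULT, flush_every=300))
    # Short age on the rdr rule, no flushing at all.
    print("age   :", simulate(RDR_AGE))
```

In the first run the table hits its cap well before the five-minute flush, new web clients are refused in the meantime, and the flush then kills the replication session; in the second run the table settles at about WEB_RATE * RDR_AGE entries and the replication session is never touched. The same arithmetic says how large ipf_nattable_max has to be for a given rate and timeout.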

ipnat + mysql replication

2007-07-18 Thread John Fitzgerald

Hi,

I have 4 FreeBSD servers in one location. A firewall/nat load balances
between two web servers which hits a database server for content (also
behind firewall/nat). The database server replicates from a remote
location (outgoing connection), where the admin interface resides
(different facility). The problem I'm having is that it's a fairly
well-trafficked site. The ipnat entries table fills up quickly (30,000
I think is the max), and so I have to ipnat -F fairly often (every 5
minutes or so). The problem with this is that it kills any outgoing
connections (like my mysql replication). Is there a way I can set the
expiration for ipnat table entries, or setup mysql replication rules
in ipnat.conf that will be ignored when ipnat -F is issued?

Thanks,

JJ


RE: IPNAT

2007-06-22 Thread Bob
NO, You only need IPNAT and gateway_enabled="YES" in your rc.conf file if you 
have a LAN behind your FBSD system

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of RYAN M. vAN GINNEKEN
Sent: Friday, June 22, 2007 2:00 PM
To: [EMAIL PROTECTED]
Subject: IPNAT


Just wondering if I need IPNAT and gateway_enabled="YES" in my rc.conf file? It 
is a stand-alone server so does not need to route any packets but does run 
proftpd.

Can I just have ipf running or do I need ipnat too in this situation?

--
Computer King & CaN Mail - Sales Service Hosting Backup

http://www.computerking.ca http://www.canmail.org

NEW!!! Custom Service Packages
Secure IMAP Email - Automated Remote Backups - Photo Blogs - Online Accounting 
Packages




IPNAT

2007-06-22 Thread RYAN M. vAN GINNEKEN

Just wondering if I need IPNAT and gateway_enabled="YES" in my rc.conf file? It 
is a stand-alone server so does not need to route any packets but does run 
proftpd.

Can I just have ipf running or do I need ipnat too in this situation?

-- 
Computer King & CaN Mail - Sales Service Hosting Backup 

http://www.computerking.ca http://www.canmail.org 

NEW!!! Custom Service Packages 
Secure IMAP Email - Automated Remote Backups - Photo Blogs - Online Accounting 
Packages 



ipnat. Mapping only specified port

2007-03-15 Thread Алексей Б.
I use IPFilter firewall and I need to remap only packets with specified 
port in destination. Other traffic should not be remapped.


IPNAT(5) says following:

Matching of packets has now been extended to allow more complex compares. In 
place of the address which is to be translated, an IP address and port number 
comparison can be made using the same expressions available with *ipf*.

I tried the following line in ipnat.rules:

map rl0 from 192.168.0.0/24 to any port=pop3 -> 0.0.0.0/32

But it didn’t help:


isrv# ipnat -CF -f /etc/ipnat.rules
0 entries flushed from NAT table
1 entries flushed from NAT list

isrv# ipnat -l
List of active MAP/Redirect filters:
map rl0 from 192.168.0.0/24 to any -> 0.0.0.0/32

List of active sessions:
isrv#

As you can see, the active filter doesn't contain the port I need.

How can I specify the IP address and port number to be translated in ipnat.rules?

Or can I restrict NAT for all traffic to a specified network?




---
Alexey B.



Re: debugging ipnat

2007-01-08 Thread Michael P. Soulier

On 1/6/07, Michael P. Soulier <[EMAIL PROTECTED]> wrote:

I have a simple port-forwarding rule that I want to work from my
gateway to a box on my LAN, but it doesn't seem to be working.

[EMAIL PROTECTED] ~]$ sudo ipnat -l
Password:
List of active MAP/Redirect filters:
rdr tun0 0.0.0.0/32 port 6882 -> 192.168.1.3 port 6882 tcp


What I was doing wrong is that the rule should have been this.

rdr tun0 0.0.0.0/0 port 6882 -> 192.168.1.3 port 6882 tcp

Mike
--
Michael P. Soulier <[EMAIL PROTECTED]>
"Any intelligent fool can make things bigger and more complex... It takes a
touch of genius - and a lot of courage to move in the opposite direction."
--Albert Einstein

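Added example (not code from the thread, nor from IPFilter): a Python model of how the destination spec of an ipnat 'rdr' rule selects packets, to show why the posted rule with 0.0.0.0/32 never redirected anything while 0.0.0.0/0 did. A /32 names exactly one address, and no packet arriving on tun0 is addressed to 0.0.0.0, so nothing matched, the SYN reached the gateway's own stack and was answered with a RST, exactly what the tcpdump in the question showed. Only the rdr syntax seen in the thread is parsed, and the match is a plain prefix test, which is all the observed behaviour needs; ipnat(5) is the reference for the real grammar and for special addresses.

```python
"""Parse the rdr rules from the thread and test packets against them.
Added example; a simplified model, not IPFilter's parser."""
import ipaddress
import re
from dataclasses import dataclass

RULE_BROKEN = "rdr tun0 0.0.0.0/32 port 6882 -> 192.168.1.3 port 6882 tcp"
RULE_FIXED = "rdr tun0 0.0.0.0/0 port 6882 -> 192.168.1.3 port 6882 tcp"

# rdr <if> <ext-addr/prefix> port <n> -> <int-addr> port <n> <proto>
RDR_RE = re.compile(
    r"^rdr\s+(?P<ifname>\S+)\s+(?P<dst>\S+)\s+port\s+(?P<dport>\d+)"
    r"\s+->\s+(?P<to>\S+)\s+port\s+(?P<toport>\d+)\s+(?P<proto>tcp|udp|tcp/udp)$"
)


@dataclass(frozen=True)
class RdrRule:
    ifname: str
    dst: ipaddress.IPv4Network      # external address spec, kept as a prefix
    dport: int
    to: ipaddress.IPv4Address       # internal host the packet is rewritten to
    toport: int
    protos: frozenset               # {"tcp"}, {"udp"} or both


def parse_rdr(line):
    m = RDR_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unsupported rdr syntax: {line!r}")
    return RdrRule(
        ifname=m["ifname"],
        dst=ipaddress.ip_network(m["dst"], strict=False),
        dport=int(m["dport"]),
        to=ipaddress.ip_address(m["to"]),
        toport=int(m["toport"]),
        protos=frozenset(m["proto"].split("/")),
    )


def translate(rule, ifname, proto, dst_ip, dst_port):
    """(new_ip, new_port) for an inbound packet the rule rewrites, else None."""
    if ifname != rule.ifname or proto not in rule.protos or dst_port != rule.dport:
        return None
    # The prefix test: 0.0.0.0/32 contains only 0.0.0.0, 0.0.0.0/0 contains everything.
    if ipaddress.ip_address(dst_ip) not in rule.dst:
        return None
    return str(rule.to), rule.toport


def first_match(rules, ifname, proto, dst_ip, dst_port):
    """Walk the rule list in order and return the first translation that applies."""
    for rule in rules:
        hit = translate(rule, ifname, proto, dst_ip, dst_port)
        if hit is not None:
            return hit
    return None


if __name__ == "__main__":
    for text in (RULE_BROKEN, RULE_FIXED):
        rule = parse_rdr(text)
        print(f"{text}\n  matches {rule.dst.num_addresses} address(es); "
              f"packet to 203.0.113.9:6882 -> {translate(rule, 'tun0', 'tcp', '203.0.113.9', 6882)}")
```

The same prefix test explains the earlier VPN post, where the redirect was written as 'rdr fxp1 0/32 port 2401 -> ...' and also did not work: the public address the remote side actually sends to has to fall inside the prefix on the left of the arrow.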

debugging ipnat

2007-01-06 Thread Michael P. Soulier

I have a simple port-forwarding rule that I want to work from my
gateway to a box on my LAN, but it doesn't seem to be working.

[EMAIL PROTECTED] ~]$ sudo ipnat -l
Password:
List of active MAP/Redirect filters:
rdr tun0 0.0.0.0/32 port 6882 -> 192.168.1.3 port 6882 tcp

Trying to telnet to port 6882 on the public interface from outside, I
just get a connection refused. The port is open in the firewall.
tcpdump shows the traffic arriving, and a reset packet in response.
tcpdump on the private interface shows nothing, so no attempt to
forward the traffic is made.

What am I doing wrong?

Thanks,
Mike
--
Michael P. Soulier <[EMAIL PROTECTED]>
"Any intelligent fool can make things bigger and more complex... It takes a
touch of genius - and a lot of courage to move in the opposite direction."
--Albert Einstein


Re: ipfilter / ipnat & /usr/sbin/ppp ? (answered)

2006-10-18 Thread Nathan Vidican
Answer found, NAT implemented using libalias library:  man 3 libalias


--
Nathan Vidican
[EMAIL PROTECTED]

On Wed, 18 Oct 2006 13:59:29 -0400, Nathan Vidican wrote
> using:
> 
> ppp -ddial -nat 
> 
> How does the "-nat" flag implement nat for PPPoE ? Using ipfw/natd, 
> ipnat/ipfilter, and is it hard-coded or can it be optionally changed?
> 
> Can I use rules created for/through ipfilter/ipnat, or should I 
> simply disable NAT translation on the ppp interface and enable it 
> through ipnat on its own?
> 
> --
> Nathan Vidican
> [EMAIL PROTECTED]



ipfilter / ipnat & /usr/sbin/ppp ?

2006-10-18 Thread Nathan Vidican
using:


ppp -ddial -nat 

How does the "-nat" flag implement nat for PPPoE ? Using ipfw/natd, 
ipnat/ipfilter, and is it hard-coded or can it be optionally changed?

Can I use rules created for/through ipfilter/ipnat, or should I simply 
disable NAT translation on the ppp interface and enable it through ipnat on 
its own? 

--
Nathan Vidican
[EMAIL PROTECTED]


re: Re: problem with ipfilter(ipnat)

2006-04-14 Thread Arnold Lee
Nikos, thank you. I appended "mssclamp 1440" in ipf.rule, and it works 
now! I also tried not using it but adding "set link mtu 1440" in mpd.conf, and 
that failed. Yes, the problem occurs when NATing, and mssclamp 1440 is the key.
 
fbsd,  thank you anyway.
   
  Arnold Lee 
  2006 -04-14






Re: problem with ipfilter(ipnat)

2006-04-12 Thread Nikos Vassiliadis
On Wednesday 12 April 2006 11:34, Arnold Lee wrote:
>   I am in a small lan and want to use fb 6.0 as a router to share internet
> access. I use mpd 3.18 to dial adsl on demand. I configured ipnat with :
> map rl0 10.0.0.0/8 -> 0.0.0.0/32 portmap tcp/udp auto
>  map rl0 10.0.0.0/8 -> 0.0.0.0/32
> And then I use my client computer (windows 2000 Pro) to access internet, it
> seems ok, but soon I realize that there are some websites I can not access!
> For example, www.chinaunix.net is inaccessible! So are some ftp sites such
> as ftp.freebsd.org. It must be a problem of the FB6 box, because if i
> access internet directly from the win2000 box, all those sites above are ok
> ! what is wrong? By the way, I do not use ipfirewall and other firewall, and
> in rc.conf, I wrote "ipfilter_enable = NO, ipnat_enable= YES". Can you help
> me?

I can try. It might be a PMTU problem. A quick way of testing PMTU
related problems is setting a small (below 1400) MTU on your nic.
If you have another Unix-like OS on your lan (besides your router)
you can try a smaller MTU like this "ifconfig nic mtu 1000" and see
what's going on. If you don't have another Unix-like OS, go to step 2
(Windows can also change MTU size but the procedure is not that
simple, google for it if you want it).

2) I recall that I have seen something related in ipf. It's here:
http://www.netbsd.org/Documentation/network/pppoe/#clamping
a quick search in man 5 ipf.conf for "clamp" returned no results, but
that's the case for the NetBSD man page as well. I guess it is not documented in
the manual. Try it.

there is also ng_tcpmss(4), which does the job and is what I have used
in the past with success

there are other solutions too (an mpd option, is it working? a daemon
(tcpmssd)) but I am not familiar with them...

HTH


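Added example (not code from the thread, nor from FreeBSD): what MSS clamping, the 'mssclamp' keyword Arnold ended up using and ng_tcpmss(4) that Nikos mentions, actually does to a TCP SYN, modelled in Python so the mechanism behind the fix is visible. A LAN host behind the NAT advertises MSS 1460 for its 1500-byte Ethernet MTU, but the PPPoE link only carries 1492-byte packets; when PMTU discovery fails (ICMP filtered somewhere), full-size segments are silently lost and some sites hang. Lowering the MSS option on the SYN as it passes the gateway makes both ends send smaller segments, and the TCP checksum has to be recomputed afterwards. The SYN, the addresses and the port numbers are constructed; 1440 is the value from the thread.

```python
"""TCP MSS clamping on a SYN, with checksum repair. Added example, not
the kernel's code; the packet below is constructed for the demonstration."""
import socket
import struct

PPPOE_MTU = 1492                          # 1500 minus 8 bytes of PPPoE + PPP framing
CLAMP_TO = 1440                           # the value that worked in the thread
SRC = socket.inet_aton("10.0.0.10")       # constructed: LAN client
DST = socket.inet_aton("203.0.113.5")     # constructed: remote server


def mss_for_mtu(mtu):
    """Largest TCP payload per packet: MTU minus 20-byte IPv4 and 20-byte TCP headers."""
    return mtu - 40


def tcp_checksum(src, dst, segment):
    """RFC 793 checksum over the IPv4 pseudo-header plus the TCP segment."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(segment))
    data = pseudo + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def checksum_ok(src, dst, segment):
    """A segment carrying a correct checksum recomputes to zero."""
    return tcp_checksum(src, dst, segment) == 0


def build_syn(src, dst, sport, dport, mss):
    """SYN with a single MSS option (kind 2, length 4) and a valid checksum."""
    options = struct.pack("!BBH", 2, 4, mss)
    data_offset = (20 + len(options)) // 4                    # header length in 32-bit words
    header = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0,
                         data_offset << 4, 0x02, 65535, 0, 0)  # flags=SYN, checksum=0
    segment = header + options
    return segment[:16] + struct.pack("!H", tcp_checksum(src, dst, segment)) + segment[18:]


def _mss_value_offset(segment):
    """Offset of the 2-byte MSS value inside the TCP options, or None if absent."""
    header_len = (segment[12] >> 4) * 4
    i = 20
    while i < header_len:
        kind = segment[i]
        if kind == 0:                      # end of option list
            return None
        if kind == 1:                      # NOP padding
            i += 1
            continue
        if i + 1 >= header_len:
            return None                    # truncated option
        length = segment[i + 1]
        if length < 2:
            return None                    # malformed length
        if kind == 2 and length == 4:
            return i + 2
        i += length
    return None


def get_mss(segment):
    off = _mss_value_offset(segment)
    return None if off is None else struct.unpack("!H", segment[off:off + 2])[0]


def clamp_mss(src, dst, segment, max_mss):
    """Lower the MSS option to max_mss if it is higher and fix the checksum.
    Segments without an MSS option, or already low enough, pass through as-is."""
    off = _mss_value_offset(segment)
    if off is None or get_mss(segment) <= max_mss:
        return segment
    out = bytearray(segment)
    out[off:off + 2] = struct.pack("!H", max_mss)
    out[16:18] = b"\x00\x00"
    out[16:18] = struct.pack("!H", tcp_checksum(src, dst, bytes(out)))
    return bytes(out)


if __name__ == "__main__":
    syn = build_syn(SRC, DST, 40000, 80, mss_for_mtu(1500))
    clamped = clamp_mss(SRC, DST, syn, CLAMP_TO)
    print("MSS before:", get_mss(syn), "after:", get_mss(clamped),
          "checksum ok:", checksum_ok(SRC, DST, clamped))
```

For a PPPoE link the exact fit is mss_for_mtu(1492) = 1452; 1440 leaves a little slack for intermediate links and is the figure the thread settled on. Nikos's first suggestion, lowering the MTU on the client, attacks the same problem from the other end: a smaller MTU makes the client advertise a smaller MSS itself.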

RE: problem with ipfilter(ipnat)

2006-04-12 Thread fbsd
There is nothing wrong with FreeBSD 6.0
It's the way you activated ipf that is wrong.
Ipfilter's ipnat function is not an independent function.
You have to code this in rc.conf
ipfilter_enable = "YES"
ipnat_enable = "YES"

and make sure there is no default ipf.rules file

Then ipf will use its default pass all rule which results in the
ipnat function working with a firewall rule of pass all

Also your nat rules are incorrect.
The special alias 0.0.0.0/32 should be 0/32

The FreeBSD handbook has a good section on ipfilter.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Arnold Lee
Sent: Wednesday, April 12, 2006 4:34 AM
To: freebsd-questions@freebsd.org
Subject: problem with ipfilter(ipnat)


  I am in a small lan and want to use fb 6.0 as a router to share
internet access. I use mpd 3.18 to dial adsl on demand. I configured
ipnat with :
   map rl0 10.0.0.0/8 -> 0.0.0.0/32 portmap tcp/udp auto
   map rl0 10.0.0.0/8 -> 0.0.0.0/32
And then I use my client computer (windows 2000 Pro) to access
internet, it seems ok, but soon I realize that there are some
websites I can not access! For example, www.chinaunix.net is
inaccessible! So are some ftp sites such as ftp.freebsd.org. It must
be a problem of the FB6 box, because if i access internet directly
from the win2000 box, all those sites above are ok ! what is wrong?
By the way, I do not use ipfirewall and other firewall, and in
rc.conf, I wrote "ipfilter_enable = NO, ipnat_enable= YES". Can you
help me?





problem with ipfilter(ipnat)

2006-04-12 Thread Arnold Lee
  I am in a small lan and want to use fb 6.0 as a router to share internet 
access. I use mpd 3.18 to dial adsl on demand. I configured ipnat with :
   map rl0 10.0.0.0/8 -> 0.0.0.0/32 portmap tcp/udp auto
   map rl0 10.0.0.0/8 -> 0.0.0.0/32
And then I use my client computer (windows 2000 Pro) to access internet, it seems 
ok, but soon I realize that there are some websites I can not access! For 
example, www.chinaunix.net is inaccessible! So are some ftp sites such as 
ftp.freebsd.org. It must be a problem of the FB6 box, because if i access 
internet directly from the win2000 box, all those sites above are ok ! what is 
wrong? By the way, I do not use ipfirewall and other firewall, and in rc.conf, I 
wrote "ipfilter_enable = NO, ipnat_enable= YES". Can you help me?




Re: ipnat syntax error?

2006-04-03 Thread Juergen Heberling

fbsd_user wrote:

You can use this format of the ipnat map command

map dc0 10.0.10.1/29 -> 20.20.20.5-20.20.20.7


.. snip ..
The above version of the command also results in a syntax error at the "-".

Juergen


RE: ipnat syntax error?

2006-04-03 Thread fbsd_user

You can use this format of the ipnat map command

map dc0 10.0.10.1/29 -> 20.20.20.5-20.20.20.7

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Erik Norgaard
Sent: Monday, April 03, 2006 7:45 AM
To: Juergen Heberling
Cc: freebsd-questions@freebsd.org
Subject: Re: ipnat syntax error?


Juergen Heberling wrote:
> Due to historical reasons I can not just take a /29 or /30 block out of 
> the middle of the cidr I will ultimately use -- this FreeBSD server will 
> implement a firewall on an existing connection replacing an old Cisco 
> router that only NAT'd.  So I will see if things can work with "just" 
> one "map" with portmaps.
> 
> Please note that the "-" for the range syntax is documented in several 
> places, not just the FreeBSD handbook and should probably be fixed.

check out packet filter as an alternative, you can map any pool of 
addresses as you like:

   http://openbsd.org/faq/pf/nat.html

You can use a list or a table to specify what src addresses are mapped to 
what dst addresses.

Cheers, Erik
-- 
Ph: +34.666334818  web: www.locolomo.org
S/MIME Certificate: www.daemonsecurity.com/ca/8D03551FFCE04F06.crt
Subject ID:  9E:AA:18:E6:94:7A:91:44:0A:E4:DD:87:73:7F:4E:82:E7:08:9C:72
Fingerprint: 5B:D5:1E:3E:47:E7:EC:1C:4C:C8:3A:19:CC:AE:14:F5:DF:18:0F:B9



Re: ipnat syntax error?

2006-04-03 Thread Erik Norgaard

Juergen Heberling wrote:
Due to historical reasons I can not just take a /29 or /30 block out of 
the middle of the cidr I will ultimately use -- this FreeBSD server will 
implement a firewall on an existing connection replacing an old Cisco 
router that only NAT'd.  So I will see if things can work with "just" 
one "map" with portmaps.


Please note that the "-" for the range syntax is documented in several 
places, not just the FreeBSD handbook and should probably be fixed.


check out packet filter as an alternative, you can map any pool of 
addresses as you like:


  http://openbsd.org/faq/pf/nat.html

You can use a list or a table to specify what src addresses are mapped to 
what dst addresses.


Cheers, Erik
--
Ph: +34.666334818  web: www.locolomo.org
S/MIME Certificate: www.daemonsecurity.com/ca/8D03551FFCE04F06.crt
Subject ID:  9E:AA:18:E6:94:7A:91:44:0A:E4:DD:87:73:7F:4E:82:E7:08:9C:72
Fingerprint: 5B:D5:1E:3E:47:E7:EC:1C:4C:C8:3A:19:CC:AE:14:F5:DF:18:0F:B9


Re: ipnat syntax error?

2006-04-03 Thread Juergen Heberling

Erik Nørgaard wrote:

.. snip ..




Well, my suggestion is not to exhaust your precious /28 address space 
right away. And don't make your life unnecessarily difficult, why choose 
the addresses in the middle for bimap?

Rather than using all your external ip's right away I would save some 
for later expansion, and reserve one for debugging. You may need to 
connect a laptop on the external net to figure out what's going on. You 
could do this: x.x.x.0/29 to servers (bimap), x.x.x.8/30 debug and 
future expansion (not mapped), x.x.x.12/30 map for lan clients.

If you stick to cidr you can also write your filter rules in cidr making 
it far easier to read and maintain.

For the mapping, and bimapping consider this:

The /24 network you want to map, it contains at most 254 hosts. If you 
map that network to a single ip, then each host can establish at least 
256 simultaneous connections. My experience is that this is far more than 
needed in most normal operating environments. I'd suggest using the same 
ip as on the firewall external interface.

If the purpose of binatting is to make one service available, http say, 
then you may consider using rdr. IIRC you can also use rdr to round 
robin load balancing incoming connections.

That way you can have one host serving http and another serving smtp on 
the same external ip. The only reason to use different ip's is if you're 
hosting a number of https servers, each need a different ip.

There's no point in bimapping all ports on a external ip to one single 
internal ip if most of them are blocked by the filter.


Cheers, Erik


Erik,

Thank you again for your advice.

Due to historical reasons I can not just take a /29 or /30 block out of 
the middle of the cidr I will ultimately use -- this FreeBSD server will 
implement a firewall on an existing connection replacing an old Cisco 
router that only NAT'd.  So I will see if things can work with "just" 
one "map" with portmaps.


Please note that the "-" for the range syntax is documented in several 
places, not just the FreeBSD handbook and should probably be fixed.


Thanks again.
Juergen


Re: ipnat syntax error?

2006-04-02 Thread Erik Nørgaard

Juergen Heberling wrote:

/etc/ipnat.rules contains:
map  em0 192.168.1.0/24 -> 204.134.75.1-10
.. snip ..


I tried your suggestion of using the cidr notation format and that work; 
thank you!


However I am concerned about overlapping mappings in the cidr range with 
host-to-host maps - my cidr range is a /28, for example,
and I want to map (spoof) some IP address in the middle to, say the web 
or mail servers.  In order to avoid the overlap I was counting on the 
"range" specification on the map command.


Well, my suggestion is not to exhaust your precious /28 address space 
right away. And don't make your life unnecessarily difficult, why choose 
the addresses in the middle for bimap?

Rather than using all your external ip's right away I would save some 
for later expansion, and reserve one for debugging. You may need to 
connect a laptop on the external net to figure out what's going on. You 
could do this: x.x.x.0/29 to servers (bimap), x.x.x.8/30 debug and 
future expansion (not mapped), x.x.x.12/30 map for lan clients.

If you stick to cidr you can also write your filter rules in cidr making 
it far easier to read and maintain.

For the mapping, and bimapping consider this:

The /24 network you want to map, it contains at most 254 hosts. If you 
map that network to a single ip, then each host can establish at least 
256 simultaneous connections. My experience is that this is far more than 
needed in most normal operating environments. I'd suggest using the same 
ip as on the firewall external interface.

If the purpose of binatting is to make one service available, http say, 
then you may consider using rdr. IIRC you can also use rdr to round 
robin load balancing incoming connections.

That way you can have one host serving http and another serving smtp on 
the same external ip. The only reason to use different ip's is if you're 
hosting a number of https servers, each need a different ip.

There's no point in bimapping all ports on a external ip to one single 
internal ip if most of them are blocked by the filter.


Cheers, Erik
--
Ph: +34.666334818  web: www.locolomo.org
S/MIME Certificate: www.daemonsecurity.com/ca/8D03551FFCE04F06.crt
Subject ID:  9E:AA:18:E6:94:7A:91:44:0A:E4:DD:87:73:7F:4E:82:E7:08:9C:72
Fingerprint: 5B:D5:1E:3E:47:E7:EC:1C:4C:C8:3A:19:CC:AE:14:F5:DF:18:0F:B9


Re: ipnat syntax error?

2006-04-01 Thread Juergen Heberling



Erik Nørgaard wrote:

Juergen Heberling wrote:

Could someone please check me on this ...

fw1# ipnat -CFn -f /etc/ipnat.rules
0 entries flushed from NAT table
1 entries flushed from NAT list
syntax error error at "-", line 1

/etc/ipnat.rules contains:
map  em0 192.168.1.0/24 -> 204.134.75.1-10
.. snip ..

line 1 in the rules file is the example from the FreeBSD handbook.
I'm running FreeBSD6.0 stable.


It seems to be a documentation bug, the ipf-howto.txt distributed with 
ipfilter makes no mention of that notation, instead you should use cidr 
notation, for example


  204.134.75.0/29

Erik



Erik,

Thank you for the quick response.
I tried your suggestion of using the cidr notation format and that work; 
thank you!


However I am concerned about overlapping mappings in the cidr range with 
host-to-host maps - my cidr range is a /28, for example,
and I want to map (spoof) some IP address in the middle to, say the web 
or mail servers.  In order to avoid the overlap I was counting on the 
"range" specification on the map command.


TIA for any suggestions.
Juergen


Re: ipnat syntax error?

2006-04-01 Thread Erik Nørgaard

Juergen Heberling wrote:

Could someone please check me on this ...

fw1# ipnat -CFn -f /etc/ipnat.rules
0 entries flushed from NAT table
1 entries flushed from NAT list
syntax error error at "-", line 1

/etc/ipnat.rules contains:
map  em0 192.168.1.0/24 -> 204.134.75.1-10
.. snip ..

line 1 in the rules file is the example from the FreeBSD handbook.
I'm running FreeBSD6.0 stable.


It seems to be a documentation bug, the ipf-howto.txt distributed with 
ipfilter makes no mention of that notation, instead you should use cidr 
notation, for example


  204.134.75.0/29

Erik


--
Ph: +34.666334818  web: www.locolomo.org
S/MIME Certificate: www.daemonsecurity.com/ca/8D03551FFCE04F06.crt
Subject ID:  9E:AA:18:E6:94:7A:91:44:0A:E4:DD:87:73:7F:4E:82:E7:08:9C:72
Fingerprint: 5B:D5:1E:3E:47:E7:EC:1C:4C:C8:3A:19:CC:AE:14:F5:DF:18:0F:B9

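Added example (not code from the thread, nor from FreeBSD), covering both of Erik's replies: ipnat rejected the handbook's 'map em0 192.168.1.0/24 -> 204.134.75.1-10' range form, and the advice was to write CIDR blocks and to carve the /28 into a bimap block for servers, a reserved block and a map pool for LAN clients. The Python below turns a dash range into the CIDR blocks ipnat does accept (which also shows why .1-.10 has no single-prefix equivalent), generates that rule set, and checks that the bimap addresses do not fall inside the map pool. The /28 itself (204.134.75.0/28), the interface name, the LAN and the two internal servers are assumptions; the addresses follow the thread's example.

```python
"""Range-to-CIDR conversion and Erik's /28 layout as ipnat rules.
Added example; the network, interface and hosts are assumed."""
import ipaddress

EXTERNAL_NET = "204.134.75.0/28"      # assumed: the /28 from the thread
EXTERNAL_IF = "em0"                   # interface from the posted rule
LAN = "192.168.1.0/24"                # LAN from the posted rule
SERVERS = {                           # assumed: internal host -> role
    "192.168.1.10": "web",
    "192.168.1.11": "mail",
}


def range_to_cidrs(first, last):
    """Smallest set of CIDR blocks covering first..last inclusive.
    204.134.75.1-10 needs five of them, so it cannot be one prefix."""
    return [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))]


def carve(external_net):
    """Erik's split of a /28: a /29 for bimap servers, a /30 left unmapped
    for debugging and expansion, and a /30 pool for the LAN map."""
    net = ipaddress.ip_network(external_net)
    if net.prefixlen != 28:
        raise ValueError("this layout is for a /28")
    servers, rest = net.subnets(new_prefix=29)
    reserved, pool = rest.subnets(new_prefix=30)
    return {"servers": servers, "reserved": reserved, "pool": pool}


def build_rules(external_net=EXTERNAL_NET, ifname=EXTERNAL_IF, lan=LAN, servers=SERVERS):
    """ipnat.rules lines: one bimap per server, then the LAN map with portmap
    and the plain map after it. Returns (rules, blocks, external addresses used)."""
    blocks = carve(external_net)
    # hosts() leaves out the block's network and broadcast addresses.
    server_ips = list(blocks["servers"].hosts())
    if len(servers) > len(server_ips):
        raise ValueError("more servers than addresses in the bimap block")
    rules, used = [], []
    for (inside, role), outside in zip(servers.items(), server_ips):
        rules.append(f"bimap {ifname} {inside}/32 -> {outside}/32   # {role}")
        used.append(outside)
    pool = blocks["pool"]
    rules.append(f"map {ifname} {lan} -> {pool} portmap tcp/udp 1025:65000")
    rules.append(f"map {ifname} {lan} -> {pool}")
    return rules, blocks, used


def check_layout(blocks, used):
    """The three blocks must not overlap, and no bimap address may sit in
    the map pool or the reserved block; this is the overlap Juergen worried about."""
    names = list(blocks)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if blocks[a].overlaps(blocks[b]):
                return False
    return all(ip not in blocks["pool"] and ip not in blocks["reserved"] for ip in used)


if __name__ == "__main__":
    print("handbook range as CIDR:", range_to_cidrs("204.134.75.1", "204.134.75.10"))
    rules, blocks, used = build_rules()
    print("\n".join(rules))
    print("layout ok:", check_layout(blocks, used))
```

Load the generated lines with 'ipnat -CF -f /etc/ipnat.rules' as in the thread; because the blocks come from subnets() of one prefix they can never overlap, and the corresponding ipf filter rules can be written against the same three prefixes.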

ipnat syntax error?

2006-04-01 Thread Juergen Heberling

Could someone please check me on this ...

fw1# ipnat -CFn -f /etc/ipnat.rules
0 entries flushed from NAT table
1 entries flushed from NAT list
syntax error error at "-", line 1

/etc/ipnat.rules contains:
map  em0 192.168.1.0/24 -> 204.134.75.1-10
.. snip ..

line 1 in the rules file is the example from the FreeBSD handbook.
I'm running FreeBSD6.0 stable.

TIA
Juergen



ipf and ipnat stopped working, no routing between nics.

2006-03-31 Thread Daniel A.
(My apologies if you're receiving this email for the third time. It
doesn't seem as if the previous ones reached the list)
Hi,
I run a FreeBSD 6.0 at home in my closet.
Yesterday, while I was linking IRCd services with a friend of mine, my router
completely stopped routing any packets between the internal nic (sis0) and
the external nic (rl0).
The only thing that I can think of, which could have caused this, is that I
ran ettercap on the server to diagnose why our servers wouldn't link. I did NOT
run any ARP poisoning or DNS spoofing attacks on myself.
But I didn't notice if the routing stopped at that point, or later, because I
could always connect to my server, and the server could always connect to the
internet. The situation is still the same.

I have tried to do
- "ipf -Fa -f /etc/ipf.rules; ipnat -FC -f /etc/ipnat.rules" - Didn't help
- "cd /etc/rc.d; ./ipfilter restart; ./ipnat restart" - Didn't help
- Launch ettercap again and exit "cleanly" after telling it to stop sniffing.
A tcpdump reveals that, indeed, no packets at all make it from sis0 to rl0.
So my conclusion is that ipnat "forgot" how to route between the two
interfaces.

Could anyone please give some pointers?

Included stuff:
_ipf.rules
[EMAIL PROTECTED] etc $ cat ipf.rules
# Let clients behind the firewall send out to the internet, and replies to
# come back in by keeping state.
pass out quick on rl0 proto tcp all flags S keep state
pass out quick on rl0 proto udp all keep state
pass out quick on rl0 proto icmp all keep state

# Allow everything on local net
pass in quick on sis0 all
pass out quick on sis0 all

# loopback stuff
pass in quick on lo0 all
pass out quick on lo0 all

# Since nothing should be coming from these address ranges, block them
block in quick on rl0 from 192.168.0.0/16 to any
block in quick on rl0 from 172.16.0.0/12 to any
block in quick on rl0 from 127.0.0.0/8 to any
block in quick on rl0 from 10.0.0.0/8 to any
block in quick on rl0 from 169.254.0.0/16 to any
block in quick on rl0 from 192.0.2.0/24 to any
block in quick on rl0 from 204.152.64.0/23 to any
block in quick on rl0 from 224.0.0.0/3 to any

# Let's let people access the services running behind this system

# Let's let people access the services running on this system
#pass in quick on rl0 proto tcp from any to any port 3 >< 5 flags S keep state #Passive FTP
#pass in quick on rl0 proto tcp from any to any port = 20 flags S keep state #Active FTP
#pass in quick on rl0 proto tcp from any to any port = 21 flags S keep state #FTP
pass in quick on rl0 proto tcp from any to any port = 22 flags S keep state #SSH
pass in quick on rl0 proto tcp from any to any port = 80 flags S keep state #WWW
pass in quick on rl0 proto tcp from any to any port = 113 flags S keep state #oidentd
pass in quick on rl0 proto udp from any to any port = 123 keep state #ntpd
pass in quick on rl0 proto tcp from any to any port = 6697 flags S keep state #ircd, SSL
pass in quick on rl0 proto tcp from any to any port = 6667 flags S keep state #ircd, non-SSL
#pass in quick on rl0 proto tcp from any to any port = 7029 flags S keep state #irc link

pass in quick on rl0 proto tcp from any to 192.168.0.2/32 port = 9541 keep state
pass in quick on rl0 proto udp from any to 192.168.0.2/32 port = 9542 keep state

# Steam Dedicated Server
#pass in quick on rl0 proto udp from any to any port = 1200 # Friends network
#pass in quick on rl0 proto udp from any to any port 26999 >< 27016 # Gameport
#pass in quick on rl0 proto udp from any to any port = 27020
#pass in quick on rl0 proto tcp from any to any port 27029 >< 27040
#pass in quick on rl0 proto tcp from any to any port = 27015 # SRCDS Rcon

# Block everything else
block in quick on rl0
_ipf.rules END

_ipnat.rules
#rdr rl0 0/0 port 9541 -> 192.168.0.2 port 9541 tcp
#rdr rl0 0/0 port 9542 -> 192.168.0.2 port 9542 udp
map rl0 192.168.0.0/29 -> 0/32 proxy port 21 ftp/tcp
#map rl0 0.0.0.0/0 -> 0/32 proxy port 21 ftp/tcp
map rl0 192.168.0.0/29 -> 0/32 portmap tcp/udp 1025:65000
map rl0 192.168.0.0/29 -> 0/32
_ipnat.rules END

_ifconfig -a
[EMAIL PROTECTED] etc $ ifconfig -a
fwe0: flags=108802 mtu 1500
options=8
ether 02:00:0a:04:69:d1
ch 1 dma -1
sis0: flags=8843 mtu 1500
options=8
inet6 fe80::20a:e6ff:fe53:fc1e%sis0 prefixlen 64 scopeid 0x2
inet 192.168.0.1 netmask 0xff00 broadcast 192.168.0.255
ether 00:0a:e6:53:fc:1e
media: Ethernet autoselect (100baseTX )
status: active
rl0: flags=8843 mtu 1500
options=8
inet6 fe80::2b0:2ff:fe00:27f3%rl0 prefixlen 64 scopeid 0x3
inet 87.49.144.133 netmask 0xff80 broadcast 87.49.144.255
ether 00:b0:02:00:27:f3
media: Ethernet autoselect (100baseTX )
status

Re: ipf and ipnat stopped working, no routing between nics.

2006-03-31 Thread Daniel A.
Hi,
I rebooted my machine last night, and everything started working again.
But no, I didn't check that. And after I was looking at some sysctls
late last night, I did speculate about whether those you mention were
right or not.

Problem resolved, and thanks for the help :)


ps. Sorry I accidentally spammed the list. It didn't seem as if my
emails went through at the time.
On 3/31/06, Erik Norgaard <[EMAIL PROTECTED]> wrote:
> Daniel A. wrote:
> > Hi,
> > I run a FreeBSD 6.0 at home in my closet.
> > Yesterday, while I was linking IRCd services with a friend of mine, my router
> > completely stopped routing any packets between the internal nic (sis0) and
> > the external nic (rl0).
> > The only thing that I can think of, which could have caused this, is that I
> > ran ettercap on the server to diagnose why our servers wouldn't link. I did NOT
> > run any ARP poisoning or DNS spoofing attacks on myself.
> > But I didn't notice if the routing stopped at that point, or later, because I
> > could always connect to my server, and the server could always connect to the
> > internet. The situation is still the same.
> >
> > I have tried to do
> > - "ipf -Fa -f /etc/ipf.rules; ipnat -FC -f /etc/ipnat.rules" - Didn't help
> > - "cd /etc/rc.d; ./ipfilter restart; ./ipnat restart" - Didn't help
> > - Launch ettercap again and exit "cleanly" after telling it to stop 
> > sniffing.
> > A tcpdump reveals that, indeed, no packets at all make it from sis0 to rl0.
> > So my conclusion is that ipnat "forgot" how to route between the two
> > interfaces.
> >
> > Could anyone please give some pointers?
>
> did you check
>
> # sysctl -a |grep forward
>
> you should have
>
> net.inet.ip.forwarding: 1
> net.inet.ip.fastforwarding: 0
> net.inet6.ip6.forwarding: 0
>
> Erik
> --
> Ph: +34.666334818  web: www.locolomo.org
> S/MIME Certificate: www.daemonsecurity.com/ca/8D03551FFCE04F06.crt
> Subject ID:  9E:AA:18:E6:94:7A:91:44:0A:E4:DD:87:73:7F:4E:82:E7:08:9C:72
> Fingerprint: 5B:D5:1E:3E:47:E7:EC:1C:4C:C8:3A:19:CC:AE:14:F5:DF:18:0F:B9
>
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Fwd: ipf+ipnat - Routing has completely stopped

2006-03-31 Thread Daniel A.
Hi,
I run a FreeBSD 6.0 at home in my closet.
Yesterday, while I was linking IRCd services with a friend of mine, my router
completely stopped routing any packets between the internal nic (sis0) and
the external nic (rl0).
The only thing that I can think of, which could have caused this, is that I
ran ettercap on the server to diagnose why our servers wouldn't link. I did NOT
run any ARP poisoning or DNS spoofing attacks on myself.
But I didn't notice if the routing stopped at that point, or later, because I
could always connect to my server, and the server could always connect to the
internet. The situation is still the same.

I have tried to do
- "ipf -Fa -f /etc/ipf.rules; ipnat -FC -f /etc/ipnat.rules" - Didn't help
- "cd /etc/rc.d; ./ipfilter restart; ./ipnat restart" - Didn't help
- Launch ettercap again and exit "cleanly" after telling it to stop sniffing.
A tcpdump reveals that, indeed, no packets at all make it from sis0 to rl0.
So my conclusion is that ipnat "forgot" how to route between the two
interfaces.

Could anyone please give some pointers?

Included stuff:
_ipf.rules
[EMAIL PROTECTED] etc $ cat ipf.rules
# Let clients behind the firewall send out to the internet, and replies to
# come back in by keeping state.
pass out quick on rl0 proto tcp all flags S keep state
pass out quick on rl0 proto udp all keep state
pass out quick on rl0 proto icmp all keep state

# Allow everything on local net
pass in quick on sis0 all
pass out quick on sis0 all

# loopback stuff
pass in quick on lo0 all
pass out quick on lo0 all

# Since nothing should be coming from these address ranges, block them
block in quick on rl0 from 192.168.0.0/16 to any
block in quick on rl0 from 172.16.0.0/12 to any
block in quick on rl0 from 127.0.0.0/8 to any
block in quick on rl0 from 10.0.0.0/8 to any
block in quick on rl0 from 169.254.0.0/16 to any
block in quick on rl0 from 192.0.2.0/24 to any
block in quick on rl0 from 204.152.64.0/23 to any
block in quick on rl0 from 224.0.0.0/3 to any

# Let's let people access the services running behind this system

# Let's let people access the services running on this system
#pass in quick on rl0 proto tcp from any to any port 3 >< 5 flags S keep state #Passive FTP
#pass in quick on rl0 proto tcp from any to any port = 20 flags S keep state #Active FTP
#pass in quick on rl0 proto tcp from any to any port = 21 flags S keep state #FTP
pass in quick on rl0 proto tcp from any to any port = 22 flags S keep state #SSH
pass in quick on rl0 proto tcp from any to any port = 80 flags S keep state #WWW
pass in quick on rl0 proto tcp from any to any port = 113 flags S keep state #oidentd
pass in quick on rl0 proto udp from any to any port = 123 keep state #ntpd
pass in quick on rl0 proto tcp from any to any port = 6697 flags S keep state #ircd, SSL
pass in quick on rl0 proto tcp from any to any port = 6667 flags S keep state #ircd, non-SSL
#pass in quick on rl0 proto tcp from any to any port = 7029 flags S keep state #irc link

pass in quick on rl0 proto tcp from any to 192.168.0.2/32 port = 9541 keep state
pass in quick on rl0 proto udp from any to 192.168.0.2/32 port = 9542 keep state

# Steam Dedicated Server
#pass in quick on rl0 proto udp from any to any port = 1200 # Friends network
#pass in quick on rl0 proto udp from any to any port 26999 >< 27016 # Gameport
#pass in quick on rl0 proto udp from any to any port = 27020
#pass in quick on rl0 proto tcp from any to any port 27029 >< 27040
#pass in quick on rl0 proto tcp from any to any port = 27015 # SRCDS Rcon

# Block everything else
block in quick on rl0
_ipf.rules END

_ipnat.rules
#rdr rl0 0/0 port 9541 -> 192.168.0.2 port 9541 tcp
#rdr rl0 0/0 port 9542 -> 192.168.0.2 port 9542 udp
map rl0 192.168.0.0/29 -> 0/32 proxy port 21 ftp/tcp
#map rl0 0.0.0.0/0 -> 0/32 proxy port 21 ftp/tcp
map rl0 192.168.0.0/29 -> 0/32 portmap tcp/udp 1025:65000
map rl0 192.168.0.0/29 -> 0/32
_ipnat.rules END

_ifconfig -a
[EMAIL PROTECTED] etc $ ifconfig -a
fwe0: flags=108802 mtu 1500
options=8
ether 02:00:0a:04:69:d1
ch 1 dma -1
sis0: flags=8843 mtu 1500
options=8
inet6 fe80::20a:e6ff:fe53:fc1e%sis0 prefixlen 64 scopeid 0x2
inet 192.168.0.1 netmask 0xff00 broadcast 192.168.0.255
ether 00:0a:e6:53:fc:1e
media: Ethernet autoselect (100baseTX )
status: active
rl0: flags=8843 mtu 1500
options=8
inet6 fe80::2b0:2ff:fe00:27f3%rl0 prefixlen 64 scopeid 0x3
inet 87.49.144.133 netmask 0xff80 broadcast 87.49.144.255
ether 00:b0:02:00:27:f3
media: Ethernet autoselect (100baseTX )
status: active
plip0: flags=108810 mtu 1500
lo0: flags=8049 mtu 16384
inet6 ::1 prefixlen 128
  


Re: ipf and ipnat stopped working, no routing between nics.

2006-03-30 Thread Erik Norgaard

Daniel A. wrote:

Hi,
I run a FreeBSD 6.0 at home in my closet.
Yesterday, while I was linking IRCd services with a friend of mine, my router
completely stopped routing any packets between the internal nic (sis0) and
the external nic (rl0).
The only thing that I can think of, which could have caused this, is that I
ran ettercap on the server to diagnose why our servers wouldn't link. I did NOT
run any ARP poisoning or DNS spoofing attacks on myself.
But I didn't notice if the routing stopped at that point, or later, because I
could always connect to my server, and the server could always connect to the
internet. The situation is still the same.

I have tried to do
- "ipf -Fa -f /etc/ipf.rules; ipnat -FC -f /etc/ipnat.rules" - Didn't help
- "cd /etc/rc.d; ./ipfilter restart; ./ipnat restart" - Didn't help
- Launch ettercap again and exit "cleanly" after telling it to stop sniffing.
A tcpdump reveals that, indeed, no packets at all make it from sis0 to rl0.
So my conclusion is that ipnat "forgot" how to route between the two
interfaces.

Could anyone please give some pointers?


did you check

# sysctl -a |grep forward

you should have

net.inet.ip.forwarding: 1
net.inet.ip.fastforwarding: 0
net.inet6.ip6.forwarding: 0

Erik
--
Ph: +34.666334818  web: www.locolomo.org
S/MIME Certificate: www.daemonsecurity.com/ca/8D03551FFCE04F06.crt
Subject ID:  9E:AA:18:E6:94:7A:91:44:0A:E4:DD:87:73:7F:4E:82:E7:08:9C:72
Fingerprint: 5B:D5:1E:3E:47:E7:EC:1C:4C:C8:3A:19:CC:AE:14:F5:DF:18:0F:B9


ipf and ipnat stopped working, no routing between nics.

2006-03-30 Thread Daniel A.
Hi,
I run a FreeBSD 6.0 at home in my closet.
Yesterday, while I was linking IRCd services with a friend of mine, my router
completely stopped routing any packets between the internal nic (sis0) and
the external nic (rl0).
The only thing that I can think of, which could have caused this, is that I
ran ettercap on the server to diagnose why our servers wouldn't link. I did NOT
run any ARP poisoning or DNS spoofing attacks on myself.
But I didn't notice if the routing stopped at that point, or later, because I
could always connect to my server, and the server could always connect to the
internet. The situation is still the same.

I have tried to do
- "ipf -Fa -f /etc/ipf.rules; ipnat -FC -f /etc/ipnat.rules" - Didn't help
- "cd /etc/rc.d; ./ipfilter restart; ./ipnat restart" - Didn't help
- Launch ettercap again and exit "cleanly" after telling it to stop sniffing.
A tcpdump reveals that, indeed, no packets at all make it from sis0 to rl0.
So my conclusion is that ipnat "forgot" how to route between the two
interfaces.

Could anyone please give some pointers?


Attachments: ifconfig, ipf.rules, ipnat.rules (binary data)

Interaction between mpd and ipfilter/ipnat

2006-03-16 Thread Jim Hatfield

I have a FreeBSD firewall which does packet filtering and NAT.
The internal address range is 172.16.64.0/24. The only filtering
is incoming on the external NIC, fxp0.

The machine also runs mpd for remote access.

By pure chance I was tailing ipf.log when I connected an XP laptop
to the mpd service, and immediately I saw these:


Mar 16 16:57:41 inchgower ipmon[61]: 16:57:40.923619 fxp0 @0:2 b 172.16.64.168,137 -> 172.16.64.200,137 PR udp len 20 96 IN
Mar 16 16:57:42 inchgower ipmon[61]: 16:57:42.425811 fxp0 @0:2 b 172.16.64.168,137 -> 172.16.64.200,137 PR udp len 20 96 IN


172.16.64.168 is the address given out by mpd to the laptop.
172.16.64.200 is the Active Directory Domain Controller.

I'm confused as to why ipf is seeing these packets coming in on fxp0.
Surely what comes in is the GRE packet to the external NIC's address,
this is then decapsulated and the embedded packet routed on. Why does
ipf even see it, let alone block it? I would expect the source interface
to be ng0, not fxp0.

From the laptop I can ping and connect to internal machines, so most
packets are not being blocked in this way.

tcpdump also sees the packets coming in on fxp0, but I'm not convinced
they are. I guess I can only really tell if I get the switch to copy
packets to another port and monitor from there.


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
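As an added example (not from the thread), the parser below reads ipmon(8) lines in the format quoted above and flags inbound packets on the external interface whose source lies in the private and bogon ranges that the ipf.rules earlier on this page block on rl0; the first two sample lines are the ones from the post, the rest are constructed, and fxp0/ng0 are the interface names the poster mentions.

```python
"""Flag private-source packets that ipmon(8) logged on the external interface.

Added example, not from the thread. The first two sample lines are the ones
quoted in the post; the remaining lines are constructed.
"""
import ipaddress
import re

# Ranges that the ipf.rules earlier on this page block on the external NIC.
BOGONS = [ipaddress.ip_network(n) for n in (
    "192.168.0.0/16", "172.16.0.0/12", "127.0.0.0/8", "10.0.0.0/8",
    "169.254.0.0/16", "192.0.2.0/24", "204.152.64.0/23", "224.0.0.0/3",
)]

# ipmon text format: syslog prefix, kernel timestamp, interface, rule
# group:number, action letter, src,port -> dst,port, protocol, header and
# packet length, optional TCP flags, direction.
IPMON_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2}\s+\d+ [\d:]+) (?P<host>\S+) ipmon\[\d+\]: "
    r"(?P<ktime>[\d:.]+) (?P<iface>\S+) @(?P<rule>\d+:\d+) (?P<action>\S) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len (?P<hlen>\d+) (?P<plen>\d+)"
    r"(?: (?P<flags>\S+))? (?P<dir>IN|OUT)"
)


def parse_ipmon(line):
    """Return a dict of fields for one ipmon line, or None if it is not one."""
    m = IPMON_RE.search(line)
    return m.groupdict() if m else None


def find_bogon_sources(lines, external_iface, bogons=BOGONS):
    """Return (src, dst, proto, action) for inbound packets on external_iface
    whose source address lies in a bogon range.

    Such a packet should never arrive on the outside interface; the action
    letter ('b' block, 'p' pass) tells whether ipf actually stopped it.
    """
    hits = []
    for line in lines:
        rec = parse_ipmon(line)
        if rec is None or rec["iface"] != external_iface or rec["dir"] != "IN":
            continue
        src = ipaddress.ip_address(rec["src"])
        if any(src in net for net in bogons):
            hits.append((rec["src"], rec["dst"], rec["proto"], rec["action"]))
    return hits


SAMPLE = [
    # the two lines quoted in the post, re-joined onto single lines
    "Mar 16 16:57:41 inchgower ipmon[61]: 16:57:40.923619 fxp0 @0:2 b "
    "172.16.64.168,137 -> 172.16.64.200,137 PR udp len 20 96 IN",
    "Mar 16 16:57:42 inchgower ipmon[61]: 16:57:42.425811 fxp0 @0:2 b "
    "172.16.64.168,137 -> 172.16.64.200,137 PR udp len 20 96 IN",
    # constructed: ordinary inbound SSH from a documentation address, passed
    "Mar 16 16:58:01 inchgower ipmon[61]: 16:58:01.000123 fxp0 @0:9 p "
    "198.51.100.7,51234 -> 203.0.113.5,22 PR tcp len 20 60 -S IN",
    # constructed: same private source, but arriving on the mpd tunnel ng0
    "Mar 16 16:58:02 inchgower ipmon[61]: 16:58:02.000456 ng0 @0:1 p "
    "172.16.64.168,137 -> 172.16.64.200,137 PR udp len 20 96 IN",
]

if __name__ == "__main__":
    for hit in find_bogon_sources(SAMPLE, "fxp0"):
        print("bogon source on fxp0:", hit)
```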


RE: IpNat and 3 NIC

2006-01-12 Thread fbsd_user
The answer is that that is the syntax of the ipnat rules.
Read the handbook, it's all there.
vr0 is the interface facing the public internet, just like the syntax
requires.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of cedric
Gross
Sent: Thursday, January 12, 2006 10:54 AM
To: [EMAIL PROTECTED]; freebsd-questions@freebsd.org
Subject: RE: IpNat and 3 NIC


Thank you, it's working!

But why use vr0 instead of vr1 for the map instruction? Network
192.168.0.32/27 is attached to vr1, not vr0 ...

Is it an IPNat mystery or do you have an answer?

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> fbsd_user
> Sent: Thursday, January 12, 2006 16:43
> To: cedric Gross; freebsd-questions@freebsd.org
> Subject: RE: IpNat and 3 NIC
>
> You have the ipnat statements wrong.  They should be like this:
>
> map vr0 10.0.0.0/8 -> 0.32 proxy port ftp ftp/tcp
> map vr0 10.0.0.0/8 -> 0.32 portmap tcp/udp 2:6
> map vr0 10.0.0.0/8 -> 0.32
> map vr0 192.168.0.0/30 -> 0.32 portmap tcp/udp auto
> map vr0 192.168.0.32/27 -> 0.32 portmap tcp/udp auto
> map vr0 192.168.0.32/27 -> 0.32
> map vr0 192.168.0.96/27 -> 0.32 portmap tcp/udp auto
> map vr0 192.168.0.96/27 -> 0.32
> rdr xl0 0.0.0.0/0 port 80 -> 10.0.0.254 port 3128 tcp
> rdr vr1 192.168.0.32/27 port 80 -> 10.0.0.254 port 3128 tcp
> rdr vr1 192.168.0.96/27 port 80 -> 10.0.0.254 port 3128 tcp
>
> Note map vr1 has been changed to vr0
>
> If your public IP 84.96.23.106 is not dedicated to you by your ISP,
> then you should not be hard coding it in your IPnat rules.  Read the
> Freebsd ipfilter documentation in the handbook for details.
>
> 0.32 = The IP address/netmask assigned by your ISP.
>The special keyword 0.32 tells ipnat to get the current public
>IP address of the interface specified on this statement and
>substitute it for the 0.32 keyword.
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of cedric
> Gross
> Sent: Thursday, January 12, 2006 9:58 AM
> To: freebsd-questions@freebsd.org
> Subject: IpNat and 3 NIC
>
>
> Hello,
>
> I have my FreeBSD 5.4 box with 3 NIC :
>
> Xl0 LAN with network 10.0.0.0/8 and 192.168.0.0/30
> VR0 Wan 84.96.23.106/32
> VR1 LAN with network 192.168.0.32/27 and 192.168.0.96/27
>
> I use IPNAT and Ip filter.
>
> I'm doing NAT from Xl0 to Vr0, it's working fine
>
> I'm trying to do the same thing with vr1 to Vr0 but it seems that
> traffic coming from vr1 is not translated.
> Is there an interface limitation with IPNAT ?
>
> Is there a way to do translation from both NIC ?
>
> Here is my ipnat.conf :
> map vr0 10.0.0.0/8 -> 84.96.23.106/32 proxy port ftp ftp/tcp
> map vr0 10.0.0.0/8 -> 84.96.23.106/32 portmap tcp/udp 2:6
> map vr0 10.0.0.0/8 -> 84.96.23.106/32
> map vr0 192.168.0.0/30 -> 84.96.23.106/32 portmap tcp/udp auto
> map vr1 192.168.0.32/27 -> 84.96.23.106/32 portmap tcp/udp auto
> map vr1 192.168.0.32/27 -> 84.96.23.106/32
> map vr1 192.168.0.96/27 -> 84.96.23.106/32 portmap tcp/udp auto
> map vr1 192.168.0.96/27 -> 84.96.23.106/32
> rdr xl0 0.0.0.0/0 port 80 -> 10.0.0.254 port 3128 tcp
> rdr vr1 192.168.0.32/27 port 80 -> 10.0.0.254 port 3128 tcp
> rdr vr1 192.168.0.96/27 port 80 -> 10.0.0.254 port 3128 tcp
>
> Thanks for help.
> Cedric
>
>




RE: IpNat and 3 NIC

2006-01-12 Thread cedric Gross
Thank you, it's working!

But why use vr0 instead of vr1 for the map instruction? Network
192.168.0.32/27 is attached to vr1, not vr0 ...

Is it an IPNat mystery or do you have an answer?

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of fbsd_user
> Sent: Thursday, January 12, 2006 16:43
> To: cedric Gross; freebsd-questions@freebsd.org
> Subject: RE: IpNat and 3 NIC
> 
> You have the ipnat statements wrong.  They should be like this:
> 
> map vr0 10.0.0.0/8 -> 0.32 proxy port ftp ftp/tcp
> map vr0 10.0.0.0/8 -> 0.32 portmap tcp/udp 2:6
> map vr0 10.0.0.0/8 -> 0.32
> map vr0 192.168.0.0/30 -> 0.32 portmap tcp/udp auto
> map vr0 192.168.0.32/27 -> 0.32 portmap tcp/udp auto
> map vr0 192.168.0.32/27 -> 0.32
> map vr0 192.168.0.96/27 -> 0.32 portmap tcp/udp auto
> map vr0 192.168.0.96/27 -> 0.32
> rdr xl0 0.0.0.0/0 port 80 -> 10.0.0.254 port 3128 tcp
> rdr vr1 192.168.0.32/27 port 80 -> 10.0.0.254 port 3128 tcp
> rdr vr1 192.168.0.96/27 port 80 -> 10.0.0.254 port 3128 tcp
> 
> Note map vr1 has been changed to vr0
> 
> If your public IP 84.96.23.106 is not dedicated to you by your ISP,
> then you should not be hard coding it in your IPnat rules.  Read the
> Freebsd ipfilter documentation in the handbook for details.
> 
> 0.32 = The IP address/netmask assigned by your ISP.
>The special keyword 0.32 tells ipnat to get the current public
>IP address of the interface specified on this statement and
>substitute it for the 0.32 keyword.
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of cedric
> Gross
> Sent: Thursday, January 12, 2006 9:58 AM
> To: freebsd-questions@freebsd.org
> Subject: IpNat and 3 NIC
> 
> 
> Hello,
> 
> I have my FreeBSD 5.4 box with 3 NIC :
> 
> Xl0 LAN with network 10.0.0.0/8 and 192.168.0.0/30
> VR0 Wan 84.96.23.106/32
> VR1 LAN with network 192.168.0.32/27 and 192.168.0.96/27
> 
> I use IPNAT and Ip filter.
> 
> I'm doing NAT from Xl0 to Vr0, it's working fine
> 
> I'm trying to do the same thing with vr1 to Vr0 but it seems that
> traffic coming from vr1 is not translated.
> Is there an interface limitation with IPNAT ?
> 
> Is there a way to do translation from both NIC ?
> 
> Here is my ipnat.conf :
> map vr0 10.0.0.0/8 -> 84.96.23.106/32 proxy port ftp ftp/tcp
> map vr0 10.0.0.0/8 -> 84.96.23.106/32 portmap tcp/udp 2:6
> map vr0 10.0.0.0/8 -> 84.96.23.106/32
> map vr0 192.168.0.0/30 -> 84.96.23.106/32 portmap tcp/udp auto
> map vr1 192.168.0.32/27 -> 84.96.23.106/32 portmap tcp/udp auto
> map vr1 192.168.0.32/27 -> 84.96.23.106/32
> map vr1 192.168.0.96/27 -> 84.96.23.106/32 portmap tcp/udp auto
> map vr1 192.168.0.96/27 -> 84.96.23.106/32
> rdr xl0 0.0.0.0/0 port 80 -> 10.0.0.254 port 3128 tcp
> rdr vr1 192.168.0.32/27 port 80 -> 10.0.0.254 port 3128 tcp
> rdr vr1 192.168.0.96/27 port 80 -> 10.0.0.254 port 3128 tcp
> 
> Thanks for help.
> Cedric
> 
> 




RE: IpNat and 3 NIC

2006-01-12 Thread fbsd_user
You have the ipnat statements wrong.  They should be like this:

map vr0 10.0.0.0/8 -> 0.32 proxy port ftp ftp/tcp
map vr0 10.0.0.0/8 -> 0.32 portmap tcp/udp 2:6
map vr0 10.0.0.0/8 -> 0.32
map vr0 192.168.0.0/30 -> 0.32 portmap tcp/udp auto
map vr0 192.168.0.32/27 -> 0.32 portmap tcp/udp auto
map vr0 192.168.0.32/27 -> 0.32
map vr0 192.168.0.96/27 -> 0.32 portmap tcp/udp auto
map vr0 192.168.0.96/27 -> 0.32
rdr xl0 0.0.0.0/0 port 80 -> 10.0.0.254 port 3128 tcp
rdr vr1 192.168.0.32/27 port 80 -> 10.0.0.254 port 3128 tcp
rdr vr1 192.168.0.96/27 port 80 -> 10.0.0.254 port 3128 tcp

Note map vr1 has been changed to vr0

If your public IP 84.96.23.106 is not dedicated to you by your ISP,
then you should not be hard coding it in your IPnat rules.  Read the
Freebsd ipfilter documentation in the handbook for details.

0.32 = The IP address/netmask assigned by your ISP.
   The special keyword 0.32 tells ipnat to get the current public
   IP address of the interface specified on this statement and
   substitute it for the 0.32 keyword.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of cedric
Gross
Sent: Thursday, January 12, 2006 9:58 AM
To: freebsd-questions@freebsd.org
Subject: IpNat and 3 NIC


Hello,

I have my FreeBSD 5.4 box with 3 NIC :

Xl0 LAN with network 10.0.0.0/8 and 192.168.0.0/30
VR0 Wan 84.96.23.106/32
VR1 LAN with network 192.168.0.32/27 and 192.168.0.96/27

I use IPNAT and Ip filter.

I'm doing NAT from Xl0 to Vr0, it's working fine

I'm trying to do the same thing with vr1 to Vr0 but it seems that
traffic coming from vr1 is not translated.
Is there an interface limitation with IPNAT ?

Is there a way to do translation from both NIC ?

Here is my ipnat.conf :
map vr0 10.0.0.0/8 -> 84.96.23.106/32 proxy port ftp ftp/tcp
map vr0 10.0.0.0/8 -> 84.96.23.106/32 portmap tcp/udp 2:6
map vr0 10.0.0.0/8 -> 84.96.23.106/32
map vr0 192.168.0.0/30 -> 84.96.23.106/32 portmap tcp/udp auto
map vr1 192.168.0.32/27 -> 84.96.23.106/32 portmap tcp/udp auto
map vr1 192.168.0.32/27 -> 84.96.23.106/32
map vr1 192.168.0.96/27 -> 84.96.23.106/32 portmap tcp/udp auto
map vr1 192.168.0.96/27 -> 84.96.23.106/32
rdr xl0 0.0.0.0/0 port 80 -> 10.0.0.254 port 3128 tcp
rdr vr1 192.168.0.32/27 port 80 -> 10.0.0.254 port 3128 tcp
rdr vr1 192.168.0.96/27 port 80 -> 10.0.0.254 port 3128 tcp

Thanks for help.
Cedric



___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
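As an added illustration (not code from the thread and not ipnat's own logic), a small Python model of how ipnat picks a map rule for an outgoing packet: rules are consulted only for the interface the packet leaves on, which is why the map vr1 lines above translated nothing. Rule matching is simplified to first match; the vr1 address 192.168.0.33 and the LAN host 192.168.0.40 are constructed values.

```python
"""Simplified model of how ipnat chooses a 'map' rule for an outgoing packet.

Added example; this is neither ipnat's code nor code from the thread. It
models the one property the thread turns on: a 'map' rule is consulted only
for packets LEAVING the interface named in the rule, so 'map vr1 ...' is
never examined for traffic exiting through the WAN interface vr0.
Rule order is first match.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Assumed interface addresses: vr0 is the WAN address quoted in the thread,
# vr1's own address on the 192.168.0.32/27 LAN is a constructed value.
IFACE_ADDR = {
    "vr0": ipaddress.ip_address("84.96.23.106"),
    "vr1": ipaddress.ip_address("192.168.0.33"),
}

MAP_RE = re.compile(r"^map\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s*(.*)$")


@dataclass
class MapRule:
    iface: str                   # packet must be leaving on this interface
    src: ipaddress.IPv4Network   # internal source range to translate
    target: str                  # "0/32" = current address of iface
    protos: Optional[set]        # None = any protocol
    dport: Optional[int]         # set only for 'proxy port' rules


def parse_map_rules(text: str) -> list:
    """Parse 'map' lines; 'rdr' lines (inbound redirects) are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        m = MAP_RE.match(line)
        if not line or line.startswith("#") or not m:
            continue
        iface, src, target, opts = m.groups()
        protos, dport = None, None
        pm = re.search(r"portmap\s+(\S+)", opts)
        if pm:                       # 'portmap tcp/udp ...' -> {tcp, udp}
            protos = set(pm.group(1).split("/"))
        px = re.search(r"proxy\s+port\s+(\S+)\s+\S+/(\S+)", opts)
        if px:                       # 'proxy port ftp ftp/tcp' -> tcp/21 only
            dport = 21 if px.group(1) == "ftp" else int(px.group(1))
            protos = {px.group(2)}
        rules.append(MapRule(iface, ipaddress.ip_network(src, strict=False),
                             target, protos, dport))
    return rules


def translate(rules, out_iface, src_ip, proto="tcp", dport=80):
    """Return (translated_src, rule_index) for a packet leaving out_iface.

    rule_index is None when nothing matched: the packet leaves untouched with
    its private source address, and no reply can find its way back.
    """
    src = ipaddress.ip_address(src_ip)
    for i, r in enumerate(rules):
        if r.iface != out_iface or src not in r.src:
            continue
        if r.protos is not None and proto not in r.protos:
            continue
        if r.dport is not None and dport != r.dport:
            continue
        if r.target == "0/32":
            new_src = IFACE_ADDR[out_iface]
        else:
            new_src = ipaddress.ip_network(r.target, strict=False).network_address
        return str(new_src), i
    return str(src), None


# Constructed rule sets: the poster's original 'map vr1' lines beside the
# corrected 'map vr0' lines (hard-coded WAN address replaced by 0/32).
BROKEN = """
map vr0 10.0.0.0/8 -> 84.96.23.106/32
map vr1 192.168.0.32/27 -> 84.96.23.106/32 portmap tcp/udp auto
map vr1 192.168.0.32/27 -> 84.96.23.106/32
"""
FIXED = """
map vr0 10.0.0.0/8 -> 0/32
map vr0 192.168.0.32/27 -> 0/32 portmap tcp/udp auto
map vr0 192.168.0.32/27 -> 0/32
"""

if __name__ == "__main__":
    host = "192.168.0.40"        # constructed host on the vr1 LAN
    for name, text in (("broken", BROKEN), ("fixed", FIXED)):
        rules = parse_map_rules(text)
        print(name, translate(rules, "vr0", host, "tcp", 80),
              translate(rules, "vr0", host, "icmp", 0))
```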


IpNat and 3 NIC

2006-01-12 Thread cedric Gross
Hello,

I have my FreeBSD 5.4 box with 3 NIC :

Xl0 LAN with network 10.0.0.0/8 and 192.168.0.0/30
VR0 Wan 84.96.23.106/32
VR1 LAN with network 192.168.0.32/27 and 192.168.0.96/27

I use IPNAT and Ip filter.

I'm doing NAT from Xl0 to Vr0, it's working fine

I'm trying to do the same thing with vr1 to Vr0 but it seems that traffic
coming from vr1 is not translated.
Is there an interface limitation with IPNAT ?

Is there a way to do translation from both NIC ?

Here is my ipnat.conf :
map vr0 10.0.0.0/8 -> 84.96.23.106/32 proxy port ftp ftp/tcp
map vr0 10.0.0.0/8 -> 84.96.23.106/32 portmap tcp/udp 2:6
map vr0 10.0.0.0/8 -> 84.96.23.106/32
map vr0 192.168.0.0/30 -> 84.96.23.106/32 portmap tcp/udp auto
map vr1 192.168.0.32/27 -> 84.96.23.106/32 portmap tcp/udp auto
map vr1 192.168.0.32/27 -> 84.96.23.106/32
map vr1 192.168.0.96/27 -> 84.96.23.106/32 portmap tcp/udp auto
map vr1 192.168.0.96/27 -> 84.96.23.106/32
rdr xl0 0.0.0.0/0 port 80 -> 10.0.0.254 port 3128 tcp
rdr vr1 192.168.0.32/27 port 80 -> 10.0.0.254 port 3128 tcp
rdr vr1 192.168.0.96/27 port 80 -> 10.0.0.254 port 3128 tcp

Thanks for help.
Cedric




Re: ipnat -CF -f /etc/ipnat.rules

2006-01-04 Thread perikillo
On 1/3/06, fbsd_user <[EMAIL PROTECTED]> wrote:
>
> On 1/2/06, fbsd_user <[EMAIL PROTECTED]> wrote:
> > I see "tun" in your ipnat rule.
> > That means you are using ppp for phone dialup connection.
> > Every time you lose your phone connection you get different IP from
> > your ISP.
> > Use NAT function of PPP and not ipnat and your problem will go away.
> >
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] Behalf Of caleb
> > Sent: Friday, December 30, 2005 9:16 PM
> > To: freebsd-questions@freebsd.org
> > Subject: ipnat -CF -f /etc/ipnat.rules
> >
> >
> > Hi everyone,
> > I have just put together a router/firewall using 5.4
> > RELEASE
> > and IPFILTER. Everything is working fine except I have to manually flush
> > the NAT table every time the router boots. below is my rc.conf and
> > ipnat.rules, I have used rc.conf to start everything at boot;
> >
> > /* rc.conf */
> >
> > gateway_enable="YES"
> > sshd_enable="YES"
> > ifconfig_rl1="inet 10.0.0.1 netmask 255.255.255.0"
> > ifconfig_rl0="inet 192.168.0.1 netmask 255.255.255.0"
> > hostname="tweak"
> > ipfilter_enable="YES"
> > ipfilter_rules="/etc/ipf.rules"
> > ipmon_enable="YES"
> > ipmon_flags="-Ds"
> > ipnat_enable="YES"
> > ipnat_rules="/etc/ipnat.rules"
> > ppp_enable="YES"
> > ppp_mode="ddial"
> > ppp_nat="NO"
> > ppp_profile="netspace"
> > ppp_user="root"
> >
> > /* ipnat.rules */
> >
> > map tun0 192.168.0.0/24 -> 0/32
> >
> >
> > Is there something I am missing? I do not think it is ipf, as I have
> > configured it to allow everything in and out. Could you please CC me if
> > you decide to help.
> >
> > Thank you,
> >
> > caleb
> > --
> >
> >
>
> Well, I use the PPPoE protocol; I have never tried the same ppp program to
> handle the NAT thing. Then do I disable ipnat, or what...? I need to
> understand this very clearly.
>
> Thanks for your tip.
>
> You are not configured correctly. This statement
>  ifconfig_rl0="inet 192.168.0.1 netmask 255.255.255.0"
> is forcing that IP addr to be used and it's wrong.
> You have to get the IP assigned by your ISP.
> Follow this example.  Which means you can use ipnat or ppp nat.
>
>   start of ppp.conf  ###
> default:
>
>  set log Phase tun             # use to avoid excessive log sizes
>  set timeout 0                 # no idle time out, will not disconnect
>
> dialisp:
>  set device PPPoE:XXX          # replace xxx with your NIC device name
>  set authname YOURLOGINNAME    # Replace with your ISP account username
>  set authkey YOURPASSWORD      # Replace with your ISP account password
>  add default HISADDR           # Add a (sticky) default route (Mandatory)
>  enable dns                    # Gets the ISP's DNS IP address & places them
>                                # in resolv.conf for reference by FBSD box.
>
> ###   End of ppp.conf
> #
>
>
> Replace the XXX in the [set device PPPoE:XXX] statement with the
> NIC's FBSD interface name. Sometimes it will be necessary to use a
> service tag to establish your connection depending on how your ISP
> and/or the phone company has its DSL network configured. Service
> tags are used to distinguish between different PPPoE servers
> attached to a given network. You should have been given any required
> service tag information in the documentation provided by your ISP.
> If you cannot locate it there, ask your ISP's tech support
> personnel. This is the format of the command with the service tag
> added:
>
> set device PPPoE::service_tag(in your case  = rl0)
>
> The  is the FBSD interface name used by PPPoE. The interface
> must be UP (IE: enabled). It is only used as a transport, and does
> not need to be assigned an IP address. This can be done
> automatically at boot time by updating the /etc/rc.conf file. The
> format of the statement to add is ifconfig_=up where  is the
> NIC's FBSD interface name used by PPPoE that you specified 

RE: ipnat -CF -f /etc/ipnat.rules

2006-01-03 Thread fbsd_user

On 1/2/06, fbsd_user <[EMAIL PROTECTED]> wrote:
> I see "tun" in your ipnat rule.
> That means you are using ppp for phone dialup connection.
> Every time you lose your phone connection you get different IP
from
> your ISP.
> Use NAT function of PPP and not ipnat and your problem will go
away.
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of caleb
> Sent: Friday, December 30, 2005 9:16 PM
> To: freebsd-questions@freebsd.org
> Subject: ipnat -CF -f /etc/ipnat.rules
>
>
> Hi everyone,
> I have just put together a router/firewall using 5.4
> RELEASE
> and IPFILTER. Everything is working fine except I have to manually
> flush
> the NAT table every time the router boots. below is my rc.conf and
> ipnat.rules, I have used rc.conf to start everything at boot;
>
> /* rc.conf */
>
> gateway_enable="YES"
> sshd_enable="YES"
> ifconfig_rl1="inet 10.0.0.1 netmask 255.255.255.0"
> ifconfig_rl0="inet 192.168.0.1 netmask 255.255.255.0"
> hostname="tweak"
> ipfilter_enable="YES"
> ipfilter_rules="/etc/ipf.rules"
> ipmon_enable="YES"
> ipmon_flags="-Ds"
> ipnat_enable="YES"
> ipnat_rules="/etc/ipnat.rules"
> ppp_enable="YES"
> ppp_mode="ddial"
> ppp_nat="NO"
> ppp_profile="netspace"
> ppp_user="root"
>
> /* ipnat.rules */
>
> map tun0 192.168.0.0/24 -> 0/32
>
>
> Is there something I am missing? I do not think it is ipf, as I
have
> configured it to allow everything in and out. Could you please CC
me
> if
> you decide to help.
>
> Thankyou,
>
> caleb
> --
>
>

   Well, I use the PPPoE protocol; I have never tried the same ppp program
to handle the NAT thing. Then I disable ipnat, or what...? I need to
understand this very clearly.

   Thanks for your tip.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to
"[EMAIL PROTECTED]"

You are not configured correctly. This statement
 ifconfig_rl0="inet 192.168.0.1 netmask 255.255.255.0"
is forcing that IP addr to be used and it's wrong.
You have to get the IP assigned by your ISP.
Follow this example.  Which means you can use ipnat or ppp nat.

  start of ppp.conf  ###
default:

 set log Phase tun # use to avoid excessive log sizes
 set timeout 0 # no idle time out, will not disconnect

dialisp:
 set device PPPoE:XXX  # replace XXX with your NIC device name
 set authname YOURLOGINNAME # Replace with your ISP account username
 set authkey YOURPASSWORD   # Replace with your ISP account password
 add default HISADDR        # Add a (sticky) default route (Mandatory)
 enable dns # Gets the ISP's DNS IP address & places them
            # in resolv.conf for reference by FBSD box.

###   End of ppp.conf   #


Replace the XXX in the [set device PPPoE:XXX] statement with the
NIC's FBSD interface name. Sometimes it will be necessary to use a
service tag to establish your connection depending on how your ISP
and/or the phone company has its DSL network configured. Service
tags are used to distinguish between different PPPoE servers
attached to a given network. You should have been given any required
service tag information in the documentation provided by your ISP.
If you cannot locate it there, ask your ISP's tech support
personnel. This is the format of the command with the service tag
added:

set device PPPoE:XXX:service_tag (in your case XXX = rl0)

The XXX is the FBSD interface name used by PPPoE. The interface
must be UP (IE: enabled). It is only used as a transport, and does
not need to be assigned an IP address. This can be done
automatically at boot time by updating the /etc/rc.conf file. The
format of the statement to add is ifconfig_XXX=up where XXX is the
NIC's FBSD interface name used by PPPoE that you specified in the
/etc/ppp/ppp.conf file.


ee /etc/rc.conf # add following statements

ifconfig_XXX=up # (in your case XXX = rl0)

ifconfig_tun0="DHCP" # get your ISP assigned IP address



To setup user ppp to dial your ISP automatically at FBSD boot time,
you have to add the following statements to the rc.conf file. The
ddial option means to redial every time the connection to the ISP
gets dropped.

ee /etc/rc.conf


# Activate user ppp auto start at boot time
ppp_enable="YES" # Start User PPP task
ppp_mode="ddial" # ddial, auto, background
ppp_profile="dialisp"# section in ppp.conf to exec

#ppp_nat="YES"   # only if you have LAN behind this PC.

# deactivate ipfilter Nat function (comment statements out)

#ipnat_enable="YES"
#ipnat_rules="/etc/ipnat.rules"



Re: ipnat -CF -f /etc/ipnat.rules

2006-01-02 Thread perikillo
On 1/2/06, fbsd_user <[EMAIL PROTECTED]> wrote:
> I see "tun" in your ipnat rule.
> That means you are using ppp for phone dialup connection.
> Every time you lose your phone connection you get different IP from
> your ISP.
> Use NAT function of PPP and not ipnat and your problem will go away.
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of caleb
> Sent: Friday, December 30, 2005 9:16 PM
> To: freebsd-questions@freebsd.org
> Subject: ipnat -CF -f /etc/ipnat.rules
>
>
> Hi everyone,
> I have just put together a router/firewall using 5.4
> RELEASE
> and IPFILTER. Everything is working fine except I have to manually
> flush
> the NAT table every time the router boots. below is my rc.conf and
> ipnat.rules, I have used rc.conf to start everything at boot;
>
> /* rc.conf */
>
> gateway_enable="YES"
> sshd_enable="YES"
> ifconfig_rl1="inet 10.0.0.1 netmask 255.255.255.0"
> ifconfig_rl0="inet 192.168.0.1 netmask 255.255.255.0"
> hostname="tweak"
> ipfilter_enable="YES"
> ipfilter_rules="/etc/ipf.rules"
> ipmon_enable="YES"
> ipmon_flags="-Ds"
> ipnat_enable="YES"
> ipnat_rules="/etc/ipnat.rules"
> ppp_enable="YES"
> ppp_mode="ddial"
> ppp_nat="NO"
> ppp_profile="netspace"
> ppp_user="root"
>
> /* ipnat.rules */
>
> map tun0 192.168.0.0/24 -> 0/32
>
>
> Is there something I am missing? I do not think it is ipf, as I have
> configured it to allow everything in and out. Could you please CC me
> if
> you decide to help.
>
> Thankyou,
>
> caleb
> --
> There is no spoon

   Well, I use the PPPoE protocol; I have never tried the same ppp program to
handle the NAT thing. Then I disable ipnat, or what...? I need to
understand this very clearly.

   Thanks for your tip.


RE: ipnat -CF -f /etc/ipnat.rules

2006-01-02 Thread fbsd_user
I see "tun" in your ipnat rule.
That means you are using ppp for a phone dialup connection.
Every time you lose your phone connection you get a different IP from
your ISP.
Use the NAT function of PPP and not ipnat and your problem will go away.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of caleb
Sent: Friday, December 30, 2005 9:16 PM
To: freebsd-questions@freebsd.org
Subject: ipnat -CF -f /etc/ipnat.rules


Hi everyone,
I have just put together a router/firewall using 5.4
RELEASE
and IPFILTER. Everything is working fine except I have to manually
flush
the NAT table every time the router boots. below is my rc.conf and
ipnat.rules, I have used rc.conf to start everything at boot;

/* rc.conf */

gateway_enable="YES"
sshd_enable="YES"
ifconfig_rl1="inet 10.0.0.1 netmask 255.255.255.0"
ifconfig_rl0="inet 192.168.0.1 netmask 255.255.255.0"
hostname="tweak"
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"
ipmon_enable="YES"
ipmon_flags="-Ds"
ipnat_enable="YES"
ipnat_rules="/etc/ipnat.rules"
ppp_enable="YES"
ppp_mode="ddial"
ppp_nat="NO"
ppp_profile="netspace"
ppp_user="root"

/* ipnat.rules */

map tun0 192.168.0.0/24 -> 0/32


Is there something I am missing? I do not think it is ipf, as I have
configured it to allow everything in and out. Could you please CC me
if
you decide to help.

Thankyou,

caleb
--
There is no spoon


Re: ipnat -CF -f /etc/ipnat.rules

2006-01-01 Thread perikillo
On 1/1/06, Parv <[EMAIL PROTECTED]> wrote:
> in message <[EMAIL PROTECTED]>,
> wrote perikillo thusly...
> >
> > root#chmod +x /etc/rc.d/ipnat.rules
>
> Why did you need to add execute bit for the rules?
>
>
>   - Parv
>
> --
>
>
   Hi Parv.
 No, the file name is ipnat.bug; I made one mistake here. The
rules stay in /etc. Happy New Year!!!


Re: ipnat -CF -f /etc/ipnat.rules

2006-01-01 Thread Parv
in message <[EMAIL PROTECTED]>,
wrote perikillo thusly...
>
> root#chmod +x /etc/rc.d/ipnat.rules

Why did you need to add execute bit for the rules?


  - Parv

-- 



Re: ipnat -CF -f /etc/ipnat.rules

2005-12-31 Thread perikillo
On 12/30/05, Ruben Bloemgarten <[EMAIL PROTECTED]> wrote:
> Hi Caleb,
>
> Add ipfs_enable="YES".
>
> Regards,
> Ruben
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of caleb
> Sent: December 31, 2005 3:16 AM
> To: freebsd-questions@freebsd.org
> Subject: ipnat -CF -f /etc/ipnat.rules
>
> Hi everyone,
> I have just put together a router/firewall using 5.4 RELEASE
> and IPFILTER. Everything is working fine except I have to manually flush
> the NAT table every time the router boots. below is my rc.conf and
> ipnat.rules, I have used rc.conf to start everything at boot;
>
> /* rc.conf */
>
> gateway_enable="YES"
> sshd_enable="YES"
> ifconfig_rl1="inet 10.0.0.1 netmask 255.255.255.0"
> ifconfig_rl0="inet 192.168.0.1 netmask 255.255.255.0"
> hostname="tweak"
> ipfilter_enable="YES"
> ipfilter_rules="/etc/ipf.rules"
> ipmon_enable="YES"
> ipmon_flags="-Ds"
> ipnat_enable="YES"
> ipnat_rules="/etc/ipnat.rules"
> ppp_enable="YES"
> ppp_mode="ddial"
> ppp_nat="NO"
> ppp_profile="netspace"
> ppp_user="root"
>
> /* ipnat.rules */
>
> map tun0 192.168.0.0/24 -> 0/32
>
>
> Is there something I am missing? I do not think it is ipf, as I have
> configured it to allow everything in and out. Could you please CC me if
> you decide to help.
>
> Thankyou,
>
> caleb
> --
> There is no spoon
>
>
> --
> No virus found in this incoming message.
> Checked by AVG Free Edition.
> Version: 7.1.371 / Virus Database: 267.14.9/216 - Release Date: 12/29/2005
>
>
>
>
  Hi Ruben, months ago I didn't find how to fix that problem; if I
remember, it was a little bug in ipfilter. I tried a lot of changes on
the system. Right now I was setting up ipfilter on another box, fresh
installation:

*freebsd 5.4-p8
*ipf v3.4.35

   I tried your tip, but it didn't work. I was thinking that maybe
secure_level = 2 was the problem, but no, I lowered it to 1 and it still
didn't work.

  Then the only solution I found before was to create one simple
script to reload ipnat:

ee /etc/rc.d/ipnat.bug

#!/bin/sh
   echo "Fix ipnat bug"
   ipnat -FC -f /etc/ipnat.rules

root#chmod +x /etc/rc.d/ipnat.rules

   Now I don't need to manually reload ipnat every time I restart
the system; I hope that this little problem will be fixed in FreeBSD
6.0.

  Hi Caleb, these are my ipnat rules, hope they help you:

map tun0 0/0 -> 0/32 proxy port ftp ftp/tcp
map tun0 0/0 -> 0/32 portmap tcp/udp 2:4
map tun0 0/0 -> 0/32

Good day to all and Happy New Year BSD people!!!

