different ipfw/natd prob
i have a slightly different ipfw/natd problem.

machines on the lan can ping internal nic on the server (fbsd 4.7), and the external nic, but can not ping or reach anything outside. unless i telnet into the server, then telnet out.

currently running ipfw open until problem is solved.

server can ping all machines on lan.

stephen

To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-questions" in the body of the message
Re: different ipfw/natd prob
Stephen D. Kingrea wrote:
> i have a slightly different ipfw/natd problem.
> machines on the lan can ping internal nic on the server (fbsd 4.7), and the external nic, but can not ping or reach anything outside. unless i telnet into the server, then telnet out.
> currently running ipfw open until problem is solved.
> server can ping all machines on lan.

On a wild guess, it sounds like your divert rule is wrong. Need more information to help with this. Please repost to the list and include the following:

The output of 'ipfw show'
The output of 'ifconfig'
The contents of your rc.conf file

--
Bill Moran
Potential Technologies
http://www.potentialtech.com
Re: different ipfw/natd prob
oh, this looks bad

before i do that, i should mention that in the meantime, i tried to add a divert rule and got

    ip_fw_ctl: invalid command

on boot, i get

    IP packet filtering initialized, divert disabled, rule-based forwarding enabled, default to deny, logging disabled

is this a clue that i need to rebuild kernel?

stephen d. kingrea

On Fri, 17 Jan 2003, Bill Moran wrote:
> On a wild guess, it sounds like your divert rule is wrong. Need more information to help with this. Please repost to the list and include the following:
> The output of 'ipfw show'
> The output of 'ifconfig'
> The contents of your rc.conf file
Re: different ipfw/natd prob
following is rc.conf, /etc/natd.conf, ifconfig, ipfw show

rc.conf

inetd_enable=YES
kern_securelevel_enable=NO
linux_enable=YES
tcp_extensions=YES
named_enable=YES
sendmail_enable=NO
portmap_enable=YES
router_enable=yes
router=/sbin/routed
router_flags=-q
defaultrouter=68.abc.de.1
hostname=www.kingrea.com
network_interfaces=lo0 fxp0 dc0
ifconfig_lo0=inet 127.0.0.1
ifconfig_dc0=inet 68.abc.de.14 netmask 255.255.255.0 media 10baseT/UTP
ifconfig_fxp0=inet 192.168.2.1 netmask 255.255.255.0
firewall_enable=YES
firewall_type=OPEN
gateway_enable=YES
natd_enable=YES
natd_interface=dc0
natd_flags=-f /etc/natd.conf

natd.conf

interface dc0
use_sockets yes
same_ports yes

ifconfig

dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 68.abc.de.14 netmask 0xff00 broadcast 68.abc.de.255
        inet6 fe80::204:5aff:fe5a:9987%dc0 prefixlen 64 scopeid 0x1
        ether 00:04:5a:5a:99:87
        media: Ethernet 10baseT/UTP
        status: active
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.2.1 netmask 0xff00 broadcast 192.168.2.255
        inet6 fe80::2a0:c9ff:fe5c:3738%fxp0 prefixlen 64 scopeid 0x2
        ether 00:a0:c9:5c:37:38
        media: Ethernet autoselect (100baseTX)
        status: active
lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
faith0: flags=8002<BROADCAST,MULTICAST> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
        inet 127.0.0.1 netmask 0xff00
ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552

ipfw show

00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
65000 4208345040 all ip from any to any
65535 0 0 deny ip from any to any

thanks for assistance!

stephen d. kingrea

On Fri, 17 Jan 2003, Bill Moran wrote:
> On a wild guess, it sounds like your divert rule is wrong. Need more information to help with this. Please repost to the list and include the following:
> The output of 'ipfw show'
> The output of 'ifconfig'
> The contents of your rc.conf file
Re: different ipfw/natd prob
Here's what I did that worked for me on FreeBSD 4.5-RELEASE. Maybe this will help you some.

Kernel recompile options I added:

options IPFIREWALL                      # I added for firewall
options IPFIREWALL_DEFAULT_TO_ACCEPT    # I added for firewall
options IPFIREWALL_VERBOSE              # I added for firewall
options IPFIREWALL_VERBOSE_LIMIT=10     # I added for firewall
options IPFIREWALL_DEFAULT_TO_ACCEPT    # I added for firewall
options IPFIREWALL_FORWARD              # I added for firewall
options IPDIVERT                        # I added for natd

ipfw rules:

/sbin/ipfw add 100 pass all from 127.0.0.1 to 127.0.0.1
/sbin/ipfw add 200 divert natd all from any to any via rl0

ifconfig:

xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=3<rxcsum,txcsum>
        inet 192.168.0.1 netmask 0xff00 broadcast 192.168.0.255
        inet6 fe80::201:2ff:fee8:2298%xl0 prefixlen 64 scopeid 0x1
        ether 00:01:02:e8:22:98
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 24.xx.xxx.61 netmask 0xfe00 broadcast 24..xxx.255
        inet6 fe80::250:bfff:fe51:5503%rl0 prefixlen 64 scopeid 0x2
        ether 00:50:bf:51:55:03
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active

rc.conf:

gateway_enable=YES
firewall_enable=YES
firewall_type=OPEN
natd_enable=YES
natd_interface=rl0
natd_flags=-f /etc/natd.cf
hostname=mygatewayhost
ifconfig_rl0=inet 24.121.16.61 netmask 255.255.254.0
ifconfig_xl0=inet 192.168.0.1 netmask 255.255.255.0

WillyB

[EMAIL PROTECTED] wrote:
> following is rc.conf, /etc/natd.conf, ifconfig, ipfw show
> [rc.conf, natd.conf, ifconfig and ipfw show output as posted above]
RE: different ipfw/natd prob
Do you really have named Domain server configured? If not remove

named_enable=YES

If you really do not want sendmail it should be

sendmail_enable=NONE

From your description I see no reason for any of the router_ options.

You don't need this either:

network_interfaces=lo0 fxp0 dc0
ifconfig_lo0=inet 127.0.0.1

Your rule set is missing the divert rule to send all packets to ipfw's built-in nat function interface module.

allow ip from any to any via lo0
divert natd all from any to any via dc0    (add this rule)
allow all ip from any to any
deny ip from any to any

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Stephen D. Kingrea
Sent: Friday, January 17, 2003 8:53 AM
To: Bill Moran
Cc: [EMAIL PROTECTED]
Subject: Re: different ipfw/natd prob

> following is rc.conf, /etc/natd.conf, ifconfig, ipfw show
> [rc.conf, natd.conf, ifconfig and ipfw show output as posted above]
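An added check, not from this thread or any of its posters, that does mechanically what the replies above did by eye: it scans an `ipfw show` listing for a divert rule on the NAT interface that is not shadowed by an earlier catch-all allow, and reads the ipfw boot banner for the "divert disabled" wording that means the kernel lacks IPDIVERT. The listings are constructed to match the one posted above; the 8668 divert port shown for the added rule is natd's default.

```shell
# Added audit helper (not from the thread): does an `ipfw show` listing
# divert NAT-interface traffic to natd, and can the kernel divert at all?

# Constructed sample modelled on the listing posted in this thread:
# there is no divert rule, so natd never sees a packet.
IPFW_BEFORE='00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
65000 0 0 allow ip from any to any
65535 0 0 deny ip from any to any'

# Constructed sample with the suggested rule added before the catch-all
# (ipfw show prints natd's divert port, 8668, rather than the name).
IPFW_AFTER='00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00400 0 0 divert 8668 ip from any to any via dc0
65000 0 0 allow ip from any to any
65535 0 0 deny ip from any to any'

# check_divert LISTING IFACE
#   0: a divert rule on IFACE comes before the first unrestricted allow
#   1: no divert rule on IFACE at all
#   2: divert rule present but shadowed by an earlier catch-all allow
check_divert() {
    divert_no=$(printf '%s\n' "$1" | awk -v i="$2" \
        '$4 == "divert" && $(NF-1) == "via" && $NF == i { print $1; exit }')
    catchall_no=$(printf '%s\n' "$1" | awk \
        'NF == 9 && $4 == "allow" && $5 == "ip" && $7 == "any" && $9 == "any" { print $1; exit }')
    [ -n "$divert_no" ] || return 1
    if [ -n "$catchall_no" ] && [ "$catchall_no" -lt "$divert_no" ]; then
        return 2
    fi
    return 0
}

# kernel_has_divert BOOTLINE
# The ipfw boot banner reports "divert disabled" when the kernel was built
# without IPDIVERT; `ipfw add divert ...` then fails as reported above.
kernel_has_divert() {
    case "$1" in
        *"divert disabled"*) return 1 ;;
        *"divert enabled"*)  return 0 ;;
        *) return 2 ;;   # not an ipfw banner line
    esac
}
check_divert "$IPFW_BEFORE" dc0 || echo "before: divert rule problem, rc=$?"
check_divert "$IPFW_AFTER" dc0 && echo "after: natd divert rule in place"
```

On a live 4.x box the listing comes from `ipfw show` and the banner from `dmesg`; feed them in as the first argument.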
Re: different ipfw/natd prob
Stephen D. Kingrea wrote:
> oh, this looks bad
> before i do that, i should mention that in the meantime, i tried to add a divert rule and got
>     ip_fw_ctl: invalid command
> on boot, i get
>     IP packet filtering initialized, divert disabled, rule-based forwarding enabled, default to deny, logging disabled

Sounds like you need to recompile your kernel with IPDIVERT (as someone else pointed out)

--
Bill Moran
Potential Technologies
http://www.potentialtech.com
Re: different ipfw/natd prob
i agree. it does seem that i need to recompile:

www# ipfw add diver natd all from any to any via dc0
ip_fw_ctl: invalid command
ipfw: getsockopt(IP_FW_ADD): Invalid argument

would seem to indicate this.. i shall commence, as per yours and JoeB's suggestion and report back

thank you both

stephen d. kingrea

On Fri, 17 Jan 2003, Bill Moran wrote:
> Sounds like you need to recompile your kernel with IPDIVERT (as someone else pointed out)