ipfw+natd port forward does not work as intended
Hi all,

I'm on 192.168.1.62, the server is running on 192.168.1.3 and listens on port 1234. I want any connection going out of my machine to port 1234 to be port forwarded to 192.168.1.3:1234. But when I attempt to connect to 192.168.1.1:1234, natd shows the following verbose message:

    natd[2051]: Aliasing to 192.168.1.62, mtu 1500 bytes
    Out {default}[TCP] [TCP] 192.168.1.62:45642 - 192.168.1.1:1234 aliased to [TCP] 192.168.1.62:45642 - 192.168.1.1:1234

This is FreeBSD 8.1-RELEASE and the kernel is built with the following options:

    options IPFIREWALL          # Enable ipfw
    options IPFIREWALL_FORWARD  # Enable ipfw forward
    options IPDIVERT

/etc/rc.conf:

    # Enable ipfw firewall
    firewall_enable="YES"
    firewall_script="/etc/rc.firewall.test"
    # Natd
    gateway_enable="YES"
    natd_enable="YES"
    natd_interface="msk0"
    natd_flags="-f /etc/natd.conf"

sysctl:

    net.inet.ip.forwarding=1

/etc/rc.firewall.test:

    #!/bin/sh
    IFACE=msk0
    IPFW=/sbin/ipfw
    ${IPFW} -f flush
    ${IPFW} add 100 divert natd ip from any to any 1234 via ${IFACE}
    ${IPFW} add 6 permit ip from any to any

/etc/natd.conf:

    port 8668
    log
    verbose
    interface msk0
    redirect_port tcp 192.168.1.3:1234 1234

Is there any configuration error above?

Best regards
Unga

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
ipfw+natd startup order fixing
Hi there,

A few months ago I inquired about an issue where using ipfw+natd worked on 8.0 but produced errors in 8.1. After searching the bugs database, I found multiple reports about it:

    http://www.freebsd.org/cgi/query-pr.cgi?pr=conf/148137
    http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/148928

Both suggest manually loading ipdivert as a workaround, and fixing the rc scripts as the solution. The offending changeset is http://svn.freebsd.org/viewvc/base/stable/8/etc/rc.d/ipfw?r1=196045&r2=203962, where natd was changed to be run as a post-cmd instead of a pre-cmd. According to svn, this defect has not been addressed in HEAD yet.

I've tried modifying the rc scripts so that natd becomes a dependency of ipfw, which ought to make it start. However, the rc script is marked as KEYWORD: nostart, which excludes it from the normal startup process and from the listing of 'services -r' (finally noticed this). So an alternative way to fix this would be to make natd a standalone script, add an rc dependency, and remove the 'firewall_coscript' juggling in ipfw's rc script.

What's the best way to get this problem fixed in svn?
ipfw/natd in 8.1
Since a rebuild to FBSD 8.1, I can't get natd to function correctly. Below is my ipfw config. It closely follows the example in the Handbook:

    http://www.freebsd.org/doc/en/books/handbook/firewalls-ipfw.html
    (30.6.5.7 An Example NAT and Stateful Ruleset -- Ruleset #1)

Firewall config (logging enabled temporarily while troubleshooting):

    3 16133 2323153 allow ip from any to any via em0
    4 672 144006 allow ip from any to any via lo0
    00100 965322 divert 8668 log ip from any to any in via fxp0
    00101 0 0 check-state
    00120 644542 skipto 500 log udp from any to any out via fxp0 keep-state
    00125 203 49916 skipto 500 log tcp from any to any out via fxp0 setup keep-state
    00130 262184 skipto 500 icmp from any to any out via fxp0 keep-state
    00300 0 0 deny ip from 192.168.0.0/16 to any in via fxp0
    00301 0 0 deny ip from 172.16.0.0/12 to any in via fxp0
    00302 0 0 deny ip from 10.0.0.0/8 to any in via fxp0
    00303 0 0 deny ip from 127.0.0.0/8 to any in via fxp0
    00304 0 0 deny ip from 0.0.0.0/8 to any in via fxp0
    00305 0 0 deny ip from 169.254.0.0/16 to any in via fxp0
    00306 0 0 deny ip from 192.0.2.0/24 to any in via fxp0
    00307 0 0 deny ip from 204.152.64.0/23 to any in via fxp0
    00308 0 0 deny ip from 224.0.0.0/3 to any in via fxp0
    00400 101306 allow log udp from any to any dst-port 53,123 in keep-state
    00401 0 0 allow log icmp from any to any icmptypes 0,3,11
    00420 91112 allow log tcp from any to me dst-port 20,21,53,76,80,123,443 in via fxp0 setup limit src-addr 20
    00450 24 876 deny log logamount 1 ip from any to any
    00500 293 56642 divert 8668 log ip from any to any
    00510 78 21591 allow log ip from any to any
    65535 262 18726 deny ip from any to any

/etc/natd.conf:

    use_sockets
    same_ports
    unregistered_only
    interface fxp0

Natd only properly NATs the first packet out:

    # /sbin/natd -v -f /etc/natd.conf
    Loading /lib/libalias_cuseeme.so
    Loading /lib/libalias_ftp.so
    Loading /lib/libalias_irc.so
    Loading /lib/libalias_nbt.so
    Loading /lib/libalias_pptp.so
    Loading /lib/libalias_skinny.so
    Loading /lib/libalias_smedia.so
    natd[10702]: Aliasing to 74.94.69.225, mtu 1500 bytes
    Out {default}[TCP] [TCP] 192.168.1.6:61447 - 65.61.153.152:80 aliased to [TCP] 74.94.69.225:61447 - 65.61.153.152:80
    In {default}[TCP] [TCP] 65.61.153.152:80 - 74.94.69.225:61447 aliased to [TCP] 65.61.153.152:80 - 192.168.1.6:61447
    In {default}[TCP] [TCP] 65.61.153.152:80 - 192.168.1.6:61447 aliased to [TCP] 65.61.153.152:80 - 192.168.1.6:61447
    Out {default}[TCP] [TCP] 192.168.1.6:61447 - 65.61.153.152:80 aliased to [TCP] 192.168.1.6:61447 - 65.61.153.152:80
    Out {default}[TCP] [TCP] 192.168.1.6:61447 - 65.61.153.152:80 aliased to [TCP] 192.168.1.6:61447 - 65.61.153.152:80
    Out {default}[TCP] [TCP] 192.168.1.6:61447 - 65.61.153.152:80 aliased to [TCP] 192.168.1.6:61447 - 65.61.153.152:80
    Out {default}[TCP] [TCP] 192.168.1.6:61447 - 65.61.153.152:80 aliased to [TCP] 192.168.1.6:61447 - 65.61.153.152:80
    Out {default}[TCP] [TCP] 192.168.1.6:61447 - 65.61.153.152:80 aliased to [TCP] 192.168.1.6:61447 - 65.61.153.152:80
    In {default}[TCP] [TCP] 65.61.153.152:80 - 74.94.69.225:61447 aliased to [TCP] 65.61.153.152:80 - 192.168.1.6:61447
    In {default}[TCP] [TCP] 65.61.153.152:80 - 192.168.1.6:61447 aliased to [TCP] 65.61.153.152:80 - 192.168.1.6:61447
    Out {default}[TCP] [TCP] 192.168.1.6:61447 - 65.61.153.152:80 aliased to [TCP] 192.168.1.6:61447 - 65.61.153.152:80
    Out {default}[TCP] [TCP] 192.168.1.6:61447 - 65.61.153.152:80 aliased to [TCP] 192.168.1.6:61447 - 65.61.153.152:80
    Out {default}[TCP] [TCP] 192.168.1.6:61447 - 65.61.153.152:80 aliased to [TCP] 192.168.1.6:61447 - 65.61.153.152:80
    Out {default}[TCP] [TCP] 192.168.1.6:61447 - 65.61.153.152:80 aliased to [TCP] 192.168.1.6:61447 - 65.61.153.152:80

I'm not sure why this happens! The same config worked with FBSD 7.x.

TIA,
Casey
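Both the port-forward question at the top of this page and the post above rely on reading natd's verbose output to tell whether a packet was actually rewritten: an "aliased to" line whose addresses are unchanged means natd received the packet from the divert rule but had no translation to apply. The following is an added example, not from either post and not part of FreeBSD: a POSIX shell/awk script that classifies each "aliased to" line as translated or untranslated and counts the untranslated packets per direction. The log lines in it are constructed from the shape shown above, and the function names are my own.

```shell
#!/bin/sh
# Constructed natd -v lines in the shape shown in the posts above: the first
# outbound packet is rewritten to the public address, the reply is mapped back,
# and a later outbound packet leaves natd with source and destination unchanged.
NATD_SAMPLE='Out {default}[TCP] [TCP] 192.168.1.6:61447 - 65.61.153.152:80 aliased to [TCP] 74.94.69.225:61447 - 65.61.153.152:80
In {default}[TCP] [TCP] 65.61.153.152:80 - 74.94.69.225:61447 aliased to [TCP] 65.61.153.152:80 - 192.168.1.6:61447
Out {default}[TCP] [TCP] 192.168.1.6:61447 - 65.61.153.152:80 aliased to [TCP] 192.168.1.6:61447 - 65.61.153.152:80'

# natd_classify LINE: for one "... aliased to ..." line, prints
# "DIR TRANSLATED src -> dst becomes src' -> dst'" or "DIR UNTRANSLATED src -> dst".
# Field layout of such a line: $1 direction, $4/$6 addresses before, $10/$12 after.
natd_classify() {
    printf '%s\n' "$1" | awk '
    $7 == "aliased" && $8 == "to" {
        dir = $1; src_b = $4; dst_b = $6; src_a = $10; dst_a = $12
        if (src_b == src_a && dst_b == dst_a)
            print dir, "UNTRANSLATED", src_b, "->", dst_b
        else
            print dir, "TRANSLATED", src_b, "->", dst_b, "becomes", src_a, "->", dst_a
    }'
}

# natd_count_untranslated LOG DIR: number of DIR ("In" or "Out") packets that
# reached natd but left it unchanged. On a NAT gateway a nonzero "Out" count
# means the divert rule is handing natd packets it cannot translate, which is
# the symptom reported in the post above.
natd_count_untranslated() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        natd_classify "$line"
    done | awk -v d="$2" '$1 == d && $2 == "UNTRANSLATED" { n++ } END { print n + 0 }'
}

# Run the check over the constructed sample; on a live box feed it
# the output of "natd -v -f /etc/natd.conf" instead.
natd_count_untranslated "$NATD_SAMPLE" Out
```

The classifier keys on the literal "aliased to" tokens, so the "Aliasing to ..., mtu ..." banner and the "Loading ..." lines are ignored without special handling.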
Re: ipfw/natd in 8.1
Hello, Casey.

CS> 00300 0 0 deny ip from 192.168.0.0/16 to any in via fxp0
CS> 00301 0 0 deny ip from 172.16.0.0/12 to any in via fxp0
CS> 00302 0 0 deny ip from 10.0.0.0/8 to any in via fxp0
CS> 00303 0 0 deny ip from 127.0.0.0/8 to any in via fxp0
CS> 00304 0 0 deny ip from 0.0.0.0/8 to any in via fxp0
CS> 00305 0 0 deny ip from 169.254.0.0/16 to any in via fxp0
CS> 00306 0 0 deny ip from 192.0.2.0/24 to any in via fxp0
CS> 00307 0 0 deny ip from 204.152.64.0/23 to any in via fxp0
CS> 00308 0 0 deny ip from 224.0.0.0/3 to any in via fxp0

You can replace all that by:

    deny all from any to not me in recv fxp0

"in recv" and "in via" are very different things!

CS> 00100 965322 divert 8668 log ip from any to any in via fxp0
CS> 00500 293 56642 divert 8668 log ip from any to any

What are you trying to do with these rules??? What you do is wrong; they do different work in conjunction with keep-state and the other rules in your firewall. Divide the logic in your firewall!

What is the one_pass option in your kernel?

    kes# sysctl -a | grep one_pass

Maybe you have 1, but it must be 0.

CS> 00420 91112 allow log tcp from any to me dst-port 20,21,53,76,80,123,443 in via fxp0 setup limit src-addr 20

This rule will not pass packets to undivert I think, or will have some effect on the divert rule.

CS> 00510 78 21591 allow log ip from any to any

This rule is useless!!!

CS> Out {default}[TCP] [TCP] 192.168.1.6:61447 - 65.61.153.152:80 aliased to
CS> [TCP] 74.94.69.225:61447 - 65.61.153.152:80
CS> In {default}[TCP] [TCP] 65.61.153.152:80 - 74.94.69.225:61447 aliased to
CS> [TCP] 65.61.153.152:80 - 192.168.1.6:61447

Before setup all works fine; after setup, your firewall fails. Established connections do not work.

CS> In {default}[TCP] [TCP] 65.61.153.152:80 - 192.168.1.6:61447 aliased to
CS> [TCP] 65.61.153.152:80 - 192.168.1.6:61447
CS> Out {default}[TCP] [TCP] 192.168.1.6:61447 - 65.61.153.152:80 aliased to
CS> [TCP] 192.168.1.6:61447 - 65.61.153.152:80
CS> Out {default}[TCP] [TCP] 192.168.1.6:61447 - 65.61.153.152:80 aliased to
CS> [TCP] 192.168.1.6:61447 - 65.61.153.152:80
CS> Out {default}[TCP] [TCP] 192.168.1.6:61447 - 65.61.153.152:80 aliased to
CS> [TCP] 192.168.1.6:61447 - 65.61.153.152:80

Try to understand divert, then try keep-state, setup etc.

Good luck.
Re: ipfw natd rules not loading on startup
Just a sidenote:

On Sat, 15 May 2010 02:33:10 +0200, umage <theultram...@gmail.com> wrote:
> However, if I run the script manually, or call it from the end of /etc/rc, it will add these rules as well. Currently I am using a workaround.

It's not a good idea to modify /etc/rc. In your case, using the mechanisms of /etc/rc(.shutdown).local is a good way to call scripts that do not fit the rc.d concept. See "man rc.local" for details. So I would suggest something for /etc/rc.local like this:

    #!/bin/sh
    # Pull in rc.conf the same way the rc.d scripts do, so the firewall
    # script sees the usual variables.
    if [ -z "${source_rc_confs_defined}" ]; then
        if [ -r /etc/defaults/rc.conf ]; then
            . /etc/defaults/rc.conf
            source_rc_confs
        elif [ -r /etc/rc.conf ]; then
            . /etc/rc.conf
        elif [ -r /etc/rc.conf.local ]; then
            . /etc/rc.conf.local
        fi
    fi
    echo -n " custom-firewall"
    /your/firewall/script.sh        # <-- here

The final dot + newline in the messages will be added by rc, if I remember correctly.

-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
ipfw natd rules not loading on startup
I performed a kernel+world update of my FreeBSD router, RELENG_8 branch, apparently from the version of 6 months ago to current. I use ipfw and a shell script that gets loaded at startup.

I noticed after rebooting that ipfw did not load two rules, both of type "divert natd". However, if I run the script manually, or call it from the end of /etc/rc, it will add these rules as well. Currently I am using a workaround.

I could not find any mention of warnings or errors in the logs. I couldn't find any way of making ipfw log errors. I tried piping my script's output to a file, but it did not say anything useful. No one I asked knew what to do.

I noticed that there has been a revamp of ipfw and its supporting scripts recently, so it's possible something broke along the way (for example, a missing rc dependency on natd?). Advice would be appreciated.
Re: ipfw natd rules not loading on startup
On Sat, May 15, 2010 at 02:33:10AM +0200, umage wrote:
> I performed a kernel+world update of my FreeBSD router, RELENG_8 branch, apparently from the version of 6 months ago to current. I use ipfw and a shell script that gets loaded at startup.
>
> I noticed after rebooting that ipfw did not load two rules, both of type "divert natd". However, if I run the script manually, or call it from the end of /etc/rc, it will add these rules as well. Currently I am using a workaround.

Best to ask -STABLE. There's been some breakage of ipfw since the end of April. I'm unsure as to whether they've all been resolved yet.

Cheers.
-- 
Jonathan Chen     | To do is to be -- Nietzsche
j...@chen.org.nz  | To be is to do -- Sartre
                  | Scooby do be do -- Scooby
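The thread above ends without a way to notice the failure at boot, which is the part a defender cares about: a gateway whose divert rules silently did not load is either not translating or, depending on the rest of the ruleset, passing traffic it was meant to rewrite. Here is an added example, not from the thread and not part of FreeBSD's rc scripts, that checks an "ipfw list" listing for the divert rules a startup script is supposed to have added and reports through logger(1) when any are missing. The two listings, the rule numbers in EXPECTED_DIVERT and the function names are constructed for this example.

```shell
#!/bin/sh
# Constructed "ipfw list" output reproducing the report above: the divert rules
# the firewall script should have added are absent.
IPFW_LIST_BROKEN='00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 allow ip from any to any via rl0
65535 deny ip from any to any'

# Constructed "ipfw list" output with both divert rules present.
IPFW_LIST_OK='00100 allow ip from any to any via lo0
00450 divert 8668 ip from any to any in via tun0
05000 divert 8668 ip from any to any out via tun0
65535 deny ip from any to any'

# Rule numbers that must exist as divert rules (assumed values; adjust to your script).
EXPECTED_DIVERT="00450 05000"

# missing_divert_rules LISTING: prints each expected rule number that does not
# appear as a "divert" rule in LISTING; prints nothing when all are present.
missing_divert_rules() {
    listing=$1
    for num in $EXPECTED_DIVERT; do
        printf '%s\n' "$listing" \
            | awk -v n="$num" '$1 == n && $2 == "divert" { found = 1 } END { exit !found }' \
            || echo "$num"
    done
}

# verify_nat_rules LISTING: returns 0 when every expected divert rule is loaded,
# 1 otherwise, and writes the failure to syslog so it is visible after boot
# (logger may be absent or syslog not running on a test host, hence "|| true").
verify_nat_rules() {
    missing=$(missing_divert_rules "$1")
    if [ -n "$missing" ]; then
        logger -t natcheck "ipfw divert rules missing:" $missing 2>/dev/null || true
        return 1
    fi
    return 0
}

# On a live box, e.g. from /etc/rc.local after the firewall script has run:
#   verify_nat_rules "$(ipfw list)" || echo "NAT divert rules not loaded" >&2
verify_nat_rules "$IPFW_LIST_BROKEN" || echo "constructed listing: divert rules missing"
```

The match is on the rule number and the "divert" action only, so a rule that was renumbered or rewritten as "allow" is reported rather than accepted.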
Re: IPFW + NATD FORWARDING
mr. phreak [EMAIL PROTECTED] writes:
> Hi, I am having trouble with my IPFW+NATD forwarding. I know a lot of people have, and I've googled my ass off. Still I can't get it right. I'm trying to forward port 1213 in/out for dc++ usage. This is my setup:
>
>        __WAN router (192.168.1.1)
>          |
>          |
>       (FreeBSD gateway/fw  NIC1: ath0 (public)  NIC2: rl0 (LAN))
>          |
>          |__ LAN (10.10.10.0/24)
>
> I use stateful rules and I'd like to forward port 1213 both ways using natd. I know NATD should take care of this as long as I allow port 1213 in/out from the firewall. I've tried this at almost every position in the ipfw.rules and now I ask where I should put it?? i.e. it's not there right now. I've tried:
>
>     $cmd [num] allow all from any to any 1213
>
> (at various positions in ipfw.rules) still doesn't work.
>
>     $cmd [num] divert natd all from any to any 1213
>
> Can someone help me?

Your firewall configuration is rather unconventional, but the basic idea makes sense. What isn't clear is how you want to use this dc++ program within your infrastructure. Because you are using dynamic rules, I assume that you want the connections to always originate inside your network. If that is the case, you shouldn't need any special configuration to natd (because every connection will be learned from the initial packet). If that's not the case, you will need to pick one internal machine to receive the connections coming in from outside.
IPFW + NATD FORWARDING
Hi,

I am having trouble with my IPFW+NATD forwarding. I know a lot of people have, and I've googled my ass off. Still I can't get it right. I'm trying to forward port 1213 in/out for dc++ usage. This is my setup:

       __WAN router (192.168.1.1)
         |
         |
      (FreeBSD gateway/fw  NIC1: ath0 (public)  NIC2: rl0 (LAN))
         |
         |__ LAN (10.10.10.0/24)

I use stateful rules and I'd like to forward port 1213 both ways using natd. I know NATD should take care of this as long as I allow port 1213 in/out from the firewall. I've tried this at almost every position in the ipfw.rules and now I ask where I should put it?? i.e. it's not there right now. I've tried:

    $cmd [num] allow all from any to any 1213

(at various positions in ipfw.rules) still doesn't work.

    $cmd [num] divert natd all from any to any 1213

Can someone help me?

Here are my files:

my natd.conf:

    use_sockets yes
    same_ports yes
    dynamic yes
    redirect_port tcp 10.10.10.2:1213 1213
    redirect_port udp 10.10.10.2:1213 1213

ipfw.rules:

    ### start ipfw rules #
    ##
    ipfw -q -f flush            # Delete all
    # INIT #
    oif="ath0"                  # out NIC
    cmd="ipfw -q add"           # quiet
    skip="skipto 4000"          # skipto NATD.
    # BEGIN RULES #
    #
    # LAN NO RESTRICTIONS ###
    #
    $cmd 00300 allow all from any to any via rl0
    # LOOPBACK NO RESTRICTIONS ##
    #
    $cmd 00400 allow all from any to any via lo0
    # NATD IN? THEN TRANSLATE ###
    #
    $cmd 00450 divert natd ip from any to any in via $oif
    # CHECK-STATE ###
    #
    $cmd 00500 check-state
    ### ( OUTBOUND ) ###
    # DNS ##
    $cmd 00600 $skip tcp from any to 195.67.199.39 53 out via $oif setup keep-state
    $cmd 00610 $skip udp from any to 195.67.199.39 53 out via $oif keep-state
    # DHCP #
    $cmd 00700 $skip udp from any to any 67 out via $oif keep-state
    # HTTP #
    $cmd 00800 $skip tcp from any to any 80 out via $oif setup keep-state
    # HTTPS
    $cmd 00810 $skip tcp from any to any 443 out via $oif setup keep-state
    # POP SMTP ###
    $cmd 00900 $skip tcp from any to any 25 out via $oif setup keep-state
    $cmd 00910 $skip tcp from any to any 110 out via $oif setup keep-state
    # FREEBSD CVS ##
    $cmd 01000 $skip tcp from me to any out via $oif setup keep-state uid root
    # ALLOW PING OUT ###
    $cmd 01100 $skip icmp from any to any out via $oif keep-state
    # SSH ##
    $cmd 01200 $skip tcp from any to any 22 out via $oif setup keep-state
    # WHOIS
    $cmd 01300 $skip tcp from any to any 43 out via $oif setup keep-state
    # FTP ##
    $cmd 01400 $skip tcp from any to any 21 out via $oif setup keep-state
    # IRC ##
    $cmd 01500 $skip tcp from any to any 6667 out via $oif setup keep-state
    $cmd 01510 $skip tcp from any to any out via $oif setup keep-state
    $cmd 01520 $skip tcp from any to any 5020 out via $oif setup keep-state
    # SHOUTCAST
    $cmd 01600 $skip tcp from any to any 9000 out via $oif setup keep-state
    ### ( INBOUND )
    # Deny all inbound from non-routable ###
    $cmd 02000 deny all from 192.168.0.0/16 to any in via $oif
    $cmd 02010 deny all from 172.16.0.0/12 to any in via $oif
    $cmd 02020 deny all from 10.0.0.0/8 to any in via $oif
    $cmd 02030 deny all from 127.0.0.0/8 to any in via $oif
    $cmd 02040 deny all from 0.0.0.0/8 to any in via $oif
    $cmd 02050 deny all from 169.254.0.0/16 to any in via $oif
    $cmd 02060 deny all from 192.0.2.0/24 to any in via $oif
    $cmd 02070 deny all from 204.152.64.0/23 to any in via $oif
    $cmd 02080 deny all from 224.0.0.0/3 to any in via $oif
    # DENY PING INBOUND
    $cmd 02100 deny icmp from any to any in via $oif
    # DENY IDENT ###
    $cmd 02200 deny tcp from any to any 113 in via $oif
    # DENY NETBIOS #
    $cmd 02300 deny tcp from any to any 137 in via $oif
    $cmd 02310 deny tcp from any to any 138 in via $oif
    $cmd 02320 deny tcp from any to any 139 in via $oif
    $cmd 02330 deny tcp from any to any 81 in via $oif
    # DHCP #
    $cmd 02400 allow udp from any to 192.168.1.1 68 in via $oif keep-state
    # HTTP #
    $cmd 02500 allow tcp from any to me 80 in via $oif setup limit src-addr 2
    # HTTPS
    $cmd 02600 allow
Re: IPFW + NATD rules
On Sun, Aug 27, 2006 at 01:04:54PM +0500, ?? ?? wrote:
> I'm a junior in FreeBSD, and I am faced with a problem.

You should know that others have mailers that are thread enabled. This means that when you compose a new mail but use the reply shortcut, others may not read it, because it ends up in the list. I redirected the mail to questions@ because this is not related to the stable development branch.

> I've a FreeBSD 6.1-stable box as a gate+firewall, and I want to divert incoming requests to my web-server, placed in a DeMilitarized Zone (DMZ). To do this I wrote down the settings in /etc/rc.conf as shown above:
>
>     natd_flags="-redirect_port tcp 80 192.168.1.234 80"
>     natd_flags="-redirect_poort tcp 443 192.168.1.234 443"

You probably can not have two lines.

> I think that all packets incoming from the Internet will be diverted from the External interface via the DMZ interface to my Web-server. Is it right? If not, why not, and what is the way to make it work?

Yes, but you made some mistakes:

1. You have two lines, where only one is allowed.
2. The file format is wrong: it should be "tcp forward_ip:port port".
3. You made a typo.
4. Did you setup ipfw?

I've done this with a separate config file.

    firewall_enable="YES"
    firewall_type="/etc/firewall.conf"
    natd_enable="YES"
    natd_flags="-f /etc/natd.conf"
    natd_interface="fxp0"

/etc/firewall.conf contains:

    add divert 8668 ip from any to any
    (note: src_ip and dst_ip change here, so keep this in mind if you add rules)
    add allow ip from any to any

/etc/natd.conf contains:

    redirect_port tcp ip_to_goto:port local_port

Did you setup ipfw and direct packets to natd? You also need to setup i

-- 
Alex

Please copy the original recipients, otherwise I may not read your reply.

Howtos based on my personal use, including information about setting up a firewall and creating traffic graphs with MRTG
http://alex.kruijff.org/FreeBSD/
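The mistakes Alex lists above (redirect_port arguments in the wrong order, a misspelled option) are the kind natd reports only at start-up, if at all, and a port forward that silently fails to install is easy to miss until the exposed service cannot be reached. Here is an added example, not from this thread and not part of natd, of a small natd.conf checker in POSIX shell and awk that catches both mistakes and also accepts the port-range and service-name forms that appear in the other threads on this page. The two sample configurations are constructed, and the list of accepted option names is the subset of natd(8) options I am sure of, not the complete set.

```shell
#!/bin/sh
# Constructed natd.conf samples. NATD_BAD carries the mistakes discussed above:
# target and alias port swapped on line 1, and a misspelled option on line 2.
NATD_GOOD='use_sockets yes
same_ports yes
interface fxp0
redirect_port tcp 192.168.1.234:80 80
redirect_port tcp 192.168.1.234:443 443
redirect_port udp 10.10.10.2:6881-6889 6881-6889'

NATD_BAD='redirect_port tcp 80 192.168.1.234 80
redirect_poort tcp 443 192.168.1.234 443'

# natd_lint CONF: prints one "line N: ..." diagnostic per problem found in the
# natd.conf text CONF; prints nothing when the file is clean.
natd_lint() {
    printf '%s\n' "$1" | awk '
    # a port is a number, a number range, or a lowercase service name
    function is_port(p) { return p ~ /^[0-9]+(-[0-9]+)?$/ || p ~ /^[a-z][a-z0-9-]*$/ }
    # natd accepts an IPv4 address or a resolvable hostname as the target
    function is_host(a) {
        return a ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ || a ~ /^[A-Za-z0-9][A-Za-z0-9.-]*$/
    }
    /^[ \t]*(#|$)/ { next }                   # blank lines and comments
    $1 == "redirect_port" {
        if (NF < 4) { print "line " NR ": redirect_port needs proto target:port alias_port"; next }
        if ($2 != "tcp" && $2 != "udp") print "line " NR ": unknown protocol " $2
        n = split($3, t, ":")
        if (n != 2 || !is_host(t[1]) || !is_port(t[2]))
            print "line " NR ": target must be host:port, got " $3
        if (!is_port($4)) print "line " NR ": alias port must be a port or range, got " $4
        next
    }
    # options I am sure natd(8) accepts; extend as needed
    $1 ~ /^(use_sockets|same_ports|dynamic|unregistered_only|verbose|log|log_denied|log_facility|interface|port|alias_address|redirect_address|redirect_proto|deny_incoming|proxy_only|reverse|punch_fw)$/ { next }
    { print "line " NR ": unknown option " $1 }
    '
}

# natd_lint_count CONF: number of diagnostics, convenient for scripts.
natd_lint_count() {
    natd_lint "$1" | awk 'END { print NR }'
}

# On a live box: natd_lint "$(cat /etc/natd.conf)"
natd_lint "$NATD_BAD"
```

Running it on NATD_BAD yields three diagnostics: the swapped arguments produce both a bad target and a bad alias port on line 1, and the misspelled keyword is reported on line 2.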
pppoe + ipfw + natd and jails
Hi,

I'm running FreeBSD as a router at home for DSL. Everything was running fine until one day. Suddenly all PCs in the LAN stopped opening foreign web pages and connecting to foreign hosts, though I could ping those hosts. That seemed like an ISP problem so I called them and they said everything is fine. So I started to mess around with ipfw rules. So here's my conf.:

    dsl modem
       ^
       |
     [tun0]
     [rl0]
      FBSD   [bind jail with mldonkey]   [squid jail]
     [rl1]
       |
       |
       v
      LAN

The conf. of ipfw and natd that worked earlier:

    #ipfw list
    05000 divert 8668 ip from any to any via tun0
    06000 allow ip from any to any
    65535 deny ip from any to any

    #cat natd.conf
    dynamic yes
    same_ports yes
    use_sockets yes
    unregistered_only yes
    redirect_port tcp 192.168.0.253:4662 4662
    redirect_port udp 192.168.0.253:4662 4662
    redirect_port tcp 192.168.0.253:4672 4672
    redirect_port udp 192.168.0.253:4672 4672
    redirect_port tcp 192.168.0.253:6346 6346
    redirect_port udp 192.168.0.253:6346 6346
    redirect_port tcp 192.168.0.253:6347 6347
    redirect_port udp 192.168.0.253:6347 6347
    redirect_port tcp 192.168.0.253:6881-6889 6881-6889
    redirect_port udp 192.168.0.253:6881-6889 6881-6889
    redirect_port tcp 192.168.0.253:1214 1214
    redirect_port tcp 192.168.0.253:
    redirect_port tcp 192.168.0.253:
    redirect_port udp 192.168.0.253:
    redirect_port udp 192.168.0.253:2234 2234

[192.168.0.253 is a bind jail with mldonkey]

    #cat rc.conf
    gateway_enable="YES"
    hostname="gw.anm.lan"
    ifconfig_pcn0="down"
    ifconfig_rl1="inet 192.168.0.254 netmask 255.255.255.0"
    ifconfig_rl0="up"
    ifconfig_tun0="up"
    ppp_enable="YES"
    ppp_profile="takas"
    ppp_mode="ddial"
    firewall_enable="YES"
    firewall_type="/etc/firewall/ipfw.rules"
    firewall_quiet="NO"
    natd_enable="YES"
    natd_interface="tun0"
    natd_flags="-f /etc/firewall/natd.conf"
    usbd_enable="NO"
    sendmail_enable="NONE"
    syslogd_flags="-b 192.168.0.254"

IP aliases for the jails are added when a jail is starting. I use the jailctl util for that.

    #jls
     JID  IP Address      Hostname        Path
       2  192.168.0.252   squid.anm.lan   /usr/jails/squid.anm.lan
       1  192.168.0.253   ns0.anm.lan     /usr/jails/ns0.anm.lan

Ok, now to the problem solving. When I add this line to ipfw, foreign pages are loaded, but mldonkey isn't able to connect:

    01000 allow ip from any to any
    05000 divert 8668 ip from any to any via tun0
    06000 allow ip from any to any
    65535 deny ip from any to any

So I used the handbook for ipfw and natd and came to this rule set:

    add 00020 allow all from any to any via rl1
    add 00030 allow all from any to any via lo0
    add 00100 divert natd ip from any to any in via tun0
    add 00101 check-state
    add 00200 skipto 5000 all from any to any out via rl0 keep-state
    add 05000 divert natd ip from any to any out via tun0
    add 06000 allow all from any to any
    add 65535 deny ip from any to any

but everything is the same: foreign pages are not loaded, mldonkey is downloading.

Thanks for help.
IPFW+natd Cisco VPN tunnelling....
Hi, all--

I'm working on a new firewall running FreeBSD-5.4, IPFW, and natd for a small client network of about 50 boxes, using a single routable IP via a T1 link. They want to set up a Cisco 87x router as a VPN endpoint; my part is to set up forwarding of the VPN traffic via the firewall to this Cisco. The firewall box is a Dell 2850 with dual Intel em NICs.

Since I'm waiting for someone else to get that box up, I decided to check here whether my config is sane. I'm using a normal divert rule to forward traffic to natd, which is working fine, and have this as /etc/natd.conf:

    # NATD configuration options
    dynamic yes
    interface em1
    #log yes
    log_denied yes
    use_sockets yes
    same_ports yes
    unregistered_only yes
    redirect_port tcp 192.168.1.2:www www
    redirect_proto gre ciscovpn
    redirect_port udp ciscovpn:500 500
    redirect_port tcp ciscovpn:1 1
    redirect_port tcp ciscovpn:pptp pptp

...where ciscovpn is obviously the hostname for the Cisco 870 box.

Is there any way to convince natd to re-read the natd.conf file short of killing and restarting the daemon entirely? The manpage didn't say so, and kill -HUP terminates the process.

-- 
-Chuck

PS: It seems unfortunate that not including a natd_interface statement in rc.conf causes /etc/rc.firewall to not include a divert rule, but that can be corrected by using your own rules in a file and setting firewall_type.
Re: IPFW+natd Cisco VPN tunnelling....
Chuck Swiger wrote:
> Is there any way to convince natd to re-read the natd.conf file short of killing and restarting the daemon entirely? The manpage didn't say so, and kill -HUP terminates the process.

If there was, I would expect /etc/rc.d/natd to support a reload option, but I don't see one. You could try it, but if not then I suggest

    sh /etc/rc.d/natd restart

Can't help on VPN, I'm afraid.

--Alex
ipfw + natd = some sites won't work :-S
Hi,

I got my FreeBSD set up to do NAT, but it doesn't work 100%. Sites like Google, for instance, do work, but many others don't. All other protocols seem to be working properly. But why are sites failing to do anything? I have natd running with the verbose option, and a successful request to Google is identical to a random other site :S

The firewall I use is rather big. The most important piece is:

    01200 723652298 divert 8668 ip from any to 82.94.238.70 via fxp0
    01200 521 85279 divert 8668 ip from 10.0.5.0/24 to any
    01200 0 0 allow ip from any to 10.0.5.0/24
    01201 524 85399 allow ip from 82.94.238.70 to any
    01201 3 144 allow ip from any to 82.94.238.70
    01500 871494 216106437 allow tcp from any to any established

/etc/natd.conf is:

    alias_address %external_ip%
    verbose

It just puzzles me why only some HTTP requests would fail and everything else works fine! Anyone got any idea?

Thanks in advance,

Frank de Bot
Re: ipfw + natd = some sites won't work :-S
On Tuesday, 10 May 2005 00:42, Frank de Bot wrote:
> Hi,
>
> I got my FreeBSD set up to do NAT, but it doesn't work 100%. Sites like Google, for instance, do work, but many others don't. All other protocols

I guess you're using an A-DSL line with PPPoE, right? If so, see the tcp-mss fix. PPPoE consumes 8 bytes of your MTU, so the maximum segment size of TCP sessions is also reduced by 8 bytes, which the machine behind the NAT box doesn't know. Your NAT box has to alter the mss field in the TCP header, because many sites have wrongly configured firewalls which simply block all ICMP traffic, so the "must fragment" error from your router never reaches the originating host. So the sent packet is too big to go over your line and the Must Fragment bit is ignored... you'll never receive what you've requested.

I'm not familiar with IPFW; perhaps NATD can take care of MSS, PF does with max-mss.

-Harry

> seem to be working properly. But why are sites failing to do anything? I have natd running with the verbose option, and a successful request to Google is identical to a random other site :S
>
> The firewall I use is rather big. The most important piece is:
>
>     01200 723652298 divert 8668 ip from any to 82.94.238.70 via fxp0
>     01200 521 85279 divert 8668 ip from 10.0.5.0/24 to any
>     01200 0 0 allow ip from any to 10.0.5.0/24
>     01201 524 85399 allow ip from 82.94.238.70 to any
>     01201 3 144 allow ip from any to 82.94.238.70
>     01500 871494 216106437 allow tcp from any to any established
>
> /etc/natd.conf is:
>
>     alias_address %external_ip%
>     verbose
>
> It just puzzles me why only some HTTP requests would fail and everything else works fine! Anyone got any idea?
>
> Thanks in advance,
>
> Frank de Bot
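The explanation above is the classic path-MTU black hole: a link that is 8 bytes narrower than the hosts believe, combined with ICMP "fragmentation needed" being dropped somewhere, so large segments vanish while small ones (and sites that happen to send small responses) get through. The measurement a practitioner would run from behind the NAT box, as an added example that is mine rather than Emanuel's or Frank's, is a binary search over ICMP payload sizes with the DF bit set; the header arithmetic then turns the result into the MSS value a clamp would need. The probe uses FreeBSD's ping(8) flags; fake_probe_1492 stands in for ping so the search can be exercised offline, and all function names are my own.

```shell
#!/bin/sh
# pmtu_probe_ping SIZE HOST: one probe with the DF bit set and an ICMP payload
# of SIZE bytes. FreeBSD ping(8): -D sets DF, -s payload size, -c count,
# -t timeout in seconds. Succeeds only if the echo reply came back.
pmtu_probe_ping() {
    ping -D -c 1 -t 2 -s "$1" "$2" >/dev/null 2>&1
}

# pmtu_search PROBE HOST LO HI: binary search for the largest payload in
# LO..HI that PROBE accepts, and print it. PROBE is a function taking SIZE HOST.
# A black-holed path shows up as a cliff: sizes up to some value succeed,
# everything above silently times out.
pmtu_search() {
    probe=$1; host=$2; lo=$3; hi=$4
    best=0
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$probe" "$mid" "$host"; then
            best=$mid
            lo=$((mid + 1))
        else
            hi=$((mid - 1))
        fi
    done
    echo "$best"
}

# payload_to_mtu PAYLOAD: ICMP payload plus the 20-byte IP and 8-byte ICMP headers.
payload_to_mtu() {
    echo $(( $1 + 28 ))
}

# mss_for_mtu MTU: the TCP MSS that fits the path, i.e. the MTU minus the
# 20-byte IP and 20-byte TCP headers (no options).
mss_for_mtu() {
    echo $(( $1 - 40 ))
}

# Constructed stand-in for ping: a path whose MTU is 1492 (1500 minus the
# 8 bytes PPPoE takes), so the largest ICMP payload that passes with DF is 1464.
fake_probe_1492() {
    [ "$1" -le 1464 ]
}

# Offline run over the constructed path. Against a real host, replace the
# probe name: pmtu_search pmtu_probe_ping example.net 500 1472
payload=$(pmtu_search fake_probe_1492 constructed-host 0 1472)
mtu=$(payload_to_mtu "$payload")
echo "largest DF payload $payload -> path MTU $mtu -> MSS $(mss_for_mtu "$mtu")"
```

The upper bound of 1472 is the largest payload that fits a 1500-byte Ethernet MTU; if the search returns 1472 the path is clean, and a result of 1464 is the 8-byte PPPoE signature described above.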
RE: ipfw + natd = some sites won't work :-S
Seeing a snippet of your firewall rules is not giving us enough info to work on. You have to post the complete rule set because of the way rules are processed. Also an explanation of your private network layout and how you connect to the internet is needed. List the sites you can not access.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Frank de Bot
Sent: Monday, May 09, 2005 6:42 PM
To: freebsd-questions@freebsd.org
Subject: ipfw + natd = some sites won't work :-S

> Hi,
>
> I got my FreeBSD set up to do NAT, but it doesn't work 100%. Sites like Google, for instance, do work, but many others don't. All other protocols seem to be working properly. But why are sites failing to do anything? I have natd running with the verbose option, and a successful request to Google is identical to a random other site :S
>
> The firewall I use is rather big. The most important piece is:
>
>     01200 723652298 divert 8668 ip from any to 82.94.238.70 via fxp0
>     01200 521 85279 divert 8668 ip from 10.0.5.0/24 to any
>     01200 0 0 allow ip from any to 10.0.5.0/24
>     01201 524 85399 allow ip from 82.94.238.70 to any
>     01201 3 144 allow ip from any to 82.94.238.70
>     01500 871494 216106437 allow tcp from any to any established
>
> /etc/natd.conf is:
>
>     alias_address %external_ip%
>     verbose
>
> It just puzzles me why only some HTTP requests would fail and everything else works fine! Anyone got any idea?
>
> Thanks in advance,
>
> Frank de Bot
Re: ipfw + natd = some sites won't work :-S
Emanuel Strobl wrote:
> On Tuesday, 10 May 2005 00:42, Frank de Bot wrote:
>> Hi,
>>
>> I got my FreeBSD set up to do NAT, but it doesn't work 100%. Sites like Google, for instance, do work, but many others don't. All other protocols
>
> I guess you're using an A-DSL line with PPPoE, right? If so, see the tcp-mss fix. PPPoE consumes 8 bytes of your MTU, so the maximum segment size of TCP sessions is also reduced by 8 bytes, which the machine behind the NAT box doesn't know. Your NAT box has to alter the mss field in the TCP header, because many sites have wrongly configured firewalls which simply block all ICMP traffic, so the "must fragment" error from your router never reaches the originating host. So the sent packet is too big to go over your line and the Must Fragment bit is ignored... you'll never receive what you've requested.
>
> I'm not familiar with IPFW; perhaps NATD can take care of MSS, PF does with max-mss.

I'm not using ADSL with PPPoE. But the configuration used is kinda non-standard. I'll try to explain with a little drawing:

    = Laptop =
    IP: 10.0.5.21 (/24)
          |
          |
    = Server 1 =
    IP: 10.0.5.2  |  IP: 10.0.3.1
          |
          |  (ipip tunnel)
          |
    = Server 2 =
    IP: 10.0.3.2  |  IP %external_ip%
          |
      % internet %

Server 1 is a Linux box. Server 2 is the FreeBSD performing the NAT.

Tracerouting occurs without any problem. From the laptop to the internet: 10.0.5.2 - 10.0.3.2 - %internet%

During testing I've also dumped the whole firewall except the points written in the starting post. The behaviour stays exactly the same.

> -Harry
>
>> seem to be working properly. But why are sites failing to do anything? I have natd running with the verbose option, and a successful request to Google is identical to a random other site :S
>>
>> The firewall I use is rather big. The most important piece is:
>>
>>     01200 723652298 divert 8668 ip from any to 82.94.238.70 via fxp0
>>     01200 521 85279 divert 8668 ip from 10.0.5.0/24 to any
>>     01200 0 0 allow ip from any to 10.0.5.0/24
>>     01201 524 85399 allow ip from 82.94.238.70 to any
>>     01201 3 144 allow ip from any to 82.94.238.70
>>     01500 871494 216106437 allow tcp from any to any established
>>
>> /etc/natd.conf is:
>>
>>     alias_address %external_ip%
>>     verbose
>>
>> It just puzzles me why only some HTTP requests would fail and everything else works fine! Anyone got any idea?
>>
>> Thanks in advance,
>>
>> Frank de Bot
Re: ipfw + natd = some sites won't work :-S
The ipfw rules standing without any other rules and '65535 allow ip from any to any' as last rule give the same behaviour. So it's not a firewall case. The network layout is posted in my reaction to Emanuel.

Sites I can't access are:
www.tweakers.net
www.fok.nl
www.yahoo.com
www.userfriendly.org
www.thinkgeek.com

Sites I CAN access:
www.google.com
www.gmail.com
www.fastclick.net

fbsd_user wrote:
> Seeing a snippet of your firewall rules is not giving us enough info to work on. You have to post the complete rule set because of the way rules are processed. Also an explanation of your private network layout and how you connect to the internet is needed. List sites you can not access.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank de Bot
> Sent: Monday, May 09, 2005 6:42 PM
> To: freebsd-questions@freebsd.org
> Subject: ipfw + natd = some sites won't work :-S
>
> Hi, I got my FreeBSD set up to do nat, but it doesn't work 100%. Sites like Google for instance do work, but many others don't. All other protocols seem to be working properly. But why are sites failing to do anything? I got running natd with the verbose option and a successful request of google is identical to a random other site :S The firewall I use is rather big. The most important piece is:
>
> 01200 723652298 divert 8668 ip from any to 82.94.238.70 via fxp0
> 01200 521 85279 divert 8668 ip from 10.0.5.0/24 to any
> 01200 0 0 allow ip from any to 10.0.5.0/24
> 01201 524 85399 allow ip from 82.94.238.70 to any
> 01201 3 144 allow ip from any to 82.94.238.70
> 01500 871494 216106437 allow tcp from any to any established
>
> /etc/natd.conf is:
> alias_address %external_ip%
> verbose
>
> It just puzzles me why only some http requests would fail and everything else works fine! Anyone got any idea?
>
> Thanks in advance,
> Frank de Bot
Re: ipfw + natd = some sites won't work :-S
On Tuesday, 10 May 2005 01:04, Frank de Bot wrote:
> Emanuel Strobl wrote:
>> On Tuesday, 10 May 2005 00:42, Frank de Bot wrote:
>>> Hi, I got my FreeBSD set up to do nat, but it doesn't work 100%. Sites like Google for instance do work, but many others don't. All other protocols
>>
>> I guess you're using an A-DSL line with PPPoE, right? If so, see tcp-mss fix. PPPoE consumes 8 bytes of your MTU so also the maximum segment size of TCP sessions is reduced by 8 bytes, which the machine behind the NAT box doesn't know about. Your NAT box has to alter the mss field in the TCP header because many sites have wrongly configured firewalls which simply block all ICMP traffic, so the "must fragment" error from your router never reaches the originating host. So the sent packet is too big to go over your line and the Must Fragment bit is ignored... you'll never receive what you've requested. I'm not familiar with IPFW, perhaps NATD can take care of MSS, PF does with max-mss.
>
> I'm not using an ADSL with PPPoE. But the configuration used is kinda non-standard. I'll try to explain with a little drawing:
>
> = Laptop =
> IP: 10.0.5.21 (/24)
>     |
> = Server 1 =
> IP: 10.0.5.2 | IP: 10.0.3.1
>     |
>     | (ipip tunnel)
> = Server 2 =
> IP: 10.0.3.2 | IP %external_ip%
>     |
> % internet %
>
> Server 1 is a Linux box
> Server 2 is the FreeBSD performing the NAT
>
> Tracerouting occurs without any problem. From the laptop to the internet: 10.0.5.2 - 10.0.3.2 - %internet%

The problem is the same: IP-IP tunneling reduces TCP's mss, which the linux box doesn't fix. ICMP will work of course, TCP with full payload won't. I don't know how/why you tunnel IP into IP on that linux box, but that's the point where you have to dig.

Good luck,

-Harry

> During testing I've also dumped the whole firewall except the points written in the starting post. The behaviour stays exactly the same.
>
>> -Harry
>>
>>> seems to be working properly. But why are sites failing to do anything? I got running natd with the verbose option and a successful request of google is identical to a random other site :S The firewall I use is rather big. The most important piece is:
>>>
>>> 01200 723652298 divert 8668 ip from any to 82.94.238.70 via fxp0
>>> 01200 521 85279 divert 8668 ip from 10.0.5.0/24 to any
>>> 01200 0 0 allow ip from any to 10.0.5.0/24
>>> 01201 524 85399 allow ip from 82.94.238.70 to any
>>> 01201 3 144 allow ip from any to 82.94.238.70
>>> 01500 871494 216106437 allow tcp from any to any established
>>>
>>> /etc/natd.conf is:
>>> alias_address %external_ip%
>>> verbose
>>>
>>> It just puzzles me why only some http requests would fail and everything else works fine! Anyone got any idea?
>>>
>>> Thanks in advance,
>>> Frank de Bot
Re: ipfw + natd = some sites won't work :-S
Emanuel Strobl wrote:
> The problem is the same: IP-IP tunneling reduces TCP's mss, which the linux box doesn't fix. ICMP will work of course, TCP with full payload won't. I don't know how/why you tunnel IP into IP on that linux box, but that's the point where you have to dig.
>
> Good luck,
>
> -Harry

Which tunnel forms don't experience the reducing of mss? I've chosen an ipip tunnel because it was a tunnel solution which seemed to be the most simple. Once I got that working I was planning to change it to a VPN or IPSec tunnel. I've got my reason for having that tunnel between the boxes (Server 2 is a server far apart from Server 1).

Frank
Re: ipfw + natd = some sites won't work :-S
On Tuesday, 10 May 2005 01:19, Frank de Bot wrote:
> Emanuel Strobl wrote:
>> The problem is the same: IP-IP tunneling reduces TCP's mss, which the linux box doesn't fix. ICMP will work of course, TCP with full payload won't. I don't know how/why you tunnel IP into IP on that linux box, but that's the point where you have to dig.
>>
>> Good luck,
>>
>> -Harry
>
> Which tunnel forms don't experience the reducing of mss? I've chosen

Hm, I don't have that handy in my mind right now. I had to look for some RFCs but it's quite late here in Germany; if I knew it by rote I'd tell you. I have similar configurations with IPSec without that problem (IPSec (ESP) is another protocol parallel to IP, not an IP in IP tunnel).

-Harry

> an ipip tunnel because it was a tunnel solution which seemed to be the most simple. Once I got that working I was planning to change it to a VPN or IPSec tunnel. I've got my reason for having that tunnel between the boxes (Server 2 is a server far apart from Server 1).
>
> Frank
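The MSS fix Emanuel describes, as an added example that is not natd's or pf's code: a gateway behind PPPoE (8 bytes of overhead) or an IP-in-IP tunnel (20 bytes) rewrites the MSS option of every SYN it forwards, so that full-size segments fit the link even when a remote firewall drops the ICMP "fragmentation needed" message. The sample SYN and the addresses from Frank's drawing are constructed test data; the checksum is fixed up incrementally (RFC 1624) the way an in-line rewriter would.

```python
"""TCP MSS clamping as the thread describes it (added example, not natd's or pf's code).
Shrinks the MSS option in a SYN to what fits behind PPPoE or IP-in-IP encapsulation and
keeps the TCP checksum correct without recomputing it over the whole segment."""
import struct

IPV4_HEADER = 20
TCP_HEADER = 20
OPT_END, OPT_NOP, OPT_MSS = 0, 1, 2


def usable_mss(link_mtu, encap_overhead):
    """Largest TCP payload that still fits one unfragmented packet behind the encapsulation."""
    return link_mtu - encap_overhead - IPV4_HEADER - TCP_HEADER


def ones_complement_sum(data):
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip, dst_ip, segment):
    """Full TCP checksum over the IPv4 pseudo-header and the segment."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    return ~ones_complement_sum(pseudo + segment) & 0xFFFF


def checksum_valid(src_ip, dst_ip, segment):
    # A segment whose checksum field is correct sums to one's-complement zero
    return tcp_checksum(src_ip, dst_ip, segment) in (0, 0xFFFF)


def checksum_update16(old_csum, old_word, new_word):
    """Incremental checksum update for one changed 16-bit word (RFC 1624, eq. 3)."""
    total = (~old_csum & 0xFFFF) + (~old_word & 0xFFFF) + new_word
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _mss_option_offset(segment):
    """Byte offset of the MSS value in a SYN's option list, or None if absent."""
    if len(segment) < TCP_HEADER:
        raise ValueError("truncated TCP header")
    data_offset = (segment[12] >> 4) * 4
    if data_offset < TCP_HEADER or data_offset > len(segment):
        raise ValueError("bad data offset")
    if not segment[13] & 0x02:          # MSS is only meaningful on SYN segments
        return None
    i = TCP_HEADER
    while i < data_offset:
        kind = segment[i]
        if kind == OPT_END:
            return None
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= data_offset:
            raise ValueError("truncated option")
        length = segment[i + 1]
        if length < 2 or i + length > data_offset:
            raise ValueError("bad option length")
        if kind == OPT_MSS and length == 4:
            return i + 2
        i += length
    return None


def mss_of(segment):
    off = _mss_option_offset(segment)
    return None if off is None else struct.unpack_from("!H", segment, off)[0]


def clamp_mss(segment, max_mss):
    """Lower the SYN's MSS to max_mss if it is larger; returns (segment, original MSS)."""
    off = _mss_option_offset(segment)
    if off is None:
        return segment, None
    old_mss = struct.unpack_from("!H", segment, off)[0]
    if old_mss <= max_mss:
        return segment, old_mss
    buf = bytearray(segment)
    struct.pack_into("!H", buf, off, max_mss)
    old_csum = struct.unpack_from("!H", buf, 16)[0]
    struct.pack_into("!H", buf, 16, checksum_update16(old_csum, old_mss, max_mss))
    return bytes(buf), old_mss


def build_syn(src_ip, dst_ip, sport, dport, mss):
    """Constructed sample SYN carrying an MSS option and a correct checksum (test data)."""
    header = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 6 << 4, 0x02, 65535, 0, 0)
    segment = header + struct.pack("!BBH", OPT_MSS, 4, mss)
    csum = tcp_checksum(src_ip, dst_ip, segment)
    return segment[:16] + struct.pack("!H", csum) + segment[18:]


if __name__ == "__main__":
    laptop, server2 = bytes([10, 0, 5, 21]), bytes([10, 0, 3, 2])   # addresses from the drawing
    syn = build_syn(laptop, server2, 45642, 80, 1460)
    fixed, before = clamp_mss(syn, usable_mss(1500, 20))             # 1500-byte link, IP-in-IP
    print("MSS %d -> %d, checksum valid: %s" % (before, mss_of(fixed), checksum_valid(laptop, server2, fixed)))
```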
Re: Question about ipfw, natd and port forwarding.
Deling Ren [EMAIL PROTECTED]:
> Hi all, I am trying to setup a NAT box for my home network on freebsd 5.3. I am using ipfw and natd. I already got nat running but I am having a problem with port forwarding. I am trying to forward port 80 on the nat box to an internal machine (192.168.0.7). I have the following as part of
>
> I have no problem connecting to port 80 on the nat box from outside. But as I added stateful ipfw rules, it stops working. Running nmap from outside says port 80 is filtered. I am not sure how to configure the rules to enable port forwarding. Any help will be appreciated. Thanks.
>
> 5 allow ip from any to any via $iif

This is a limitation of ipfw, nat cannot be used with keep-state rules. If $iif above is ppp you can get around this by configuring ppp(8) to perform nat.

Jeff
solution: ipfw, natd
Hi!

With this order (rules 201, 501, 502), everything works well. Other orders, although intuitively correct, don't behave as expected. I tried divert, allow all from internal, check-state and nothing happened.

# enable the natd
add 00201 divert natd all from any to any via sis0

### TCP ###
# per default only outgoing tcp connections, established from my host, are allowed
# check against the dynamic rulesets, then allow traffic from internal network
add 00501 check-state
add 00502 allow all from any to any via vr0 keep-state
add 00503 deny tcp from any to any in established via sis0
add 00504 deny all from any to any frag in via sis0
# allow all tcp setup connections
add 00505 allow tcp from any to any out via sis0 setup keep-state

Was hard to find, not well documented. The handbook suggests firewalltype OPEN, which is in fact not very sensible! A few more words on this would be fine, or a reference to the Ipfw-Advanced-Supplement-HOWTO, which covers this case.

Florian
Re: Question about ipfw, natd and port forwarding.
Deling Ren [EMAIL PROTECTED] writes:
> Hi all, I am trying to setup a NAT box for my home network on freebsd 5.3. I am using ipfw and natd. I already got nat running but I am having a problem with port forwarding. I am trying to forward port 80 on the nat box to an internal machine (192.168.0.7). I have the following as part of natd_flags:
>
> -redirect_port tcp 192.168.0.7:80 xx.xx.xx.xx:80
>
> where xx.xx.xx.xx is the external IP of the nat box. Using the following ipfw rules:
>
> 00050 divert 8668 ip from any to any via sis0
> 65535 allow ip from any to any
>
> I have no problem connecting to port 80 on the nat box from outside. But as I added stateful ipfw rules, it stops working. Running nmap from outside says port 80 is filtered. I am not sure how to configure the rules to enable port forwarding. Any help will be appreciated. Thanks.
>
> Deling
>
> Here are my ipfw rules:
>
> 5 allow ip from any to any via $iif
> 00010 allow ip from any to any via lo0
> 00014 divert 8668 ip from any to any in via $oif
> 00015 check-state
> 00060 skipto 800 tcp from any to any out via $oif setup keep-state
> 00080 skipto 800 icmp from any to any out via $oif keep-state
> 00130 skipto 800 udp from any to any out via $oif keep-state
> 00340 allow icmp from any to me in via $oif keep-state
> 00360 allow tcp from any to any dst-port 80 in via $oif setup keep-state
> 00380 allow tcp from any to me dst-port 22 in via $oif setup limit src-addr 5
> 00400 deny log logamount 5 ip from any to any in via $oif
> 00450 deny log logamount 5 ip from any to any out via $oif
> 00800 divert 8668 ip from any to any out via $oif
> 00801 allow ip from any to any
> 00999 deny log logamount 5 ip from any to any

Stateful rules are quite tricky in combination with address rewriting, because the state being saved won't match the packet after it's passed through the rewriting. This rule set seems to handle that by splitting the redirect rule into one for each direction, but I'd still look in that direction for the trouble. Try removing the log limits and seeing what happens when an HTTP packet gets dropped.
Question about ipfw, natd and port forwarding.
Hi all, I am trying to setup a NAT box for my home network on freebsd 5.3. I am using ipfw and natd. I already got nat running but I am having a problem with port forwarding. I am trying to forward port 80 on the nat box to an internal machine (192.168.0.7). I have the following as part of natd_flags:

-redirect_port tcp 192.168.0.7:80 xx.xx.xx.xx:80

where xx.xx.xx.xx is the external IP of the nat box. Using the following ipfw rules:

00050 divert 8668 ip from any to any via sis0
65535 allow ip from any to any

I have no problem connecting to port 80 on the nat box from outside. But as I added stateful ipfw rules, it stops working. Running nmap from outside says port 80 is filtered. I am not sure how to configure the rules to enable port forwarding. Any help will be appreciated. Thanks.

Deling

Here are my ipfw rules:

5 allow ip from any to any via $iif
00010 allow ip from any to any via lo0
00014 divert 8668 ip from any to any in via $oif
00015 check-state
00060 skipto 800 tcp from any to any out via $oif setup keep-state
00080 skipto 800 icmp from any to any out via $oif keep-state
00130 skipto 800 udp from any to any out via $oif keep-state
00340 allow icmp from any to me in via $oif keep-state
00360 allow tcp from any to any dst-port 80 in via $oif setup keep-state
00380 allow tcp from any to me dst-port 22 in via $oif setup limit src-addr 5
00400 deny log logamount 5 ip from any to any in via $oif
00450 deny log logamount 5 ip from any to any out via $oif
00800 divert 8668 ip from any to any out via $oif
00801 allow ip from any to any
00999 deny log logamount 5 ip from any to any
Re: Help with IPFW + NATD + Passive FTP
James A. Coulter [EMAIL PROTECTED] writes:
> Here is my IPFW ruleset and my rc.conf. Hoping someone can point out the error of my ways.

You have a very restrictive ruleset there. On my home network, I allow everything to go out from inside. If you don't do that, my favorite options would be to either use the '-punch_fw' option to natd, or run some sort of FTP proxy on the gateway.
Help with IPFW + NATD + Passive FTP
Hoping someone can provide a solution to the following problem:

I am using a FBSD 4.10 box as a gateway/router/firewall between a cable modem and my home lan and it's been working great for several months. All machines behind my firewall are able to connect to the outside world for http, e-mail, ping, ssh, and active ftp transfers.

Last night I installed FBSD 4.10 on a box behind the firewall. The installation went fine, but when I attempted to install some packages via the FBSD ports collection I ran into the known problem establishing passive FTP connections through IPFW with NATD enabled. I am able to establish ftp connections, but when the client switches to passive mode the connection hangs. So I am unable to use the ports collection or cvsup on the FBSD box behind the firewall.

I have been googling for several hours and found lots of references, but all the solutions I have found appear to be about allowing passive FTP connections on the box running IPFW and NATD (which my ruleset already allows - no problems using ports or cvsup from the gateway/router/firewall). I've tried several different configurations in the IPFW ruleset, but so far no luck.

Here is my IPFW ruleset and my rc.conf. Hoping someone can point out the error of my ways.

TIA,
Jim

#!/bin/sh
### Start of IPFW rules file ###
# Flush out the list before we begin.
ipfw -q -f flush

# Set rules command prefix
cmd="ipfw -q add"
skip="skipto 800"
pif="dc1"     # public interface name of Nic card
              # facing the public internet
#
# No restrictions on Inside Lan Interface for private network
# Change xl0 to your Lan Nic card interface name
#
$cmd 005 allow all from any to any via dc0
#
# No restrictions on Loopback Interface
#
$cmd 010 allow all from any to any via lo0
#
# check if packet is inbound and nat address if it is
#
$cmd 014 divert natd ip from any to any in via $pif
#
# Allow the packet through if it has previously been added to the
# dynamic rules table by an allow keep-state statement.
#
$cmd 015 check-state
#
# Interface facing Public internet (Outbound Section)
# Interrogate session start requests originating from behind the
# firewall on the private network or from this gateway server
# destined for the public internet.
#
# Allow out access to my ISP's Domain name server.
# x.x.x.x must be the IP address of your ISP's DNS
# Dup these lines if your ISP has more than one DNS server
# Get the IP addresses from /etc/resolv.conf file
$cmd 020 $skip udp from any to 193.0.14.129 53 out via $pif keep-state
$cmd 021 $skip udp from any to 68.1.18.25 53 out via $pif keep-state
$cmd 022 $skip udp from any to 68.10.16.30 53 out via $pif keep-state
$cmd 023 $skip udp from any to 68.105.161.20 53 out via $pif keep-state
$cmd 024 $skip tcp from any to 193.0.14.129 53 out via $pif setup keep-state
$cmd 025 $skip tcp from any to 68.1.18.25 53 out via $pif setup keep-state
$cmd 026 $skip tcp from any to 68.10.16.30 53 out via $pif setup keep-state
$cmd 027 $skip tcp from any to 68.105.161.20 53 out via $pif setup keep-state

# Allow out access to my ISP's DHCP server for cable/DSL configurations.
$cmd 030 $skip udp from any to 172.19.17.22 67 out via $pif keep-state

# Allow out non-secure standard www function
$cmd 040 $skip tcp from any to any 80 out via $pif setup keep-state

# Allow out secure www function https over TLS SSL
$cmd 050 $skip tcp from any to any 443 out via $pif setup keep-state

# Allow out send get email function
$cmd 060 $skip tcp from any to any 25 out via $pif setup keep-state
$cmd 061 $skip tcp from any to any 110 out via $pif setup keep-state

# Allow out FBSD (make install CVSUP) functions
# Basically give user root GOD privileges.
$cmd 070 $skip tcp from me to any out via $pif setup keep-state uid root
$cmd 071 $skip tcp from me to any out via $pif setup keep-state uid jacoulter

# Tried this to allow passive ftp from behind firewall - didn't work
#$cmd 073 $skip tcp from any to any out via $pif setup keep-state uid root
#$cmd 074 $skip tcp from any to any out via $pif setup keep-state uid jacoulter

# Allow out ping
$cmd 080 $skip icmp from any to any out via $pif keep-state

# Allow out Time
$cmd 090 $skip tcp from any to any 37 out via $pif setup keep-state

# Allow out nntp news (IE: news groups)
$cmd 100 $skip tcp
RE: IPFW NATD
<snip>
> Hi
>
> I'm trying to setup natd to port forward to a http, ftp and vnc server behind the natd box. But I only want a customer from their static ip address to be able to login and block everything else. Is this possible in a natd environment? Any examples? Port forwarding works ok, I just can't figure out the rules to stop everyone and allow this one client.
>
> Cheers
> Brian

> Brian,
>
> If you've got the portforwarding working, then a few IPFW rules will add the security you're looking for. If your divert rule is number 100, then add a few rules above it, like this:
>
> ipfw add 50 skipto 100 tcp from [static.ip.of.customer] to [public.ip.of.nat.box] 80
> ipfw add 51 skipto 100 tcp from [static.ip.of.customer] to [public.ip.of.nat.box] 21
> ipfw add 52 skipto 100 tcp from [static.ip.of.customer] to [public.ip.of.nat.box] [VNC port]
> ipfw add 53 deny tcp from any to [public.ip.of.nat.box] 80
> ipfw add 54 deny tcp from any to [public.ip.of.nat.box] 21
> ipfw add 55 deny tcp from any to [public.ip.of.nat.box] [VNC port]
>
> The first three rules pass the traffic from the specified IP to the divert rule, to natd, and it gets portforwarded. Any other traffic on those ports gets blocked, and doesn't get diverted.
<snip>

This worked a treat, thanks very much.

Brian

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.773 / Virus Database: 520 - Release Date: 05/10/2004
IPFW NATD
Hi

I'm trying to setup natd to port forward to a http, ftp and vnc server behind the natd box. But I only want a customer from their static ip address to be able to login and block everything else. Is this possible in a natd environment? Any examples? Port forwarding works ok, I just can't figure out the rules to stop everyone and allow this one client.

Cheers
Brian

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.773 / Virus Database: 520 - Release Date: 05/10/2004
RE: IPFW NATD
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian
> Sent: Thursday, October 14, 2004 11:01 AM
> To: 'FreeBSD Questions'
> Subject: IPFW NATD
>
> Hi
>
> I'm trying to setup natd to port forward to a http, ftp and vnc server behind the natd box. But I only want a customer from their static ip address to be able to login and block everything else. Is this possible in a natd environment? Any examples? Port forwarding works ok, I just can't figure out the rules to stop everyone and allow this one client.
>
> Cheers
> Brian
>
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.773 / Virus Database: 520 - Release Date: 05/10/2004

Brian,

If you've got the portforwarding working, then a few IPFW rules will add the security you're looking for. If your divert rule is number 100, then add a few rules above it, like this:

ipfw add 50 skipto 100 tcp from [static.ip.of.customer] to [public.ip.of.nat.box] 80
ipfw add 51 skipto 100 tcp from [static.ip.of.customer] to [public.ip.of.nat.box] 21
ipfw add 52 skipto 100 tcp from [static.ip.of.customer] to [public.ip.of.nat.box] [VNC port]
ipfw add 53 deny tcp from any to [public.ip.of.nat.box] 80
ipfw add 54 deny tcp from any to [public.ip.of.nat.box] 21
ipfw add 55 deny tcp from any to [public.ip.of.nat.box] [VNC port]

The first three rules pass the traffic from the specified IP to the divert rule, to natd, and it gets portforwarded. Any other traffic on those ports gets blocked, and doesn't get diverted.

Kevin Glick
ITS Manager
Sterling Business Forms
[EMAIL PROTECTED]
RE: IPFW/NATD Transparent Proxy
> Your ipfw rules are invalid.

They seem to work perfectly. My only gripe is that static rule #15100 is required to succeed with redirect_port from 1.2.3.4:80 to 192.168.2.250:80 when 192.168.1.247 requests a web page using the domain name for 1.2.3.4. I'm looking for a solution that doesn't require rule #15100.

> This causes the dynamic internal state table to cross match packets in error because it does not keep track of which interface the packet is from. This has been a long time bug in stateful rules for NATed interfaces. Technically your whole stateful environment is being forced to look like it's working when in fact it's almost useless.

How can that be? If I'm on 192.168.2.100, I can make a request to www.cnn.com and it works fine. Yet I have no rule that allows any packets to be accepted IN via my outside nic (de0), and no rule that allows any port 80 OUT to my private lan on de2. That sounds to me like the dynamic rules are working. How else are the packets getting into de0 and out to de2?

> That is why the stateful + nated rule example from the new firewall rewrite uses skipto rules to work around this problem.

I'm using skipto's as well, just not using the keep-state parameter on the skipto rule. I don't believe the transparent proxy problem I'm having is a result of skipto. It's a chicken/egg issue when using stateful rules because either NATD or the original nic remembers that the packet changed when it got redirected.

If I allow the stateful rule first, it gets created as 192.168.1.247 - 1.2.3.4 and immediately starts communicating with the outside interface due to the dynamic rule bypassing the rest of the firewall. So the packets never get to go through the divert rule to be redirected to 192.168.2.250.

If I go through divert first (as in my firewall example), the packet matches rule 100, the destination gets changed to 192.168.2.250, and the packet continues down through the firewall. Great! Next, it matches on 300 and gets passed to 15000 where the dynamic rule 192.168.1.247 - 192.168.2.250 gets created. More greatness! When 192.168.2.250 replies to 192.168.1.247, that packet also matches rule 100, gets diverted and NATD rewrites the source to the original IP address so the packet is now configured as 1.2.3.4 - 192.168.1.247. Continued greatness! But now, the packet gets denied at 15200 (remember 15100 does not exist in this example) because there's no rule to allow 1.2.3.4 to communicate with 192.168.1.247. Hence, I have to add in #15100 to explicitly allow 1.2.3.4 to communicate with 192.168.1.247. In my example ruleset I simply allowed anything to go out via de1.

> Basically the unpublished rule of thumb is ipfw keep-state rules can not be used on the internal interface and external interface in the same rule set. Keep-state rules can only be used on the external interface. There are no error messages to enforce this.

Actually, the only problem I've run into is the combination of external/internal with NATD doing a redirect_port or redirect_address. I've not run into any problems with external/internal and normal NATD address translations.

J

IPFW RULES
==========
00100 divert 9000 log ip from any to any
00200 allow log ip from any to any out via de0 keep-state
00300 skipto 15000 log ip from any to any via de1
00400 skipto 2 log ip from any to any via de2
00500 deny log ip from any to any
15000 allow log ip from any to any in via de1 keep-state
15100 allow log ip from any to any out via de1
15200 deny log ip from any to any
2 allow log ip from any to any in via de2 keep-state
20100 allow log ip from any to any dst-port 80 out via de2 keep-state
20200 deny log ip from any to any
20300 deny log ip from any to any

NATD Config File (/etc/natd.conf)
redirect_port tcp 192.168.2.250:80 1.2.3.4:80

NATD Command
/sbin/natd -dynamic -n de0 -p 9000 -f /etc/natd.conf
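The rule walk J describes above, as an added example that is not ipfw's or natd's code: a small Python model of rule evaluation with a natd divert, enough to show the dynamic entry being recorded on the already-rewritten request and then failing to match the translated reply, so that the reply is decided by static rule 15100 (or 15200 without it). It models only J's de1-side passes; addresses and rule numbers are J's, and the skipto target shown as '2' in the listing is assumed to be 20000.

```python
"""Simplified model of ipfw + natd rule evaluation (added example, not ipfw's own logic).
Models only: allow/deny/skipto/divert, in/out and 'via <iface>' matching, keep-state with
ipfw's implicit check-state at the first keep-state rule reached, and one redirect_port.
The skipto target printed as '2' in J's listing is assumed to be 20000."""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str   # "in" or "out"
    iface: str


@dataclass
class Rule:
    num: int
    action: str                      # "allow", "deny", "skipto" or "divert"
    target: int = 0                  # skipto target rule number
    direction: Optional[str] = None  # in/out qualifier, None matches both
    iface: Optional[str] = None      # 'via' qualifier, None matches any interface
    dport: Optional[int] = None      # dst-port qualifier
    keep_state: bool = False

    def matches(self, p):
        return ((self.direction is None or self.direction == p.direction)
                and (self.iface is None or self.iface == p.iface)
                and (self.dport is None or self.dport == p.dport))


class Natd:
    """redirect_port tcp <inside>:<iport> <public>:<pport>, applied in both directions."""

    def __init__(self, inside, iport, public, pport):
        self.inside, self.iport, self.public, self.pport = inside, iport, public, pport

    def translate(self, p):
        if (p.dst, p.dport) == (self.public, self.pport):   # request for the public address
            return replace(p, dst=self.inside, dport=self.iport)
        if (p.src, p.sport) == (self.inside, self.iport):   # reply from the inside server
            return replace(p, src=self.public, sport=self.pport)
        return p


class Firewall:
    def __init__(self, rules, natd):
        self.rules = sorted(rules, key=lambda r: r.num)
        self.natd = natd
        self.states = {}   # flow 4-tuple -> (action, rule number) of the creating keep-state rule

    @staticmethod
    def flow(p):
        return (p.src, p.sport, p.dst, p.dport)

    def process(self, p):
        """One pass of one packet through the rules; returns (verdict, deciding rule number)."""
        i, state_checked = 0, False
        while i < len(self.rules):
            r = self.rules[i]
            # The implicit check-state fires at the first keep-state rule reached, which is
            # after rule 100 has already let natd rewrite the packet: that is J's problem.
            if r.keep_state and not state_checked:
                state_checked = True
                if self.flow(p) in self.states:
                    return self.states[self.flow(p)]
            if not r.matches(p):
                i += 1
                continue
            if r.action == "divert":
                p = self.natd.translate(p)
                i += 1
                continue
            if r.action == "skipto":
                i = next((k for k, x in enumerate(self.rules) if x.num >= r.target), len(self.rules))
                continue
            if r.keep_state:   # the flow is recorded as seen after translation, both directions
                self.states[self.flow(p)] = (r.action, r.num)
                self.states[(p.dst, p.dport, p.src, p.sport)] = (r.action, r.num)
            return r.action, r.num
        return "deny", 65535   # ipfw's default rule


def j_ruleset(with_15100):
    """J's rule set from the post above, log keywords dropped."""
    rules = [
        Rule(100, "divert"),
        Rule(200, "allow", direction="out", iface="de0", keep_state=True),
        Rule(300, "skipto", target=15000, iface="de1"),
        Rule(400, "skipto", target=20000, iface="de2"),
        Rule(500, "deny"),
        Rule(15000, "allow", direction="in", iface="de1", keep_state=True),
        Rule(15200, "deny"),
        Rule(20000, "allow", direction="in", iface="de2", keep_state=True),
        Rule(20100, "allow", direction="out", iface="de2", dport=80, keep_state=True),
        Rule(20200, "deny"),
    ]
    if with_15100:
        rules.append(Rule(15100, "allow", direction="out", iface="de1"))
    return rules


def walk_through(with_15100):
    """192.168.1.247 asks 1.2.3.4:80 (in via de1); the inside server's reply leaves via de1.
    Returns (request verdict, reply verdict, firewall) so the state table can be inspected."""
    fw = Firewall(j_ruleset(with_15100), Natd("192.168.2.250", 80, "1.2.3.4", 80))
    request = Packet("192.168.1.247", 40000, "1.2.3.4", 80, "in", "de1")
    reply = Packet("192.168.2.250", 80, "192.168.1.247", 40000, "out", "de1")
    return fw.process(request), fw.process(reply), fw
```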
RE: IPFW/NATD Transparent Proxy
A new rewrite of the FreeBSD handbook firewall section is currently being made ready for update to the handbook. You can get an in-process copy from www.a1poweruser.com/FBSD_firewall/

From what you posted it looks like you want public internet users to access a web server on one of your LAN machines. Both ipfw and ipfilter do this normally with port redirect.

You need to post more info about your system config. Post the full contents of your rc.conf and firewall rules files.

The limit you write about ipfilter is not true.

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> Sent: Sunday, August 08, 2004 2:11 PM
> To: [EMAIL PROTECTED]
> Subject: IPFW/NATD Transparent Proxy
>
> Anyone up for a challenge? I've come to the conclusion that IPFW/NATD cannot support transparent proxying with ONLY stateful rules. I'd like to hear from anyone who has been successful doing so in case I'm missing something.
>
> Configuration is:
> FreeBSD 5.2.1
> 3 - NICS (de0, de1, de2)
> de1 = Public IP = 1.2.3.4
> de2 = LAN1 = 192.168.1.0
> de3 = LAN2 = 192.168.2.0
>
> The challenge:
> 1) TCP request from 192.168.1.247 to 1.2.3.4:80
> 2) Redirect 1.2.3.4:80 to 192.168.2.250:80
> 3) Use stateful rules
>
> On another note, I read somewhere on the Internet that IPFILTER has a limitation in that it cannot redirect a public destination to a private destination if the source machine is on the same subnet as the redirected destination. In other words, the following supposedly will not work:
> 1) A tcp request from 192.168.1.247 to 1.2.3.4:80
> 2) Redirect 1.2.3.4:80 to 192.168.1.100:80
>
> Is this an accurate limitation of IPFILTER?
>
> J
Re: IPFW/NATD Transparent Proxy
On Sunday 08 August 2004 04:38 pm, JJB wrote:
> A new rewrite of the FreeBSD handbook firewall section is currently being made ready for update to the handbook. You can get an in-process copy from www.a1poweruser.com/FBSD_firewall/

The firewall rewrite only deals with a single public nic and a single internal nic and does not have the information I require.

> From what you posted it looks like you want public internet users to access a web server on one of your LAN machines. Both ipfw and ipfilter do this normally with port redirect.

No, I want a user on 192.168.1.247 to be redirected to 192.168.2.250:80 when they request 1.2.3.4:80, where 1.2.3.4 is a PUBLIC ip number on the FreeBSD internet gateway. Again, the configuration is:

de0 = PUBLIC IP = 1.2.3.4
de1 = 192.168.1.1
de2 = 192.168.2.1

I don't have a problem with incoming requests for 1.2.3.4:80 from the Internet being redirected to 192.168.2.250. That works fine. But I want someone on 192.168.1.247 to ALSO be redirected to 192.168.2.250:80 when they request the public address 1.2.3.4:80.

Put another way, I have a FreeBSD server acting as a Router/Firewall. It has a public interface with an IP number of 1.2.3.4 and is assigned the DNS name www.ishouldhaveusedipfilter.com. It also has a second NIC that supports a private address space of 192.168.1.0/255.255.255.0 and a third NIC that supports a private address space of 192.168.2.0/255.255.255.0.

When someone from the Internet tries to reach www.ishouldhaveusedipfilter.com they get redirected to 192.168.2.250 because I've included a redirect_port rule for NATD. This works fine.

But, users on all private networks (I have two, but there could be 20) also need to be redirected to 192.168.2.250 when they try to go to www.ishouldhaveusedipfilter.com. So the user sitting at 192.168.1.247 shouldn't have to worry about putting in the IP number of the company web server, they should just be able to put in the company domain name (www.ishouldhaveusedipfilter.com) and be redirected to 192.168.2.250 just like anyone coming from the outside.

> You need to post more info about your system config. Post the full contents of your rc.conf and firewall rules files.

My rc.conf file is properly configured and has no bearing on my question. My gateway works fine from public to private IP space and private to public IP space. I've tried so many combinations of rules and NATD options that I wouldn't know what to post. What I need is someone who has completed a similar configuration to send me their configuration (change the IP numbers if you like). From what I can see, I don't believe this is possible with stateful rules. Let me add that I've been successful with stateless rules, but I'd like to use 100% stateful if possible.

> The limit you write about ipfilter is not true.
>
>> -----Original Message-----
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
>> Sent: Sunday, August 08, 2004 2:11 PM
>> To: [EMAIL PROTECTED]
>> Subject: IPFW/NATD Transparent Proxy
>>
>> Anyone up for a challenge? I've come to the conclusion that IPFW/NATD cannot support transparent proxying with ONLY stateful rules. I'd like to hear from anyone who has been successful doing so in case I'm missing something.
>>
>> Configuration is:
>> FreeBSD 5.2.1
>> 3 - NICS (de0, de1, de2)
>> de1 = Public IP = 1.2.3.4
>> de2 = LAN1 = 192.168.1.0
>> de3 = LAN2 = 192.168.2.0
>>
>> The challenge:
>> 1) TCP request from 192.168.1.247 to 1.2.3.4:80
>> 2) Redirect 1.2.3.4:80 to 192.168.2.250:80
>> 3) Use stateful rules
>>
>> On another note, I read somewhere on the Internet that IPFILTER has a limitation in that it cannot redirect a public destination to a private destination if the source machine is on the same subnet as the redirected destination. In other words, the following supposedly will not work:
>> 1) A tcp request from 192.168.1.247 to 1.2.3.4:80
>> 2) Redirect 1.2.3.4:80 to 192.168.1.100:80
>>
>> Is this an accurate limitation of IPFILTER?
>>
>> J
RE: IPFW/NATD Transparent Proxy
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Sunday, August 08, 2004 5:43 PM
To: [EMAIL PROTECTED]
Subject: Re: IPFW/NATD Transparent Proxy

> On Sunday 08 August 2004 04:38 pm, JJB wrote:
>> A new rewrite of the FreeBSD handbook firewall section is currently being made ready for update to the handbook. You can get an in-process copy from www.a1poweruser.com/FBSD_firewall/
>
> The firewall rewrite only deals with a single public nic and a single internal nic and does not have the information I require.
>
>> From what you posted looks like you want public internet users to access web server on one of your LAN machines. Both ipfw and ipfilter do this normally with port redirect.
>
> No, I want a user on 192.168.1.247 to be redirected to 192.168.2.250:80 when they request 1.2.3.4:80, where 1.2.3.4 is a PUBLIC ip number on the FreeBSD internet gateway.
>
> Again, the configuration is
> de0 = PUBLIC IP = 1.2.3.4
> de1 = 192.168.1.1
> de2 = 192.168.2.1
>
> I don't have a problem with incoming requests for 1.2.3.4:80 from the Internet being redirected to 192.168.2.250. That works fine. But I want someone on 192.168.1.247 to ALSO be redirected to 192.168.2.250:80 when they request the public address 1.2.3.4:80.

Could you send us (or me, personally) your firewall script, and the address you want to use?

Thanks.

Eric F Crist
Re: IPFW/NATD Transparent Proxy
--On Sunday, August 08, 2004 18:43:21 -0400 [EMAIL PROTECTED] wrote:

> No, I want a user on 192.168.1.247 to be redirected to 192.168.2.250:80 when they request 1.2.3.4:80, where 1.2.3.4 is a PUBLIC ip number on the FreeBSD internet gateway.
>
> Again, the configuration is
> de0 = PUBLIC IP = 1.2.3.4
> de1 = 192.168.1.1
> de2 = 192.168.2.1
>
> I don't have a problem with incoming requests for 1.2.3.4:80 from the Internet being redirected to 192.168.2.250. That works fine. But I want someone on 192.168.1.247 to ALSO be redirected to 192.168.2.250:80 when they request the public address 1.2.3.4:80.
>
> Put another way, I have a FreeBSD server acting as a Router/Firewall. It has a public interface with an IP number of 1.2.3.4 and is assigned the DNS name www.ishouldhaveusedipfilter.com. It also has a second NIC that supports a private address space of 192.168.1.0/255.255.255.0 and a third NIC that supports a private address space of 192.168.2.0/255.255.255.0
>
> When someone from the Internet tries to reach www.ishouldhaveusedipfilter.com they get redirected to 192.168.2.250 because I've included a redirect_port rule for NATD. This works fine.
>
> But, users on all private networks (I have two, but there could be 20) also need to be redirected to 192.168.2.250 when they try to go to www.ishouldhaveusedipfilter.com
>
> So the user sitting at 192.168.1.247 shouldn't have to worry about putting in the IP number of the company web server, they should just be able to put in the company domain name (www.ishouldhaveusedipfilter.com) and be redirected to 192.168.2.250 just like anyone coming from the outside.

It seems to me that the best way to handle this is through DNS. Hosts within your LAN should resolve www.ishouldhaveusedipfilter.com to 192.168.2.250 instead of 1.2.3.4.

Typically, you would have an externally visible DNS server which is authoritative for your domain; and which lists only the publicly visible machines and IP addresses. (It should -NOT- handle referrals at all.)

Somewhere within your LAN you would have another DNS server that is authoritative for your internal domain and IP range. It may handle referrals; but it is safer to have a completely separate DNS server which just handles referrals (and possibly caches results) - it should be explicitly told to use your LAN's authoritative server for your domain and IP range.

With this setup, outside machines see the public address, which is redirected via your firewall/NAT rules; but internal machines see the internal address and access it directly.

-Pat
Re: IPFW/NATD Transparent Proxy
de0 = 1.2.3.4 (make up any valid public ip) (mydomain.com)
de1 = 192.168.1.1
de2 = 192.168.2.1

When 192.168.1.247 requests a web page from MYDOMAIN.COM the request needs to be forwarded to 192.168.2.250:80

In the ruleset below, 15100 is required for this to work. If I pull out 15100 I get no response from the web page because there is no rule to allow 1.2.3.4 back out to 192.168.1.247. I can't find a solution that does not require an explicit rule to allow 1.2.3.4 back out to 192.168.1.247. In other words, I can't find a set of rules that allows dynamic setup of

192.168.1.247: -> 1.2.3.4:80
192.168.1.247: -> 192.168.2.250:80

I hope this information helps. Thanks in advance for pointing me in the right direction.

IPFW RULES
==========
00100 divert 9000 log ip from any to any
00200 allow log ip from any to any out via de0 keep-state
00300 skipto 15000 log ip from any to any via de1
00400 skipto 2 log ip from any to any via de2
00500 deny log ip from any to any
15000 allow log ip from any to any in via de1 keep-state
15100 allow log ip from any to any out via de1
15200 deny log ip from any to any
2 allow log ip from any to any in via de2 keep-state
20100 allow log ip from any to any dst-port 80 out via de2 keep-state
20200 deny log ip from any to any
20300 deny log ip from any to any

NATD Config File (/etc/natd.conf)
redirect_port tcp 192.168.2.250:80 1.2.3.4:80

NATD Command
/sbin/natd -dynamic -n de0 -p 9000 -f /etc/natd.conf

On Sunday 08 August 2004 06:30 pm, Eric Crist wrote:
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> Sent: Sunday, August 08, 2004 5:43 PM
> To: [EMAIL PROTECTED]
> Subject: Re: IPFW/NATD Transparent Proxy
>
>> On Sunday 08 August 2004 04:38 pm, JJB wrote:
>>> A new rewrite of the FreeBSD handbook firewall section is currently being made ready for update to the handbook. You can get an in-process copy from www.a1poweruser.com/FBSD_firewall/
>>
>> The firewall rewrite only deals with a single public nic and a single internal nic and does not have the information I require.
>>
>>> From what you posted looks like you want public internet users to access web server on one of your LAN machines. Both ipfw and ipfilter do this normally with port redirect.
>>
>> No, I want a user on 192.168.1.247 to be redirected to 192.168.2.250:80 when they request 1.2.3.4:80, where 1.2.3.4 is a PUBLIC ip number on the FreeBSD internet gateway.
>>
>> Again, the configuration is
>> de0 = PUBLIC IP = 1.2.3.4
>> de1 = 192.168.1.1
>> de2 = 192.168.2.1
>>
>> I don't have a problem with incoming requests for 1.2.3.4:80 from the Internet being redirected to 192.168.2.250. That works fine. But I want someone on 192.168.1.247 to ALSO be redirected to 192.168.2.250:80 when they request the public address 1.2.3.4:80.
>
> Could you send us (or me, personally) your firewall script, and the address you want to use?
>
> Thanks.
>
> Eric F Crist
ipfw + natd + stateful rules. For the archives
For the list's archives. Here is everything you need for ipfw/natd/stateful.

Add these statements to kernel source and compile kernel to enable

# Enable kernel IPFW.
#
option IPFIREWALL                   # Adds filtering code into kernel
option IPFIREWALL_VERBOSE           # enable logging thru syslogd(8)
option IPFIREWALL_VERBOSE_LIMIT=5   # stop attack via syslog flooding
option IPDIVERT                     # needed to use natd from IPFW

/etc/rc.conf

# Required For IPFW kernel firewall support
firewall_enable="YES"               # Start daemon
firewall_script="/etc/ipfw.rules"   # run my custom rules if present
                                    # sh /etc/ipfw.rules will load
                                    # new rules file after editing.
firewall_logging="YES"              # Enable events logging
natd_enable="YES"                   # Required For IPFW nat function
natd_interface="rl0"                # interface name of public internet Nic
natd_flags="-dynamic -m"            # -m = preserve port numbers if possible

Here is the /etc/ipfw.rules file without comments.

#!/bin/sh
cmd="ipfw -q add"
skip="skipto 500"
pif="rl0"
ks="keep-state"
good_tcpo="22,25,37,43,53,80,443,110,119"
ipfw -q -f flush
$cmd 002 allow all from any to any via xl0   # exclude Lan traffic
$cmd 003 allow all from any to any via lo0   # exclude loopback traffic
$cmd 100 divert natd ip from any to any in via $pif
$cmd 101 check-state
# Authorized outbound packets
$cmd 120 $skip udp from any to xx.168.240.2 53 out via $pif $ks
$cmd 121 $skip udp from any to xx.168.240.5 53 out via $pif $ks
$cmd 125 $skip tcp from any to any $good_tcpo out via $pif setup $ks
$cmd 130 $skip icmp from any to any out via $pif
$cmd 135 $skip udp from any to any 123 out via $pif $ks
# Deny all inbound traffic from non-routable reserved address spaces
$cmd 300 deny all from 192.168.0.0/16 to any in via $pif    # RFC 1918 private IP
$cmd 301 deny all from 172.16.0.0/12 to any in via $pif     # RFC 1918 private IP
$cmd 302 deny all from 10.0.0.0/8 to any in via $pif        # RFC 1918 private IP
$cmd 303 deny all from 127.0.0.0/8 to any in via $pif       # loopback
$cmd 304 deny all from 0.0.0.0/8 to any in via $pif         # loopback
$cmd 305 deny all from 169.254.0.0/16 to any in via $pif    # DHCP auto-config
$cmd 306 deny all from 192.0.2.0/24 to any in via $pif      # reserved for doc's
$cmd 307 deny all from 204.152.64.0/23 to any in via $pif   # Sun cluster interconnect
$cmd 308 deny all from 224.0.0.0/3 to any in via $pif       # Class D & E multicast
# Authorized inbound packets
$cmd 400 allow udp from xx.70.207.54 to any 68 in $ks
$cmd 420 allow tcp from any to me 80 in via $pif setup limit src-addr 1
$cmd 425 allow icmp from any to any icmptypes 0,3,11,12 in via $pif
$cmd 450 deny log ip from any to any
# This is skipto location for outbound stateful rules
$cmd 500 divert natd ip from any to any out via $pif
$cmd 510 allow ip from any to any
################ end of rules ##################

Here is the /etc/ipfw.rules file with comments.

#!/bin/sh
################ Start of IPFW rules file ###############
# Flush out the list before we begin.
ipfw -q -f flush
# Set rules command prefix
cmd="ipfw -q add"
skip="skipto 800"
pif="rl0"   # public interface name of Nic card facing the public internet
#
# No restrictions on Inside Lan Interface for private network
# Not needed unless you have Lan.
# Change xl0 to your Lan Nic card interface name
#
$cmd 005 allow all from any to any via xl0
#
# No restrictions on Loopback Interface
#
$cmd 010 allow all from any to any via lo0
$cmd 014 divert natd ip from any to any in via $pif
#
# Allow the packet through if it has previously been added to the
# dynamic rules table by an allow keep-state statement.
#
$cmd 015 check-state
#
# Interface facing Public internet (Outbound Section)
# Interrogate session start requests originating from behind the
# firewall on the private network or from this gateway server
# destined for the public internet.
#
# Allow out access to my ISP's Domain name server.
# x.x.x.x must be the IP address of your ISP's DNS
# Dup these lines if your ISP has more than one DNS server
# Get the IP addresses from /etc/resolv.conf file
$cmd 020 $skip tcp from any to xx.168.240.2 53 out via $pif setup keep-state
$cmd 021 $skip udp from any to xx.168.240.2 53 out via $pif keep-state
# Allow out access to my ISP's DHCP server for cable
problems with ipfw + natd rules
Hello, i have a problem with ipfw + natd. The problem is that my FreeBSD server isn't routing internet. First I used FreeBSD 4.9-STABLE, then i tried to upgrade to FreeBSD 4.9-RELEASE-p4. Result is the same - no internet for lan users. Take a look at my configuration files:

rc.conf:

defaultrouter="213.190.42.1"
hostname="localhost"
ifconfig_rl0="inet 192.168.0.1 netmask 255.255.255.0"    # inside (lan) interface
ifconfig_rl1="inet 213.190.42.48 netmask 255.255.255.0"  # outside (internet) interface
# some other stuff goes here
gateway_enable="YES"
natd_enable="YES"
natd_program="/sbin/natd"
natd_interface="rl1"
natd_flags=""
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.conf"
firewall_quiet="YES"
firewall_logging="YES"

ipfw.conf:

fwcmd="/sbin/ipfw -q"
${fwcmd} -f flush
${fwcmd} add 100 divert 8668 ip from any to any via rl1
${fwcmd} add 200 pass ip from any to any via lo0
${fwcmd} add 300 deny log ip from any to 127.0.0.0/8
${fwcmd} add 400 pass tcp from any 22,80,110,119,143,443,3306,5190,6667-7000 to any via rl1
${fwcmd} add 500 pass tcp from any to any 22,80,110,119,143,443,3306,5190,6667-7000 via rl1
${fwcmd} add 600 pass udp from any to any 53 via rl1
${fwcmd} add 700 pass udp from any 53 to any via rl1
${fwcmd} add 800 pass ip from any to any via rl0
${fwcmd} add 900 deny log all from any to any via rl1

# ipfw show
00100    80  48557 divert 8668 ip from any to any via rl1
00200     0      0 allow ip from any to any via lo0
00300     0      0 deny log ip from any to 127.0.0.0/8
00400    54  59678 allow tcp from any 22,80,110,119,143,443,3306,5190,6667-7000 to any via rl1
00500    26   1473 allow tcp from any to any dst-port 22,80,110,119,143,443,3306,5190,6667-7000 via rl1
006003177 allow udp from any to any dst-port 53 via rl1
00700     0      0 allow udp from any 53 to any via rl1
00800   226 101368 allow ip from any to any via rl0
00900    62  40857 deny log ip from any to any via rl1
65535  1598 333640 deny ip from any to any

/etc/sysctl.conf:
net.link.ether.ipfw=1

# cat /etc/services | grep natd
natd    8668/divert    # Network Address Translation

When I comment out rules 400 and 500 and add "allow all from any to any via rl1" it's all ok. The problem is somewhere in rules 400 and 500.
Re: problems with ipfw + natd rules
On Wed, 2004-03-31 at 20:27, Prodigy wrote:
> ${fwcmd} add 400 pass tcp from any 22,80,110,119,143,443,3306,5190,6667-7000 to any via rl1
> ${fwcmd} add 500 pass tcp from any to any 22,80,110,119,143,443,3306,5190,6667-7000 via rl1
>
> When I comment out rules 400 and 500 and add "allow all from any to any via rl1" it's all ok. The problem is somewhere in rules 400 and 500.

Those lines (400 and 500) sure look like they could cause trouble. Try chopping them up per port number/range across multiple lines.

ipfw and natd are nice for the quick-and-dirty setups, but if you need something more predictable, configurable, and debuggable... switch to ipfilter and ipnat. You'll find yourself very much in control over your firewall/nat environment.

Andre
Re: problems with ipfw + natd rules
I tried to allow only port 80, but the result is the same. I have also tried ipf + ipnat, but i need to block internet connection to some users by MAC address, and ipf doesn't know what a MAC address is. Maybe i can block MAC addresses with ipf + ipnat somehow? Btw FreeBSD version is 4.9.

> On Wed, 2004-03-31 at 20:27, Prodigy wrote:
>> ${fwcmd} add 400 pass tcp from any 22,80,110,119,143,443,3306,5190,6667-7000 to any via rl1
>> ${fwcmd} add 500 pass tcp from any to any 22,80,110,119,143,443,3306,5190,6667-7000 via rl1
>>
>> When I comment out rules 400 and 500 and add "allow all from any to any via rl1" it's all ok. The problem is somewhere in rules 400 and 500.
>
> Those lines (400 and 500) sure look like they could cause trouble. Try chopping them up per port number/range across multiple lines.
>
> ipfw and natd are nice for the quick-and-dirty setups, but if you need something more predictable, configurable, and debuggable... switch to ipfilter and ipnat. You'll find yourself very much in control over your firewall/nat environment.
>
> Andre
ipfw + natd - not sharing internet for LAN users
Hi, I have a problem with freebsd. I'm using ipfw + natd to share my internet connection with my network (LAN) users, but my server is not sharing internet. My server has internet. It pings google.com, etc.

Machine: FreeBSD 4.9-STABLE

Kernel configuration:

# ... Some other stuff goes here
options IPFIREWALL
options IPFIREWALL_FORWARD
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=10
options IPFIREWALL_DEFAULT_TO_ACCEPT    # Firewall is accepting all packets by default
options RANDOM_IP_ID
options TCP_DROP_SYNFIN
options IPSTEALTH
options IPDIVERT
# ... Some other stuff goes here

rc.conf:

defaultrouter="213.190.42.1"
hostname="panemune.net"
ifconfig_ed0="inet 192.168.0.1 netmask 255.255.255.0"    # Network (LAN) interface
ifconfig_ed1="inet 213.190.42.48 netmask 255.255.255.0"  # Internet (outside) interface
# ... here goes some other stuff, like sshd_enable="YES", etc
gateway_enable="YES"
firewall_enable="YES"
firewall_quiet="YES"
firewall_logging="YES"
natd_enable="YES"
natd_interface="ed1"
natd_flags="-f /usr/local/etc/natd.conf"

# cat /usr/local/etc/natd.conf
same_ports yes
use_sockets yes
unregistered_only yes
(also tried without these three lines)

# ipfw show
65535 1546 115746 allow ip from any to any

# sysctl -a | grep forward
net.inet.ip.forwarding: 1
net.inet.ip.fastforwarding: 1

Lan users still don't have internet... Any help would be appreciated.
Re: ipfw + natd - not sharing internet for LAN users
----- Original Message -----
From: Prodigy [EMAIL PROTECTED]
To: freebsd-questions [EMAIL PROTECTED]
Sent: Tuesday, March 09, 2004 10:53 AM
Subject: ipfw + natd - not sharing internet for LAN users

<snip>

> # ipfw show
> 65535 1546 115746 allow ip from any to any

This is your problem. Even though you're running NATD, you need to divert all traffic to NATD in the firewall. Try adding a divert entry to your firewall like this:

ipfw add 100 divert natd all from any to any via ed1

Then check /etc/services and make sure that there's an entry for natd:

natd    8668/divert    # Network Address Translation

--
Micheal Patterson
TSG Network Administration
405-917-0600
ipfw / natd does not allow lan traffic to reach external numbers
Hi, I have a problem with our firewall/NAT, on a FreeBSD 4.7 box... Here a list with some details:

*) The FreeBSD box uses natd and ipfw, and has two external IPs, let's say aaa.bbb.ccc.20 and ddd.eee.fff.21.

*) natd is used to redirect access to external IP addresses and ports to internal LAN IPs, for example 192.168.0.20 and 192.168.0.21, where for example webservers are located.

*) natd rules:

natd_flags="-redirect_address 192.168.0.20 aaa.bbb.ccc.20 \
  -redirect_port tcp 192.168.0.21:25-52 25-52 \
  -redirect_port udp 192.168.0.21:25-52 25-52 \
  -redirect_port tcp 192.168.0.30:80 80 \
  -redirect_port udp 192.168.0.30:80 80 \
  -redirect_port tcp 192.168.0.21:54-79 54-79 \
  -redirect_port udp 192.168.0.21:54-79 54-79 \
  -redirect_port tcp 192.168.0.21:81-722 81-722 \
  -redirect_port udp 192.168.0.21:81-722 81-722 \
  -redirect_port tcp 192.168.0.21:3306-4559 3306-4559 \
  -redirect_port udp 192.168.0.21:3306-4559 3306-4559"

*) ipfw lets things through:

00050 divert 8668 ip from any to any via fxp0
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
65000 allow ip from any to any
65535 allow ip from any to any

Problem: Most things work just fine, external accesses are redirected to the correct ports, and the webservers work just fine. BUT the problem comes when a box on the LAN tries to reach a site residing on 192.168.0.20 using the _external_ IP aaa.bbb.ccc.20. Then I get the error: Unable to connect to remote host.

Connecting from a LAN machine to the same site using the _internal_ IP works fine. Connecting to other external IPs also works fine.

I want to be able to connect from LAN boxes to the external IPs, for example aaa.bbb.ccc.20.

Can anyone lead me on the way...? Very thankful for all comments on this matter.

Regards,
Smartnet Sverige AB
Johannes Angeldorff
Re: ipfw / natd does not allow lan traffic to reach external numbers
Hello,

On Sun, 2003-08-10 at 22:38, Johannes Angeldorff wrote:
> Hi, I have a problem with our firewall/NAT, on a FreeBSD 4.7 box... Here a list with some details:
>
> *) The FreeBSD box uses natd and ipfw, and has two external IPs, let's say aaa.bbb.ccc.20 and ddd.eee.fff.21.
>
> *) natd is used to redirect access to external IP addresses and ports to internal LAN IPs, for example 192.168.0.20 and 192.168.0.21, where for example webservers are located.
>
> *) natd rules:
>
> natd_flags="-redirect_address 192.168.0.20 aaa.bbb.ccc.20 \
>   -redirect_port tcp 192.168.0.21:25-52 25-52 \
>   -redirect_port udp 192.168.0.21:25-52 25-52 \
>   -redirect_port tcp 192.168.0.30:80 80 \
>   -redirect_port udp 192.168.0.30:80 80 \
>   -redirect_port tcp 192.168.0.21:54-79 54-79 \
>   -redirect_port udp 192.168.0.21:54-79 54-79 \
>   -redirect_port tcp 192.168.0.21:81-722 81-722 \
>   -redirect_port udp 192.168.0.21:81-722 81-722 \
>   -redirect_port tcp 192.168.0.21:3306-4559 3306-4559 \
>   -redirect_port udp 192.168.0.21:3306-4559 3306-4559"
>
> *) ipfw lets things through:
>
> 00050 divert 8668 ip from any to any via fxp0
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 127.0.0.0/8 to any
> 65000 allow ip from any to any
> 65535 allow ip from any to any
>
> Problem: Most things work just fine, external accesses are redirected to the correct ports, and the webservers work just fine. BUT the problem comes when a box on the LAN tries to reach a site residing on 192.168.0.20 using the _external_ IP aaa.bbb.ccc.20. Then I get the error: Unable to connect to remote host.
>
> Connecting from a LAN machine to the same site using the _internal_ IP works fine. Connecting to other external IPs also works fine.
>
> I want to be able to connect from LAN boxes to the external IPs, for example aaa.bbb.ccc.20.
>
> Can anyone lead me on the way...? Very thankful for all comments on this matter.

This is not possible. You have to use another host external to your local network in order to access / view services via their respective public IPs, or continue to access them via their defined RFC1918 addresses.

On another note, if access via public IP isn't a strict requirement, there is the views functionality in Bind9 that (once set up properly) would allow you to access, say, hosted websites via their WWW addresses from internal hosts.

Regards,
Stacey

> Regards,
> Smartnet Sverige AB
> Johannes Angeldorff

--
Stacey Roberts
B.Sc (HONS) Computer Science
Web: www.vickiandstacey.com
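The split-horizon DNS that Pat describes earlier in the thread and the BIND 9 views Stacey mentions here, as an added named.conf fragment that is not from any post in the thread. The "lan" ACL, the zone file names and the assumption that the gateway's own resolver sits at 127.0.0.1 are mine; the internal zone file carries "www A 192.168.2.250", the external one "www A 1.2.3.4", so only outside clients ever hit the natd redirect_port rule.

```conf
// Assumed layout: both LANs from the thread plus the server itself count as "inside".
acl "lan" { 192.168.1.0/24; 192.168.2.0/24; 127.0.0.1; };

// Inside view: answers first for matching clients, resolves www to the LAN address
// and may recurse for them (Pat's "internal" server role).
view "internal" {
    match-clients { "lan"; };
    recursion yes;
    zone "ishouldhaveusedipfilter.com" {
        type master;
        file "internal/ishouldhaveusedipfilter.com.db";   // www IN A 192.168.2.250
    };
};

// Outside view: everyone else sees only the public address and gets no recursion,
// so the public-facing server never acts as an open resolver.
view "external" {
    match-clients { any; };
    recursion no;
    zone "ishouldhaveusedipfilter.com" {
        type master;
        file "external/ishouldhaveusedipfilter.com.db";   // www IN A 1.2.3.4
    };
};
```

Views are matched in file order, so the "internal" view must precede "external"; a client is matched by the first view whose match-clients it satisfies.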
Re: ipfw natd forward port 80
Hi, I have a similar problem. I'm using IPF & IPNAT to redirect an outbound connection to the internal IP addr. It's been 4 months and I can't solve it :(

The result so far:
The connection was refused (Netscape)
Alert! Unable to connect (Lynx)

TIA

Here are the details

IPF.CONF

block in log all
pass out all
pass in on xl1 all
pass in on lo all
block in log quick on xl0 from 0.0.0.0/32 to any
block in log quick on xl0 from 255.255.255.255/32 to any
block in log quick on xl0 from 127.0.0.0/8 to any
block in log quick on xl0 from any to 0.0.0.0/32
block in log quick on xl0 from any to 255.255.255.255/32
block in log quick on xl0 from any to 127.0.0.0/8
block in log quick on xl0 from 192.168.0.0/16 to any
block in log quick on xl0 from 172.16.0.0/12 to any
block in log quick on xl0 from 10.0.0.0/8 to any
pass in quick on xl0 proto icmp all icmp-type 0
pass in quick on xl0 proto icmp all icmp-type 3
pass in quick on xl0 proto icmp all icmp-type 11
connections to machines
block in log on xl0 proto tcp all flags S/SA
block in log on xl0 proto tcp all flags SA/SA
pass in quick on xl0 proto tcp from any to any port = 5557 flags S/SA keep state
pass in quick on xl0 proto tcp from any to any port = 25 flags S/SA keep state
pass in quick on lo0 proto tcp from any to any port = 25 flags S/SA keep state
pass in quick on xl0 proto tcp from any to any port = 110 flags S/SA keep state
pass in quick on lo0 proto tcp from any to any port = 110 flags S/SA keep state
pass in quick on xl0 proto tcp from any to any port = flags S/SA keep state
pass in quick on lo0 proto tcp from any to any port = flags S/SA keep state
pass in quick on xl0 proto tcp from any to any port = 80 flags S/SA keep state
pass in quick on lo0 proto tcp from any to any port = 80 flags S/SA keep state
pass out on xl0 proto tcp all keep state
note 5
block return-rst in on xl0 proto tcp from any to any port = 113
block in log quick on xl1 proto tcp from any to any port = 135
block in log quick on xl1 proto udp from any to any port = 135
block in log quick on xl1 proto udp from any to any port = 137
pass in log quick on xl1 proto udp from 192.168.0.1 to any port = 137
block in log quick on xl1 proto tcp from any to any port = 139
block in log quick on xl1 proto tcp from any to any port = 445
block in log quick on xl1 proto udp from any to any port = 138
pass in on xl0 proto udp from 202.xxx.xxx.xxx port = 53 to any
pass in on xl0 proto udp from 202.xxx.xxx.xxx port = 53 to any

IPNAT

map xl0 192.168.0.0/24 -> 202.xxx.xxx.xxx/32 portmap tcp/udp 1025:2
map xl0 192.168.0.0/24 -> 202.xxx.xxx.xxx/32
rdr xl0 202.xxx.xxx.xxx/32 port -> 192.168.0.89 port 80 tcp

RC.CONF

ifconfig_xl1="inet 192.168.0.27 netmask 255.255.255.0"
ifconfig_xl0="inet 202.xxx.xxx.xxx netmask 255.255.255.240"
gateway_enable="YES"
defaultrouter="202.xxx.xxx.xxx"
ntpdate_flags="ntp.cyber-fleet.net"
ntpdate_enable="YES"
sshd_enable="YES"
inetd_enable="YES"
hostname="AROMA.ialf.edu"
sendmail_enable="YES"
sendmail_flags="-bd"
sendmail_outbound_enable="NO"
sendmail_submit_enable="NO"
sendmail_msp_queue_enable="NO"
inetd_flags="-Ww"
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.conf"
ipnat_rules="/etc/ipnat.conf"
ipnat_flags="-CF"

--- Clement Laforet [EMAIL PROTECTED] wrote:
> On Thu, 7 Aug 2003 04:33:43 +0200 Clement Laforet [EMAIL PROTECTED] wrote:
>> oups : use this
>> natd_flags="-dynamic -redirect_port 192.168.1.150:80 80"
>
> natd_flags="-dynamic -redirect_port tcp 192.168.1.150:80 80"
>
> that's better ;)
Re: ipfw natd forward port 80
On Wed, 06 Aug 2003 21:28:19 -0700 [EMAIL PROTECTED] wrote:
> I want to forward port 80 from an outside ip to an internal ip of 192.168.1.150
> dc1 is tun0 pppoe / dc0 is lan
> I have read what seems like 5 diff ways to do this but the only result has been to lock myself out of the computer. What have I missed.
>
> rc.conf settings
> firewall_enable="YES"
> firewall_script="/etc/firewall/fwrules"
> firewall_quiet="YES"
> firewall_logging_enable="YES"
> #log_in_vain="YES"
> tcp_drop_synfin="NO"
> tcp_restrict_rst="NO"
> icmp_drop_redirect="YES"
> natd_enable="YES"
> natd_interface="tun0"
> natd_flags="-dynamic"
> gateway_enable="YES"
> ppp_enable="YES"
> ppp_mode="ddial"
> ppp_profile="default"

seems to be good.

> ipfw show
> 00050 fwd 192.168.1.150,80 tcp from any to 192.168.1.150 in via tun0

^^ = BAD

use this
natd_flags="-dynamic -redirect_port 192.168.1.150:80 80"
Re: ipfw natd forward port 80
On Wed, 6 Aug 2003 20:55:47 -0500 (CDT) Mark [EMAIL PROTECTED] wrote:
> I am still unable to connect from the outside, from the kernel config
>
> # ipfw options
> options IPFIREWALL
> options IPFIREWALL_VERBOSE
> options IPFIREWALL_VERBOSE_LIMIT=10
> options IPFIREWALL_DEFAULT_TO_ACCEPT
> options IPDIVERT
> #To hide firewall from traceroute
> options IPSTEALTH
> #To hide from nmap, remove if create web server
> #options TCP_DROP_SYNFIN

ok here my set up (I use pound for web traffic now but it used to work for year)

kernel conf :
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=10
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPDIVERT

natd.conf :
[EMAIL PROTECTED]|(553)| teapop-devel]# ssh charon.cultdeadsheep.org cat /etc/natd.conf
log no
deny_incoming no
port 8668
# use_sockets yes
#
# Avoid port changes if possible. Makes rlogin work
# in most cases.
#
same_ports yes
# verbose no
interface tun0
unregistered_only yes
redirect_port tcp 192.168.0.1:80 80

Now the debugging :)
when you try a telnet to your external IP on port 80 you have:
1. Connection refused : natd isn't running
2. ping timeout :
   - your firewall is faulty or
   - your server is down or
   - your server doesn't have the right gateway
Re: ipfw / natd does not allow lan traffic to reach external num
Hi!

> I have a problem with our firewall/NAT, on a FreeBSD 4.7 box... Here a list with some details:
>
> *) The FreeBSD box uses natd and ipfw, and has two external IPs, let's say aaa.bbb.ccc.20 and ddd.eee.fff.21.
>
> *) natd is used to redirect access to external IP addresses and ports to internal LAN IPs, for example 192.168.0.20 and 192.168.0.21, where for example webservers are located.
>
> *) natd rules:
> <snipped>
>
> *) ipfw lets things through:
> <snipped>
>
> Most things work just fine, external accesses are redirected to the correct ports, and the webservers work just fine. BUT the problem comes when a box on the LAN tries to reach a site residing on 192.168.0.20 using the _external_ IP aaa.bbb.ccc.20.

I don't use ipfw but I encountered the same problem when I first attempted to do a similar setup using ipfilter/ipnat. The problem (at least with ipfilter/ipnat) is that nat does not change the *source* address of packets to that of the machine doing the NAT. So, if you are at machine 192.168.1.10, the internal IP of the NAT box is 192.168.1.1 and you are trying to access a service running on 192.168.1.2 via the external interface of the NAT box, this is what happens:

* Your PC sends initial SYN with source=192.168.1.10, target=natbox_external_ip. This packet goes to the natbox, as that is your default gateway.

* NAT on natbox translates the target address to 192.168.1.2 and sends the packet there. The source address remains unchanged (192.168.1.10).

* 192.168.1.2 sees the packet coming from 192.168.1.10, and - this is where it goes wrong - sends response (SYN+ACK) directly to 192.168.1.10.

* since 192.168.1.10 did not initiate session with 192.168.1.2 but with natbox, it doesn't want anything to do with this strange SYN+ACK packet and just drops it.

There are several possible solutions recommended for ipfilter, but the one that I myself ended up using was to set up netcat on the natbox. Basically (using inetd) you set up netcat to listen on an arbitrary port X and pipe all traffic to the machine:port on your internal net where the actual service is running (such as 192.168.1.2:80). Then you forward all traffic with src=your_internal_net and dst=natbox_external_ip:80 to 127.0.0.1:X. That way the internal server sees packets coming from natbox, sends its responses there, and the natbox in turn sends responses back to the original client. Everybody's happy.

As I said I don't use ipfw myself so I can't give you any specific ipfw commands, but I'm sure it all can be done. If only my explanation wasn't too confusing :-)

--
Toomas Aas | [EMAIL PROTECTED] | http://www.raad.tartu.ee/~toomas/
* (A)bort, (R)etry, (I)nfluence with large hammer?
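Toomas's packet walk above, as an added simulation that is not code from any post in the thread nor from ipfilter or natd: it models the destination-only redirect he describes beside a variant that also rewrites the source (the effect his netcat relay achieves, and what a LAN-side divert or the redirect-with-source-alias approach of the other posts aims at). Addresses are the ones in his message; natbox_external_ip is kept as his placeholder, and the client port 45642 and NAT port 40000 are constructed values.

```python
"""Why a LAN client cannot reach an internal server through the gateway's
public address when NAT rewrites only the destination.  Constructed model,
no real sockets; addresses follow the post above."""
from dataclasses import dataclass, replace

NAT_EXT = "natbox_external_ip"   # public side of the NAT box (placeholder)
NAT_INT = "192.168.1.1"          # LAN side of the NAT box
SERVER = "192.168.1.2"           # internal web server
CLIENT = "192.168.1.10"          # LAN client


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str                   # "S" = SYN, "SA" = SYN+ACK


class NatBox:
    """Redirect NAT_EXT:80 -> SERVER:80.  With rewrite_source=True the box also
    substitutes its own LAN address as source, so the server answers the box."""

    def __init__(self, rewrite_source: bool):
        self.rewrite_source = rewrite_source
        self.sessions = {}       # (server, port on NAT box) -> (client, client port)
        self.next_port = 40000   # constructed starting port for the alias pool

    def inbound(self, pkt: Packet) -> Packet:
        if (pkt.dst, pkt.dport) != (NAT_EXT, 80):
            return pkt           # not the redirected service; pass unchanged
        if not self.rewrite_source:
            return replace(pkt, dst=SERVER)        # what the post says nat does
        nport, self.next_port = self.next_port, self.next_port + 1
        self.sessions[(SERVER, nport)] = (pkt.src, pkt.sport)
        return replace(pkt, src=NAT_INT, sport=nport, dst=SERVER)

    def reply(self, pkt: Packet) -> Packet:
        """Untranslate a server reply addressed to the NAT box."""
        client = self.sessions.get((pkt.src, pkt.dport))
        if pkt.dst != NAT_INT or client is None:
            return pkt
        return replace(pkt, src=NAT_EXT, sport=80, dst=client[0], dport=client[1])


class Client:
    def __init__(self, ip: str):
        self.ip = ip
        self.expected = set()    # (peer ip, peer port, own port) of SYNs we sent

    def syn(self, dst: str, dport: int, sport: int = 45642) -> Packet:
        self.expected.add((dst, dport, sport))
        return Packet(self.ip, sport, dst, dport, "S")

    def accepts(self, pkt: Packet) -> bool:
        # TCP only matches a SYN+ACK against the 4-tuple the SYN was sent to
        return pkt.flags == "SA" and (pkt.src, pkt.sport, pkt.dport) in self.expected


def server_synack(syn: Packet) -> Packet:
    """The server answers whatever source address the SYN carried."""
    return Packet(SERVER, 80, syn.src, syn.sport, "SA")


def simulate(rewrite_source: bool):
    """Return (client accepted?, SYN+ACK as sent by server, SYN+ACK as delivered)."""
    client, nat = Client(CLIENT), NatBox(rewrite_source)
    syn_to_server = nat.inbound(client.syn(NAT_EXT, 80))
    synack = server_synack(syn_to_server)
    # Client and server share a subnet: a reply addressed to the client goes
    # straight to it and never crosses the NAT box; only a reply addressed to
    # the box itself gets untranslated.
    delivered = nat.reply(synack) if synack.dst == NAT_INT else synack
    return client.accepts(delivered), synack, delivered


if __name__ == "__main__":
    for mode in (False, True):
        ok, sent, got = simulate(mode)
        print(f"rewrite_source={mode}: server replied to {sent.dst}:{sent.dport}, "
              f"client saw {got.src}:{got.sport}, accepted={ok}")
```

Run stand-alone it prints the failing case first (the SYN+ACK arrives from 192.168.1.2, which the client never contacted) and then the working one, where the reply returns through the box and reappears as natbox_external_ip:80.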
Re: ipfw natd forward port 80
I am still unable to connect from the outside. From the kernel config:

# ipfw options
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=10
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPDIVERT
# To hide firewall from traceroute
options IPSTEALTH
# To hide from nmap, remove if create web server
#options TCP_DROP_SYNFIN
ipfw natd forward port 80
I want to forward port 80 from an outside IP to an internal IP of 192.168.1.150. dc1 is tun0 pppoe / dc0 is LAN. I have read what seems like 5 different ways to do this but the only result has been to lock myself out of the computer. What have I missed?

rc.conf settings:

firewall_enable=YES
firewall_script=/etc/firewall/fwrules
firewall_quiet=YES
firewall_logging_enable=YES
#log_in_vain=YES
tcp_drop_synfin=NO
tcp_restrict_rst=NO
icmp_drop_redirect=YES
natd_enable=YES
natd_interface=tun0
natd_flags=-dynamic
gateway_enable=YES
ppp_enable=YES
ppp_mode=ddial
ppp_profile=default

ipfw show:

00050 fwd 192.168.1.150,80 tcp from any to 192.168.1.150 in via tun0
00100 divert 8668 ip from any to any via tun0
00200 allow ip from any to any via lo0
00300 allow ip from any to any via dc0
00400 allow tcp from any to any out xmit tun0 setup
00500 allow tcp from any to any via tun0 established
00600 allow tcp from any to any dst-port 25 setup
00800 allow tcp from any to any dst-port 22 setup
01000 allow udp from any to x.x.x.x dst-port 53 out xmit tun0
01100 allow udp from x.x.x.x 53 to any in recv tun0
01200 allow icmp from any to any
01300 deny log ip from any to any
65535 allow ip from any to any

From httpd.conf:

Listen 192.168.1.150:80
ServerName my.lameass.com:80 (( changed to protect me from my ignorance =) ))
Re: ipfw natd forward port 80
On Thu, 7 Aug 2003 04:33:43 +0200 Clement Laforet [EMAIL PROTECTED] wrote:

> oops: use this
> natd_flags=-dynamic -redirect_port 192.168.1.150:80 80

natd_flags=-dynamic -redirect_port tcp 192.168.1.150:80 80

that's better ;)
ipfw - natd - squid - 3 Nic's - 1 FBSD 5.1 server and routingquestion
I could sure use an idea for solving the following. We have a perfectly functional but saturated DS0 with our telco that is very expensive. We have squid running with a transparent proxy for our LAN that consists of about 10-15 users:

[ fwd 127.0.0.1,3128 tcp from 192.168.5.0/24 to any 80 ]

It works fine but there is still not enough bandwidth, so we contracted a connection with a cable company that we plan to use for all outgoing requests for port 80 from squid. The problem is that I can't get the outgoing requests from squid to use the nic that is connected to the cable company. Squid is set up to use the cable company's IP (tcp_outgoing_address 10.24.194.163) but since the default gateway is on the telco interface, the request is sent to the telco. I'm not sure how to make this work.

Our three nics are set up as follows (natd, ipfw and squid run on this box):

rl1  192.168.5.0/24      Internal Network
rl0  200.79.x.0/28       TelCo -> INTERNET (default route 200.79.x.1)
rl2  10.24.194.163/20    Cable Network

Our firewall configuration has been reduced to the following until we can get this to work:

00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 fwd 127.0.0.1,3128 tcp from 192.168.5.0/24 to any 80
65100 divert 8668 ip from any to any via rl0
65500 allow ip from any to any
65535 allow ip from any to any

Everything works great with rl1 - rl0 but rl2 is basically useless. I have tried many different approaches and none have worked. I'm probably complicating it too much. Any help or suggestions will be appreciated.

Ed
Re: ipfw - natd - squid - 3 Nic's - 1 FBSD 5.1 server and routingquestion
On Mon, Aug 04, 2003 at 06:24:42AM -0700, [EMAIL PROTECTED] wrote:

> I could sure use an idea for solving the following. We have a perfectly functional but saturated DS0 with our telco that is very expensive. We have squid running with a transparent proxy for our LAN that consists of about 10-15 users:
> [ fwd 127.0.0.1,3128 tcp from 192.168.5.0/24 to any 80 ]
> [...] Squid is set up to use the cable company's IP (tcp_outgoing_address 10.24.194.163) but since the default gateway is on the telco interface, the request is sent to the telco.
> [...]
> Everything works great with rl1 - rl0 but rl2 is basically useless. I have tried many different approaches and none have worked. I'm probably complicating it too much. Any help or suggestions will be appreciated.

This sounds to me like a policy based routing problem -- googling for "policy based routing FreeBSD" in Google Groups should prove informative. However, the mechanism is basically the same as you've used to implement your transparent proxy. All you need to do is insert another rule to trap the port 80 traffic coming out of Squid and send the packets to the next-hop gateway on your rl2 interface. That presumably has its default route set via the cable network. Something like:

00500 fwd 10.24.207.254 tcp from me to any 80

(assuming that 10.24.207.254 is the router address in the cable company's network.) Since your Squid is already using a Cable Co. address as the source address on any outgoing packets this should cause all in- and out-going HTTP traffic to pass via the Cable Co. network.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
IPFW + NATD
Hi,

I have two networks: 10.1.0.0/16 and 10.2.0.0/16. I need to do NAT for only one of them, 10.2.0.0/16. Network 10.1.0.0/16 does not have external access. How do I configure this in ipfw + natd so that this is possible? My outside interface is xl0, the interface of network 10.1.0.0/16 is xl1, and the interface of network 10.2.0.0/16 is xl2. How do I configure ipfw using natd to do NAT only for net 10.2.0.0/16?

Regards,

---
Vitor de Matos Carvalho - #5602098
Softinfo Network Administrator
+55 (71)9971-5011 / +55 (71)9986-9317
Salvador - Bahia - Brazil
FreeBSD: The silent Workhorse
Re: IPFW + NATD
- Original Message -
From: Vitor de Matos Carvalho [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, July 13, 2003 7:18 AM
Subject: IPFW + NATD

> Hi,
> I have two networks: 10.1.0.0/16 and 10.2.0.0/16. I need to do NAT for only one of them, 10.2.0.0/16. Network 10.1.0.0/16 does not have external access.
> [...]
> My outside interface is xl0, the interface of network 10.1.0.0/16 is xl1, and the interface of network 10.2.0.0/16 is xl2.

I would think it would be something like this:

# Divert all outbound traffic through nat
#
ipfw add 1 divert natd all from any to any via xl0
#
### Allow traffic between the internal networks
#
ipfw add 2 allow ip from 10.1.0.0/16 to 10.2.0.0/16
ipfw add 2 allow ip from 10.2.0.0/16 to 10.1.0.0/16
#
### Deny 10.1.0.0/16 traffic to anyone else
#
ipfw add 4 deny ip from 10.1.0.0/16 to any
#
### Rest of firewall rules
#

--
Micheal Patterson
Network Administration
Cancer Care Network
405-733-2230
Re: IPFW + NATD
Thanks for the help. My net 10.1.0.0/16 cannot see net 10.2.0.0/16. And in my firewall the last rule, from my kernel, is: deny ip from any to any

Regards,

---
Vitor de Matos Carvalho - #5602098
Softinfo Network Administrator
+55 (71)9971-5011 / +55 (71)9986-9317
Salvador - Bahia - Brazil
FreeBSD: The silent Workhorse

- Original Message -
From: Micheal Patterson [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Sunday, July 13, 2003 1:53 PM
Subject: Re: IPFW + NATD

> [...]
> I would think it would be something like this:
> [...]
> ipfw add 2 allow ip from 10.1.0.0/16 to 10.2.0.0/16
> ipfw add 2 allow ip from 10.2.0.0/16 to 10.1.0.0/16
> [...]
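A model of the two things the rule sets in this thread and in Ed's Squid thread depend on, added here as an example and not taken from either thread: Micheal's split-NAT rules for Vitor's two subnets, and Matthew's fwd rule that steers Squid's own port-80 traffic out rl2. It is a small first-match evaluator for a subset of ipfw syntax in which a forwarded packet is checked once arriving and once leaving, and in which divert is not terminal: natd reinjects the translated packet and it continues at the next rule. The second point matters with the default deny Vitor mentions: once natd has rewritten the source to xl0's address, an allow keyed on 10.2.0.0/16 no longer matches on the outbound pass, so a rule matching the post-NAT source (rule 6 below) is needed. The addresses 203.0.113.1 and 198.51.100.7, the firewall's own addresses in the two frozensets, and rules 5 and 6 are assumptions of this example; 10.24.207.254 is Matthew's own assumption.

```python
"""Two-pass, first-match model of ipfw evaluation (added example, not from the
thread): a forwarded packet is checked once arriving and once leaving, and a
divert rule is not terminal: the packet comes back translated and goes on."""
from dataclasses import dataclass, replace
from functools import partial
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    num: int
    action: str           # allow | deny | divert natd | fwd <next hop>
    proto: str            # ip | all | tcp | udp
    src: str              # CIDR, 'any' or 'me'
    dst: str
    dport: int = None     # None matches any port
    via: str = None       # None matches any interface

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int = 0
    iface: str = ""       # interface the packet is arriving on or leaving by

def _addr_ok(spec, addr, my_addrs):
    if spec == "any":
        return True
    if spec == "me":
        return addr in my_addrs
    return ip_address(addr) in ip_network(spec, strict=False)

def matches(rule, pkt, my_addrs):
    return (rule.proto in ("ip", "all", pkt.proto)
            and rule.dport in (None, pkt.dport) and rule.via in (None, pkt.iface)
            and _addr_ok(rule.src, pkt.src, my_addrs)
            and _addr_ok(rule.dst, pkt.dst, my_addrs))

def one_pass(rules, pkt, my_addrs, nat=None, default="deny"):
    """First match ends the pass; a divert rule translates and carries on."""
    for r in sorted(rules, key=lambda r: r.num):   # stable sort: ties keep order
        if matches(r, pkt, my_addrs):
            if r.action != "divert natd":
                return r.num, r.action
            pkt = nat(pkt) if nat else pkt         # natd reinjects; next rule
    return 65535, default

def transit(rules, pkt, in_iface, out_iface, my_addrs, nat=None):
    """(pass, rule number, action). in_iface=None: the packet was generated on
    the firewall itself (Squid's case), so only the outbound pass applies."""
    if in_iface is not None:
        num, action = one_pass(rules, replace(pkt, iface=in_iface), my_addrs, nat)
        if action != "allow":
            return "in", num, action
    num, action = one_pass(rules, replace(pkt, iface=out_iface), my_addrs, nat)
    return "out", num, action

# Vitor's box: rules 1-4 are Micheal's; rules 5-6, xl0's address 203.0.113.1
# and the web server 198.51.100.7 are assumptions. Kernel default is deny.
PUBLIC, WEB = "203.0.113.1", "198.51.100.7"
VITOR_ADDRS = frozenset({PUBLIC, "10.1.0.1", "10.2.0.1"})
SPLIT_NAT = [
    Rule(1, "divert natd", "all", "any", "any", via="xl0"),
    Rule(2, "allow", "ip", "10.1.0.0/16", "10.2.0.0/16"),
    Rule(2, "allow", "ip", "10.2.0.0/16", "10.1.0.0/16"),
    Rule(4, "deny", "ip", "10.1.0.0/16", "any"),
    Rule(5, "allow", "ip", "10.2.0.0/16", "any"),
]
RULE_6 = Rule(6, "allow", "ip", "me", "any", via="xl0")   # the post-NAT source

def masquerade(pkt):
    """What natd does to a packet leaving xl0: source becomes xl0's address."""
    return replace(pkt, src=PUBLIC)

def split_nat_results():
    t = partial(transit, my_addrs=VITOR_ADDRS, nat=masquerade)
    return {
        "10.1 to internet": t(SPLIT_NAT, Packet("tcp", "10.1.0.5", WEB, 80), "xl1", "xl0"),
        "10.2 to internet, no rule 6": t(SPLIT_NAT, Packet("tcp", "10.2.0.5", WEB, 80), "xl2", "xl0"),
        "10.2 to internet": t(SPLIT_NAT + [RULE_6], Packet("tcp", "10.2.0.5", WEB, 80), "xl2", "xl0"),
        "10.1 to 10.2": t(SPLIT_NAT, Packet("tcp", "10.1.0.5", "10.2.0.9", 22), "xl1", "xl2"),
    }

# Ed's box: Matthew's rule 500 steers Squid's own port-80 traffic to the cable
# router; 10.24.207.254 is his assumption, rl1's address 192.168.5.1 is mine.
ED_ADDRS = frozenset({"192.168.5.1", "10.24.194.163"})
SQUID_RULES = [
    Rule(400, "fwd 127.0.0.1,3128", "tcp", "192.168.5.0/24", "any", dport=80),
    Rule(500, "fwd 10.24.207.254", "tcp", "me", "any", dport=80),
    Rule(65100, "divert natd", "ip", "any", "any", via="rl0"),
    Rule(65500, "allow", "ip", "any", "any"),
]

def policy_routing_results():
    t = partial(transit, SQUID_RULES, my_addrs=ED_ADDRS)
    return {
        "lan client to web": t(Packet("tcp", "192.168.5.10", WEB, 80), "rl1", "rl0"),
        "squid to web": t(Packet("tcp", "10.24.194.163", WEB, 80), None, "rl2"),
        "squid to https": t(Packet("tcp", "10.24.194.163", WEB, 443), None, "rl0"),
    }
```

Two results are worth reading off: 10.1.0.0/16 traffic for the Internet is stopped by rule 4 on the inbound (xl1) pass before natd ever sees it, which is what keeps that net off the outside; and 10.2.0.0/16 traffic is allowed on the xl1 pass by rule 5 but, on the xl0 pass, comes back from the divert with a public source and falls through to the default deny unless a rule after the divert matches that translated source. The model ignores keep-state, fragments and the one_pass sysctl, so treat it as a way to reason about order, not as a replacement for testing the real ruleset.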
ipfw/natd/divert question
I'd like to come up with a ruleset that handles the following example. Suppose I have a daemon listening on port 2000 and I'd like outside clients to be able to communicate with the daemon by addressing traffic to port 2000 or port 2001. So, suppose I have for my natd configuration:

-redirect_port tcp 1.2.3.4:2000 1.2.3.4:2001

And then in my ipfw ruleset, if I use:

add 100 divert natd tcp from any to 1.2.3.4 2001 in via rl0
add 101 divert natd tcp from 1.2.3.4 2000 to any out via rl0

It seems that traffic coming in normally to 1.2.3.4:2000 would enter fine. And traffic coming into 1.2.3.4:2001 would be diverted to natd which would rewrite the destination port as 1.2.3.4:2000. So far so good. But my concern is with the 101 ipfw rule... wouldn't it always rewrite traffic leaving from 1.2.3.4:2000 as 1.2.3.4:2001? In which case is there a way to distinguish the outbound divert to only take place if the traffic was initially diverted on the way in... some sort of divert keep-state?

Thanks for any help or explanations.
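A model of the state behind the 2000/2001 question, added as an example rather than taken from the thread. natd keeps a per-flow table of the translations it has made; the two divert rules only decide which packets natd gets to look at, they do not rewrite anything themselves. The toy below redirects inbound 1.2.3.4:2001 to :2000, records the flow, and on the outbound side puts the source port back to 2001 only for replies that belong to a recorded flow, so replies to a client that connected straight to :2000 pass untouched. The client addresses are constructed, and passing unknown outbound flows through unchanged is a modelling choice of this toy rather than a statement about natd, so check natd(8) (in particular -same_ports) for how the real daemon treats packets that originate from the alias address itself.

```python
"""Toy stateful port redirect (added example, not code from the thread).
Models the link table natd keeps between its inbound and outbound divert
rules. Client addresses are constructed."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int


class Redirector:
    """redirect_port-style translator with a per-flow link table."""

    def __init__(self, alias_ip, alias_port, target_ip, target_port):
        self.alias = (alias_ip, alias_port)      # what outside clients talk to
        self.target = (target_ip, target_port)   # where the daemon listens
        self.links = set()                       # (client ip, port) we redirected

    def inbound(self, p):
        """Packet arriving on the outside interface (rule 100's traffic)."""
        if (p.dst, p.dport) != self.alias:
            return p                              # no redirect matches: untouched
        self.links.add((p.src, p.sport))
        return replace(p, dst=self.target[0], dport=self.target[1])

    def outbound(self, p):
        """Packet leaving on the outside interface (rule 101's traffic). Only a
        reply that belongs to a redirected flow gets its source put back to the
        alias port; a reply to a client that came in on 2000 stays as it is."""
        if (p.src, p.sport) == self.target and (p.dst, p.dport) in self.links:
            return replace(p, src=self.alias[0], sport=self.alias[1])
        return p


def demo():
    nat = Redirector("1.2.3.4", 2001, "1.2.3.4", 2000)
    # client A addresses the alias port 2001, client B goes straight to 2000
    a_in = nat.inbound(Pkt("198.51.100.7", 40000, "1.2.3.4", 2001))
    b_in = nat.inbound(Pkt("198.51.100.8", 40001, "1.2.3.4", 2000))
    a_reply = nat.outbound(Pkt("1.2.3.4", 2000, "198.51.100.7", 40000))
    b_reply = nat.outbound(Pkt("1.2.3.4", 2000, "198.51.100.8", 40001))
    return {"a_in": a_in, "b_in": b_in, "a_reply": a_reply, "b_reply": b_reply}


if __name__ == "__main__":
    for name, p in demo().items():
        print(f"{name:8s} {p.src}:{p.sport} -> {p.dst}:{p.dport}")
```

So the outbound divert rule does not need a keep-state of its own: it only has to hand natd every packet that could be a reply, and natd decides per flow. What the rules must guarantee is that both directions of a redirected flow reach natd, which the pair of rules above does.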
IPFW NATD access www server by name from the LAN side ?
FreeBSD 4.7 firewall with 3 nics: Public, DMZ, and LAN. DNS (Bind) is not running here. The www server's public address is redirected to its DMZ address. The www server in the DMZ can be accessed by name from the Internet but only by its private DMZ IP address from the LAN side. An attempt to access it by name from the LAN results in a 'page not found'. When attempting to access the www server by name from the LAN side, tcpdump shows traffic getting to the firewall but not redirected out the DMZ nic. So it's the firewall answering with the 'page not found'. How can I redirect traffic to the WWW server from the LAN side?

Thanks,
Jay.
Re: IPFW NATD access www server by name from the LAN side ?
> FreeBSD 4.7 firewall with 3 nics: Public, DMZ, and LAN. DNS (Bind) is not running here. The www server's public address is redirected to its DMZ address. The www server in the DMZ can be accessed by name from the Internet but only by its private DMZ IP address from the LAN side. An attempt to access it by name from the LAN results in a 'page not found'. When attempting to access the www server by name from the LAN side, tcpdump shows traffic getting to the firewall but not redirected out the DMZ nic. So it's the firewall answering with the 'page not found'.

Well, actually your web browser is saying that... because it can't find the page.

> How can I redirect traffic to the WWW server from the LAN side?
> Thanks,
> Jay.

This is in the howto I followed (but I don't remember how)... there's about 5 good ones that can be found via google. Basically, you need to add a rdr rule to natd, if I remember correctly.
Re: IPFW NATD access www server by name from the LAN side ?
On Sat, 29 Mar 2003 14:50:22 -0800 (PST), Charlie Schluting wrote:

> [...]
> This is in the howto I followed (but I don't remember how)... there's about 5 good ones that can be found via google. Basically, you need to add a rdr rule to natd, if I remember correctly.

Thanks, I've spent some time googling but haven't hit anything; if anyone has some links it would be most appreciated.
Re: IPFW NATD access www server by name from the LAN side ?
On Sat, Mar 29, 2003 at 03:11:09PM -0800, [EMAIL PROTECTED] wrote:
> [...]
> > > How can I redirect traffic to the WWW server from the LAN side?
> > > Thanks,
> > > Jay.
> > This is in the howto I followed (but I don't remember how)... there's about 5 good ones that can be found via google. Basically, you need to add a rdr rule to natd, if I remember correctly.
> Thanks, I've spent some time googling but haven't hit anything; if anyone has some links it would be most appreciated.

The most common solution is to run an internal DNS (which everyone on the inside uses) which maps the name to the internal address. If you run an authoritative DNS for your domain, the DNS which serves outside queries needs to be separate from the one that handles internal queries. Alternatively, you can use BIND9's views feature to do the same thing as these 2 DNS servers.

Cheers.
-- 
Jonathan Chen [EMAIL PROTECTED]
--
With sufficient thrust, pigs fly just fine. However, this is not necessarily a good idea. It is hard to be sure where they are going to land, and it could be dangerous sitting under them as they fly overhead. -- RFC 1925
different ipfw/natd prob
I have a slightly different ipfw/natd problem. Machines on the LAN can ping the internal nic on the server (FBSD 4.7), and the external nic, but can not ping or reach anything outside, unless I telnet into the server, then telnet out. Currently running ipfw open until the problem is solved. The server can ping all machines on the LAN.

Stephen

To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-questions" in the body of the message
Re: different ipfw/natd prob
Stephen D. Kingrea wrote:
> I have a slightly different ipfw/natd problem. Machines on the LAN can ping the internal nic on the server (FBSD 4.7), and the external nic, but can not ping or reach anything outside, unless I telnet into the server, then telnet out. Currently running ipfw open until the problem is solved. The server can ping all machines on the LAN.

On a wild guess, it sounds like your divert rule is wrong. Need more information to help with this. Please repost to the list and include the following:

The output of 'ipfw show'
The output of 'ifconfig'
The contents of your rc.conf file

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com
Re: different ipfw/natd prob
Oh, this looks bad. Before I do that, I should mention that in the meantime I tried to add a divert rule and got:

ip_fw_ctl: invalid command

On boot, I get:

IP packet filtering initialized, divert disabled, rule-based forwarding enabled, default to deny, logging disabled

Is this a clue that I need to rebuild the kernel?

stephen d. kingrea

On Fri, 17 Jan 2003, Bill Moran wrote:
> [...]
> On a wild guess, it sounds like your divert rule is wrong. Need more information to help with this. Please repost to the list and include the following:
> The output of 'ipfw show'
> The output of 'ifconfig'
> The contents of your rc.conf file
Re: different ipfw/natd prob
Following is rc.conf, /etc/natd.conf, ifconfig, ipfw show.

rc.conf:

inetd_enable=YES
kern_securelevel_enable=NO
linux_enable=YES
tcp_extensions=YES
named_enable=YES
sendmail_enable=NO
portmap_enable=YES
router_enable=yes
router=/sbin/routed
router_flags=-q
defaultrouter=68.abc.de.1
hostname=www.kingrea.com
network_interfaces=lo0 fxp0 dc0
ifconfig_lo0=inet 127.0.0.1
ifconfig_dc0=inet 68.abc.de.14 netmask 255.255.255.0 media 10baseT/UTP
ifconfig_fxp0=inet 192.168.2.1 netmask 255.255.255.0
firewall_enable=YES
firewall_type=OPEN
gateway_enable=YES
natd_enable=YES
natd_interface=dc0
natd_flags=-f /etc/natd.conf

natd.conf:

interface dc0
use_sockets yes
same_ports yes

ifconfig:

dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 68.abc.de.14 netmask 0xffffff00 broadcast 68.abc.de.255
        inet6 fe80::204:5aff:fe5a:9987%dc0 prefixlen 64 scopeid 0x1
        ether 00:04:5a:5a:99:87
        media: Ethernet 10baseT/UTP
        status: active
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
        inet6 fe80::2a0:c9ff:fe5c:3738%fxp0 prefixlen 64 scopeid 0x2
        ether 00:a0:c9:5c:37:38
        media: Ethernet autoselect (100baseTX)
        status: active
lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
faith0: flags=8002<BROADCAST,MULTICAST> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
        inet 127.0.0.1 netmask 0xff000000
ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552

ipfw show:

00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
65000 4208345040 allow ip from any to any
65535 0 0 deny ip from any to any

Thanks for assistance!

stephen d. kingrea

On Fri, 17 Jan 2003, Bill Moran wrote:
> [...]
> On a wild guess, it sounds like your divert rule is wrong. Need more information to help with this. Please repost to the list and include the following:
> The output of 'ipfw show'
> The output of 'ifconfig'
> The contents of your rc.conf file
Re: different ipfw/natd prob
Here's what I did that worked for me on FreeBSD 4.5-RELEASE. Maybe this will help you some.

Kernel recompile options I added:

options IPFIREWALL                    # I added for firewall
options IPFIREWALL_DEFAULT_TO_ACCEPT  # I added for firewall
options IPFIREWALL_VERBOSE            # I added for firewall
options IPFIREWALL_VERBOSE_LIMIT=10   # I added for firewall
options IPFIREWALL_DEFAULT_TO_ACCEPT  # I added for firewall
options IPFIREWALL_FORWARD            # I added for firewall
options IPDIVERT                      # I added for natd

ipfw rules:

/sbin/ipfw add 100 pass all from 127.0.0.1 to 127.0.0.1
/sbin/ipfw add 200 divert natd all from any to any via rl0

ifconfig:

xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=3<rxcsum,txcsum>
        inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
        inet6 fe80::201:2ff:fee8:2298%xl0 prefixlen 64 scopeid 0x1
        ether 00:01:02:e8:22:98
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 24.xx.xxx.61 netmask 0xfffffe00 broadcast 24..xxx.255
        inet6 fe80::250:bfff:fe51:5503%rl0 prefixlen 64 scopeid 0x2
        ether 00:50:bf:51:55:03
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active

rc.conf:

gateway_enable=YES
firewall_enable=YES
firewall_type=OPEN
natd_enable=YES
natd_interface=rl0
natd_flags=-f /etc/natd.cf
hostname=mygatewayhost
ifconfig_rl0=inet 24.121.16.61 netmask 255.255.254.0
ifconfig_xl0=inet 192.168.0.1 netmask 255.255.255.0

WillyB

[EMAIL PROTECTED] wrote:
> Following is rc.conf, /etc/natd.conf, ifconfig, ipfw show.
> [...]
> ipfw show:
> 00100 0 0 allow ip from any to any via lo0
> 00200 0 0 deny ip from any to 127.0.0.0/8
> 00300 0 0 deny ip from 127.0.0.0/8 to any
> 65000 4208345040 allow ip from any to any
> 65535 0 0 deny ip from any to any
> [...]
RE: different ipfw/natd prob
Do you really have a named domain server configured? If not, remove named_enable=YES

If you really do not want sendmail it should be sendmail_enable=NONE

From your description I see no reason for any of the router_ options.

You don't need this either:

network_interfaces=lo0 fxp0 dc0
ifconfig_lo0=inet 127.0.0.1

Your rule set is missing the divert rule to send all packets to ipfw's built in nat function interface module:

allow ip from any to any via lo0
divert natd all from any to any via dc0     <- add this rule
allow ip from any to any
deny ip from any to any

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Stephen D. Kingrea
Sent: Friday, January 17, 2003 8:53 AM
To: Bill Moran
Cc: [EMAIL PROTECTED]
Subject: Re: different ipfw/natd prob

> Following is rc.conf, /etc/natd.conf, ifconfig, ipfw show.
> [...]
Re: different ipfw/natd prob
Stephen D. Kingrea wrote:
> Oh, this looks bad. Before I do that, I should mention that in the meantime I tried to add a divert rule and got:
> ip_fw_ctl: invalid command
> On boot, I get:
> IP packet filtering initialized, divert disabled, rule-based forwarding enabled, default to deny, logging disabled

Sounds like you need to recompile your kernel with IPDIVERT (as someone else pointed out)

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com
Re: different ipfw/natd prob
I agree. It does seem that I need to recompile:

www# ipfw add diver natd all from any to any via dc0
ip_fw_ctl: invalid command
ipfw: getsockopt(IP_FW_ADD): Invalid argument

would seem to indicate this. I shall commence, as per yours and JoeB's suggestion, and report back. Thank you both.

stephen d. kingrea

On Fri, 17 Jan 2003, Bill Moran wrote:
> [...]
> Sounds like you need to recompile your kernel with IPDIVERT (as someone else pointed out)
Re: ipfw/natd questions
On Wed, 15 Jan 2003 19:08:08 -0600 Redmond Militante [EMAIL PROTECTED] wrote:
> [...]
> At the moment, it's not working. On machine 2, I can't ping www.freebsd.org - I get 'hostname lookup failure'. I can't ping xl0 - the external nic on machine 1 - ping 129.x.x.35 gives me a 'host is down' message. Machine 2 can ping its own static IP successfully - ping 129.x.x.20 works. Machine 2 can ping its own hostname successfully - ping machine2.hostname.com works. Sorry if this is long, I've been messing with this all day and I think I'm doing it right. Can you guys tell if I'm missing something obvious?

What about your /etc/resolv.conf? On both machines? Did you insert the nameserver of your ISP?
Re: ipfw/natd questions
> - i've run an ethernet cable from xl1 - integrated intel 1000 pro nic on
> machine 1 - to machine 2's nic. i've edited machine 2's /etc/rc.conf so
> that it points to the internal nic - xl1 on machine 1 - as its default
> gateway:

Ethernet cable? Or crossover cable? If it's a straight cable, you need
another hub and cable.. or a crossover cable instead.

<snip>
> defaultrouter="10.20.155.1"
> hostname="machine2.hostname.com"
> ifconfig_xl0="inet 129.x.x.20 netmask 255.255.255.0"
<snip>

On another note, if I read that correctly.. you connected a nic that is
configured with an IP of 129.x.x.x to a nic with an IP of 10.x.x.x. You
would more than likely want the nic on machine2 to be on the 10.x.x.x
subnet for this configuration. Afterwards, you should at least be able
to ping your internal interface on machine1 from machine2 (It looks like
you're allowing it in your IPFW rules...). Once you can ping.. (or begin
to see traffic on the internal interface in the logs for IPFW), you can
start troubleshooting the IPFW rules, if necessary.

HTH,
John
another go at ipfw/natd
hi again

i have two machines - one has two nics, one has one nic. i'd like to set
up the machine with two nics as a gateway/natd box, and place the second
machine behind it.

gateway machine's kernel has been recompiled with:

    options IPFIREWALL
    options IPDIVERT
    options IPFIREWALL_DEFAULT_TO_ACCEPT
    options IPFIREWALL_VERBOSE

gateway machine's /etc/rc.conf:

    defaultrouter="129.x.x.1"
    hostname="enquirer.medill.northwestern.edu"
    ifconfig_xl0="inet 129.x.x.35 netmask 255.255.255.0"
    ifconfig_xl1="inet 10.0.0.1 netmask 255.0.0.0"
    gateway_enable="YES"
    firewall_enable="YES"
    #firewall_script="/etc/rc.firewall"
    firewall_type="OPEN"
    natd_enable="YES"
    natd_interface="xl0"
    natd_flags=""

second machine's /etc/rc.conf:

    defaultrouter="10.0.0.1"
    ifconfig_xl0="inet 10.0.0.2 netmask 255.0.0.0"

'ipfw list' on the gateway machine gives me:

    00050 divert 8668 ip from any to any via xl0
    00100 allow ip from any to any via lo0
    00200 deny ip from any to 127.0.0.0/8
    00300 deny ip from 127.0.0.0/8 to any
    65000 allow ip from any to any
    65535 allow ip from any to any

i'm following the instructions in the handbook
http://www.freebsd.org/doc/en_US.IS...dbook/natd.html

    Each machine and interface behind the LAN should be assigned IP
    address numbers in the private network space as defined by RFC 1918
    and have a default gateway of the natd machine's internal IP address.

this isn't working for me. i cannot ping outside machines from the client
machine. 'ping www.freebsd.org' times out. pinging the ip address outside
the router gives me 'no route to host', pinging the ip address of the
gateway box gives me 'no route to host'. 'ping 10.0.0.1' gives me 'host
is down'. the client machine can ping itself and get a response, however
- 'ping 10.0.0.2' gives me a response.

please help, i'm stuck.
Re: another go at ipfw/natd
Redmond Militante wrote:
> hi again
>
> i have two machines - one has two nics, one has one nic. i'd like to
> set up the machine with two nics as a gateway/natd box, and place the
> second machine behind it.
[...]
> this isn't working for me. i cannot ping outside machines from the
> client machine. 'ping www.freebsd.org' times out. pinging the ip
> address outside the router gives me 'no route to host', pinging the ip
> address of the gateway box gives me 'no route to host'. 'ping 10.0.0.1'
> gives me 'host is down'. the client machine can ping itself and get a
> response, however - 'ping 10.0.0.2' gives me a response.

Let me ask some questions to help diagnose this:

1. From the gateway: Can you ping www.freebsd.org? Can you ping
   129.x.x.1?
2. What's in /etc/resolv.conf on the gateway and the client machine?
3. What does ifconfig display on the gateway? Does xl1 show as up with a
   valid media type? Do your net card and hub both have link lights?

--
Bill Moran
Potential Technologies
http://www.potentialtech.com
Re: another go at ipfw/natd
> Let me ask some questions to help diagnose this:
>
> 1. From the gateway: Can you ping www.freebsd.org? Can you ping
>    129.x.x.1?

yes to both

> 2. What's in /etc/resolv.conf on the gateway and the client machine?

/etc/resolv.conf is identical on gateway and client machines

    search northwestern.edu
    nameserver 129.105.49.1
    nameserver 165.124.49.21
    ~

> 3. What does ifconfig display on the gateway? Does xl1 show as up with
>    a valid media type?

    xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            options=3<rxcsum,txcsum>
            inet 129.105.51.35 netmask 0xff00 broadcast 129.105.51.255
            inet6 fe80::210:5aff:fec6:8bcb%xl0 prefixlen 64 scopeid 0x1
            ether 00:10:5a:c6:8b:cb
            media: Ethernet autoselect (100baseTX <full-duplex>)
            status: active
    xl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            options=3<rxcsum,txcsum>
            inet 10.0.0.1 netmask 0xff00 broadcast 10.0.0.255
            inet6 fe80::206:5bff:fe80:985b%xl1 prefixlen 64 scopeid 0x2
            ether 00:06:5b:80:98:5b
            media: Ethernet autoselect (none)
            status: no carrier

(ifconfig has changed slightly here - i was experimenting by giving xl1
a subnet mask of 255.255.255.0 - still doesn't work)

> Do your net card and hub both have link lights?

i am hooking the client directly into the internal nic on the gateway,
so no hub. i've verified that both nics on the gateway work - did this
by configuring xl1 as the primary nic, and it worked.

thanks
redmond

> --
> Bill Moran
> Potential Technologies
> http://www.potentialtech.com
Re: another go at ipfw/natd
Redmond Militante wrote:
> xl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         options=3<rxcsum,txcsum>
>         inet 10.0.0.1 netmask 0xff00 broadcast 10.0.0.255
>         inet6 fe80::206:5bff:fe80:985b%xl1 prefixlen 64 scopeid 0x2
>         ether 00:06:5b:80:98:5b
>         media: Ethernet autoselect (none)
>         status: no carrier
                  ^^^^^^^^^^
This is your problem.

> > Do your net card and hub both have link lights?
>
> i am hooking the client directly into the internal nic on the gateway,
> so no hub. i've verified that both nics on the gateway work - did this
> by configuring xl1 as the primary nic, and it worked.

You can't do this. You _must_ use a crossover cable to connect 2 NICs
directly together. You need to use a hub or switch to use
straight-through ethernet cables.

.daniel.schrock
Re: another go at ipfw/natd
Redmond Militante wrote:
<snip reply that verifies that DNS is configured properly>
> > 3. What does ifconfig display on the gateway? Does xl1 show as up
> >    with a valid media type?
<SNIP>
> xl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         options=3<rxcsum,txcsum>
>         inet 10.0.0.1 netmask 0xff00 broadcast 10.0.0.255
>         inet6 fe80::206:5bff:fe80:985b%xl1 prefixlen 64 scopeid 0x2
>         ether 00:06:5b:80:98:5b
>         media: Ethernet autoselect (none)
>         status: no carrier

Notice the 'autoselect (none)' and 'status: no carrier'. These are
indicative of faulty wiring or NIC problems. Since you state that you
tested the NICs, I would double check the wiring. If you're going
directly NIC-NIC, you'll need a crossover cable. Make sure that the cable
you're using is a crossover and is properly wired. If so, verify that the
cable is good (usually easiest to try a different cable, unless you have
the pricey testing stuff).

It looks like everything else is OK. I'm guessing that once you've got
the cable situation worked out, everything will start working.

> i am hooking the client directly into the internal nic on the gateway,
> so no hub. i've verified that both nics on the gateway work - did this
> by configuring xl1 as the primary nic, and it worked.

Do the NICs have link lights on the back? Most NICs do. I'm guessing that
they're dark, indicating that it can't negotiate a link. Although I've
seen some NICs that will turn the link light on even if things are wired
wrong (which is really frustrating when you're trying to diagnose
problems!)

--
Bill Moran
Potential Technologies
http://www.potentialtech.com
Re: another go at ipfw/natd
hi

thanks this worked :)

In the gothic chambers of the underworld on Thu, Jan 16, 2003 at
03:51:55PM -0600, Daniel Schrock darkly muttered:
> Redmond Militante wrote:
> > xl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> [...]
> >         media: Ethernet autoselect (none)
> >         status: no carrier
>                   ^^^^^^^^^^
> This is your problem.
[...]
> You can't do this. You _must_ use a crossover cable to connect 2 NICs
> directly together. You need to use a hub or switch to use
> straight-through ethernet cables.
>
> .daniel.schrock
ipfw/natd questions
now i'm trying to set up a gateway box using ipfw/natd.

i have 2 test machines - machine 1 has two nics, one's an integrated
intel 1000 pro, the other is an old pci 3com 3c905b. machine 1 has a
static ip and hostname. machine 2 is virtually identical except it has
only one nic - the intel 1000 pro integrated. machine 2 also has a static
ip and hostname.

i'd like machine 1 to act as a gateway/packet filtering firewall/natd
box. i'd like to hook up machine 2 to the internal network interface card
of machine 1 and be able to filter/log/divert packets bound for machine 2
through ipfw/natd on machine 1.

i've been basically following the instructions at
http://www.mostgraveconcern.com/freebsd/ for 'setting up a dual-homed
host'

- on machine 1, ifconfig returns

    xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            options=3<rxcsum,txcsum>
            inet 129.x.x.35 netmask 0xff00 broadcast 129.x.x.255
            inet6 fe80::210:5aff:fec6:8bcb%xl0 prefixlen 64 scopeid 0x1
            ether 00:10:5a:c6:8b:cb
            media: Ethernet autoselect (100baseTX <full-duplex>)
            status: active
    xl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            options=3<rxcsum,txcsum>
            inet 10.20.155.1 netmask 0xff00 broadcast 10.20.155.255
            inet6 fe80::206:5bff:fe80:985b%xl1 prefixlen 64 scopeid 0x2
            ether 00:06:5b:80:98:5b
            media: Ethernet autoselect (none)
            status: no carrier

i'd like xl0 to be my external nic, and xl1 to be my internal nic

- on machine 1, my /etc/rc.conf reads

    ifconfig_xl0="inet 129.x.x.35 netmask 255.255.255.0"
    ifconfig_xl1="inet 10.20.155.1 netmask 255.255.255.0"
    gateway_enable="YES"

    #required for ipfw support
    firewall_enable="YES"
    firewall_script="/etc/rc.ipfw"
    firewall_type="open"
    firewall_quiet="NO"            #change to yes once happy with rules
    firewall_logging_enable="YES"

    #extra firewalling options
    log_in_vain="YES"
    tcp_drop_synfin="YES"
    icmp_drop_redirect="YES"

    natd_program="/sbin/natd"
    natd_enable="YES"
    natd_interface="xl0"
    natd_flags="-f /etc/natd.conf"

- machine 1's kernel has been recompiled with the following options

    #to enable ipfirewall with default to deny all packets
    options IPFIREWALL
    options IPFIREWALL_FORWARD
    options IPFIREWALL_VERBOSE
    options IPFIREWALL_VERBOSE_LIMIT=10
    #to hide the firewall from traceroute
    options IPSTEALTH
    options IPDIVERT
    #to hide from nmap
    options TCP_DROP_SYNFIN

- machine's firewall_script, /etc/rc.ipfw, is taken from the tutorial
mostly verbatim, the only part of it i changed was

    # Suck in the configuration variables.
    if [ -r /etc/defaults/rc.conf ]; then
            . /etc/defaults/rc.conf
            source_rc_confs
    elif [ -r /etc/rc.conf ]; then
            . /etc/rc.conf
    fi

    if [ -n "${1}" ]; then
            firewall_type="${1}"
    fi

    # Firewall program
    fwcmd="/sbin/ipfw"

    # Outside interface network and netmask and ip
    oif="xl0"
    onet="129.x.x.1"
    omask="255.255.255.0"
    oip="129.x.x.35"

    # Inside interface network and netmask and ip
    iif="xl1"
    inet="10.20.155.0"
    imask="255.255.255.0"
    iip="10.20.155.1"

    # My ISP's DNS servers
    dns1="129.x.x.1"
    dns2="165.x.x.21"

    # Flush previous rules
    ${fwcmd} -f flush

    # Allow loopbacks, deny imposters
    ${fwcmd} add 100 pass all from any to any via lo0
    ${fwcmd} add 200 deny all from any to 127.0.0.0/8

    # If you're using 'options BRIDGE', uncomment the following line to pass ARP
    #${fwcmd} add 300 pass udp from 0.0.0.0 2054 to 0.0.0.0

    # Stop spoofing
    ${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
    ${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}

    # Stop RFC1918 nets on the outside interface
    ${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
    ${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
    ${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}

    # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
    # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
    # on the outside interface
    ${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
    ${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
    ${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
    ${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
    ${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}

    # Network Address Translation.  This rule is placed here deliberately
    # so that it does not interfere with the surrounding address-checking
    # rules.  If for example one of your internal LAN machines had its IP
    # address set to 192.0.2.1 then an incoming packet for it after being
    # translated by natd(8) would match the `deny' rule above.  Similarly
    # an outgoing packet originated from it before being translated would
    # match the `deny' rule below.
    ${fwcmd} add divert natd all from any to any via ${natd_interface}

    # Stop RFC1918 nets on the outside interface
    ${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
    ${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
    ${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}

    # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
    # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
    # on the outside interface
    ${fwcmd} add deny all from
Re: IPFW + NATD with redirect_port
> I want to redirect incoming ssh packet to another box internally. I
> have got the following as my /etc/natd.conf
>
>     dynamic yes
>     log_denied yes
>     use_sockets yes
>     same_ports yes
>     unregistered_only
>     redirect_port tcp 192.168.0.200:22 4455
>
> When I try to ssh to port 4455 I get nothing - I have ipfw running - do
> I need any specific rules to get this working. I have tried
>
>     ${fwcmd} add pass log tcp from any to any 22 in via ${oif} setup
>
> but it doesn't seem to work.

Gordon,

Your natd setup looks OK to me. I'm wondering whether your ipfw isn't
blocking connection attempts. Do you have a rule that allows tcp
connections to port 4455? And another to allow connections from NAT box
to ssh box on port 22? And when you try to connect to port 4455 on your
NAT box, you do it from the exterior, right?

Hope this helps,
Jonathan
IPFW + NATD with redirect_port
Hi

I want to redirect incoming ssh packet to another box internally. I have
got the following as my /etc/natd.conf

    dynamic yes
    log_denied yes
    use_sockets yes
    same_ports yes
    unregistered_only
    redirect_port tcp 192.168.0.200:22 4455

When I try to ssh to port 4455 I get nothing - I have ipfw running - do I
need any specific rules to get this working. I have tried

    ${fwcmd} add pass log tcp from any to any 22 in via ${oif} setup

but it doesn't seem to work.

Thanks all
Gordon
IPFW, natd, redirect_address help needed
Hi there,

I have been trying to set up an embedded system from soekris, running a
small version of freebsd on its internal compact flash hard disk. The
machine is built, I have remote access to it and I intend to use it as a
firewall + nat appliance, directing traffic from machines internally to
external IP addresses.

I have gotten everything running, however my test for the machines
behind the new firewall keep failing. I can ping the firewall itself, but
not anything past it. The pings just disappear. From the firewall I can
ping anything by either hostname or IP. What I have not figured out is
why my machines behind the firewall cannot ping out past the firewall,
or get any other traffic out either.

my ipfw list is:
---
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to 172.16.0.0/12 via sis0
00500 deny ip from any to 192.168.0.0/16 via sis0
00600 deny ip from any to 0.0.0.0/8 via sis0
00700 deny ip from any to 169.254.0.0/16 via sis0
00800 deny ip from any to 192.0.2.0/24 via sis0
00900 deny ip from any to 224.0.0.0/4 via sis0
01000 deny ip from any to 240.0.0.0/4 via sis0
01100 divert 8668 ip from any to any via sis0
01200 deny ip from 172.16.0.0/12 to any via sis0
01300 deny ip from 192.168.0.0/16 to any via sis0
01400 deny ip from 0.0.0.0/8 to any via sis0
01500 deny ip from 169.254.0.0/16 to any via sis0
01600 deny ip from 192.0.2.0/24 to any via sis0
01700 deny ip from 224.0.0.0/4 to any via sis0
01800 deny ip from 240.0.0.0/4 to any via sis0
01900 allow tcp from any to any established
02000 allow ip from any to any frag
1 deny log logamount 100 tcp from any to any in recv sis0 setup
10100 allow tcp from any to any setup
10200 allow udp from any to any 53 keep-state out xmit sis0
10300 allow udp from any to any 53 keep-state in recv sis0
10400 allow udp from any to any 123 keep-state out xmit sis0
10500 allow udp from any to any 123 keep-state in recv sis1
10600 allow tcp from any to any 53 keep-state out xmit sis0
10700 allow tcp from any to any 53 keep-state in recv sis1
10800 allow tcp from any to any 25 keep-state out xmit sis0
10900 allow tcp from any to any 25 keep-state in recv sis1
11000 allow tcp from any to any 22 keep-state out xmit sis0
11100 allow tcp from any to any 22 keep-state in recv sis1
11200 allow udp from me to any 67 keep-state out xmit sis0
11300 allow icmp from any to any
65535 deny ip from any to any

and my netstat -rn is:
---
Routing table:
--
Destination        Gateway            Flags    Netif  Use
default            66.180.229.177     UGSc     sis0     2
10.1.1.0/24        link#2             UC       sis1     0
xxx.xxx.xxx.xxx    link#1             UC       sis0     0   - network
xxx.xxx.xxx.xxx    link#1             UHLW     sis0     0   - gateway
127.0.0.1          127.0.0.1          UH       lo0      0
Re: IPFW, natd, redirect_address help needed
Do you have gateway_enable=YES in your firewall? Can you get packets
through both directions just fine with the firewall set to OPEN?

David

Terrac Skiens wrote:
> Hi there,
>
> I have been trying to set up an embedded system from soekris, running a
> small version of freebsd on its internal compact flash hard disk. The
> machine is built, I have remote access to it and I intend to use it as
> a firewall + nat appliance, directing traffic from machines internally
> to external IP addresses.
[...]
> my ipfw list is:
[...]
> and my netstat -rn is:
[...]

--
David Cramblett
Network and Information Services
Multnomah Education Service District
phn: 503-257-1535
fax: 503-257-1538
Re: IPFW, natd, redirect_address help needed
since this is a super small distribution I do not have the default open,
closed, and client firewall configs. The set I am using is based on the
client one though, however I adjusted it to allow traffic from the inside
to the outside on specific ports and hopefully keep-state to let the
returning packets back in. That's right, isn't it?

-terrac

On Tue, 5 Nov 2002, David Cramblett wrote:
> Do you have gateway_enable=YES in your firewall? Can you get packets
> through both directions just fine with the firewall set to OPEN?
>
> David
>
> Terrac Skiens wrote:
> > Hi there,
> >
> > I have been trying to set up an embedded system from soekris, running
> > a small version of freebsd on its internal compact flash hard disk.
> [...]
> > my ipfw list is:
> [...]
> > and my netstat -rn is:
> [...]
>
> --
> David Cramblett
> Network and Information Services
> Multnomah Education Service District
> phn: 503-257-1535
> fax: 503-257-1538
Re: IPFW, natd, redirect_address help needed
well you could simply do an ipfw flush and then use ipfw command line to
add back the rule for the loopback device and the natd divert line (looks
like you're using natd?), then do a:

    ipfw add pass all from any to any

and make sure that you can send and receive traffic in both directions
without any deny firewall rules in place.

If you want to test with the current rules in place, you may want to add
a line to log all connections, if you have the disk space for it, and
then tail -f your security log and see what packets are getting
denied/accepted and why.

David

Terrac Skiens wrote:
> since this is a super small distribution I do not have the default
> open, closed, and client firewall configs. The set I am using is based
> on the client one though, however I adjusted it to allow traffic from
> the inside to the outside on specific ports and hopefully keep-state to
> let the returning packets back in. That's right, isn't it?
>
> -terrac
>
> On Tue, 5 Nov 2002, David Cramblett wrote:
> > Do you have gateway_enable=YES in your firewall? Can you get packets
> > through both directions just fine with the firewall set to OPEN?
> >
> > David
> >
> > Terrac Skiens wrote:
> > > Hi there,
> > >
> > > I have been trying to set up an embedded system from soekris,
> > > running a small version of freebsd on its internal compact flash
> > > hard disk.
> > [...]
> > > my ipfw list is:
> > [...]
> > > and my netstat -rn is:
> > [...]
> >
> > --
> > David Cramblett
> > Network and Information Services
> > Multnomah Education Service District
> > phn: 503-257-1535
> > fax: 503-257-1538
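The rc.ipfw comment in the "ipfw/natd questions" message above explains why the divert rule must sit between the "deny to" and "deny from" bogon rules, and the Soekris ruleset in this thread follows that layout. The following is an added example, not code from the list or from FreeBSD, that checks saved 'ipfw list' output for exactly that ordering; the outside interface name is a parameter and the second ruleset is a constructed counter-example.

```python
"""Audit saved 'ipfw list' output for the natd ordering mistakes discussed
above.  Added example, not code from the mailing list or from FreeBSD; it
parses text only and never touches the running firewall."""
import re

# Nets the posted rc.ipfw scripts deny on the outside interface.
BOGON_NETS = (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "0.0.0.0/8",
    "169.254.0.0/16", "192.0.2.0/24", "224.0.0.0/4", "240.0.0.0/4",
)

# One 'ipfw list' line: number, action, optional log clause, optional
# divert port, optional "proto from src to dst", then everything else.
RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<action>allow|pass|deny|drop|divert|check-state)"
    r"(?:\s+log(?:\s+logamount\s+\d+)?)?(?:\s+(?P<arg>\d+))?"
    r"(?:\s+(?P<proto>\S+)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+))?"
    r"(?P<rest>.*)$")


def parse_rules(text):
    """Parse 'ipfw list' output into dicts; lines that do not parse are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rule = m.groupdict()
            rule["num"] = int(rule["num"])
            rule["rest"] = rule["rest"].strip()
            rules.append(rule)
    return rules


def uses_iface(rule, iface):
    """True when the rule is tied to iface by a via/xmit/recv clause."""
    toks = rule["rest"].split()
    return any(toks[i] in ("via", "xmit", "recv") and toks[i + 1] == iface
               for i in range(len(toks) - 1))


def default_policy(rules):
    """Action of rule 65535, i.e. the kernel's compiled-in default."""
    for rule in rules:
        if rule["num"] == 65535:
            return rule["action"]
    return None


def audit(text, oif):
    """Return findings about divert placement; an empty list means it is fine."""
    rules = parse_rules(text)
    findings = []
    diverts = [r for r in rules if r["action"] == "divert" and uses_iface(r, oif)]
    if len(diverts) != 1:
        return [f"expected exactly one divert rule via {oif}, found {len(diverts)}"]
    dnum = diverts[0]["num"]
    for r in rules:
        if r["action"] not in ("deny", "drop") or not uses_iface(r, oif):
            continue
        # "deny to <private net>" must come BEFORE the divert: afterwards the
        # destination has already been rewritten to the internal host.
        if r["src"] == "any" and r["dst"] in BOGON_NETS and r["num"] > dnum:
            findings.append(
                f"rule {r['num']}: 'deny to {r['dst']}' is after divert {dnum}, "
                "so an inbound packet natd rewrites to that net gets dropped")
        # "deny from <private net>" must come AFTER the divert: before it the
        # LAN packet still carries its private source address.
        if r["dst"] == "any" and r["src"] in BOGON_NETS and r["num"] < dnum:
            findings.append(
                f"rule {r['num']}: 'deny from {r['src']}' is before divert {dnum}, "
                "so LAN traffic is dropped before natd rewrites its source")
    return findings


# Trimmed copy of the Soekris ruleset posted above; it is ordered correctly.
GOOD_RULES = """\
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to 172.16.0.0/12 via sis0
00500 deny ip from any to 192.168.0.0/16 via sis0
00900 deny ip from any to 224.0.0.0/4 via sis0
01100 divert 8668 ip from any to any via sis0
01200 deny ip from 172.16.0.0/12 to any via sis0
01300 deny ip from 192.168.0.0/16 to any via sis0
01900 allow tcp from any to any established
10100 allow tcp from any to any setup
11300 allow icmp from any to any
65535 deny ip from any to any
"""

# Constructed counter-example: the divert was inserted at the wrong place.
BAD_RULES = """\
00100 allow ip from any to any via lo0
00300 deny ip from 10.0.0.0/8 to any via sis0
00350 divert 8668 ip from any to any via sis0
00500 deny ip from any to 192.168.0.0/16 via sis0
65535 deny ip from any to any
"""

if __name__ == "__main__":
    for name, text in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        print(name, "default policy:", default_policy(parse_rules(text)))
        for finding in audit(text, "sis0"):
            print("  ", finding)
```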
IPFW/NATD
The answer to this is more than likely 'no'. But I'll try anyways.

Setup: NATD/IPFW

Say you have an IPFW rule to allow 10.0.0.2 through NATD - thus into the
internet - and everything else to be blocked. Your machine (10.0.0.2)
that is being firewalled by NATD/IPFW works fine. Then someone else sets
their machine up to 10.0.0.2, and now they can also get out into the
network (there will of course be an ip conflict).

My question is, for security, is there any way to use this type of block
based on MAC ID. Almost to bond the MAC ID to the IP Address so the only
computer that can use the IP address 10.0.0.2 is with MAC ID whatever?

Thanks,
Scott
Re: IPFW/NATD
On Tue, Oct 22, 2002 at 10:55:26AM -0500, Scott Pilz typed:
> The answer to this is more than likely 'no'. But I'll try anyways.
>
> Setup: NATD/IPFW
>
> Say you have an IPFW rule to allow 10.0.0.2 through NATD - thus into
> the internet - and everything else to be blocked. Your machine
> (10.0.0.2) that is being firewalled by NATD/IPFW works fine. Then
> someone else sets their machine up to 10.0.0.2, and now they can also
> get out into the network (there will of course be an ip conflict).

You can use arp(8) to make a permanent entry in the arp table on your
NAT/Firewall box to prevent anyone else from using this IP address:

    arp -S 10.0.0.2 Your_machines_MAC

> My question is, for security, is there any way to use this type of
> block based on MAC ID. Almost to bond the MAC ID to the IP Address so
> the only computer that can use the IP address 10.0.0.2 is with MAC ID
> whatever?
>
> Thanks,
> Scott
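A static entry made with arp -S only helps while it is actually in the table, so it is worth verifying. The following is an added example, not code from the thread, that compares saved FreeBSD 'arp -an' output against a list of intended IP-to-MAC pins; the sample table and the MACs in it are constructed (10.0.0.1 reuses the gateway's xl1 MAC shown earlier on this page).

```python
"""Compare a saved FreeBSD 'arp -an' dump with the IP-to-MAC pins that
arp -S is supposed to have installed.  Added example, not code from the
list; it parses text only, so it runs without root or a FreeBSD box."""
import re

# One 'arp -an' line on FreeBSD, e.g.
#   ? (10.0.0.2) at 00:11:22:33:44:55 on xl1 permanent [ethernet]
#   ? (10.0.0.3) at 00:11:22:33:44:99 on xl1 expires in 1190 seconds [ethernet]
ARP_RE = re.compile(
    r"^\S+ \((?P<ip>[\d.]+)\) at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}|\(incomplete\))"
    r" on (?P<iface>\S+)(?P<rest>.*)$", re.IGNORECASE)


def parse_arp(text):
    """Map IP -> {mac, iface, permanent} from 'arp -an' output."""
    entries = {}
    for line in text.splitlines():
        m = ARP_RE.match(line.strip())
        if m:
            entries[m["ip"]] = {
                "mac": m["mac"].lower(),
                "iface": m["iface"],
                "permanent": "permanent" in m["rest"],
            }
    return entries


def check_pins(arp_text, pins):
    """pins: {ip: (mac, iface)}.  Returns findings; empty means every pin holds."""
    entries = parse_arp(arp_text)
    findings = []
    for ip, (mac, iface) in pins.items():
        e = entries.get(ip)
        if e is None:
            findings.append(f"{ip}: no ARP entry at all, re-run arp -S for it")
        elif e["mac"] != mac.lower():
            # A dynamic entry with another MAC means some other box is
            # answering for the address the pin was meant to reserve.
            findings.append(f"{ip}: table holds {e['mac']}, pin says {mac.lower()}")
        elif not e["permanent"]:
            findings.append(f"{ip}: entry is dynamic, so the pin is not in effect")
        elif e["iface"] != iface:
            findings.append(f"{ip}: learned on {e['iface']}, expected {iface}")
    return findings


# Constructed sample of 'arp -an' output (MACs made up except 10.0.0.1).
ARP_SAMPLE = """\
? (10.0.0.1) at 00:06:5b:80:98:5b on xl1 permanent [ethernet]
? (10.0.0.2) at 00:11:22:33:44:55 on xl1 permanent [ethernet]
? (10.0.0.3) at 00:11:22:33:44:99 on xl1 expires in 1190 seconds [ethernet]
? (10.0.0.9) at (incomplete) on xl1 expired [ethernet]
"""

# What the firewall admin intended to pin with arp -S (constructed).
PINS = {
    "10.0.0.2": ("00:11:22:33:44:55", "xl1"),
    "10.0.0.3": ("00:11:22:33:44:66", "xl1"),
    "10.0.0.4": ("00:11:22:33:44:77", "xl1"),
}

if __name__ == "__main__":
    for finding in check_pins(ARP_SAMPLE, PINS):
        print(finding)
```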
ipfw, natd, and keep-state - unexpected dynamic rules generated
Hi everybody,

I have a FreeBSD 4.6 router box sitting between a local net (192.168.0.255) and a single actual IP from a cable modem. Naturally, I've set up natd and ipfw on it, but instead of going the old way with the semi-stateful rules I decided to go with keep-state/check-state. But problems arise with outgoing ssh connections. Here is the relevant portion of my ipfw rules:

    # set up NAT
    ${fwcmd} add 00050 divert natd all from any to any via ${oif}
    # Allow the packet through if it has previously been added to
    # the dynamic rules table by an allow keep-state statement.
    $fwcmd add 00200 check-state
    # Run all private LAN $iif packet traffic through the dynamic rules
    # table so the IP addresses are in sync with Natd.
    $fwcmd add 00220 allow all from any to any via $iif keep-state
    # Deny all fragments as bogus packets
    $fwcmd add 00240 deny log all from any to any frag in via $oif
    # Deny ACK packets that did not match the dynamic rule table
    $fwcmd add 00260 deny log tcp from any to any established in via $oif
    # Allow out ssh connections
    $fwcmd add 00640 allow tcp from any to any 22 out via $oif setup keep-state

Seems like this should work, right? Initiating an ssh connection with an external host, and checking the dynamic rules (ipfw -ad list), the following two rules are generated:

    00220 84 12080 (T 599, slot 109) <-> tcp, 192.168.0.10 3106 <-> {external host ip} 22
    00640 26 2130 (T 19, slot 166) <-> tcp, {my external ip} 3106 <-> {external host ip} 22

The rule for my external IP, though, only gets the lifetime value from the syn_lifetime sysctl var, which is 20 seconds, and only the first rule apparently gets the ACKs through it and gets a 600 sec lifetime that is set in ack_lifetime. Any other packets sent through the connection reset the lifetime of the above two rules to 600 and 20 again. This would not trouble me otherwise, but as soon as the second rule (20 sec) expires, the ssh connection dies.

When I remove the word setup from rule 640, though, the ssh connection does not die. The same two dynamic rules are created, with the same lifetimes, but when the short-lived rule expires the connection is still there; upon sending any data through it the short-lived rule does not get recreated.

I am kinda stumped here. Any ideas? What's wrong with my rules? Any help would be appreciated. I've posted this to -security before, but have not gotten an authoritative answer as to the reason this is happening, and I guess if the same happens here I will post on -ipfw. And yes, I _have_ been advised to switch to ipnat/ipfilter, but that's cheating :). For that matter, so is removing setup from the above rule 640.

Thank you all in advance.

-- dfolkins
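As an added example, not the poster's ruleset and not a reply from the list: a layout in which each connection gets a single dynamic entry, keyed on the LAN address. In the ruleset above, rule 640 creates its entry after natd has already rewritten the source address, while inbound replies are un-NATed by rule 50 before check-state sees them, so every reply refreshes rule 220's entry and never rule 640's. ipfw keeps a TCP entry at syn_lifetime until it has seen a SYN from both directions, which is why the second entry sits at 20 seconds, and with setup on rule 640 the first non-SYN packet after it expires has no rule left to match. The script below un-NATs inbound traffic before check-state and gives outbound LAN traffic keep-state before it reaches the outbound divert by jumping to it with skipto, the pattern the FreeBSD Handbook uses for ipfw with natd. Interface names and the LAN prefix are assumed values; DRY_RUN=1 prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example, not the poster's ruleset: ipfw + natd with every dynamic
# entry keyed on the LAN address. Inbound packets are un-NATed (rule 014)
# before check-state, and outbound LAN traffic gets keep-state before it
# reaches the outbound divert (rule 800) by jumping there with skipto, so a
# single entry per connection sees both directions of the handshake.
# Interface names and LAN prefix are assumed; DRY_RUN=1 prints the rules.

IIF=${IIF:-xl0}               # assumed LAN interface
OIF=${OIF:-xl1}               # assumed interface on the cable modem
LAN=${LAN:-192.168.0.0/24}    # assumed LAN prefix
DRY_RUN=${DRY_RUN:-1}

fw() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'ipfw %s\n' "$*"
    else
        /sbin/ipfw "$@"
    fi
}

# One rule per outbound TCP service: the entry is created while the packet
# still carries its LAN source address, then the packet jumps straight to
# the NAT divert at 800.
allow_out_tcp() {
    fw add "$1" skipto 800 tcp from "$LAN" to any "$2" out via "$OIF" setup keep-state
}

load_ruleset() {
    fw -f flush
    fw add 005 allow all from any to any via lo0
    fw add 010 allow all from any to any via "$IIF"
    # Un-NAT inbound traffic first, so replies carry LAN addresses when
    # check-state compares them against the dynamic table.
    fw add 014 divert natd ip from any to any in via "$OIF"
    fw add 015 check-state
    # Outbound services from the LAN; add more as needed.
    allow_out_tcp 020 22    # ssh
    allow_out_tcp 021 80    # http
    # Anything else leaving via OIF has no state and is dropped here, so
    # it never reaches the divert at 800.
    fw add 299 deny log all from any to any out via "$OIF"
    # Inbound traffic that matched no dynamic entry.
    fw add 300 deny log all from any to any frag in via "$OIF"
    fw add 301 deny log tcp from any to any established in via "$OIF"
    fw add 399 deny log all from any to any in via "$OIF"
    # Reached only via skipto (new outbound connections) or a check-state
    # hit, whose action is the parent rule's skipto 800.
    fw add 800 divert natd ip from any to any out via "$OIF"
    fw add 801 allow ip from any to any
    fw add 999 deny log all from any to any
}

load_ruleset
```

After loading this, ipfw -ad list shows one entry per ssh session, parented to rule 020 and keyed on 192.168.0.x, and its timer moves to ack_lifetime once the SYN/ACK has come back through rule 014.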
RE: ipfw, natd tun0
Is PPP trying to do NAT as well as Natd? I use Natd with tun0 all the time and it works OK..

-D

:-----Original Message-----
:From: Allan McDonald [mailto:[EMAIL PROTECTED]]
:Sent: Tuesday, July 16, 2002 8:45 AM
:To: [EMAIL PROTECTED]
:Subject: ipfw, natd tun0
:
:Hi,
:I'm trying to use natd with port redirection and it's not working..
:
:I have a working model, a box with 2 network cards in it, in which natd port redirection is working just fine.. and I have another which I am trying to do the same thing, however this poor box has to connect to the internet via ppp. Now the internet connection is working fine.
:
:My query is.. should natd support port redirection over the tun0 interface?
:
:I do have options IPDIVERT compiled.. same format config files (natd.conf /etc/rc.conf) on both boxes.
:Both boxes running FreeBSD 4.5
:
:Anyone had this problem before??
:
:Regards,
:
:Allan McDonald
:IT Manager
:Ozdaq Securities Pty Ltd