Problems after IP change

Steve Bertrand iaccounts at ibctech.ca
Wed Jul 28 08:06:07 PDT 2004


> On Wednesday 28 July 2004 14:49, Steve Bertrand wrote:
>> >> Also, post the relevant ``natd'' line entries in your /etc/natd.conf
>> >> file.
>> >
>> > natd.conf doesn't exist. Do you mean rc.conf? Here it is:
>> > natd_interface="rl0"
>> > natd_enable="YES"
>> >
>> > But I didn't change anything here, and it always worked.
>>
>> Indeed, I did mean rc.conf...sorry ;o)
>>
>> Now would be a good time to post your fw ruleset.
>
> add 00300 divert 8668 ip from any to any
> add 01300 unreach port tcp from any to any 6699
> add 01400 allow log all from any to any via lo0
> add 01600 check-state

Well, I would hate to do this, but for testing purposes, add a rule (very
briefly)...

> add 00300 divert 8668 ip from any to any
> add 01300 unreach port tcp from any to any 6699
> add 01400 allow log all from any to any via lo0
add 1500 allow log logamount 1000 all from any to any

and check to see if things are working. Your security log file may
indicate where traffic is going whether it is or not.

Also, I know you haven't changed anything, but what does the output from
this command state?:

# sysctl net.inet.ip.forwarding

Steve

>
> add 01700 allow log logamount 1000 tcp from any to me 22 in setup
> keep-state
> add 01701 allow log logamount 1000 tcp from me 22 to any out
> add 01702 allow log logamount 1000 tcp from any to me 21 in setup
> keep-state
> add 01703 allow log logamount 1000 tcp from me 21 to any out
>
> add 01900 deny log tcp from any to any in established
>
> add 11700 allow tcp from any to any out setup keep-state
> add 11701 allow udp from 212.33.32.160 53 to any in recv rl0
> add 11702 allow udp from any to 212.33.32.160 53
> add 11703 allow udp from 212.33.55.5 53 to any in recv rl0
> add 11704 allow udp from any to 212.33.55.5 53
> add 11705 allow udp from 212.0.0.0/8 67 to 255.255.255.255 68 in recv rl0
>
> add 11801 allow icmp from any to any icmptypes 3
> add 11802 allow icmp from any to any icmptypes 4
> add 11803 allow icmp from any to any icmptypes 8 out
> add 11804 allow icmp from any to any icmptypes 0 in
> add 11805 allow icmp from any to any icmptypes 9 out
> add 11806 allow log icmp from any to any icmptypes 11 in
> add 11807 allow log icmp from any to any icmptypes 11 out
>
> add 11900 allow icmp from me to 224.0.0.1 icmptypes 9 in via rl0
> add 11901 allow icmp from 10.0.0.1 to 224.0.0.1 icmptypes 9 in via rl1
> add 11902 allow all from me to 224.0.0.2/24 out via rl0
> add 11903 allow all from 10.0.0.1 to 224.0.0.2/24 out via rl1
> add 11904 allow udp from me 520 to 81.10.248.255 520 out via rl0
> add 11905 allow udp from me 520 to 81.10.248.255 520 in via rl0
> add 11906 allow udp from 10.0.0.1 520 to 10.255.255.255 520 in via rl1
> add 11907 allow udp from 10.0.0.1 520 to 10.255.255.255 520 out via rl1
> add 11908 allow udp from me 520 to 10.255.255.255 520 out via rl1
> add 11909 allow udp from me 520 to 10.255.255.255 520 in via rl1
> add 11910 allow ip from any to 224.0.0.9/24 in via rl0
>
>
> add 20000 allow all from 10.0.0.0/24 to any in recv rl1
> add 20001 allow all from any to 10.0.0.0/24 out xmit rl1 keep-state
> add 20002 count log all from 10.0.0.0/24 to any
> add 20003 count log all from any to 10.0.0.0/24
>
>
> add 65534 deny log ip from any to any
>
>
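
Steve's advice above is to read the security log after adding the catch-all logging rule. As an added example (not code from the thread), the POSIX shell script below summarises ipfw log lines, as the kernel writes them when a rule carries "log", by rule number, action, direction and interface, so it is obvious whether LAN packets accepted "in via rl1" ever reappear "out via rl0" after natd. The sample log lines, the external address 81.10.248.33 on rl0 and the LAN host 10.0.0.5 are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): summarise ipfw log lines, as the kernel
# writes them to /var/log/security when a rule carries "log", by rule number,
# action, direction and interface. With the temporary catch-all
# "allow log logamount 1000 all from any to any" in place, this shows whether
# LAN packets accepted "in via rl1" ever reappear "out via rl0" after natd.
# Usage on the gateway: ipfw_summary < /var/log/security
# The lines below are constructed samples; 81.10.248.33 is an assumed external
# address on rl0, 10.0.0.5 an assumed LAN host, 81.10.248.77 an outside host.
SAMPLE_LOG='Jul 28 08:10:01 gw kernel: ipfw: 1500 Accept TCP 10.0.0.5:1034 81.10.248.40:80 in via rl1
Jul 28 08:10:01 gw kernel: ipfw: 1500 Accept TCP 81.10.248.33:1034 81.10.248.40:80 out via rl0
Jul 28 08:10:02 gw kernel: ipfw: 1500 Accept UDP 10.0.0.5:1035 212.33.32.160:53 in via rl1
Jul 28 08:10:02 gw kernel: ipfw: 1500 Accept UDP 81.10.248.33:1035 212.33.32.160:53 out via rl0
Jul 28 08:10:03 gw kernel: ipfw: 65534 Deny TCP 81.10.248.77:4444 81.10.248.33:135 in via rl0'

# ipfw_summary: read ipfw log lines on stdin, print
# "<hits> <rule> <action> <direction> <interface>", busiest first.
ipfw_summary() {
  awk '
    /ipfw:/ {
      for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
      rule = $(i + 1); action = $(i + 2)
      # direction is the word before "via", interface the word after it
      for (j = i; j <= NF; j++) if ($j == "via") { dir = $(j - 1); iface = $(j + 1) }
      hits[rule " " action " " dir " " iface]++
    }
    END { for (k in hits) print hits[k], k }
  ' | sort -rn
}

# ipfw_hits RULE ACTION DIR IFACE: number of matching sample lines (0 if none).
ipfw_hits() {
  printf '%s\n' "$SAMPLE_LOG" | ipfw_summary |
    awk -v want="$1 $2 $3 $4" '
      ($2 " " $3 " " $4 " " $5) == want { print $1; found = 1 }
      END { if (!found) print 0 }'
}

# forwarding_gap: hits accepted in via rl1 minus hits accepted out via rl0;
# a positive number means packets enter from the LAN but never leave on rl0.
forwarding_gap() {
  in_hits=$(ipfw_hits 1500 Accept in rl1)
  out_hits=$(ipfw_hits 1500 Accept out rl0)
  echo $((in_hits - out_hits))
}

printf '%s\n' "$SAMPLE_LOG" | ipfw_summary
echo "forwarding gap: $(forwarding_gap)"
```

If the gap is positive on the real log, the next things to check are the ones Steve names: the natd_interface in rc.conf still matching the interface that now carries the new address, and net.inet.ip.forwarding being 1.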

More information about the freebsd-questions mailing list