natd not doing anything

[Micheal Patterson]

----- Original Message ----- 
From: "Alex de Kruijff" <freebsd at akruijff.dds.nl>
To: <sysadmin at ridley.unimelb.edu.au>
Cc: <r.dridan at ridley.unimelb.edu.au>; <freebsd-questions at freebsd.org>
Sent: Wednesday, September 29, 2004 10:05 AM
Subject: Re: natd not doing anything


> I changed the list from current@ to questions@, since you question is
> not only for CURRENT.
>
> On Tue, Sep 28, 2004 at 09:11:39PM +1000, Rebecca Dridan wrote:
> > Hi all:
> >
> > I am having some issues with network set-up. I'm running CURRENT as of
> > 26th September, with an ipfw firewall and natd. I have one gateway
> > machine with one external NIC and 3 internal NICs. At present nothing
from
> > my internal machines can get out. I've reduced the firewall
(temporarily) to
> > a basic
> > ipfw -f flush
> > divert natd ip from any to any via fxp0
> > allow ip from any to any
> >
> > When I turn logging on, I see the packets being diverted, and then
> > accepted by later rules, but not being rewritten in between, ie
> >
> > ipfw: 30 Divert 8668 TCP 192.168.7.2:54619 <remote IP>:1025 out via fxp0
> > ipfw: 70 Accept TCP 192.168.7.2:54619 <remote IP>:1025 out via fxp0
> >

>From the looks of that log entry, he's created a double NAT with 192.168.7.2
being the IP of fxp0, his outside interface. If his next link (router?)
isn't configured to do NAT for the range he's using on fxp0, he'll not have
a back channel for the traffic to respond to and routing will fail. The end
result, is the problem that he's encountering.

<snip>

> > options         IPFILTER_DEFAULT_BLOCK  #block all packets by default
> > options         IPFIREWALL              #firewall - need for mac
filtering
> > options         IPFIREWALL_DEFAULT_TO_ACCEPT    #allow everything by

<snip>

> Your kernel is fine. Otherwise, you wouldn't have the ability to log or
> to diverd. The later would result in packets being throuwn away at rule
> 30.
>

He has both accept and block as the default configuration for the firewall.
That's not fine. I honestly don't know if it may cause a conflict with them
both defined nor which one would take precedence when both configured. I
would recommend removing one or the other for the default action he wishes
his firewall to take.

--

Micheal Patterson
Senior Communications Systems Engineer
405-917-0600

Confidentiality Notice:  This e-mail message, including any attachments,
is for the sole use of the intended recipient(s) and may contain
confidential and privileged information. Any unauthorized review, use,
disclosure or distribution is prohibited. If you are not the intended
recipient, please contact the sender by reply e-mail and destroy all
copies of the original message.