natd not doing anything

Alex de Kruijff freebsd at akruijff.dds.nl
Wed Sep 29 08:51:54 PDT 2004


On Wed, Sep 29, 2004 at 10:33:13AM -0500, Micheal Patterson wrote:
> From: "Alex de Kruijff" <freebsd at akruijff.dds.nl>
> > I changed the list from current@ to questions@, since your question is
> > not only for CURRENT.
> >
> > On Tue, Sep 28, 2004 at 09:11:39PM +1000, Rebecca Dridan wrote:
> > > Hi all:
> > >
> > > I am having some issues with network set-up. I'm running CURRENT as of
> > > 26th September, with an ipfw firewall and natd. I have one gateway
> > > machine with one external NIC and 3 internal NICs. At present nothing from
> > > my internal machines can get out. I've reduced the firewall (temporarily) to
> > > a basic
> > > ipfw -f flush
> > > divert natd ip from any to any via fxp0
> > > allow ip from any to any
> > >
> > > When I turn logging on, I see the packets being diverted, and then
> > > accepted by later rules, but not being rewritten in between, ie
> > >
> > > ipfw: 30 Divert 8668 TCP 192.168.7.2:54619 <remote IP>:1025 out via fxp0
> > > ipfw: 70 Accept TCP 192.168.7.2:54619 <remote IP>:1025 out via fxp0
> > >
> 
> From the looks of that log entry, he's created a double NAT with 192.168.7.2
> being the IP of fxp0, his outside interface. If his next link (router?)
> isn't configured to do NAT for the range he's using on fxp0, he'll not have
> a back channel for the traffic to respond to and routing will fail. The end
> result, is the problem that he's encountering.
> 
> <snip>
> 
> > > options         IPFILTER_DEFAULT_BLOCK  #block all packets by default
> > > options         IPFIREWALL              #firewall - need for mac filtering
> > > options         IPFIREWALL_DEFAULT_TO_ACCEPT    #allow everything by
> 
> <snip>
> 
> > Your kernel is fine. Otherwise, you wouldn't have the ability to log or
> > to divert. The latter would result in packets being thrown away at rule
> > 30.
> 
> He has both accept and block as the default configuration for the firewall.
> That's not fine. I honestly don't know if it may cause a conflict with them
> both defined nor which one would take precedence when both configured. I
> would recommend removing one or the other for the default action he wishes
> his firewall to take.

This is not a problem. First, ipfw and ipf are two different firewall
rules. It's perfectly OK for one to deny everything by default and the
other to accept everything. Also, both firewalls can be used together.
Secondly, were one to set something like this for one firewall, then
that firewall would most likely pick only one setting.

He probably doesn't use ipf and thus can remove the IPFILTER lines. All this
does is make the kernel a bit smaller.

-- 
Alex

Articles based on solutions that I use:
http://www.kruijff.org/alex/FreeBSD/

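As an added example (not code from the thread, nor from Alex, Micheal or Rebecca), the following POSIX sh script reads the two ipfw log lines quoted above, the Divert entry and the Accept entry for the same packet, and reports whether natd rewrote the source address in between; it also flags an outside interface that carries an RFC 1918 address, which is the double-NAT situation Micheal describes. The helper names is_rfc1918, flow_of and nat_check are hypothetical, and the sample lines are constructed from the quoted ones with <remote IP> replaced by the documentation address 203.0.113.5 (an assumption).

```shell
#!/bin/sh
# Added example, not code from the thread. Reads a pair of ipfw log lines
# (the Divert entry and the Accept entry for the same packet) and reports
# whether natd rewrote the source address in between. Helper names
# (is_rfc1918, flow_of, nat_check) are hypothetical; the sample lines at the
# bottom are constructed from the ones quoted in the thread.

# Succeeds (exit 0) when the address is in an RFC 1918 private range.
is_rfc1918() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints "src:port dst:port" from one ipfw log line, e.g.
#   ipfw: 30 Divert 8668 TCP 192.168.7.2:54619 203.0.113.5:1025 out via fxp0
# The divert port (8668) is not of the form addr:port, so only the two
# address/port pairs are picked up, whatever action the rule logged.
flow_of() {
    printf '%s\n' "$1" | awk '{
        out = ""
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[0-9.]+:[0-9]+$/)
                out = (out == "" ? $i : out " " $i)
        print out
    }'
}

# Compares the flow that entered the divert rule with the flow ipfw saw
# afterwards. Prints "untranslated" and fails when the packet left with the
# same RFC 1918 source it arrived with, i.e. natd passed it through without
# aliasing; prints "translated" otherwise. A first argument that is not a
# Divert entry is rejected with status 2.
nat_check() {
    case "$1" in
        *" Divert "*) ;;
        *) echo "nat_check: first argument is not a Divert log entry" >&2; return 2 ;;
    esac
    before=$(flow_of "$1")
    after=$(flow_of "$2")
    src_after=${after%% *}      # first addr:port pair of the later entry
    src_addr=${src_after%:*}    # drop the port
    if [ "$before" = "$after" ] && is_rfc1918 "$src_addr"; then
        echo untranslated
        return 1
    fi
    echo translated
    return 0
}

# Constructed sample, modelled on the two log lines quoted in the thread;
# <remote IP> is replaced by the documentation address 203.0.113.5.
divert_line='ipfw: 30 Divert 8668 TCP 192.168.7.2:54619 203.0.113.5:1025 out via fxp0'
accept_line='ipfw: 70 Accept TCP 192.168.7.2:54619 203.0.113.5:1025 out via fxp0'
nat_check "$divert_line" "$accept_line" \
    || echo "natd did not alias this flow on the way out" >&2
```

Run against the lines from the thread it prints "untranslated", which is exactly the symptom reported: the packet went through the divert socket and came back with its private source intact. The same is_rfc1918 test applied to the address configured on the outside interface tells you whether the upstream router must itself be doing NAT for replies to find their way back.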
