ipfw + natd => some sites won't work :-S

Emanuel Strobl Emanuel.strobl at gmx.net
Mon May 9 15:51:14 PDT 2005


On Tuesday, 10 May 2005 00:42, Frank de Bot wrote:
> Hi,
>
> I got my FreeBSD set up to do nat, but it doesn't work 100%. Sites like
> Google for instance does work, but many other don't. All other protocols

I guess you're using an ADSL line with PPPoE, right?
If so, see tcp-mss fix. PPPoE consumes 8 bytes of your MTU, so the 
maximum segment size of TCP sessions is also reduced by 8 bytes, which the 
machine behind the NAT box doesn't know. Your NAT box has to alter the MSS 
field in the TCP header because many sites have wrongly configured firewalls 
which simply block all ICMP traffic, so the error from your router "must 
fragment" never reaches the originating host. So the sent packet is too 
big to go over your line and the "Must Fragment" bit is ignored... you'll 
never receive what you've requested.

I'm not familiar with IPFW, perhaps NATD can take care of MSS, PF does with 
"max-mss".

-Harry

> seems to be working properly. But why are sites failing to do anything?
> I got running natd with the verbose option and a successful request of
> google is identical to a random other site :S
> The firewall I use is rather big. the most important piece is:
>
> 01200     723    652298 divert 8668 ip from any to 82.94.238.70 via fxp0
> 01200     521     85279 divert 8668 ip from 10.0.5.0/24 to any
> 01200       0         0 allow ip from any to 10.0.5.0/24
> 01201     524     85399 allow ip from 82.94.238.70 to any
> 01201       3       144 allow ip from any to 82.94.238.70
> 01500  871494 216106437 allow tcp from any to any established
>
>
> /etc/natd.conf is:
>
> alias_address %external_ip%
> verbose
>
>
> It just puzzles me why only some http request would fail and everything
> works fine!
> Anyone got any idea?
>
>
> Thanks in advance,
>
> Frank de Bot
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe at freebsd.org"
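The reply above describes what an MSS-clamping NAT box does but leaves the arithmetic and the packet rewrite implicit. The following is an added example, not code from the thread, natd, ipfw or PF: it computes the MSS that fits a PPPoE link (1500 - 8 bytes of PPPoE/PPP overhead - 40 bytes of IPv4+TCP headers = 1452), then builds a constructed TCP SYN carrying an MSS option of 1460, walks the TCP option list, lowers the advertised MSS to the link value and refreshes the TCP checksum, which is the same rewrite that PF's "max-mss" performs. The addresses (10.0.5.10 from the poster's LAN range and the documentation address 198.51.100.1) and port numbers are constructed for the example.

```python
"""Added example: MSS clamping as an MSS-rewriting NAT box would do it on an outgoing SYN.
Not part of the mailing-list thread, natd, ipfw or PF; all packet values are constructed."""
import struct
from ipaddress import IPv4Address

ETH_MTU = 1500
PPPOE_OVERHEAD = 8       # 6-byte PPPoE header + 2-byte PPP protocol field
IP_TCP_HEADERS = 40      # 20-byte IPv4 header + 20-byte TCP header without options


def mss_for_link(mtu=ETH_MTU, overhead=PPPOE_OVERHEAD):
    """Largest TCP payload that fits one frame on a link with the given encapsulation overhead."""
    return mtu - overhead - IP_TCP_HEADERS   # 1500 - 8 - 40 = 1452 for PPPoE over Ethernet


def tcp_checksum(src, dst, segment):
    """RFC 793 ones'-complement checksum over the IPv4 pseudo-header plus the TCP segment.
    Over a segment whose checksum field is already correct, this returns 0."""
    pseudo = IPv4Address(src).packed + IPv4Address(dst).packed + struct.pack("!BBH", 0, 6, len(segment))
    data = pseudo + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_syn(src, dst, sport, dport, mss):
    """Constructed SYN with an MSS option (kind 2, length 4), two NOPs and SACK-permitted (kind 4)."""
    options = struct.pack("!BBH", 2, 4, mss) + b"\x01\x01\x04\x02"
    data_offset = (20 + len(options)) // 4                      # header length in 32-bit words
    header = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0,   # seq 1000, ack 0
                         data_offset << 4, 0x02, 65535, 0, 0)   # flags=SYN, window, csum=0, urg=0
    segment = header + options
    return segment[:16] + struct.pack("!H", tcp_checksum(src, dst, segment)) + segment[18:]


def mss_offset(segment):
    """Byte offset of the 16-bit MSS value inside the segment's TCP options, or None if absent/malformed."""
    end = (segment[12] >> 4) * 4
    i = 20
    while i < end:
        kind = segment[i]
        if kind == 0:                # end-of-option-list
            return None
        if kind == 1:                # NOP padding
            i += 1
            continue
        if i + 1 >= end:
            return None
        length = segment[i + 1]
        if length < 2 or i + length > end:
            return None              # malformed option list: leave the packet alone
        if kind == 2 and length == 4:
            return i + 2
        i += length
    return None


def read_mss(segment):
    off = mss_offset(segment)
    return None if off is None else struct.unpack("!H", segment[off:off + 2])[0]


def clamp_mss(src, dst, segment, max_mss):
    """Lower an oversized MSS option to max_mss and refresh the checksum. Returns (segment, original_mss)."""
    if not segment[13] & 0x02:       # only SYN / SYN-ACK carry the MSS option
        return segment, None
    off = mss_offset(segment)
    if off is None:
        return segment, None
    old = struct.unpack("!H", segment[off:off + 2])[0]
    if old <= max_mss:
        return segment, old
    new = bytearray(segment)
    new[off:off + 2] = struct.pack("!H", max_mss)
    new[16:18] = b"\x00\x00"         # zero the field before recomputing, as the sender did
    new[16:18] = struct.pack("!H", tcp_checksum(src, dst, bytes(new)))
    return bytes(new), old


if __name__ == "__main__":
    src, dst = "10.0.5.10", "198.51.100.1"
    syn = build_syn(src, dst, 40000, 80, 1460)
    clamped, old = clamp_mss(src, dst, syn, mss_for_link())
    print("link MSS:", mss_for_link(), "advertised:", old, "after clamp:", read_mss(clamped))
```

The host behind the NAT box still believes its MSS is 1460; only the peer sees 1452, and so the peer never sends a segment that would need a "fragmentation needed" ICMP message that a badly configured firewall might drop on the way back.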