problem with natd
Norhisham Khalil
ksham at pd.jaring.my
Mon Dec 1 22:29:50 PST 2003
Hi all,
I sent this message using pine on 24th Nov, but when I checked the mailing list it was not readable. Strange, I could read it with pine. So I am sending it again. Sorry for the inconvenience.
I build PicoBSD on FreeBSD 4.9-RELEASE. The crunch.conf is based on net with user ppp, natd, ipfw2, sshd and ee.
The ppp and internet connection are working fine with the firewall open. I have a problem only when I use my custom firewall script with natd.
I build pico with the steps below.
In the kernel conf PICOBSD, I have these:
options IPFIREWALL
options IPDIVERT
options IPFW2
I launch ppp with rc.local and use custom ipfw rules invoked by the rc.firewall script:
firewall_enable="YES"
firewall_type="/etc/fwrules"
rc.local:
#!/bin/sh
#swapon /dev/ad0s1b #plenty space on harddisk, a swap is not a big deal.
ppp -auto papchap
natd -interface tun0
ns would look like this after the dialup connection:
Routing table:
--------------
Destination     Gateway         Flags   Netif   Use
default         61.6.142.2      UGSc    tun0    20
10.0.0.0/27     link#3          UC      ed0     0
10.0.0.5        link#3          UHLW    ed0     32
10.0.0.32/27    link#1          UC      ep0     0
10.0.0.64/27    link#2          UC      ep1     0
61.6.142.2      61.6.142.145    UH      tun0    0
127.0.0.1       127.0.0.1       UH      lo0     0
It seemed that there is traffic going out but no traffic coming back.
ipfw -d show:
00010 0 0 allow ip from any to any via lo0
00020 0 0 deny ip from 127.0.0.0/8 to 127.0.0.0/8
00100 12 655 divert 8668 ip from any to any via tun0
00200 0 0 check-state
00220 0 0 deny tcp from any to any established
00250 0 0 deny ip from 10.0.0.0/8 to any in via tun0
00251 0 0 deny ip from 192.168.0.0/16 to any in via tun0
00252 0 0 deny ip from 172.16.0.0/12 to any in via tun0
00253 0 0 deny ip from any to 10.0.0.0/8 in via tun0
00254 0 0 deny ip from any to 172.16.0.0/12 in via tun0
00255 0 0 deny ip from any to 192.168.0.0/16 in via tun0
00300 0 0 allow tcp from me to any out via lo0 setup keep-state
00310 0 0 deny tcp from me to any out via lo0
00320 0 0 allow ip from me to any out via lo0 keep-state
00400 0 0 allow tcp from me to any out setup keep-state
00410 0 0 deny tcp from me to any
00420 9 523 allow ip from me to any out keep-state
00510 0 0 allow tcp from 10.0.0.0/24 to any setup keep-state
00520 0 0 deny tcp from 10.0.0.0/24 to any
00530 0 0 allow ip from 10.0.0.0/24 to any out keep-state
00600 0 0 allow tcp from any to me dst-port 22 in setup keep-state
00700 9 523 allow udp from any to 192.228.128.20 dst-port 53
00710 0 0 allow udp from 192.228.128.20 53 to any
00720 0 0 allow udp from any to 132.239.1.6 dst-port 123
00730 0 0 allow udp from 132.239.1.6 123 to any
00740 0 0 reset tcp from any to me dst-port 113 in
00800 0 0 allow icmp from any to any icmptypes 0,3,8,11,12,13,14
00900 3 132 deny ip from any to any
65535 0 0 deny ip from any to any
## Dynamic rules (5):
00420 0 0 (1s) STATE udp 10.0.0.1 1030 <-> 192.228.128.20 53
00420 0 0 (4s) STATE udp 10.0.0.1 1031 <-> 192.228.128.20 53
00420 0 0 (9s) STATE udp 10.0.0.1 1032 <-> 192.228.128.20 53
I run the same rules on a full-blown FreeBSD 4.9 machine, and it works.
Here is the ipfw -d show on the other machine:
00400 25 4704 allow tcp from me to any out setup keep-state
00410 0 0 deny tcp from me to any
00420 40 2946 allow ip from me to any out keep-state
## Dynamic rules (36):
00400 7 3800 (201s) STATE tcp 61.6.117.188 1026 <-> 61.6.32.105 80
See, natd did not get the correct IP for tun0.
I think there is something wrong with natd on my pico.
Connection without natd (firewall_type=open) works. I think it is only natd; do I miss something?
sham khalil
----------------------------------------------------------------
This e-mail has been sent via JARING webmail at http://www.jaring.my
More information about the freebsd-small mailing list
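The two `ipfw -d show` listings in the post differ in the address recorded in the dynamic STATE entries: the full FreeBSD box records the public address on tun0 (61.6.117.188), while the PicoBSD box records the private 10.0.0.1. The POSIX sh script below is an added example, not code from the post or from FreeBSD: it reads `ipfw -d show` output and counts dynamic entries whose local endpoint is still an RFC 1918 address, so the "state recorded before (or without) natd's rewrite" symptom can be spotted from the listing alone. The sample input is constructed from the listings above, and the function names `is_private` and `count_private_state` are this example's own.

```shell
#!/bin/sh
# Added example: check `ipfw -d show` output for dynamic (keep-state) entries
# whose local endpoint is still a private address. With natd diverting on
# the outside interface, state for host-originated traffic should carry the
# tun0 address, not the LAN address. Function names are this example's own.

# Constructed sample assembled from the two listings in the post; not real output.
SAMPLE='00420 9 523 allow ip from me to any out keep-state
## Dynamic rules (5):
00420 0 0 (1s) STATE udp 10.0.0.1 1030 <-> 192.228.128.20 53
00420 0 0 (4s) STATE udp 10.0.0.1 1031 <-> 192.228.128.20 53
00400 7 3800 (201s) STATE tcp 61.6.117.188 1026 <-> 61.6.32.105 80'

# is_private ADDR: succeed if ADDR falls in 10/8, 172.16/12 or 192.168/16.
is_private() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# count_private_state: read `ipfw -d show` on stdin, report on stderr every
# STATE entry whose source address is private, and print the count on stdout.
# A dynamic-rule line splits as: rule pkts bytes (age) STATE proto src sport <-> dst dport
count_private_state() {
    n=0
    set -f                      # no pathname expansion while splitting lines
    while IFS= read -r line; do
        case "$line" in
            *" STATE "*) ;;     # only dynamic-rule lines
            *) continue ;;
        esac
        set -- $line
        if is_private "$7"; then
            n=$((n + 1))
            printf 'untranslated state (rule %s): %s\n' "$1" "$line" >&2
        fi
    done
    set +f
    echo "$n"
}

# Stand-alone run on the constructed sample. On the router itself, use:
#   ipfw -d show | count_private_state
printf '%s\n' "$SAMPLE" | count_private_state
```

Run on the PicoBSD listing from the post, every STATE entry is reported (source 10.0.0.1); on the full FreeBSD listing the count is 0, which is the difference the poster points at.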