NAT broken in -CURRENT

Joe Marcus Clarke marcus at
Sat Dec 26 20:25:42 UTC 2009

First, let me apologize for the lack of details.  The NAT box is
currently unreachable due to this problem.  I will gather more details
when I get into work, but perhaps there is something obvious I am

I updated my -CURRENT box yesterday.  After a reboot, NAT no longer
works.  That is, if I have natd running with ipfw diverting packets to
it, the box is a big black hole.  No packets leave.  I do see all
packets being diverted to natd, but nothing leaves the box.  I have had
ipfw and divert compiled into the kernel for years on that box:

options	IPDIVERT

Combined with an "open" firewall (i.e. firewall_type is "open"), and the
following natd options in /etc/rc.conf, NAT always worked:

natd_flags="-s -m -skinny_port 2000"

( is the IPv4 address on the em0 interface on this box.  I
also have IPv6 configured on this box.)

I have a feeling the new ipfw code merged ~ 11 days ago is the cause of
the problem.  Thinking that perhaps the new modularity is causing this
problem, I also added the following two options to my kernel:

options	LIBALIAS

They did not help.  I have not tried using a purely modular ipfw/NAT
combination, but I will attempt that later today.  I didn't see anything
obvious in UPDATING.  Any suggestions, or any recommendations for
specific troubleshooting data to capture?  Thanks.


Joe Marcus Clarke
FreeBSD GNOME Team      ::      gnome at
FreeNode / #freebsd-gnome
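Added example, not from the post or from FreeBSD itself: a shell script that runs offline checks over troubleshooting data captured from a setup like the one described (a saved `ipfw -a list` listing and the kernel config file) to separate "nothing reaches the divert rule" from "diverted, but nothing leaves". The rule numbers, counters and config contents are constructed; the option names IPFIREWALL, IPDIVERT, LIBALIAS and IPFIREWALL_NAT are real kernel options, but which of them beyond IPDIVERT and LIBALIAS the poster's config holds is an assumption.

```shell
#!/bin/sh
# Offline checks over captured diagnostics for an ipfw + natd divert setup.
# Inputs: a saved "ipfw -a list" listing and a kernel config file.  The
# samples at the bottom are constructed, not taken from the poster's box.

# Print the required options (arguments after the file) that are absent
# from kernel config $1; exit status 0 only when none is missing.
kernconf_missing_options() {
    conf=$1; shift
    missing=""
    for opt in "$@"; do
        grep -Eq "^[[:space:]]*options[[:space:]]+$opt([[:space:]]|$)" "$conf" \
            || missing="$missing $opt"
    done
    echo "${missing# }"
    [ -z "$missing" ]
}

# Print "rulenum pkts" for every divert rule in "ipfw -a list" capture $1.
divert_rules() {
    awk '$4 == "divert" { print $1, $2 }' "$1"
}

# Packet counter of rule $2 in capture $1 (empty when the rule is absent).
rule_packets() {
    awk -v n="$2" '$1 == n { print $2 }' "$1"
}
# Exit 0 when packets hit the divert rule and allow rules after it,
# 1 when nothing reaches the divert rule, 2 when packets are diverted but
# no later allow rule counts any: natd is not reinjecting them, or the
# reinjected packets are dropped, which matches the "black hole" symptom.
nat_path_status() {
    awk '
        $4 == "divert" && !d { d = 1; dp = $2 + 0; next }
        d && $4 == "allow"   { ap += $2 }
        END { if (!d || dp == 0) exit 1; if (ap == 0) exit 2; exit 0 }
    ' "$1"
}
# Constructed sample data so the script runs stand-alone.
KCONF=$(mktemp); IPFW=$(mktemp)
printf 'options IPFIREWALL\noptions IPDIVERT\noptions LIBALIAS\n' > "$KCONF"
cat > "$IPFW" <<'EOF'
00050  1480   212330 divert 8668 ip4 from any to any via em0
00100     0        0 allow ip from any to any via lo0
65000     0        0 allow ip from any to any
65535     0        0 deny ip from any to any
EOF
kernconf_missing_options "$KCONF" IPFIREWALL IPDIVERT LIBALIAS IPFIREWALL_NAT || true
st=0; nat_path_status "$IPFW" || st=$?; echo "nat path status: $st"
```

On the sample capture the divert rule has counted packets while every later allow rule is at zero, so the script reports status 2; on a healthy box the allow rules after the divert should count roughly as many packets as the divert rule itself.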