ipfw + natd

Philip Payne philip.payne at uk.mci.com
Thu May 8 06:50:27 PDT 2003


> -----Original Message-----
> From: Wayne Swart [mailto:fixx at fixx.co.za]
> Sent: 08 May 2003 13:31
> To: FreeBSD Mailing list
> Subject: ipfw + natd
> Lo
> I am running FreeBSD 4.8-RELEASE and have a problem with ipfw and natd.
> The two interfaces (dc0 and dc1) have the following IP setup.
> dc1 ip:
> dc0 ip: 196.x.x.x
> Now I can't do any requests through my box to "the outside"
> anymore, since I added a default deny rule.
> I use the following ipfw rules for the NAT, but it does not
> seem to have any impact on the requests that have to go through it.
> ipfw add divert natd all from any to any via dc0 out keep-state
> ipfw add allow all from to any via dc0 out keep-state
> ipfw add allow all from to any via dc1 in keep-state
> Is there an easier way to troubleshoot this?
> Any help is appreciated...

Generally speaking, a good way to start is to switch on logging on every
rule and also include a specific deny all rule that logs at the end of your
rules list. That way, you guarantee picking up what traffic is being dropped
and by what rule.... therefore, you can start to see what useful traffic
the previous default allow was letting through and allow it specifically.

If your log is too noisy you'll either need to manipulate the output using
grep -v or perl.... or an alternative is to start introducing more specific
rules that do not log to filter out the noise.

Once you're sorted, switch off the logging.

Hope that helps.
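As an added example (not from either poster), a small POSIX shell script that follows this advice: it emits a ruleset with `log` on every rule plus a final logging deny-all, and a function that summarises denied traffic from the syslog output by rule, protocol and destination port, with an optional grep -v pattern to drop noise. The interface names dc0/dc1 come from the post; the hostname, addresses and log lines are constructed samples, and the rule numbers and the `sysctl` line are assumptions for a FreeBSD 4.x ipfw box.

```shell
#!/bin/sh
# Added example: turn on logging per rule, catch everything with a logging
# deny at the end, then summarise what gets dropped. Interfaces dc0/dc1 are
# from the post; log format, host and addresses below are constructed.

# Rules with `log` on every line and a final logged deny-all (FreeBSD ipfw).
emit_ruleset() {
    cat <<'EOF'
sysctl net.inet.ip.fw.verbose=1
ipfw -f flush
ipfw add 100 divert natd log all from any to any via dc0 out
ipfw add 200 allow log all from any to any via dc0 out
ipfw add 300 allow log all from any to any via dc1 in
ipfw add 65000 deny log all from any to any
EOF
}

# Constructed sample of what ipfw writes to syslog with verbose=1.
SAMPLE_LOG='May  8 13:31:02 gw /kernel: ipfw: 200 Accept TCP 192.168.0.10:1025 196.1.2.3:80 out via dc0
May  8 13:31:03 gw /kernel: ipfw: 65000 Deny UDP 192.168.0.10:1026 196.1.2.4:53 out via dc0
May  8 13:31:03 gw /kernel: ipfw: 65000 Deny UDP 192.168.0.10:1027 196.1.2.4:53 out via dc0
May  8 13:31:04 gw /kernel: ipfw: 65000 Deny TCP 192.168.0.11:1028 196.1.2.5:443 out via dc0
May  8 13:31:05 gw /kernel: ipfw: 65000 Deny ICMP:8.0 192.168.0.10 196.1.2.3 out via dc0'

# Read log lines on stdin, drop lines matching the optional noise regex
# ($1, as with grep -v), and print "count rule proto dport" for each Deny,
# most frequent first.
summarize_denies() {
    noise="${1:-^\$}"   # default pattern only drops empty lines
    grep -v -- "$noise" | awk '
        {
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            if (i > NF || $(i + 2) != "Deny") next
            rule = $(i + 1); proto = $(i + 3); dst = $(i + 5)
            n = split(dst, p, ":")
            dport = (n > 1) ? p[n] : "-"   # ICMP has no port
            count[rule " " proto " " dport]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

printf '%s\n' "$SAMPLE_LOG" | summarize_denies          # "2 65000 UDP 53" first
printf '%s\n' "$SAMPLE_LOG" | summarize_denies ':53 '   # DNS noise filtered out
```

Run it against the real file (`summarize_denies < /var/log/security`) once the ruleset is loaded; the counts show which rule is dropping the traffic you still need to allow specifically.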
