problems with ipfw + natd rules

Prodigy prodigy at punktas.lt
Wed Mar 31 09:29:26 PST 2004


Hello,

I have a problem with ipfw + natd. The problem is that my FreeBSD server
isn't routing internet traffic. First I used FreeBSD 4.9-STABLE, then I tried to
upgrade to FreeBSD 4.9-RELEASE-p4. The result is the same: no internet for LAN
users. Take a look at my configuration files:

rc.conf:

defaultrouter="213.190.42.1"
hostname="localhost"
ifconfig_rl0="inet 192.168.0.1 netmask 255.255.255.0" # inside (lan) interface
ifconfig_rl1="inet 213.190.42.48 netmask 255.255.255.0" # outside (internet) interface
#some other stuff goes here
gateway_enable="YES"
natd_enable="YES"
natd_program="/sbin/natd"
natd_interface="rl1"
natd_flags=""
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.conf"
firewall_quiet="YES"
firewall_logging="YES"


ipfw.conf:

fwcmd="/sbin/ipfw -q"
${fwcmd} -f flush
${fwcmd} add 100 divert 8668 ip from any to any via rl1
${fwcmd} add 200 pass ip from any to any via lo0
${fwcmd} add 300 deny log ip from any to 127.0.0.0/8
${fwcmd} add 400 pass tcp from any 22,80,110,119,143,443,3306,5190,6667-7000 to any via rl1
${fwcmd} add 500 pass tcp from any to any 22,80,110,119,143,443,3306,5190,6667-7000 via rl1
${fwcmd} add 600 pass udp from any to any 53 via rl1
${fwcmd} add 700 pass udp from any 53 to any via rl1
${fwcmd} add 800 pass ip from any to any via rl0
${fwcmd} add 900 deny log all from any to any via rl1

# ipfw show

00100   80  48557 divert 8668 ip from any to any via rl1
00200    0      0 allow ip from any to any via lo0
00300    0      0 deny log ip from any to 127.0.0.0/8
00400   54  59678 allow tcp from any 22,80,110,119,143,443,3306,5190,6667-7000 to any via rl1
00500   26   1473 allow tcp from any to any dst-port 22,80,110,119,143,443,3306,5190,6667-7000 via rl1
00600    3    177 allow udp from any to any dst-port 53 via rl1
00700    0      0 allow udp from any 53 to any via rl1
00800  226 101368 allow ip from any to any via rl0
00900   62  40857 deny log ip from any to any via rl1
65535 1598 333640 deny ip from any to any


/etc/sysctl.conf:

net.link.ether.ipfw=1


# cat /etc/services | grep natd
natd            8668/divert # Network Address Translation


When I comment out rules 400 and 500 and add "allow all from any to any via
rl1", everything is OK. The problem is somewhere in rules 400 and 500.
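A small triage helper, added here as an example and not part of the original post: it parses the `ipfw show` counters quoted above, lists the deny rules that are actually dropping packets (the first place to look when traffic is blocked), and flags allow rules that match on the remote peer's source port, a field the firewall does not control. The sample input is the poster's own `ipfw show` output, re-joined onto one line per rule.

```python
import re
from dataclasses import dataclass

# `ipfw show` output copied from the post above (one rule per line).
IPFW_SHOW = """\
00100   80  48557 divert 8668 ip from any to any via rl1
00200    0      0 allow ip from any to any via lo0
00300    0      0 deny log ip from any to 127.0.0.0/8
00400   54  59678 allow tcp from any 22,80,110,119,143,443,3306,5190,6667-7000 to any via rl1
00500   26   1473 allow tcp from any to any dst-port 22,80,110,119,143,443,3306,5190,6667-7000 via rl1
00600    3    177 allow udp from any to any dst-port 53 via rl1
00700    0      0 allow udp from any 53 to any via rl1
00800  226 101368 allow ip from any to any via rl0
00900   62  40857 deny log ip from any to any via rl1
65535 1598 333640 deny ip from any to any
"""

# Columns of `ipfw show`: rule number, packet count, byte count, action, rest of rule.
RULE_RE = re.compile(r"^(\d{5})\s+(\d+)\s+(\d+)\s+(\S+)\s+(.*)$")

# Body of an allow rule whose match is on the *source* port list, e.g.
# "tcp from any 22,80,... to any via rl1" (rule 400) or "udp from any 53 to any" (rule 700).
SRC_PORT_RE = re.compile(r"^(tcp|udp) from \S+ [\d,\-]+ to ")


@dataclass
class Rule:
    number: int
    packets: int
    bytes: int
    action: str
    body: str


def parse_ipfw_show(text):
    """Parse `ipfw show` output into Rule records; lines that do not fit are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            num, pkts, byts, action, body = m.groups()
            rules.append(Rule(int(num), int(pkts), int(byts), action, body))
    return rules


def deny_hits(rules):
    """Deny rules whose counters show they have actually dropped packets."""
    return [r for r in rules if r.action == "deny" and r.packets > 0]


def source_port_allows(rules):
    """Allow rules that grant access based on the peer-chosen source port only."""
    return [r for r in rules if r.action == "allow" and SRC_PORT_RE.match(r.body)]
```

On this ruleset the dropping rules are 900 (62 packets on rl1) and the default 65535, so whatever the LAN clients send that falls through rules 400-700 on rl1 is being logged by rule 900, and `ipfw -l` / the firewall log is where the missing port or protocol will show up.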


