natd in 8.1
Casey Scott
casey at phantombsd.org
Tue May 18 16:09:46 UTC 2010
I recently rebuilt a server from 7.x to 8.x. Using the exact same firewall & natd config, natd appears not to be aliasing the private address when the traffic leaves the external interface. When sniffing traffic w/ tcpdump, I see the private address as the source address on the outbound request.
e.g.
192.168.1.1 = internal source of request
74.75.76.77 = public address (website)
12.13.14.15 =
Internal                               External
192.168.1.10 -> 74.75.76.77   (NAT)    192.168.1.10 -> 74.75.76.77

Rather, it should be:

Internal                               External
192.168.1.10 -> 74.75.76.77   (NAT)    12.13.14.15 -> 74.75.76.77
Watching natd with ktrace shows that no traffic gets passed to natd when the source is internal, however external traffic passes through it.
Firewall config:
---------------------------------------------------------------------------
00200 11946 3204818 allow ip from any to any via lo0
00300 0 0 deny ip from any to 127.0.0.0/8
00301 10 528 deny ip from any to 74.94.69.225 dst-port 445
00302 1 78 deny ip from any to 74.94.69.225 dst-port 137
00303 9 544 deny ip from any to 74.94.69.225 dst-port 135
00304 0 0 deny ip from 224.0.0.0/4 to any via fxp0
00305 671 18788 deny ip from any to 224.0.0.0/4 via fxp0
01000 9093 1158436 allow ip from any to any via em0
01050 51045 5205047 divert 8668 ip from any to any in via fxp0
01100 0 0 check-state
01100 69183 83429465 allow ip from me to any
01200 29 1484 skipto 5000 ip from 192.168.1.0/24 to any out via fxp0 setup keep-state
01201 0 0 skipto 5000 udp from 192.168.1.0/24 to any out via fxp0 keep-state
01202 45002 4690467 allow ip from any to any established
01800 1421 72620 allow tcp from any to me dst-port 20,21,53,76,80,123,443
01900 3 194 allow ip from 216.251.112.0/24,208.95.100.4 to any
02000 530 127559 allow udp from any 53 to any
02100 834 59414 allow udp from any to any dst-port 53
02150 1930 146680 allow udp from any 123 to me dst-port 123
02200 468 39312 allow icmp from any to any icmptypes 0,3,11
04000 752 24282 deny log logamount 10000 ip from any to any
05000 0 0 divert 8668 ip from any to any out via fxp0
05001 29 1484 allow ip from any to any
65535 0 0 deny ip from any to any
---------------------------------------------------------------------------
natd.conf
---------------------------------------------------------------------------
use_sockets
same_ports
unregistered_only
interface fxp0
redirect_port tcp 192.168.1.82:82 82
redirect_port tcp 192.168.1.41:8082 8082
redirect_port tcp 192.168.1.3:3389 3389
redirect_port udp 192.168.1.3:3389 3389
redirect_port tcp 192.168.1.6:6881-6889 6881-6889
---------------------------------------------------------------------------
As I previously stated, this exact same config worked great in 7.x. I built a kernel in 8.x w/ IPFIREWALL & IPDIVERT, and reviewed UPDATING. Have I missed something?
TIA,
Casey
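A small static model of the posted ruleset, added here as an example (not part of the post or of ipfw itself): it walks a subset of the rules in first-match order for one packet, ignoring dynamic state (check-state/keep-state) and divert re-injection, with the gateway's own addresses in ME assumed. For an outbound SYN it ends at 05000 divert via the skipto, while an outbound non-SYN packet that no dynamic rule claims is allowed at 01202 before any divert rule, which is one way such traffic can leave fxp0 unaliased.

```python
# Static, simplified ipfw first-match walk over a subset of the posted rules
# (added example, not from the post): no dynamic state (check-state/keep-state),
# no divert re-injection; 'established' means 'not SYN-only'; ME is assumed.
import ipaddress

# Subset of the posted ruleset as (rule number, rule text); constructed input.
RULES = [
    (1000, "allow ip from any to any via em0"),
    (1050, "divert 8668 ip from any to any in via fxp0"),
    (1100, "allow ip from me to any"),
    (1200, "skipto 5000 ip from 192.168.1.0/24 to any out via fxp0 setup keep-state"),
    (1202, "allow ip from any to any established"),
    (4000, "deny ip from any to any"),
    (5000, "divert 8668 ip from any to any out via fxp0"),
    (5001, "allow ip from any to any"),
    (65535, "deny ip from any to any"),
]
ME = {"12.13.14.15", "192.168.1.1"}  # assumed: the gateway's own addresses

def addr_match(spec, addr):
    if spec in ("any", "me"):
        return spec == "any" or addr in ME
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def rule_matches(text, pkt):
    tok = text.split()
    i = 2 if tok[0] in ("divert", "skipto") else 1  # skip action and its argument
    proto, src, dst, opts = tok[i], tok[i + 2], tok[i + 4], tok[i + 5:]
    if proto != "ip" and proto != pkt["proto"]:
        return False
    if not (addr_match(src, pkt["src"]) and addr_match(dst, pkt["dst"])):
        return False
    if ("in" in opts and pkt["dir"] != "in") or ("out" in opts and pkt["dir"] != "out"):
        return False
    if "via" in opts and opts[opts.index("via") + 1] != pkt["iface"]:
        return False
    return not (("setup" in opts and not pkt["syn"]) or ("established" in opts and pkt["syn"]))

def first_match(pkt, rules=RULES):
    """Return (rule number, action) of the rule that ends evaluation for pkt."""
    idx = 0
    while idx < len(rules):
        num, text = rules[idx]
        if not rule_matches(text, pkt):
            idx += 1
        elif text.startswith("skipto"):  # jump to the first rule numbered >= target
            idx = next(k for k, (n, _) in enumerate(rules) if n >= int(text.split()[1]))
        else:
            return num, text.split()[0]
    raise RuntimeError("unreachable: rule 65535 always matches")
```

Call `first_match` with a dict of proto, src, dst, dir, iface and syn to see which rule terminates the outbound pass on fxp0.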