natd in 8.1

Коньков Евгений kes-kes at yandex.ru
Tue May 18 18:16:12 UTC 2010


Hello, Casey.

What does natd with the '-v' option show? What is it aliasing?

You must bind natd to the external interface.

NEVER DO: any to any divert!!!

NOTICE: no traffic goes through this rule:
CS> 05000     0        0 divert 8668 ip from any to any out via fxp0

NEVER DO: open the firewall, for security reasons:
CS> 05001    29     1484 allow ip from any to any

All 'allow' rules are useless because of rule 5001!


You drop all traffic before the divert ;-) This confuses me a little:
CS> 04000   752    24282 deny log logamount 10000 ip from any to any
CS> 05000     0        0 divert 8668 ip from any to any out via fxp0


NOTICE:
CS> 01200    29     1484 skipto 5000 ip from 192.168.1.0/24 to any out via fxp0 setup keep-state
Maybe there are some bugs in ipfw; try 4999.


Please post where the problem was, for other readers with the same question.
Thanks

You wrote on 18 May 2010 at 18:51:10:

CS> I recently rebuilt a server from 7.x to 8.x.  Using the exact
CS> same firewall & natd config, natd appears not to be aliasing the
CS> private address when the traffic leaves the external interface. 
CS> When sniffing traffic w/ tcpdump, I see the private address as the
CS> source address on the outbound request. 

CS> e.g.

CS> 192.168.1.1  = internal source of request
CS> 74.75.76.77 = public address (website)
CS> 12.13.14.15 = 

CS>    Internal                                    External
CS> 192.168.1.10  ->>   74.75.76.77    (NAT)   192.168.1.10 ->  74.75.76.77


CS> Rather, it should be:



CS>    Internal                                    External
CS> 192.168.1.10  ->>   74.75.76.77    (NAT)   12.13.14.15 ->  74.75.76.77


CS> Watching natd with ktrace shows that no traffic gets passed to
CS> natd when the source is internal; however, external traffic passes through it.

CS> Firewall config:
CS> ---------------------------------------------------------------------------
CS> 00200 11946  3204818 allow ip from any to any via lo0
CS> 00300     0        0 deny ip from any to 127.0.0.0/8
CS> 00301    10      528 deny ip from any to 74.94.69.225 dst-port 445
CS> 00302     1       78 deny ip from any to 74.94.69.225 dst-port 137
CS> 00303     9      544 deny ip from any to 74.94.69.225 dst-port 135
CS> 00304     0        0 deny ip from 224.0.0.0/4 to any via fxp0
CS> 00305   671    18788 deny ip from any to 224.0.0.0/4 via fxp0
CS> 01000  9093  1158436 allow ip from any to any via em0
CS> 01050 51045  5205047 divert 8668 ip from any to any in via fxp0
CS> 01100     0        0 check-state
CS> 01100 69183 83429465 allow ip from me to any
CS> 01200    29     1484 skipto 5000 ip from 192.168.1.0/24 to any out via fxp0 setup keep-state
CS> 01201     0        0 skipto 5000 udp from 192.168.1.0/24 to any out via fxp0 keep-state
CS> 01202 45002  4690467 allow ip from any to any established
CS> 01800  1421    72620 allow tcp from any to me dst-port 20,21,53,76,80,123,443
CS> 01900     3      194 allow ip from 216.251.112.0/24,208.95.100.4 to any
CS> 02000   530   127559 allow udp from any 53 to any
CS> 02100   834    59414 allow udp from any to any dst-port 53
CS> 02150  1930   146680 allow udp from any 123 to me dst-port 123
CS> 02200   468    39312 allow icmp from any to any icmptypes 0,3,11
CS> 04000   752    24282 deny log logamount 10000 ip from any to any
CS> 05000     0        0 divert 8668 ip from any to any out via fxp0
CS> 05001    29     1484 allow ip from any to any
CS> 65535     0        0 deny ip from any to any
CS> ---------------------------------------------------------------------------

CS> natd.conf
CS> ---------------------------------------------------------------------------
CS> use_sockets
CS> same_ports
CS> unregistered_only
CS> interface fxp0

CS> redirect_port tcp 192.168.1.82:82       82
CS> redirect_port tcp 192.168.1.41:8082     8082
CS> redirect_port tcp 192.168.1.3:3389      3389
CS> redirect_port udp 192.168.1.3:3389      3389
CS> redirect_port tcp 192.168.1.6:6881-6889 6881-6889
CS> ---------------------------------------------------------------------------


CS> As I previously stated, this exact same config worked great in
CS> 7.x. I built a kernel in 8.x w/ IPFIREWALL & IPDIVERT, and
CS> reviewed UPDATING.  Have I missed something? 

CS> TIA,
CS> Casey




-- 
Regards,
 Коньков                          mailto:kes-kes at yandex.ru
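The thread turns on rule ordering: whether an outbound LAN packet reaches the divert at 5000 via the skipto in 1200, what the packet looks like when it comes back through the divert at 1050, and whether "skipto 4999" differs from "skipto 5000". The script below is an added example, not code from Casey's post, from the reply, or from FreeBSD: it walks constructed packets through a condensed copy of the posted ruleset with first-match, skipto, divert re-injection and keep-state/check-state semantics modelled in a few lines, and a stand-in for natd that aliases LAN sources to 12.13.14.15 and applies the 3389 redirect_port entry. The router's own addresses, the client and peer addresses and ports, and the NAT table behaviour are assumptions.

```python
"""Offline model of the ipfw/natd rule walk for the ruleset posted in the thread.
Added example, not code from the post or from FreeBSD.  Hosts, ports and the NAT
behaviour are assumptions chosen to mirror the posted config."""
import ipaddress

PUBLIC = "12.13.14.15"                        # address natd aliases to (from the post)
ME = {PUBLIC, "192.168.1.1"}                  # the router's own addresses (assumed)
LAN = ipaddress.ip_network("192.168.1.0/24")
REDIRECTS = {("tcp", 3389): "192.168.1.3"}    # one redirect_port line from natd.conf

# Condensed copy of Casey's ruleset: (number, action, proto, src, dst, direction, iface, option)
RULES = [
    (1000, "allow", "ip", "any", "any", None, "em0", None),
    (1050, "divert", "ip", "any", "any", "in", "fxp0", None),
    (1100, "check-state", "ip", "any", "any", None, None, None),
    (1100, "allow", "ip", "me", "any", None, None, None),
    (1200, "skipto 5000", "ip", "192.168.1.0/24", "any", "out", "fxp0", "setup keep-state"),
    (1202, "allow", "ip", "any", "any", None, None, "established"),
    (4000, "deny", "ip", "any", "any", None, None, None),
    (5000, "divert", "ip", "any", "any", "out", "fxp0", None),
    (5001, "allow", "ip", "any", "any", None, None, None),
    (65535, "deny", "ip", "any", "any", None, None, None),
]

def addr_match(spec, addr):
    if spec in ("any", "me"):
        return spec == "any" or addr in ME
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def matches(rule, pkt):
    _, _, proto, src, dst, direction, iface, opt = rule
    if proto != "ip" and proto != pkt["proto"]:
        return False
    if not (addr_match(src, pkt["src"]) and addr_match(dst, pkt["dst"])):
        return False
    if (direction and direction != pkt["dir"]) or (iface and iface != pkt["iface"]):
        return False
    if opt == "established" and pkt["syn"]:        # 'established': anything but a bare SYN
        return False
    return not (opt and "setup" in opt and not pkt["syn"])  # 'setup': bare SYN only

def skipto_target(n):
    """skipto N resumes at the first rule numbered >= N (ipfw(8) semantics)."""
    return next(i for i, r in enumerate(RULES) if r[0] >= n)

class Natd:
    """Stand-in for natd on fxp0 with same_ports: alias LAN sources out, undo it (or redirect) in."""
    def __init__(self):
        self.table = {}   # (proto, public port) -> (private ip, private port)

    def translate(self, pkt):
        key = (pkt["proto"], pkt["dport"])
        if pkt["dir"] == "out" and ipaddress.ip_address(pkt["src"]) in LAN:
            self.table[(pkt["proto"], pkt["sport"])] = (pkt["src"], pkt["sport"])
            pkt["src"] = PUBLIC
        elif pkt["dir"] == "in" and pkt["dst"] == PUBLIC and key in self.table:
            pkt["dst"], pkt["dport"] = self.table[key]
        elif pkt["dir"] == "in" and pkt["dst"] == PUBLIC and key in REDIRECTS:
            pkt["dst"] = REDIRECTS[key]
        return pkt

def walk(pkt, natd, dyn):
    """Run one packet through RULES; return (verdict, rule numbers hit, final packet)."""
    trace, i = [], 0
    while i < len(RULES):
        num, action, opt = RULES[i][0], RULES[i][1], RULES[i][7]
        flow = (pkt["proto"], frozenset([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])]))
        if action == "check-state":
            if flow not in dyn:
                i += 1
                continue
            action = dyn[flow]                     # replay the parent rule's action
        elif not matches(RULES[i], pkt):
            i += 1
            continue
        trace.append(num)
        if opt and "keep-state" in opt:
            dyn[flow] = action
        if action in ("allow", "deny"):
            return action, trace, pkt
        if action == "divert":                     # natd rewrites, re-injects at the next rule
            pkt, i = natd.translate(pkt), i + 1
        elif action.startswith("skipto"):
            i = skipto_target(int(action.split()[1]))
        else:
            i += 1
    return "deny", trace, pkt

def tcp(src, sport, dst, dport, direction, syn):
    return {"proto": "tcp", "src": src, "sport": sport, "dst": dst, "dport": dport,
            "dir": direction, "iface": "fxp0", "syn": syn}

def scenario():
    """Constructed traffic: LAN client -> web server, its reply, two unsolicited SYNs."""
    natd, dyn = Natd(), {}
    return {"out": walk(tcp("192.168.1.10", 40000, "74.75.76.77", 80, "out", True), natd, dyn),
            "back": walk(tcp("74.75.76.77", 80, PUBLIC, 40000, "in", False), natd, dyn),
            "ssh": walk(tcp("203.0.113.5", 55555, PUBLIC, 22, "in", True), natd, dyn),
            "rdp": walk(tcp("203.0.113.5", 55556, PUBLIC, 3389, "in", True), natd, dyn)}
```

In this model the outbound SYN goes 1200 -> 5000 -> 5001 and leaves with the public source, the reply goes 1050 -> 1100 (dynamic match replaying the skipto) -> 5001, and an unsolicited SYN to port 22 goes 1050 -> 4000. Two things to check against the live counters: the posted rule 5000 shows zero packets while 1200 and 5001 both show 29, which the model cannot reproduce, so the difference is in the kernel's handling of skipto or divert rather than in the ruleset as written; and because ipfw's skipto resumes at the first rule numbered at or above the target, 4999 and 5000 land on the same rule here, so the "try 4999" suggestion only changes anything if the running ipfw behaves differently from the manual. Note also that a SYN to the redirected port 3389 is rewritten to 192.168.1.3 by the stand-in natd and then denied at 4000, since no rule after 1100 allows new inbound connections to a LAN host; if the redirect_port entries are in use, compare that with rule 4000's counter before trusting the model.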


