natd in 8.1
Коньков Евгений
kes-kes at yandex.ru
Tue May 18 18:16:12 UTC 2010
Здравствуйте, Casey.
What does natd with '-v' options shows? what is aliasing?
You must bind natd to external interface
NEVER DO: any to any divert!!!
NOTICE: no traffice go through this rule
CS> 05000 0 0 divert 8668 ip from any to any out via fxp0
NEVER DO: open firewall because of security reasons
CS> 05001 29 1484 allow ip from any to any
All 'ALLOW' rules are useless! because of 5001 rule
You drop all traffic before divert ;-) this make me confused a little
CS> 04000 752 24282 deny log logamount 10000 ip from any to any
CS> 05000 0 0 divert 8668 ip from any to any out via fxp0
NOTICE:
CS> 01200 29 1484 skipto 5000 ip from 192.168.1.0/24 to any out via fxp0 setup keep-state
maybe there some bugs in ipfw, try 4999
Please post where problem were for other readers with same question
thank
Вы писали 18 мая 2010 г., 18:51:10:
CS> I recently rebuilt a server from 7.x to 8.x. Using the exact
CS> same firewall & natd config, natd appears not to be aliasing the
CS> private address when the traffic leaves the external interface.
CS> When sniffing traffic w/ tcpdump, I see the private address as the
CS> source address on the outbound request.
CS> e.g.
CS> 192.168.1.1 = internal source of request
CS> 74.75.76.77 = public address (website)
CS> 12.13.14.15 =
CS> Internal External
192.168.1.10 ->> 74.75.76.77 (NAT) 192.168.1.10 -> 74.75.76.77
CS> Rather than it should be:
CS> Internal External
192.168.1.10 ->> 74.75.76.77 (NAT) 12.13.14.15 -> 74.75.76.77
CS> Watching natd with ktrace shows that no traffic gets passed to
CS> natd when the source is internal, however external traffic passes through it.
CS> Firewall config:
CS> ---------------------------------------------------------------------------
CS> 00200 11946 3204818 allow ip from any to any via lo0
CS> 00300 0 0 deny ip from any to 127.0.0.0/8
CS> 00301 10 528 deny ip from any to 74.94.69.225 dst-port 445
CS> 00302 1 78 deny ip from any to 74.94.69.225 dst-port 137
CS> 00303 9 544 deny ip from any to 74.94.69.225 dst-port 135
CS> 00304 0 0 deny ip from 224.0.0.0/4 to any via fxp0
CS> 00305 671 18788 deny ip from any to 224.0.0.0/4 via fxp0
CS> 01000 9093 1158436 allow ip from any to any via em0
CS> 01050 51045 5205047 divert 8668 ip from any to any in via fxp0
CS> 01100 0 0 check-state
CS> 01100 69183 83429465 allow ip from me to any
CS> 01200 29 1484 skipto 5000 ip from 192.168.1.0/24 to any out via fxp0 setup keep-state
CS> 01201 0 0 skipto 5000 udp from 192.168.1.0/24 to any out via fxp0 keep-state
CS> 01202 45002 4690467 allow ip from any to any established
CS> 01800 1421 72620 allow tcp from any to me dst-port 20,21,53,76,80,123,443
CS> 01900 3 194 allow ip from 216.251.112.0/24,208.95.100.4 to any
CS> 02000 530 127559 allow udp from any 53 to any
CS> 02100 834 59414 allow udp from any to any dst-port 53
CS> 02150 1930 146680 allow udp from any 123 to me dst-port 123
CS> 02200 468 39312 allow icmp from any to any icmptypes 0,3,11
CS> 04000 752 24282 deny log logamount 10000 ip from any to any
CS> 05000 0 0 divert 8668 ip from any to any out via fxp0
CS> 05001 29 1484 allow ip from any to any
CS> 65535 0 0 deny ip from any to any
CS> ---------------------------------------------------------------------------
CS> natd.conf
CS> ---------------------------------------------------------------------------
CS> use_sockets
CS> same_ports
CS> unregistered_only
CS> interface fxp0
CS> redirect_port tcp 192.168.1.82:82 82
CS> redirect_port tcp 192.168.1.41:8082 8082
CS> redirect_port tcp 192.168.1.3:3389 3389
CS> redirect_port udp 192.168.1.3:3389 3389
CS> redirect_port tcp 192.168.1.6:6881-6889 6881-6889
CS> ---------------------------------------------------------------------------
CS> As I previously stated, this exact same config worked great in
CS> 7.x. I built a kernel in 8.x w/ IPFIREWALL & IPDIVERT, and
CS> reviewed UPDATING. Have I missed something?
CS> TIA,
CS> Casey
CS> _______________________________________________
CS> freebsd-questions at freebsd.org mailing list
CS> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
CS> To unsubscribe, send any mail to
CS> "freebsd-questions-unsubscribe at freebsd.org"
--
С уважением,
Коньков mailto:kes-kes at yandex.ru
More information about the freebsd-questions
mailing list