ipfw/natd in 8.1
Casey Scott
casey at phantombsd.org
Fri May 28 19:10:12 UTC 2010
Since a rebuild to FBSD 8.1, I can't get natd to function correctly. Below is my ipfw config. It closely follows the example in the Handbook.
http://www.freebsd.org/doc/en/books/handbook/firewalls-ipfw.html (30.6.5.7 An Example NAT and Stateful Ruleset -- Ruleset #1)
firewall config (logging enabled temporarily while troubleshooting)
============================================================================
00003 16133 2323153 allow ip from any to any via em0
00004 672 144006 allow ip from any to any via lo0
00100 96 5322 divert 8668 log ip from any to any in via fxp0
00101 0 0 check-state
00120 64 4542 skipto 500 log udp from any to any out via fxp0 keep-state
00125 203 49916 skipto 500 log tcp from any to any out via fxp0 setup keep-state
00130 26 2184 skipto 500 icmp from any to any out via fxp0 keep-state
00300 0 0 deny ip from 192.168.0.0/16 to any in via fxp0
00301 0 0 deny ip from 172.16.0.0/12 to any in via fxp0
00302 0 0 deny ip from 10.0.0.0/8 to any in via fxp0
00303 0 0 deny ip from 127.0.0.0/8 to any in via fxp0
00304 0 0 deny ip from 0.0.0.0/8 to any in via fxp0
00305 0 0 deny ip from 169.254.0.0/16 to any in via fxp0
00306 0 0 deny ip from 192.0.2.0/24 to any in via fxp0
00307 0 0 deny ip from 204.152.64.0/23 to any in via fxp0
00308 0 0 deny ip from 224.0.0.0/3 to any in via fxp0
00400 10 1306 allow log udp from any to any dst-port 53,123 in keep-state
00401 0 0 allow log icmp from any to any icmptypes 0,3,11
00420 9 1112 allow log tcp from any to me dst-port 20,21,53,76,80,123,443 in via fxp0 setup limit src-addr 20
00450 24 876 deny log logamount 10000 ip from any to any
00500 293 56642 divert 8668 log ip from any to any
00510 78 21591 allow log ip from any to any
65535 262 18726 deny ip from any to any
============================================================================
/etc/natd.conf
============================================================================
use_sockets
same_ports
unregistered_only
interface fxp0
============================================================================
Natd only properly NATs the first packet out:
# /sbin/natd -v -f /etc/natd.conf
Loading /lib/libalias_cuseeme.so
Loading /lib/libalias_ftp.so
Loading /lib/libalias_irc.so
Loading /lib/libalias_nbt.so
Loading /lib/libalias_pptp.so
Loading /lib/libalias_skinny.so
Loading /lib/libalias_smedia.so
natd[10702]: Aliasing to 74.94.69.225, mtu 1500 bytes
Out {default}[TCP] [TCP] 192.168.1.6:61447 -> 65.61.153.152:80 aliased to
[TCP] 74.94.69.225:61447 -> 65.61.153.152:80
In {default}[TCP] [TCP] 65.61.153.152:80 -> 74.94.69.225:61447 aliased to
[TCP] 65.61.153.152:80 -> 192.168.1.6:61447
In {default}[TCP] [TCP] 65.61.153.152:80 -> 192.168.1.6:61447 aliased to
[TCP] 65.61.153.152:80 -> 192.168.1.6:61447
Out {default}[TCP] [TCP] 192.168.1.6:61447 -> 65.61.153.152:80 aliased to
[TCP] 192.168.1.6:61447 -> 65.61.153.152:80
Out {default}[TCP] [TCP] 192.168.1.6:61447 -> 65.61.153.152:80 aliased to
[TCP] 192.168.1.6:61447 -> 65.61.153.152:80
Out {default}[TCP] [TCP] 192.168.1.6:61447 -> 65.61.153.152:80 aliased to
[TCP] 192.168.1.6:61447 -> 65.61.153.152:80
Out {default}[TCP] [TCP] 192.168.1.6:61447 -> 65.61.153.152:80 aliased to
[TCP] 192.168.1.6:61447 -> 65.61.153.152:80
Out {default}[TCP] [TCP] 192.168.1.6:61447 -> 65.61.153.152:80 aliased to
[TCP] 192.168.1.6:61447 -> 65.61.153.152:80
In {default}[TCP] [TCP] 65.61.153.152:80 -> 74.94.69.225:61447 aliased to
[TCP] 65.61.153.152:80 -> 192.168.1.6:61447
In {default}[TCP] [TCP] 65.61.153.152:80 -> 192.168.1.6:61447 aliased to
[TCP] 65.61.153.152:80 -> 192.168.1.6:61447
Out {default}[TCP] [TCP] 192.168.1.6:61447 -> 65.61.153.152:80 aliased to
[TCP] 192.168.1.6:61447 -> 65.61.153.152:80
Out {default}[TCP] [TCP] 192.168.1.6:61447 -> 65.61.153.152:80 aliased to
[TCP] 192.168.1.6:61447 -> 65.61.153.152:80
Out {default}[TCP] [TCP] 192.168.1.6:61447 -> 65.61.153.152:80 aliased to
[TCP] 192.168.1.6:61447 -> 65.61.153.152:80
Out {default}[TCP] [TCP] 192.168.1.6:61447 -> 65.61.153.152:80 aliased to
[TCP] 192.168.1.6:61447 -> 65.61.153.152:80
I'm not sure why this happens! The same config worked with FBSD 7.x.
TIA,
Casey
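The natd -v trace above is easier to read when each two-line "aliased to" record is parsed and labelled by what the translation actually did. The following is an added example, not code from the original post or from natd/ipfw: it pairs each header line with its continuation line, and for every record checks whether an outbound packet's source became the alias address and whether an inbound packet addressed to the alias address was mapped back to the internal host. The sample lines are copied from the post (alias address 74.94.69.225, internal host 192.168.1.6); the record format is assumed to be exactly the two-line layout natd printed there, and the label names are this example's own.

```python
"""Classify natd -v 'aliased to' records: did the translation do anything?

Added example, not part of the original post. The record layout is assumed
to be natd's two-line verbose format as reproduced in the post.
"""
import re
from collections import Counter, namedtuple

Packet = namedtuple("Packet", "proto src sport dst dport")

# Matches "[TCP] 192.168.1.6:61447 -> 65.61.153.152:80" anywhere in a line.
# On a header line the first "[TCP]" is the alias-instance tag and is not
# followed by an address, so search() skips it and matches the packet.
PKT_RE = re.compile(
    r"\[(?P<proto>\w+)\]\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)
HEAD_RE = re.compile(r"^(?P<dir>In|Out)\s+\{[^}]*\}")

# Sample constructed from the post's natd -v output: the first five records.
SAMPLE = """\
Out {default}[TCP] [TCP] 192.168.1.6:61447 -> 65.61.153.152:80 aliased to
           [TCP] 74.94.69.225:61447 -> 65.61.153.152:80
In {default}[TCP] [TCP] 65.61.153.152:80 -> 74.94.69.225:61447 aliased to
           [TCP] 65.61.153.152:80 -> 192.168.1.6:61447
In {default}[TCP] [TCP] 65.61.153.152:80 -> 192.168.1.6:61447 aliased to
           [TCP] 65.61.153.152:80 -> 192.168.1.6:61447
Out {default}[TCP] [TCP] 192.168.1.6:61447 -> 65.61.153.152:80 aliased to
           [TCP] 192.168.1.6:61447 -> 65.61.153.152:80
Out {default}[TCP] [TCP] 192.168.1.6:61447 -> 65.61.153.152:80 aliased to
           [TCP] 192.168.1.6:61447 -> 65.61.153.152:80
"""


def _packet(line):
    """Extract the 5-tuple from one line, or None if there is none."""
    m = PKT_RE.search(line)
    if not m:
        return None
    return Packet(m.group("proto"), m.group("src"), int(m.group("sport")),
                  m.group("dst"), int(m.group("dport")))


def parse_records(text):
    """Pair each 'aliased to' header line with the continuation line that
    follows it and return (direction, before, after) tuples."""
    lines = [l.rstrip() for l in text.splitlines() if l.strip()]
    records = []
    for i in range(len(lines) - 1):
        head = HEAD_RE.match(lines[i])
        if head and lines[i].endswith("aliased to"):
            before, after = _packet(lines[i]), _packet(lines[i + 1])
            if before and after:
                records.append((head.group("dir"), before, after))
    return records


def classify(direction, before, after, alias_addr):
    """Label one record (label names are this example's own).

    Out: the source should become alias_addr.
    In:  a destination of alias_addr should become the internal address.
    Anything else means natd either did nothing ('not_translated') or was
    handed a packet that had already been translated once, which is what a
    second divert of the same packet looks like."""
    if direction == "Out":
        if before.src == alias_addr:
            return "already_aliased"
        return "translated" if after.src == alias_addr else "not_translated"
    if before.dst != alias_addr:
        return "already_dealiased"
    return "translated" if after.dst != alias_addr else "not_translated"


def summarize(text, alias_addr):
    """Count labels; every label other than 'translated' is a NAT fault."""
    return Counter(classify(d, b, a, alias_addr)
                   for d, b, a in parse_records(text))


if __name__ == "__main__":
    for label, n in sorted(summarize(SAMPLE, "74.94.69.225").items()):
        print(f"{label:18s} {n}")
```

Run it against a saved `natd -v` log with the alias address printed in natd's "Aliasing to" line; a non-zero count for anything other than translated shows that packets are reaching natd either untouched or for a second time, which is what the post's trace shows after the first outbound packet.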