Problem with natd

Sham Khalil ksham at pd.jaring.my
Sun Nov 23 05:08:55 PST 2003


Hi all,

I built PicoBSD on FreeBSD 4.9-RELEASE.
The crunch.conf is based on net, with
user ppp, natd, ipfw2, sshd and ee.

In the kernel conf PICOBSD, I have these:
	options         IPFIREWALL
	options         IPDIVERT
	options         IPFW2

I launch ppp from rc.local and use custom ipfw rules invoked by the rc.firewall script.
	firewall_enable="YES"
	firewall_type="/etc/fwrules"

rc.local:
	#!/bin/sh
	#swapon /dev/ad0s1b  # plenty of space on the hard disk, a swap is not a big deal.
	ppp -auto papchap
	natd -interface tun0


ns would look like this after the dialup connection:
	Routing table:
	--------------
	Destination        Gateway            Flags       Netif  Use
	default            61.6.142.2         UGSc        tun0    20
	10.0.0.0/27        link#3             UC          ed0    0
	10.0.0.5           link#3             UHLW        ed0    32
	10.0.0.32/27       link#1             UC          ep0    0
	10.0.0.64/27       link#2             UC          ep1    0
	61.6.142.2         61.6.142.145       UH          tun0    0
	127.0.0.1          127.0.0.1          UH          lo0    0

It seemed that there was traffic going out but no traffic coming back.
 
ipfw -d show:
	00010  0   0 allow ip from any to any via lo0
	00020  0   0 deny ip from 127.0.0.0/8 to 127.0.0.0/8
	00100 12 655 divert 8668 ip from any to any via tun0
	00200  0   0 check-state
	00220  0   0 deny tcp from any to any established
	00250  0   0 deny ip from 10.0.0.0/8 to any in via tun0
	00251  0   0 deny ip from 192.168.0.0/16 to any in via tun0
	00252  0   0 deny ip from 172.16.0.0/12 to any in via tun0
	00253  0   0 deny ip from any to 10.0.0.0/8 in via tun0
	00254  0   0 deny ip from any to 172.16.0.0/12 in via tun0
	00255  0   0 deny ip from any to 192.168.0.0/16 in via tun0
	00300  0   0 allow tcp from me to any out via lo0 setup keep-state
	00310  0   0 deny tcp from me to any out via lo0
	00320  0   0 allow ip from me to any out via lo0 keep-state
	00400  0   0 allow tcp from me to any out setup keep-state
	00410  0   0 deny tcp from me to any
	00420  9 523 allow ip from me to any out keep-state
	00510  0   0 allow tcp from 10.0.0.0/24 to any setup keep-state
	00520  0   0 deny tcp from 10.0.0.0/24 to any
	00530  0   0 allow ip from 10.0.0.0/24 to any out keep-state
	00600  0   0 allow tcp from any to me dst-port 22 in setup keep-state
	00700  9 523 allow udp from any to 192.228.128.20 dst-port 53
	00710  0   0 allow udp from 192.228.128.20 53 to any
	00720  0   0 allow udp from any to 132.239.1.6 dst-port 123
	00730  0   0 allow udp from 132.239.1.6 123 to any
	00740  0   0 reset tcp from any to me dst-port 113 in
	00800  0   0 allow icmp from any to any icmptypes 0,3,8,11,12,13,14
	00900  3 132 deny ip from any to any
	65535  0   0 deny ip from any to any
	## Dynamic rules (5):
	00420  0   0 (1s) STATE udp 10.0.0.1 1030 <-> 192.228.128.20 53
	00420  0   0 (4s) STATE udp 10.0.0.1 1031 <-> 192.228.128.20 53
	00420  0   0 (9s) STATE udp 10.0.0.1 1032 <-> 192.228.128.20 53



I run the same rules on a full-blown FreeBSD 4.9 machine, and it works.
Here is the ipfw -d show on the other machine:
	00400 25 4704 allow tcp from me to any out setup keep-state
	00410  0    0 deny tcp from me to any
	00420 40 2946 allow ip from me to any out keep-state
	## Dynamic rules (36):
	00400  7 3800 (201s) STATE tcp 61.6.117.188 1026 <-> 61.6.32.105 80

See, natd did not get the correct IP for tun0.
I think there is something wrong with natd.
Connection without natd (firewall_type=open) works; I think it is only natd. Am I missing something?

Sham Khalil
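The following is an added example, not code from the original post or from FreeBSD: a small parser for the `ipfw -d show` output format quoted above (FreeBSD 4.x, rule number / packets / bytes / body, followed by a `## Dynamic rules` section). It reports which static rules actually counted packets, how many packets fell through to a catch-all `deny ip from any to any`, and whether any dynamic state entry is keyed on an RFC1918 address. On a host where the divert rule precedes the keep-state rules, outbound packets should reach keep-state already translated, so private addresses in the state table are the evidence to look for when natd does not rewrite traffic. The sample text is constructed from the figures in the post; the function names are this example's own.

```python
"""Summarise an `ipfw -d show` dump: matched rules, catch-all drops,
and dynamic state keyed on private addresses (added example)."""
import ipaddress
import re

PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Static rule line: "<rule> <pkts> <bytes> <action and match body>"
STATIC_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(\S.*)$")
# Dynamic state line: "<rule> <pkts> <bytes> (<ttl>s) STATE <proto> A Ap <-> B Bp"
DYNAMIC_RE = re.compile(
    r"^(\d+)\s+(\d+)\s+(\d+)\s+\((\d+)s\)\s+STATE\s+(\w+)\s+"
    r"(\S+)\s+(\d+)\s+<->\s+(\S+)\s+(\d+)$")

# Constructed sample, taken from the counters quoted in the post.
SAMPLE = """\
00010  0   0 allow ip from any to any via lo0
00100 12 655 divert 8668 ip from any to any via tun0
00420  9 523 allow ip from me to any out keep-state
00700  9 523 allow udp from any to 192.228.128.20 dst-port 53
00900  3 132 deny ip from any to any
65535  0   0 deny ip from any to any
## Dynamic rules (5):
00420  0   0 (1s) STATE udp 10.0.0.1 1030 <-> 192.228.128.20 53
00420  0   0 (4s) STATE udp 10.0.0.1 1031 <-> 192.228.128.20 53
"""


def parse_ipfw_show(text):
    """Return (static_rules, dynamic_entries) as lists of dicts."""
    static, dynamic = [], []
    in_dynamic = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("## Dynamic rules"):
            in_dynamic = True          # everything after this header is state
            continue
        if in_dynamic:
            m = DYNAMIC_RE.match(line)
            if m:
                rule, pkts, byts, ttl, proto, a, ap, b, bp = m.groups()
                dynamic.append({"rule": int(rule), "pkts": int(pkts),
                                "bytes": int(byts), "ttl": int(ttl),
                                "proto": proto, "src": a, "sport": int(ap),
                                "dst": b, "dport": int(bp)})
        else:
            m = STATIC_RE.match(line)
            if m:
                rule, pkts, byts, body = m.groups()
                static.append({"rule": int(rule), "pkts": int(pkts),
                               "bytes": int(byts), "body": body})
    return static, dynamic


def is_private(addr):
    """True for RFC1918 addresses; non-addresses (e.g. 'me') are False."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in PRIVATE_NETS)


def matched_rules(static):
    """Static rules that counted at least one packet, in rule order."""
    return [r for r in static if r["pkts"] > 0]


def catch_all_denies(static):
    """Catch-all deny rules that actually dropped packets: traffic that
    matched no earlier rule and no dynamic state."""
    return [r for r in static
            if r["body"] == "deny ip from any to any" and r["pkts"] > 0]


def private_state(dynamic):
    """Dynamic entries with an RFC1918 endpoint.  Behind a divert rule
    that precedes keep-state, these show packets that were never
    translated before the state was created."""
    return [s for s in dynamic if is_private(s["src"]) or is_private(s["dst"])]


def report(text):
    """Human-readable findings, one per line."""
    static, dynamic = parse_ipfw_show(text)
    lines = [f"rule {r['rule']:05d} matched {r['pkts']} pkts: {r['body']}"
             for r in matched_rules(static)]
    lines += [f"rule {r['rule']:05d} (catch-all deny) dropped {r['pkts']} pkts"
              for r in catch_all_denies(static)]
    lines += [f"state on rule {s['rule']:05d} keyed on a private address: "
              f"{s['src']}:{s['sport']} <-> {s['dst']}:{s['dport']}"
              for s in private_state(dynamic)]
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Run it against a live dump with `ipfw -d show | python3 thisfile.py` after replacing `SAMPLE` with `sys.stdin.read()`; the interesting output on the box in the post is the pair of state entries keyed on 10.0.0.1 and the three packets that fell through to rule 00900.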


More information about the freebsd-small mailing list