From owner-freebsd-questions Thu Sep 13 15:14:18 2001
Date: Thu, 13 Sep 2001 17:14:07 -0500 (CDT)
From: Nick Rogness
To: Sheldon Hearn
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: NATD address_redirect kills host's connectivity
In-Reply-To: <57469.1000404267@axl.seasidesoftware.co.za>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Thu, 13 Sep 2001, Sheldon Hearn wrote:

[snip]

> I've followed all the instructions as best I can. I have IPFIREWALL,
> IPFIREWALL_FORWARD and DIVERT in my kernel. I booted this new kernel
> with gateway_enable="YES" in rc.conf.
>
> I start natd as follows:
>
> /sbin/natd -f /etc/natd.conf
>
> ---- /etc/natd.conf
> interface ep0
>
> # Sheldon's workstation
> redirect_address 10.0.0.2 196.31.7.201
> ----

Looks OK.

> I have my workstation's public address configured as an alias on ep0:
>
> ---- ifconfig ep0
> ifconfig ep0
> ep0: flags=8843 mtu 1500
> inet 196.31.7.199 netmask 0xfffffff0 broadcast 196.31.7.207
> inet 196.31.7.201 netmask 0xffffffff broadcast 196.31.7.201
> ----
>
> My custom firewall rules are in /etc/firewall.local and rc.conf
> contains firewall_type="/etc/firewall.local".
>
> ---- /etc/firewall.local
> add divert natd all from any to any via ep0
>
> add allow all from any to any
> ----

Do an `ipfw -a l` at the prompt and send the output back.

> Without the redirect_address line in /etc/natd.conf, my workstation
> has connectivity to public addresses. Without it, the only public
> address in the universe to which my host can connect is its own.
>
> Is there something subtle I've missed? Or perhaps I need something
> more in my firewall rules that the NAT section of the Handbook
> neglects to mention?

Is your alias address reachable from the outside world? Turn off natd and the corresponding ipfw rule and just try to hit your alias address from the outside. You should be able to reach it (via telnet or ssh or whatever).

Nick Rogness - Keep on Routing in a Free World...
"FreeBSD: The Power to Serve!"
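As an added illustration of the `ipfw -a l` check Nick asks for (this is not code from the thread), the script below reads the per-rule packet counters from a constructed sample of `ipfw -a l` output in the FreeBSD 4.x column layout (rule number, packets, bytes, rule body) and reports whether the divert rule feeding natd has ever matched a packet; the sample lines and function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the mailing-list post. Constructed sample in the
# shape of FreeBSD 4.x `ipfw -a l` output: rulenum packets bytes rule-body.
SAMPLE_IPFW_LIST='00100 0 0 divert 8668 ip from any to any via ep0
00200 4821 3905112 allow ip from any to any
65535 0 0 deny ip from any to any'

# Print "<rulenum> <rule body>" for each rule whose packet counter is 0.
# A zero counter means traffic is not reaching that rule at all.
idle_rules() {
    printf '%s\n' "$1" | awk '$2 == 0 {
        n = $1; $1 = $2 = $3 = ""; sub(/^ +/, ""); print n " " $0 }'
}

# Print the packet counter of the first divert rule (empty if none exists).
divert_packets() {
    printf '%s\n' "$1" | awk '$4 == "divert" { print $2; exit }'
}

# Verdict: if the divert rule never matched, natd never sees the packets,
# so the natd.conf redirect cannot be what is changing the host's behaviour.
check_divert() {
    pkts=$(divert_packets "$1")
    if [ -z "$pkts" ]; then
        echo "no divert rule installed"
    elif [ "$pkts" -eq 0 ]; then
        echo "divert rule present but never matched"
    else
        echo "divert rule matched $pkts packets"
    fi
}

# Replace SAMPLE_IPFW_LIST with "$(ipfw -a l)" on a real FreeBSD gateway.
check_divert "$SAMPLE_IPFW_LIST"
idle_rules "$SAMPLE_IPFW_LIST"
```

Run it twice, once with natd stopped and the divert rule removed and once with both active, and compare the counters to see which rule the host's own traffic is hitting.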