Date:      Thu, 11 Oct 2001 21:10:04 -0500
From:      David Kelly <dkelly@hiwaay.net>
To:        freebsd-questions@FreeBSD.ORG
Cc:        Louis LeBlanc <leblanc+freebsd@smtp.ne.mediaone.net>
Subject:   Re: IPFW, natd, and one big headache 
Message-ID:  <200110120210.f9C2A4w07976@grumpy.dyndns.org>
In-Reply-To: Message from Louis LeBlanc <leblanc%2Bfreebsd@smtp.ne.mediaone.net>  of "Thu, 11 Oct 2001 10:10:17 EDT." <20011011101016.A2983@acadia.ne.mediaone.net> 

Louis LeBlanc writes:
> On 10/11/01 11:08 AM, Roger Merritt sat at the `puter and typed:
> > At 10:56 PM 10/10/01 -0400, you wrote:
> > >On 10/10/01 09:10 PM, David Kelly sat at the `puter and typed:
> > >> [. . .]
> > <snip>
> >
> > David's suggestions are good, and I'm going to try to preserve that e-mail
> > for future guidance, but let me suggest another resource:
> > 	<http://www.onlamp.com/pub/ct/15>;
>
> Yes, I'd have to say it was helpful, but I'm confused about the
> rule numbering.  I've been having to count the rules out to put in the
> whole number.  From David's message, I had assumed that a xx50 format
> would automatically order the rule at a step of 50.  Doesn't look that
> way.  Oh well.  It'd be nice . . .

Don't count. Use "ipfw list" to see what current rules are in place.
Then if you suspect the one numbered 1600 then, and right then, at the
keyboard type the ipfw command to insert a clone of that rule (you have
to retype it) at 1550. But this time add the "log" modifier.

> Anyway, I tried a slightly modified version of Dan O'Connor's example
> at mostgraveconcern.com, which I swear hosed my connection before, and
> it came up fine this time.  No nat still, I'm getting a
> failed to write packet back (Permission denied)
> error from natd in /var/log/security.

OK, you now have natd writing to the security syslog channel, same as
ipfw defaults. If the ipfw rule which blocked the re-written natd packet
had "log" then both instances would be on one line after the other (or
very close if you have a very busy host) and you could see both sides of
the problem.

The natd'd packets which are being blocked are blocked after your
divert rule.

-- 
David Kelly N4HHE, dkelly@hiwaay.net
======================================================================
The human mind ordinarily operates at only ten percent of its
capacity -- the rest is overhead for the operating system.
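An added example, not David's code nor anything from FreeBSD, that does the bookkeeping the reply describes in Python: it parses `ipfw list` output (a constructed sample here; rule numbers, interface name and addresses are assumptions), builds the command that inserts a logging clone of a suspect rule 50 below it, and reports whether that rule sits after the natd divert rule, which is where natd's re-written packets get dropped.

```python
# Constructed sample of "ipfw list" output on a natd gateway; rule numbers,
# interface name and addresses are hypothetical, not taken from the thread.
SAMPLE_IPFW_LIST = """\
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
01000 divert 8668 ip from any to any via ed0
01600 deny tcp from any to any in via ed0 setup
01700 allow tcp from any to any established
65535 deny ip from any to any
"""

# Actions whose first argument belongs to the action, so "log" must follow it.
ACTIONS_WITH_ARG = {"divert", "tee", "skipto", "pipe", "queue", "fwd", "forward"}

def parse_ipfw_list(text):
    """Return [(number, action, body)] from the text ipfw list prints."""
    rules = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or not fields[0].isdigit():
            continue
        num, action, rest = int(fields[0]), fields[1], fields[2:]
        if action in ACTIONS_WITH_ARG and rest:
            action, rest = f"{action} {rest[0]}", rest[1:]
        rules.append((num, action, " ".join(rest)))
    return rules

def logging_clone(rules, suspect, step=50):
    """Command that inserts a clone of rule `suspect` at suspect - step,
    as the message advises: same action and body, plus the "log" modifier."""
    numbers = {n for n, _, _ in rules}
    if suspect not in numbers:
        raise ValueError(f"no rule numbered {suspect}")
    new_num = suspect - step
    if new_num <= 0 or new_num in numbers:
        raise ValueError(f"rule number {new_num} is taken or invalid")
    action, body = next((a, b) for n, a, b in rules if n == suspect)
    if body == "log" or body.startswith("log "):
        return f"ipfw add {new_num} {action} {body}"   # already logging
    return f"ipfw add {new_num} {action} log {body}"

def after_divert(rules, suspect):
    """True when `suspect` follows the natd divert rule, so it is one of the
    rules that can drop the re-written packets natd complains about."""
    diverts = [n for n, a, _ in rules if a.startswith("divert ")]
    return bool(diverts) and suspect > min(diverts)

if __name__ == "__main__":
    rules = parse_ipfw_list(SAMPLE_IPFW_LIST)
    print(logging_clone(rules, 1600))
    print("suspect rule is after the divert rule:", after_divert(rules, 1600))
```

Run the printed command as root, then watch /var/log/security for the ipfw log line landing next to natd's "failed to write packet back" message.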