Date:      Thu, 09 Dec 1999 10:15:40 +0100 (CET)
From:      Martin Welk <mw@freibergnet.de>
To:        Roelof Osinga <roelof@nisser.com>
Cc:        FreeBSD Stable <freebsd-stable@FreeBSD.ORG>
Subject:   Re: ifpw forwarding problem
Message-ID:  <XFMail.991209101540.mw@freibergnet.de>
In-Reply-To: <384ED624.5EA4E41D@nisser.com>

On 08-Dec-99 Roelof Osinga wrote:

()  Thanks. I did do that, but for testing purposes I tried to redirect it
()  through the other NIC as well. The natd has been told to listen only
()  on the ep1 NIC.

As I understood it, you tell natd the interface it's going to work on so
that it gets its (probably dynamic) IP address from this interface (the IP
address it should use for translated packets).

You still have to pass the packets from the IP firewall to natd by divert
rules in the firewall ruleset.

() > use_sockets
() > same_ports
() > port 8668
() > deny_incoming no
() > alias_address aaa.aaa.aaa.aaa
() > redirect_port tcp bbb.bbb.bbb.bbb:5900 aaa.aaa.aaa.aaa:5900
()  
()  Second thing I tried, but with the difference that I rely
()  on "deny incoming no" to be the default.

Take care with the spelling. I'm not sure how tolerant natd is in reading
the options from a config file; they are slightly different.
My example is correct and the option is really called "deny_incoming"
(with the value "no").

()  In my case though I should probably be using proxy_rule with
()  type encode_ip_hdr since it's intended for webtraffic. It would be
()  nice to know where the hits are coming from.

You need this if you are going to setup rules for a transparent proxy,
but with redirect_address the packet should arrive with the original
address at the host in the internal network.

()  Funny in that I did try with
()  
()  nisser:/home/www/Slak$ cat /etc/natd.conf
() # as used in rc.conf.local
()  -use_sockets
()  -same_ports
() #-redirect_port tcp 212.187.0.39:8080 10.0.0.3:80

Write it as

use_sockets yes
same_ports
redirect_port ...

()  redirection enabled. It didn't work when accessing that IP address
()  from within. Which is why I tried the internal NIC.

Argh! You're right, from the internal network I can't access the host with
its external address. The same bug here! (This machine offers some web
services and FTP via NATD to the outside and obviously nobody tried to use
these services from our internal network :-) )

()  Alas it did not work in my case. However, that was with
()  IPFIREWALL_FORWARD
()  enabled. Turned out that made my system quite unstable, or rather
()  erratic.

Woah! Never really experienced such trouble.

options IPFIREWALL
        IPFIREWALL_DEFAULT_TO_ACCEPT *
        IPFIREWALL_FORWARD *
        IPFIREWALL_VERBOSE
        "IPFIREWALL_VERBOSE_LIMIT=100"
        IPDIVERT
        "ICMP_BANDLIM"
        DUMMYNET *

All except those marked with * are running on our primary server that does
NAT for the internal network; the others are in my desktop machine's kernel.

Both run rock-stable with 3.3-STABLE.

Did you include IPDIVERT?

()  Which reminds me, do you happen to know if natd responds to HUP? The
()  manpage doesn't mention it.

No, it doesn't. I usually kill it before (re-) starting it. If this
behaviour has changed, I haven't noticed.

(I have found that in some circumstances, after killing the old natd and
starting a new one, something didn't work properly anymore, especially on
a machine here with six Ethernet interfaces and three natd's running in
parallel. I had to reboot it after doing very heavy changes :-) )

()  Anyway, since my rules mimic yours (barring the "deny_incoming no") and
()  yours do work, I know at least it's not the rules. The natd rules, that
()  is. I'll try with the kernel as is at the next opportunity.

Which version of FreeBSD are you running?

Regards,

Martin
-- 
FreibergNet Systemhaus GbR                   Martin Welk * Sales, Support
Systemhaus für Daten- und Netzwerktechnik           phone +49 3731 781387
Unternehmensgruppe Liebscher & Partner                fax +49 3731 781377
D-09599 Freiberg * Am St. Niclas Schacht 13    http://www.freibergnet.de/
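The two pieces Martin's reply says must both be in place, written out as a complete working pair: a natd.conf with the option names spelled as natd(8) expects (deny_incoming, use_sockets yes) and the ipfw divert rule that actually hands packets to natd. This is an added example, not code from either poster; the interface name ep1, the internal web host 10.0.0.3, the public address 203.0.113.10 and the file paths are assumptions. In redirect_port the internal target comes first and the public (alias) side second. Note that the "via ep1" divert rule is exactly why a LAN client talking to the public address is never translated, the from-inside case both posters found not to work; this example does not change that.

```shell
#!/bin/sh
# Added example (not from the thread): natd.conf plus the matching ipfw
# divert rules, as a FreeBSD 3.x-era admin would write them by hand.
# Assumed names: external NIC ep1, internal web host 10.0.0.3, public
# alias address 203.0.113.10, config in /etc/natd.conf.

EXT_IF=ep1
ALIAS_ADDR=203.0.113.10
WEB_HOST=10.0.0.3

# Emit /etc/natd.conf.  One option per line, spelled as in natd(8):
# underscores, and boolean options take "yes"/"no".
natd_conf() {
    cat <<EOF
interface $EXT_IF
use_sockets yes
same_ports yes
port 8668
deny_incoming no
alias_address $ALIAS_ADDR
# redirect_port proto TARGET_IP:PORT [ALIAS_IP:]PORT
# internal target first, public (alias) side second
redirect_port tcp $WEB_HOST:80 $ALIAS_ADDR:80
EOF
}

# Emit the ipfw rules (ipfw file format: "add ..." lines) that pass
# packets to natd.  Without the divert rule natd never sees a packet,
# whatever natd.conf says.  "via $EXT_IF" limits translation to traffic
# crossing the external NIC, so a LAN client connecting to $ALIAS_ADDR
# is not diverted.  Rule 200 is a placeholder for the real filter rules,
# which belong below the divert rule.
ipfw_rules() {
    cat <<EOF
add 100 divert natd ip from any to any via $EXT_IF
add 200 pass ip from any to any
EOF
}

# Apply the configuration.  Requires root on a FreeBSD host with
# IPDIVERT in the kernel; not called automatically.
install_nat() {
    natd_conf > /etc/natd.conf
    ipfw_rules > /etc/ipfw.natd.rules
    ipfw -f flush
    ipfw /etc/ipfw.natd.rules
    natd -f /etc/natd.conf
}

# Number of real (non-comment) option lines in the emitted natd.conf;
# a quick self-check that nothing was dropped from the heredoc.
natd_conf_option_count() {
    natd_conf | grep -v '^#' | grep -c .
}
```

Run `natd_conf` and `ipfw_rules` to inspect the generated files before calling `install_nat` as root; `install_nat` does not send natd a HUP, it starts a fresh natd, which matches the kill-and-restart practice described in the reply.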
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?XFMail.991209101540.mw>