From: Tim Fulmer
To: "Crist J. Clark"
Cc: freebsd-questions@FreeBSD.org
Date: Sun, 17 Feb 2002 18:08:07 -0800
Subject: Re: natd and redirect_port
In-Reply-To: <20020217010330.I48401@blossom.cjclark.org>

At 01:03 AM 2/17/2002 -0800, you wrote:
>On Thu, Feb 14, 2002 at 05:25:59PM -0800, Tim Fulmer wrote:
> > Hi All,
> >
> > Having a bit of trouble with natd.
> >
> > Here's the setup:
> >
> > Internet
> >     |
> > 66.Q.X.Y
> > 192.168.A.1---->192.168.A.2
> > 192.168.B.1
> >     +--->192.168.B.2
> >
> > I am browsing from 192.168.B.2.
> >
> > Compiled a kernel with added options:
> >
> > options CPU_FASTER_5X86_FPU
> > options NO_F00F_HACK
> > options TCP_DROP_SYNFIN
> > options IPFIREWALL
> > options IPFIREWALL_FORWARD
> > options IPFIREWALL_VERBOSE
> > options IPFIREWALL_VERBOSE_LIMIT=100
> > options IPDIVERT
> >
> > Relevant rc.conf:
> >
> > gateway_enable="YES"
> > ifconfig_rl0="inet 66.Q.X.Y netmask 255.255.255.0"
> > ifconfig_rl0_alias0="inet 66.Q.X.Z netmask 255.255.255.255"
> > firewall_enable="YES"
> > firewall_type="OPEN"
> > natd_enable="YES"
> > natd_interface="rl0"
> > natd_flags="-f /etc/natd.conf"
> >
> > and natd.conf:
> >
> > redirect_port tcp 192.168.A.2:80 80
> >
> > and am still getting the local apache installation when I point a
> > browser at 66.Q.X.Y, though the connection sharing works fine from both
> > internal nets. At some point in the future redirect_address may also be
> > a good idea, but right now that is non-functional as well.
> >
> > Any suggestions would be greatly appreciated.
>
>You are saying that the redirect does not work when you try to connect
>from the NAT'ed network? This is expected. When you send the SYN to
>66.Q.X.Y it goes to the gateway on the internal interface. It goes
>through your firewall rules and is either accepted or denied (you
>didn't show us the rules). If it is denied, story over. If it is
>accepted, the machine recognizes 66.Q.X.Y as its own address and
>processes the packet. And you are apparently running a webserver on
>this machine so it responds as expected.
>
>This is apparently not what you expect? natd(8) is only passed packets
>from ipfw(8) via the 'divert' rule when the packets are crossing the
>rl0 interface. In this situation, the packets never cross rl0, never
>go to natd(8), and translation will never occur.
>-- 
>Crist J. Clark                     |     cjclark@alum.mit.edu
>                                   |     cjclark@jhu.edu
>http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

Yep, jumped across the street to the library and it worked just fine.
Thanks, I was going crazy on that one.

- tim
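An added model of the path Crist describes, not code from this thread: ipfw's divert rule hands natd only packets crossing rl0, so an internal client's SYN to 66.Q.X.Y arrives on the inside interface, is never translated, and is answered by the gateway's own httpd, while the same SYN from outside is redirected to 192.168.A.2:80. The rule shape `divert natd all from any to any via rl0`, the inside interface name `lan0`, and the sample client addresses are assumptions.

```python
# Added model of the ipfw divert + natd path discussed in the thread, not the
# thread's own code. Assumed (not shown in the thread): the OPEN ruleset diverts
# with "divert natd all from any to any via rl0", and the inside NIC is "lan0".
from dataclasses import dataclass, replace

EXTERNAL_IF = "rl0"
# Addresses the gateway itself owns (from the rc.conf in the thread).
LOCAL_ADDRS = {"66.Q.X.Y", "66.Q.X.Z", "192.168.A.1", "192.168.B.1"}
# natd.conf from the thread: redirect_port tcp 192.168.A.2:80 80
REDIRECT_PORT = {("tcp", 80): ("192.168.A.2", 80)}

@dataclass(frozen=True)
class Packet:
    iface: str       # interface the packet is crossing on the gateway
    direction: str   # "in" or "out" relative to that interface
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

def divert_matches(pkt: Packet) -> bool:
    """ipfw 'via rl0' matches packets entering OR leaving through rl0."""
    return pkt.iface == EXTERNAL_IF

def natd(pkt: Packet) -> Packet:
    """What natd does to a diverted packet: redirect_port inbound, masquerade outbound."""
    if pkt.direction == "in":
        target = REDIRECT_PORT.get((pkt.proto, pkt.dport))
        if target and pkt.dst in LOCAL_ADDRS:
            return replace(pkt, dst=target[0], dport=target[1])
        return pkt
    # Outbound: rewrite the private source to the public address (port kept for brevity).
    return replace(pkt, src="66.Q.X.Y")

def route(pkt: Packet) -> tuple[str, Packet]:
    """Return ('local' | 'forward', packet as the gateway finally sees it)."""
    if divert_matches(pkt):
        pkt = natd(pkt)
    disposition = "local" if pkt.dst in LOCAL_ADDRS else "forward"
    return disposition, pkt

if __name__ == "__main__":
    # Constructed sample traffic: an outside client and the 192.168.B.2 browser.
    outside = Packet("rl0", "in", "tcp", "198.51.100.7", 40000, "66.Q.X.Y", 80)
    inside = Packet("lan0", "in", "tcp", "192.168.B.2", 40001, "66.Q.X.Y", 80)
    for p in (outside, inside):
        where, final = route(p)
        print(f"{p.src} -> {p.dst}:{p.dport} via {p.iface}: {where} {final.dst}:{final.dport}")
```

Running it shows the outside SYN forwarded to 192.168.A.2:80 and the inside SYN handled locally, which is exactly the behaviour the thread reports.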