From owner-freebsd-questions Tue Oct 8 12:28:35 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7361737B425 for ; Tue, 8 Oct 2002 12:28:33 -0700 (PDT)
Received: from smtprelay8.dc2.adelphia.net (smtprelay8.dc2.adelphia.net [64.8.50.40]) by mx1.FreeBSD.org (Postfix) with ESMTP id 66C3F43E88 for ; Tue, 8 Oct 2002 12:28:32 -0700 (PDT) (envelope-from barbish@a1poweruser.com)
Received: from barbish ([68.65.175.62]) by smtprelay8.dc2.adelphia.net (Netscape Messaging Server 4.15) with SMTP id H3OGRH01.69Y; Tue, 8 Oct 2002 15:28:29 -0400
Reply-To:
From: "JoeB"
To: "Kim Helenius" ,
Subject: RE: Puzzling NATD problem - revisited
Date: Tue, 8 Oct 2002 15:28:28 -0400
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
In-Reply-To: <3DA2D9D0.6050908@kepa.fi>
Importance: Normal
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

You state:

Network topology: Internet---Campus Network---(xl0)FreeBSD NATD machine(xl1)---Internal host

The Internet uses public IP addresses. If the Campus Network uses private IP addresses, then you cannot NAT them again; if the Campus Network uses public IP addresses, then you should NAT xl1 for the private IP addresses on the LAN behind the FBSD box.
-----Original Message-----
From: owner-freebsd-questions@FreeBSD.ORG [mailto:owner-freebsd-questions@FreeBSD.ORG] On Behalf Of Kim Helenius
Sent: Tuesday, October 08, 2002 9:13 AM
To: freebsd-questions@FreeBSD.ORG
Subject: Puzzling NATD problem - revisited

The setting:

Network topology: Internet---Campus Network---(xl0)FreeBSD NATD machine(xl1)---Internal host

A custom kernel build including the following options:

    options IPFIREWALL
    options IPDIVERT

Used the command:

    sysctl net.inet.ip.forwarding=1

And started natd with:

    natd -interface xl0

Then did, straight from the manpage, the following firewall rules:

    /sbin/ipfw -f flush
    /sbin/ipfw add divert natd all from any to any via xl0
    /sbin/ipfw add pass all from any to any

Now NAT works perfectly for the internal host, but (almost) all TCP connections cease to work to/from the NATD machine. AFAIK UDP and ICMP work perfectly. I've tried this on two different FreeBSD machines in the same network with identical results. If I remove the divert rule, everything works perfectly, except of course for the NAT. There have been no similar, puzzling effects on any Linux hosts I know of in the same network. Therefore I'm sure there's some knob I haven't pushed yet :)

I'm aware this doesn't make much of a firewall but I'd like to get natd working before I run the firewall script.

--
Kim Helenius
kim.helenius@kepa.fi

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
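Kim's three-rule set diverts everything through natd and then passes everything, which is fine for testing NAT but leaves the gateway and the LAN behind it open to any inbound connection. The script below is an added example, not code from Kim, JoeB or the FreeBSD project, and it does not address the TCP symptom discussed in the thread; it only shows what the "firewall script" stage could look like once natd works. It keeps the manpage divert rule in front of every rule that looks at addresses (so later rules see translated packets), replaces "pass all" with an explicit policy, and adds an anti-spoofing check on the outside interface. It assumes the interface names from the thread (xl0 outside, xl1 inside), a placeholder LAN subnet of 192.168.1.0/24, classic ipfw syntax with natd already started as "natd -interface xl0" and net.inet.ip.forwarding=1, and a kernel built with IPFIREWALL_VERBOSE so that "deny log" actually logs. With DRY_RUN=1 it prints the rules instead of loading them, so it can be reviewed on any host; note that "ipfw -f flush" on a remotely administered box drops the session until the allow rules are loaded, so apply it from the console or in one script as here.

```shell
#!/bin/sh
# Added example, not from the thread: an ipfw ruleset for the natd gateway
# that replaces "pass all from any to any" with explicit rules.
# Assumptions: outside interface xl0 and inside interface xl1 (from the thread),
# internal LAN 192.168.1.0/24 (a placeholder; substitute your own subnet).
# Run "sh fw.sh show" to print the rules, "sh fw.sh apply" to load them.

EXT_IF=${EXT_IF:-xl0}
INT_IF=${INT_IF:-xl1}
LAN_NET=${LAN_NET:-192.168.1.0/24}

# fw: wrapper around ipfw; in dry-run mode it prints the command instead of
# executing it, so the ruleset can be reviewed before it is applied.
fw() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "ipfw $*"
    else
        /sbin/ipfw "$@"
    fi
}

build_ruleset() {
    fw -f flush
    # loopback is allowed; 127/8 must never appear on a real interface
    fw add 100 allow ip from any to any via lo0
    fw add 200 deny ip from any to 127.0.0.0/8
    fw add 300 deny ip from 127.0.0.0/8 to any
    # anti-spoofing: our private range must never arrive on the outside
    fw add 400 deny ip from "$LAN_NET" to any in via "$EXT_IF"
    # NAT: the manpage divert rule, placed before anything that inspects
    # addresses so that later rules see the translated packet
    fw add 500 divert natd ip from any to any via "$EXT_IF"
    # packets of already established TCP connections pass; bare SYNs do not
    fw add 600 allow tcp from any to any established
    # LAN hosts may open anything outbound; their traffic enters on INT_IF
    fw add 700 allow ip from "$LAN_NET" to any in via "$INT_IF"
    # de-translated inbound replies on their way back to LAN hosts
    fw add 800 allow ip from any to "$LAN_NET" out via "$INT_IF"
    # anything leaving the outside interface was accepted on the way in
    fw add 900 allow ip from any to any out via "$EXT_IF"
    # stateless protocols still needed: DNS answers and the useful ICMP types
    # (0 echo reply, 3 unreachable, 8 echo request, 11 time exceeded)
    fw add 1000 allow udp from any 53 to any in via "$EXT_IF"
    fw add 1100 allow icmp from any to any icmptypes 0,3,8,11
    # new inbound TCP connections from the outside are refused and logged
    fw add 1200 deny log tcp from any to any in via "$EXT_IF" setup
    fw add 65000 deny log ip from any to any
}

# divert_precedes_allow: returns 0 when the divert rule is listed before the
# first rule that inspects TCP state, the ordering natd depends on.
divert_precedes_allow() {
    DRY_RUN=1 build_ruleset | awk '
        /divert natd/ && !d { d = NR }
        /established/  && !e { e = NR }
        END { exit !(d && e && d < e) }'
}

case "${1:-}" in
    apply) build_ruleset ;;
    show)  DRY_RUN=1 build_ruleset ;;
esac
```

Rule 900 looks permissive on its own, but a packet only reaches it on its outbound pass through xl0, after it was already accepted on its inbound pass through xl1 (rule 700) or originated on the gateway itself; the inbound side of xl0 is governed by rules 400 to 1200 and the final deny.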