Date: Sun, 17 Feb 2002 01:03:30 -0800
From: "Crist J. Clark" <cjc@FreeBSD.ORG>
To: Tim Fulmer <tfulmer@dslextreme.com>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: natd and redirect_port
Message-ID: <20020217010330.I48401@blossom.cjclark.org>
In-Reply-To: <000a01c1b5bf$b94b5ef0$f2dca8c0@athena>; from tfulmer@dslextreme.com on Thu, Feb 14, 2002 at 05:25:59PM -0800
References: <000a01c1b5bf$b94b5ef0$f2dca8c0@athena>
On Thu, Feb 14, 2002 at 05:25:59PM -0800, Tim Fulmer wrote:
> Hi All,
>
> Having a bit of trouble with natd.
>
> Here's the setup :
>
> Internet
> |
> 66.Q.X.Y
> 192.168.A.1---->192.168.A.2
> 192.168.B.1
> +--->192.168.B.2
>
> I am browsing from 192.168.B.2.
>
> compiled a kernel with added options :
>
> options CPU_FASTER_5X86_FPU
> options NO_F00F_HACK
> options TCP_DROP_SYNFIN
> options IPFIREWALL
> options IPFIREWALL_FORWARD
> options IPFIREWALL_VERBOSE
> options IPFIREWALL_VERBOSE_LIMIT=100
> options IPDIVERT
>
> relevant rc.conf :
>
> gateway_enable="YES"
> ifconfig_rl0="inet 66.Q.X.Y netmask 255.255.255.0"
> ifconfig_rl0_alias0="inet 66.Q.X.Z netmask 255.255.255.255"
> firewall_enable="YES"
> firewall_type="OPEN"
> natd_enable="YES"
> natd_interface="rl0"
> natd_flags="-f /etc/natd.conf"
>
> and natd.conf :
>
> redirect_port tcp 192.168.A.2:80 80
>
> and am still getting the local apache installation when I point a browser at 66.Q.X.Y, though the connection sharing works fine from both internal nets. At some point in the future redirect_address may also be a good idea, but right now that is non-functional as well.
>
> Any suggestions would be greatly appreciated.

You are saying that the redirect does not work when you try to connect from the NAT'ed network? This is expected.

When you send the SYN to 66.Q.X.Y it goes to the gateway on the internal interface. It goes through your firewall rules and is either accepted or denied (you didn't show us the rules). If it is denied, story over. If it is accepted, the machine recognizes 66.Q.X.Y as its own address and processes the packet. And you are apparently running a webserver on this machine so it responds as expected. This is apparently not what you expect?

natd(8) is only passed packets from ipfw(8) via the 'divert' rule when the packets are crossing the rl0 interface. In this situation, the packets never cross rl0, never go to natd(8), and translation will never occur.

-- 
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
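The packet path the reply describes, as an added illustration that is not part of the thread: a small model of the rc.firewall OPEN ruleset with natd enabled ("divert natd ... via rl0") and the poster's redirect_port entry. The internal interface name "int0" and the external client address are assumptions; the other addresses are the thread's own placeholders.

```python
# Added model of the ipfw/natd packet path from the thread (not FreeBSD code).
# Assumption: internal interface is called "int0"; 203.0.113.5 is a made-up client.
from dataclasses import dataclass

GATEWAY_PUBLIC = "66.Q.X.Y"          # address configured on rl0, owned by the gateway
NATD_INTERFACE = "rl0"               # natd_interface from rc.conf
INTERNAL_IFACE = "int0"              # assumed name of the internal interface
# Addresses the gateway treats as its own (rc.conf plus the two internal gateways)
LOCAL_ADDRS = {GATEWAY_PUBLIC, "66.Q.X.Z", "192.168.A.1", "192.168.B.1"}
# natd.conf: redirect_port tcp 192.168.A.2:80 80
REDIRECT_PORT = {("tcp", 80): ("192.168.A.2", 80)}

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int
    iface: str   # interface the packet is crossing when ipfw sees it

def natd_sees(pkt):
    """rc.firewall OPEN with natd_enable adds 'divert natd ... via rl0':
    only packets crossing the natd_interface are handed to natd(8)."""
    return pkt.iface == NATD_INTERFACE

def natd_translate(pkt):
    """Apply the redirect_port entry to an inbound packet for the public address."""
    target = REDIRECT_PORT.get((pkt.proto, pkt.dport))
    if target and pkt.dst == GATEWAY_PUBLIC:
        return Packet(pkt.proto, pkt.src, target[0], target[1], pkt.iface)
    return pkt

def deliver(pkt):
    """Return (how the packet was handled, host that finally receives it),
    assuming the firewall accepts it, as firewall_type="OPEN" does."""
    if natd_sees(pkt):
        pkt = natd_translate(pkt)
        return "natd", pkt.dst
    # Never crossed rl0: the gateway recognises its own address and takes
    # the packet itself, so the local Apache answers.
    if pkt.dst in LOCAL_ADDRS:
        return "no-natd", "gateway itself"
    return "no-natd", pkt.dst

# Internet client hitting the public address: arrives via rl0, gets redirected.
from_internet = Packet("tcp", "203.0.113.5", GATEWAY_PUBLIC, 80, NATD_INTERFACE)
# The poster's test from 192.168.B.2: arrives on the internal side, never touches rl0.
from_inside = Packet("tcp", "192.168.B.2", GATEWAY_PUBLIC, 80, INTERNAL_IFACE)
```

Calling deliver() on the two packets shows why only the connection from the Internet reaches 192.168.A.2.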