Date: Mon, 28 Dec 1998 18:35:23 -0500 (EST)
From: austin wood
To: freebsd-net@FreeBSD.ORG
Subject: NATD

I have been experiencing a problem with natd in which connections get cut off right after establishment. I have my freebsd machine dialed up to my ISP using pppd, and it acts as a gateway for the rest of my computers. This setup usually works except on certain http sites. With all other protocols I have not experienced any problems. The problem is that when I use netscape on another machine, I get stuck on "Waiting for reply..."

At first I thought it was a hardware problem with the 3COM 509b because it was happening in OpenBSD's ipnat as well, or maybe the programs are extremely similar. However, this theory proved wrong when I tested it with an Intel EtherExpress Pro. This happens on all of the computers except the main freebsd server.

Here is a list of sites that have the problem: URLs with no descriptions are stuck on "Waiting for reply..."
http://www.mobis.com/
http://www.linuxhelp.org/ (can load everything except graphics)
http://www.luke.net/
http://www.download.com/ (can read first 700 bytes)
http://www.filez.com/
http://www.intel.com/ (gets stuck on transferring data)
http://www.insecure.org/
http://www.futurestep.com/
http://www.ajax.net/

Here are some configuration files to help:

/etc/rc.conf:

    firewall_enable="YES"
    firewall_type="NATD"
    firewall_quiet="NO"
    firewall_natd_interface="ppp0"
    tcp_extensions="YES"
    # NOTE:
    # If tcp extensions are set to NO, some ftp sites are affected.
    # Examples:
    # ftp://mirrors.rcn.com/
    # ftp://ftp.xfree86.org/
    network_interfaces="lo0 fxp0"
    ifconfig_lo0="inet 127.0.0.1"
    ifconfig_fxp0="inet 10.0.0.1 255.255.255.0"
    gateway_enable="YES"

/etc/rc.firewall:

    if [ "x$firewall_quiet" = "xYES" ]; then
        fwcmd="/sbin/ipfw -q"
    else
        fwcmd="/sbin/ipfw"
    fi

    if [ "${firewall_type}" = "natd" -o "${firewall_type}" = "NATD" ]; then
        $fwcmd -f flush
        $fwcmd add divert natd all from any to any via ${firewall_natd_interface}
        $fwcmd add pass all from any to any
    fi

/etc/services:

    natd 8668/divert

I run natd with "natd -interface ppp0".
Here is an example of a connection to http://www.futurestep.com:

    # natd -n ppp0 -v
    Out [TCP] 10.0.0.2:2287 -> 209.143.199.28:80 aliased to 207.96.19.192:2287 -> 209.143.199.28:80
    Out [UDP] 10.0.0.2 -> 207.172.3.16 aliased to 207.96.19.192 -> 207.172.3.16
    In [TCP] 209.143.199.28:80 -> 207.96.19.192:2287 aliased to 209.143.199.28:80 -> 10.0.0.2:2287
    In [UDP] 207.172.3.16 -> 207.96.19.192 aliased to 207.172.3.16 -> 10.0.0.2
    Out [TCP] 10.0.0.2:2291 -> 128.11.10.41:80 aliased to 207.96.19.192:2291 -> 128.11.10.41:80
    In [TCP] 128.11.10.41:80 -> 207.96.19.192:2291 aliased to 128.11.10.41:80 -> 10.0.0.2:2291
    Out [TCP] 10.0.0.2:2291 -> 128.11.10.41:80 aliased to 207.96.19.192:2291 -> 128.11.10.41:80
    Out [TCP] 10.0.0.2:2291 -> 128.11.10.41:80 aliased to 207.96.19.192:2291 -> 128.11.10.41:80
    In [TCP] 128.11.10.41:80 -> 207.96.19.192:2291 aliased to 128.11.10.41:80 -> 10.0.0.2:2291
    Out [TCP] 10.0.0.2:2291 -> 128.11.10.41:80 aliased to 207.96.19.192:2291 -> 128.11.10.41:80
    Out [TCP] 10.0.0.2:2289 -> 209.143.199.28:80 aliased to 207.96.19.192:2289 -> 209.143.199.28:80
    Out [TCP] 10.0.0.2:2295 -> 128.11.10.41:80 aliased to 207.96.19.192:2295 -> 128.11.10.41:80
    In [TCP] 128.11.10.41:80 -> 207.96.19.192:2291 aliased to 128.11.10.41:80 -> 10.0.0.2:2291
    Out [TCP] 10.0.0.2:2291 -> 128.11.10.41:80 aliased to 207.96.19.192:2291 -> 128.11.10.41:80
    In [TCP] 209.143.199.28:80 -> 207.96.19.192:2289 aliased to 209.143.199.28:80 -> 10.0.0.2:2289
    In [TCP] 128.11.10.41:80 -> 207.96.19.192:2291 aliased to 128.11.10.41:80 -> 10.0.0.2:2291
    Out [TCP] 10.0.0.2:2291 -> 128.11.10.41:80 aliased to 207.96.19.192:2291 -> 128.11.10.41:80
    In [TCP] 128.11.10.41:80 -> 207.96.19.192:2295 aliased to 128.11.10.41:80 -> 10.0.0.2:2295
    Out [TCP] 10.0.0.2:2295 -> 128.11.10.41:80 aliased to 207.96.19.192:2295 -> 128.11.10.41:80
    Out [TCP] 10.0.0.2:2295 -> 128.11.10.41:80 aliased to 207.96.19.192:2295 -> 128.11.10.41:80
    Out [TCP] 10.0.0.2:2291 -> 128.11.10.41:80 aliased to 207.96.19.192:2291 -> 128.11.10.41:80
    In [TCP] 128.11.10.41:80 -> 207.96.19.192:2291 aliased to 128.11.10.41:80 -> 10.0.0.2:2291
    Out [TCP] 10.0.0.2:2295 -> 128.11.10.41:80 aliased to 207.96.19.192:2295 -> 128.11.10.41:80
    In [TCP] 128.11.10.41:80 -> 207.96.19.192:2295 aliased to 128.11.10.41:80 -> 10.0.0.2:2295

Here is an example for http://www.download.com:

    # natd -n ppp0 -v
    Out [TCP] 10.0.0.2:2295 -> 128.11.10.41:80 aliased to 207.96.19.192:2295 -> 128.11.10.41:80
    Out [TCP] 10.0.0.2:2288 -> 209.143.199.28:80 aliased to 207.96.19.192:2288 -> 209.143.199.28:80
    In [TCP] 128.11.10.41:80 -> 207.96.19.192:2295 aliased to 128.11.10.41:80 -> 10.0.0.2:2295
    In [TCP] 209.143.199.28:80 -> 207.96.19.192:2288 aliased to 209.143.199.28:80 -> 10.0.0.2:2288
    Out [UDP] 10.0.0.2 -> 207.172.3.16 aliased to 207.96.19.192 -> 207.172.3.16
    In [UDP] 207.172.3.16 -> 207.96.19.192 aliased to 207.172.3.16 -> 10.0.0.2
    Out [TCP] 10.0.0.2:2296 -> 204.162.80.139:80 aliased to 207.96.19.192:2296 -> 204.162.80.139:80
    In [TCP] 204.162.80.139:80 -> 207.96.19.192:2296 aliased to 204.162.80.139:80 -> 10.0.0.2:2296
    Out [TCP] 10.0.0.2:2296 -> 204.162.80.139:80 aliased to 207.96.19.192:2296 -> 204.162.80.139:80
    Out [TCP] 10.0.0.2:2296 -> 204.162.80.139:80 aliased to 207.96.19.192:2296 -> 204.162.80.139:80
    In [TCP] 204.162.80.139:80 -> 207.96.19.192:2296 aliased to 204.162.80.139:80 -> 10.0.0.2:2296
    Out [TCP] 10.0.0.2:2296 -> 204.162.80.139:80 aliased to 207.96.19.192:2296 -> 204.162.80.139:80
    In [TCP] 204.162.80.139:80 -> 207.96.19.192:2296 aliased to 204.162.80.139:80 -> 10.0.0.2:2296
    Out [TCP] 10.0.0.2:2296 -> 204.162.80.139:80 aliased to 207.96.19.192:2296 -> 204.162.80.139:80
    In [TCP] 204.162.80.139:80 -> 207.96.19.192:2296 aliased to 204.162.80.139:80 -> 10.0.0.2:2296
    Out [TCP] 10.0.0.2:2296 -> 204.162.80.139:80 aliased to 207.96.19.192:2296 -> 204.162.80.139:80
    Out [TCP] 10.0.0.2:2297 -> 204.162.80.139:80 aliased to 207.96.19.192:2297 -> 204.162.80.139:80
    In [TCP] 204.162.80.139:80 -> 207.96.19.192:2297 aliased to 204.162.80.139:80 -> 10.0.0.2:2297
    Out [TCP] 10.0.0.2:2297 -> 204.162.80.139:80 aliased to 207.96.19.192:2297 -> 204.162.80.139:80
    Out [TCP] 10.0.0.2:2297 -> 204.162.80.139:80 aliased to 207.96.19.192:2297 -> 204.162.80.139:80
    Out [TCP] 10.0.0.2:2297 -> 204.162.80.139:80 aliased to 207.96.19.192:2297 -> 204.162.80.139:80
    In [TCP] 204.162.80.139:80 -> 207.96.19.192:2297 aliased to 204.162.80.139:80 -> 10.0.0.2:2297
    Out [TCP] 10.0.0.2:2297 -> 204.162.80.139:80 aliased to 207.96.19.192:2297 -> 204.162.80.139:80
    In [TCP] 204.162.80.139:80 -> 207.96.19.192:2297 aliased to 204.162.80.139:80 -> 10.0.0.2:2297
    Out [TCP] 10.0.0.2:2297 -> 204.162.80.139:80 aliased to 207.96.19.192:2297 -> 204.162.80.139:80
    In [TCP] 204.162.80.139:80 -> 207.96.19.192:2297 aliased to 204.162.80.139:80 -> 10.0.0.2:2297

Here is an example of a connection to ftp://mirrors.rcn.com with tcp extensions OFF:

    # natd -n ppp0 -v
    Out [UDP] 10.0.0.2 -> 207.172.3.16 aliased to 207.96.19.192 -> 207.172.3.16
    In [UDP] 207.172.3.16 -> 207.96.19.192 aliased to 207.172.3.16 -> 10.0.0.2
    Out [TCP] 10.0.0.2:2298 -> 207.172.2.11:21 aliased to 207.96.19.192:2298 -> 207.172.2.11:21
    In [TCP] 207.172.2.11:21 -> 207.96.19.192:2298 aliased to 207.172.2.11:21 -> 10.0.0.2:2298
    Out [TCP] 10.0.0.2:2298 -> 207.172.2.11:21 aliased to 207.96.19.192:2298 -> 207.172.2.11:21
    In [TCP] 207.172.2.11:21 -> 207.96.19.192:2298 aliased to 207.172.2.11:21 -> 10.0.0.2:2298
    Out [TCP] 10.0.0.2:2298 -> 207.172.2.11:21 aliased to 207.96.19.192:2298 -> 207.172.2.11:21
    Out [TCP] 10.0.0.2:2298 -> 207.172.2.11:21 aliased to 207.96.19.192:2298 -> 207.172.2.11:21
    In [TCP] 207.172.2.11:21 -> 207.96.19.192:2298 aliased to 207.172.2.11:21 -> 10.0.0.2:2298
    Out [TCP] 10.0.0.2:2298 -> 207.172.2.11:21 aliased to 207.96.19.192:2298 -> 207.172.2.11:21
    Out [TCP] 10.0.0.2:2298 -> 207.172.2.11:21 aliased to 207.96.19.192:2298 -> 207.172.2.11:21
    In [TCP] 207.172.2.11:21 -> 207.96.19.192:2298 aliased to 207.172.2.11:21 -> 10.0.0.2:2298
    Out [TCP] 10.0.0.2:2298 -> 207.172.2.11:21 aliased to 207.96.19.192:2298 -> 207.172.2.11:21

Thanks in advance,
Austin Wood