Date:      Wed, 29 Jan 2003 01:25:56 -0800 (PST)
From:      Doug Barton <DougB@FreeBSD.org>
To:        freebsd-stable@FreeBSD.org
Subject:   ipfw/natd problem with tonight's releng_4
Message-ID:  <20030129010515.C1559@12-234-22-23.pyvrag.nggov.pbz>

I'm not ready to push the big red button yet, but I definitely had a
problem with natd tonight on my -stable firewall box. I've had ipfw and
natd running on this box for years... so I'm sure it's not my
configuration. My last set of sources was from November 10. I did recently
change from having ipfw in the kernel config to loading it in a module
(since I'm currently experimenting with ipfilter too). However, the Nov.
10 sources worked fine with ipfw loaded as a module. I had to twiddle
/sys/modules/ipfw/Makefile first to add the divert stuff, etc:

more /sys/modules/ipfw/Makefile
# $FreeBSD: src/sys/modules/ipfw/Makefile,v 1.11 1999/08/28 00:47:21 peter Exp $

.PATH:  ${.CURDIR}/../../netinet
KMOD=   ipfw
SRCS=   ip_fw.c
NOMAN=
CFLAGS+= -DIPFIREWALL
#
#If you want it verbose
CFLAGS+= -DIPFIREWALL_VERBOSE
CFLAGS+= -DIPFIREWALL_VERBOSE_LIMIT=10000
#
#If you want it to pass all packets by default
CFLAGS+= -DIPFIREWALL_DEFAULT_TO_ACCEPT -DIPFIREWALL_FORWARD -DIPDIVERT
#

.include <bsd.kmod.mk>

I'm sure that this is ok, since when I kldload this module, I get the
following:

/kernel: IP packet filtering initialized, divert enabled, rule-based
forwarding enabled, default to accept, logging limited to 10000
packets/entry by default

All of my other rules work, and natd starts without errors. However, as
soon as I load the natd rule in ipfw, no packets can leave the box.

The good news is that ipnat works just fine, so at least I'm functional.
But I thought that the ipfw folks would want to know about this....
hopefully one of the recent updates to ipfw will suggest itself as a
candidate for this problem.

Doug

-- 

    If it's moving, encrypt it. If it's not moving, encrypt
      it till it moves, then encrypt it some more.
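As an added illustration (not part of Doug's post), the following script cross-checks the module Makefile's -D options against the "IP packet filtering initialized" line the kernel prints on kldload, so a missing IPDIVERT or IPFIREWALL_FORWARD define, or a kernel message that does not confirm one, is caught before a natd divert rule is loaded. The Makefile text and kernel message are constructed copies of what the post quotes; the mapping of defines to phrases is an assumption drawn from that same message.

```python
import re

# Constructed copy of the ipfw module Makefile quoted in the post (not read from disk).
MAKEFILE = """\
.PATH:  ${.CURDIR}/../../netinet
KMOD=   ipfw
SRCS=   ip_fw.c
NOMAN=
CFLAGS+= -DIPFIREWALL
#If you want it verbose
CFLAGS+= -DIPFIREWALL_VERBOSE
CFLAGS+= -DIPFIREWALL_VERBOSE_LIMIT=10000
CFLAGS+= -DIPFIREWALL_DEFAULT_TO_ACCEPT -DIPFIREWALL_FORWARD -DIPDIVERT
.include <bsd.kmod.mk>
"""

# Kernel message from the post, rejoined onto one line.
KERNEL_MSG = ("IP packet filtering initialized, divert enabled, rule-based "
              "forwarding enabled, default to accept, logging limited to 10000 "
              "packets/entry by default")

# Assumed mapping: which -D option should show up as which phrase in the init message.
EXPECTED = {
    "IPDIVERT": "divert enabled",
    "IPFIREWALL_FORWARD": "rule-based forwarding enabled",
    "IPFIREWALL_DEFAULT_TO_ACCEPT": "default to accept",
}

def parse_defines(makefile_text):
    """Collect -DNAME[=VALUE] from every CFLAGS+= line, ignoring '#' comments."""
    defines = {}
    for line in makefile_text.splitlines():
        line = line.split("#", 1)[0]
        m = re.match(r"\s*CFLAGS\s*\+=\s*(.*)", line)
        if not m:
            continue
        for tok in m.group(1).split():
            if tok.startswith("-D"):
                name, _, value = tok[2:].partition("=")
                defines[name] = value or None
    return defines

def check_module(makefile_text, kernel_msg):
    """Return (defines missing from the Makefile, defines the kernel message did not confirm)."""
    defines = parse_defines(makefile_text)
    missing = [d for d in EXPECTED if d not in defines]
    unconfirmed = [d for d, phrase in EXPECTED.items()
                   if d in defines and phrase not in kernel_msg]
    limit = defines.get("IPFIREWALL_VERBOSE_LIMIT")
    if limit and f"logging limited to {limit} packets" not in kernel_msg:
        unconfirmed.append("IPFIREWALL_VERBOSE_LIMIT")
    return missing, unconfirmed
```

With the post's Makefile and kernel line both lists come back empty, which is consistent with Doug's conclusion that the module build itself is fine and the fault lies elsewhere.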
