From: "Scot" <scotrn@cox.net>
To: "FreeBSD Stable" <freebsd-stable@freebsd.org>
Date: Tue, 25 Mar 2003 20:33:12 -0500
Subject: RE: Natd stops working on Firewall
In-Reply-To: <20030325092007.GB73657@sunbay.com>

Thanks Ruslan; I'll give it a try right now. Just want to send this out before I switch firewalls, assuming I might be down for an hour or so tweaking. oip and iip are static variables in rc.firewall, but under DHCP oip is a moving target.
Is there a recommended way to pass these to rc.firewall so a re-edit is not needed?

Thanks Again
Scot

-----Original Message-----
From: Ruslan Ermilov [mailto:ru@FreeBSD.ORG]
Sent: Tuesday, March 25, 2003 4:20 AM
To: Scot
Cc: FreeBSD Stable; ipfw@FreeBSD.ORG
Subject: Re: Natd stops working on Firewall

On Mon, Mar 24, 2003 at 09:52:32PM -0500, Scot wrote:
> Hi;
>
> Just set up my FreeBSD 4.7 firewall using the docs
> outlined in the handbook.
>
What docs have you used to set up the firewall?

> The install went on and
> everything seems to be working fine, then boom.
> The system seems to stop routing traffic. No
> messages in the security log or natd log as to why.
>
> I made sure it was logging by nmapping my box from the
> outside. I even ran natd in the foreground and it still didn't
> tell me what was going on.
>
> There is nothing in any logfile that tells me why this thing
> just stops working, so I'm thinking it may not be a daemon but
> something in the kernel.
>
> I cannot ping the interface from the internal network, but tcpdump shows
> the packets being received. (Hub network, firewall_type=SIMPLE.)
>
> If I log on to the console, the cable modem connection is still functioning
> and I can surf from the firewall.
>
> Any ideas on where to look next?
>
>
> Cable modem using dhcp -> 192.168 home network on
> PPro w/280 MB ram.
> Intel Pro 10/100b/100+ Ethernet. This card is a PCI card with 2 interfaces.
> Standard Xuser install + Kernel sources.
>
I've been through this just recently. Our "simple" prototype is not production ready; if you just tune oip/iip/onet/inet, etc., it won't allow your internal machines to talk outside.
The packet flow for a machine in ${inet}:${imask} talking outside is as follows:

${inet}:${imask} -> some_host      (in via ${iif})
${oip} -> some_host                (out via ${oif}) (after NAT)
some_host -> ${inet}:${imask}      (in via ${oif})  (after de-NAT)
some_host -> ${inet}:${imask}      (out via ${iif})

(This assumes that you NAT using ${oip}, which is not always the case.)

So, to make it work (if default is to "deny"), you need to add the following rules at the end of the ruleset:

${fwcmd} add pass all from ${inet}:${imask} to any in via ${iif}
${fwcmd} add pass ip from ${oip} to any out via ${oif}
${fwcmd} add pass ip from any to ${inet}:${imask}

Cheers,
--
Ruslan Ermilov		Sysadmin and DBA,
ru@sunbay.com		Sunbay Software AG,
ru@FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine

http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age
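The two halves of this thread fit together: Ruslan's three rules assume ${oip} is known, and Scot's question is how to know it when DHCP keeps changing it. The script below is an added example, not code from the thread and not FreeBSD's own rc.firewall. It assumes BSD-style ifconfig output ("inet A.B.C.D netmask ...") and the variable names fwcmd, oif, iif, inet and imask as rc.firewall uses them; the ifconfig text and the 203.0.113.5 / 192.168.1.0 addresses are constructed samples so the script runs offline. It reads the outside address from the interface at the moment the rules are loaded, and it refuses to emit rules when that address is empty, which is what happens if the rules are loaded before a lease is up.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD's rc.firewall.
# Derives the DHCP-assigned outside address when the rules are loaded and
# emits the three pass rules from Ruslan's reply, so ${oip} never has to
# be hard-coded into rc.firewall.
# Assumed: BSD ifconfig output ("inet A.B.C.D netmask ...") and the
# variable names fwcmd/oif/iif/inet/imask as used by rc.firewall.

# First IPv4 address in an ifconfig block.  The ifconfig text is passed
# in as $1 rather than read from the live interface so the function can
# be exercised offline against a constructed sample.
extract_inet() {
    printf '%s\n' "$1" | awk '/[[:space:]]inet / { print $2; exit }'
}

# The three rules matching the NAT packet flow:
#   inside net -> anywhere, in via ${iif}
#   ${oip}     -> anywhere, out via ${oif}   (after natd rewrote the source)
#   anywhere   -> inside net                 (reply, after de-NAT)
# $1=fwcmd $2=oip $3=oif $4=iif $5=inet $6=imask
# Refuses an empty ${oip} (no DHCP lease up yet) so the failure is loud
# instead of handing ipfw a rule with a blank address.
nat_pass_rules() {
    if [ -z "$2" ]; then
        echo "nat_pass_rules: outside address is empty (no DHCP lease yet?)" >&2
        return 1
    fi
    printf '%s add pass all from %s:%s to any in via %s\n' "$1" "$5" "$6" "$4"
    printf '%s add pass ip from %s to any out via %s\n'     "$1" "$2" "$3"
    printf '%s add pass ip from any to %s:%s\n'             "$1" "$5" "$6"
}

# Constructed ifconfig sample (documentation address range).  Real output
# indents with a tab; [[:space:]] above matches either.
SAMPLE_IFCONFIG='fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 203.0.113.5 netmask 0xffffff00 broadcast 203.0.113.255
        ether 00:00:5e:00:53:01
        media: Ethernet autoselect (100baseTX <full-duplex>)'

# On the firewall itself this would read the live interface:
#   oip=$(extract_inet "$(ifconfig "$oif")")
# Here the constructed sample stands in for it.
demo() {
    oip=$(extract_inet "$SAMPLE_IFCONFIG")
    nat_pass_rules ipfw "$oip" fxp0 fxp1 192.168.1.0 255.255.255.0
}
```

Sourcing this from rc.firewall (or calling it from a DHCP hook that reloads the rules) keeps the outside address in step with the lease without editing the file. The empty-address check matters in practice: a rule written with a blank ${oip} is either rejected, leaving the outside path closed, or silently wrong, and neither shows up in the natd log, which is exactly the kind of "nothing in any logfile" symptom described above. The second rule binds the NATed traffic to one address on purpose; a broader match would also pass traffic that was never rewritten by natd.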