Date: Fri, 4 Mar 2005 19:08:59 -0500
From: Ean Kingston
To: "Florian Hengstberger"
cc: FreeBSD mailinglist
Subject: Re: natd, ipfw problem
List-Id: User questions (freebsd-questions@freebsd.org)

It's been a while but I'll see if I can help out.

On Friday, March 4, 2005, at 06:52 PM, Florian Hengstberger wrote:

> Hi!
> Tell me if I should post this elsewhere.
> Given two network cards sis0 (external) and vr0 (internal) I'm trying
> to give my girlfriend access to the web. Her ip is 192.168.0.2,
> I've installed natd, a proper kernel and configured my firewall,
> but so far only pings from her computer to the web work.
> I guess there's something wrong with my firewall, because only
> with the two standard entries (divert and allow all) everything
> is fine. But now after hours of googling I can't find anything
> which is wrong in my firewall.
>
> the /etc/natd.conf:
>
> interface sis0
> use_sockets yes
> same_ports yes
> redirect_port udp 192.168.0.2:53 53
> redirect_port tcp 192.168.0.2:53 53
> redirect_port tcp 192.168.0.2:80 80
> redirect_port tcp 192.168.0.2:443 443
> redirect_port udp 192.168.0.2:123 123
> redirect_port tcp 192.168.0.2:123 123

Unless you want her to run her own dns, web, and mail I don't think you
need any of the redirect_port directives.

Double-check to make sure that:
- your firewall has routing enabled
- her computer has the proper gateway and dns servers set up

> my firewall:
>
> add 00401 divert natd all from any to any via sis0
> add 00402 allow ip from any to any via vr0
>
> ### TCP ###
> add 00501 check-state
> add 00502 deny tcp from any to any in established
> add 00503 allow tcp from any to any out setup keep-state
> # allow dns queries, dns-port=53
> add 00601 allow udp from any to any 53 keep-state via sis0
> # allow ntp queries, ntp-port=123
> add 00603 allow udp from any to any 123 keep-state via sis0
> # allow all outgoing udp traffic
> add 00621 allow udp from any to any out via sis0
>
> ### ICMP ###
> # allow outgoing pings and the reply
> add 00701 allow icmp from any to any out icmptypes 8
> add 00702 allow icmp from any to any in icmptypes 0
> # deny and log incoming pings from the outside
> add 00703 deny log icmp from any to any in icmptypes 8 via sis0
>
> ### SAMBA ###
> # allow netbios services to local net, but log everything for debugging purposes
> add 00801 allow log tcp from any to any 137-139 via vr0
> add 00802 allow log udp from any to any 137-139 via vr0
>
> Thanks a lot
> Florian
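The following is an added example, not code from this thread or from FreeBSD: a toy Python model of ipfw rule evaluation with a natd divert hook, run over the TCP, UDP and ICMP rules Florian posted (the Samba rules are left out because none of the traced packets reach them). It rests on three assumptions about ipfw of that era: a packet natd reinjects resumes at the rule after the divert rule, keep-state records the 5-tuple exactly as the packet looks when the rule fires, and check-state matches a dynamic entry in either direction. The addresses and ports are constructed. Under those assumptions the model shows why a stateless ping rule pair passes while a keep-state TCP connection does not: the dynamic entry holds the post-NAT tuple, the reply is de-translated before check-state sees it, and the mismatch leaves rule 502 to drop the SYN-ACK.

```python
"""Toy model of ipfw rule evaluation with a natd divert hook (added example).

Assumptions (not verified against any ipfw source):
  * a packet reinjected by natd resumes at the rule after the divert rule
  * keep-state records the 5-tuple as seen when the rule fires
  * check-state matches a dynamic entry in either direction
All addresses below are constructed documentation-range values.
"""
from dataclasses import dataclass, replace

EXT_IF, INT_IF = "sis0", "vr0"
EXT_IP, INT_HOST, WEB = "203.0.113.10", "192.168.0.2", "198.51.100.80"


@dataclass(frozen=True)
class Pkt:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    sport: int          # for icmp: the echo identifier
    dst: str
    dport: int          # for icmp: the echo identifier again
    iface: str          # interface the packet is crossing
    direction: str      # "in" or "out" relative to the firewall host
    flags: str = ""     # tcp only: "S" = SYN only (setup), "A" = ACK set (established)
    icmp_type: int = -1


class Firewall:
    def __init__(self):
        self.dynamic = set()   # keep-state entries: (proto, src, sport, dst, dport)
        self.nat = {}          # natd table: (external ip, port) -> internal ip

    def natd(self, p):
        """Translate a packet crossing the external interface (same_ports yes)."""
        if p.direction == "out":
            self.nat[(EXT_IP, p.sport)] = p.src
            return replace(p, src=EXT_IP)
        inside = self.nat.get((p.dst, p.dport))
        return replace(p, dst=inside) if inside else p

    def _state_hit(self, p):
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        return fwd in self.dynamic or rev in self.dynamic

    def rules(self):
        """The posted ruleset as (number, action, match) triples."""
        ext = lambda p: p.iface == EXT_IF
        return [
            (401, "divert", ext),
            (402, "allow", lambda p: p.iface == INT_IF),
            (501, "check-state", lambda p: True),
            (502, "deny", lambda p: p.proto == "tcp" and p.direction == "in" and "A" in p.flags),
            (503, "allow+state", lambda p: p.proto == "tcp" and p.direction == "out" and p.flags == "S"),
            (601, "allow+state", lambda p: p.proto == "udp" and p.dport == 53 and ext(p)),
            (603, "allow+state", lambda p: p.proto == "udp" and p.dport == 123 and ext(p)),
            (621, "allow", lambda p: p.proto == "udp" and p.direction == "out" and ext(p)),
            (701, "allow", lambda p: p.proto == "icmp" and p.direction == "out" and p.icmp_type == 8),
            (702, "allow", lambda p: p.proto == "icmp" and p.direction == "in" and p.icmp_type == 0),
            (703, "deny", lambda p: p.proto == "icmp" and p.direction == "in" and p.icmp_type == 8 and ext(p)),
            (65535, "deny", lambda p: True),   # default rule of a kernel built without open firewall
        ]

    def evaluate(self, p):
        """Return (verdict, rule number) for one packet crossing one interface."""
        for num, action, match in self.rules():
            if not match(p):
                continue
            if action == "divert":
                p = self.natd(p)            # reinjected at the next rule
                continue
            if action == "check-state":
                if self._state_hit(p):
                    return "allow", num
                continue
            if action == "allow+state":
                self.dynamic.add((p.proto, p.src, p.sport, p.dst, p.dport))
                return "allow", num
            return action, num


def trace_tcp():
    """Her SYN to a web server, then the SYN-ACK coming back through natd."""
    fw = Firewall()
    syn = Pkt("tcp", INT_HOST, 40000, WEB, 80, INT_IF, "in", "S")
    inner = fw.evaluate(syn)                                          # inbound leg on vr0
    outer = fw.evaluate(replace(syn, iface=EXT_IF, direction="out"))  # outbound leg on sis0
    synack = Pkt("tcp", WEB, 80, EXT_IP, 40000, EXT_IF, "in", "A")
    reply = fw.evaluate(synack)
    return {"syn_internal": inner, "syn_external": outer,
            "reply": reply, "state": sorted(fw.dynamic)}


def trace_icmp():
    """Her echo request and the echo reply; rules 701/702 are stateless."""
    fw = Firewall()
    fw.evaluate(Pkt("icmp", INT_HOST, 1234, WEB, 1234, INT_IF, "in", icmp_type=8))
    fw.evaluate(Pkt("icmp", INT_HOST, 1234, WEB, 1234, EXT_IF, "out", icmp_type=8))
    return fw.evaluate(Pkt("icmp", WEB, 1234, EXT_IP, 1234, EXT_IF, "in", icmp_type=0))


if __name__ == "__main__":
    print(trace_tcp())   # reply is ('deny', 502); state holds the NATed tuple
    print(trace_icmp())  # ('allow', 702)
```

The useful check here is the `state` entry returned by `trace_tcp()`: it carries the external address 203.0.113.10 while the de-translated SYN-ACK carries 192.168.0.2, so check-state cannot pair them. The same mismatch applies to the keep-state UDP rules 601 and 603, which is consistent with a host on which only ping succeeds.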