From owner-freebsd-questions Mon Apr 3 8:15:40 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from cc942873-a.ewndsr1.nj.home.com (cc942873-a.ewndsr1.nj.home.com [24.2.89.207]) by hub.freebsd.org (Postfix) with ESMTP id 6CFAC37BF08 for ; Mon, 3 Apr 2000 08:15:34 -0700 (PDT) (envelope-from cjc@cc942873-a.ewndsr1.nj.home.com)
Received: (from cjc@localhost) by cc942873-a.ewndsr1.nj.home.com (8.9.3/8.9.3) id LAA34948; Mon, 3 Apr 2000 11:11:04 -0400 (EDT) (envelope-from cjc)
Date: Mon, 3 Apr 2000 11:11:03 -0400
From: "Crist J. Clark"
To: Brendan Kosowski
Cc: cjclark@home.com, FreeBSD Questions
Subject: Re: natd problem
Message-ID: <20000403111103.A34901@cc942873-a.ewndsr1.nj.home.com>
Reply-To: cjclark@home.com
References: <20000402224237.B33106@cc942873-a.ewndsr1.nj.home.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: ; from brendan@bmk.com.au on Mon, Apr 03, 2000 at 03:09:05PM +1000
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Mon, Apr 03, 2000 at 03:09:05PM +1000, Brendan Kosowski wrote:
> On Sun, 2 Apr 2000, Crist J. Clark wrote:
> > On Mon, Apr 03, 2000 at 11:11:58AM +1000, Brendan Kosowski wrote:
> > >
> > > I am running a NAT using natd and the standard OPEN firewall setting.
> > >
> > > The NAT has 2 ethernet cards, one to a PUBLIC ETHERNET and the other to
> > > our LOCAL ETHERNET (192.168.etc...)
> > >
> > > The natd has been set up with the "-redirect_port" option so that a certain
> > > port on the NAT PUBLIC INTERFACE gets redirected to a server on our LOCAL
> > > ETHERNET, therefore giving our server a PUBLIC ADDRESS/PORT.
> > >
> > > The problem occurs when a P.C. on the LOCAL ETHERNET tries to access the
> > > SERVER on the LOCAL ETHERNET by way of its PUBLIC ADDRESS/PORT. The NAT
> > > seems to deny packets.
> > >
> > > It is absolutely necessary that I can get natd to do this. Accessing the
> > > SERVER via its local address is an unacceptable solution.
> > >
> > > Can ANYONE help ???
> >
> > YES, we PROBABLY can, but first TELL me why you LIKE to CAPITALIZE
> > every OTHER word?
> >
> > Why do you say that the NAT server seems to deny the packets? Could we
> > see the ifconfig(8) for the interfaces, the natd(8) command line and
> > config file (if it exists), and your firewall rules (`ipfw show`)?
> > --
> > Crist J. Clark                           cjclark@home.com
>
> I have used CAPITALS to emphasize important information like SERVERS,
> INTERFACES, ADDRESSES and PORTS. Sorry if this appears arrogant or is
> difficult to read.
>
> I am reluctant to give information containing IP addresses as we have
> found that giving too much info to mailing lists can result in hacker
> attacks later. I will do my best to give you as much info as possible.

Understandable.

> NAT interfaces:
>
> ed1 connects to our Public Ethernet.
> ed2 (192.168.5.5) connects to our Local Ethernet (192.168.5.0/24)
>
> Firewall rules follow:
>
> divert 8668 ip from any to any via ed1
> allow ip from any to any via lo0
> deny ip from any to 127.0.0.0/8
> allow ip from any to any
> deny ip from any to any
>
> Natd command line follows:
>
> natd -n ed1 -redirect_port tcp 192.168.5.253:80 80
>
> There is no natd config file with extra options.
>
> As can be seen, our web server (192.168.5.253) is behind the NAT on the
> local network.
>
> I suspect that the NAT is denying packets for the following reasons:
>
> a.) P.C.'s on the Internet can access our Web Server via port 80 on the
> NAT public interface (ed1).
>
> b.) P.C.'s on our local network can access the Internet.
>
> c.) P.C.'s on our local network can not access the Web Server via port 80
> on the NAT public interface (ed1).
>
> Reason c.) above is the problem.
>
> Hope that makes it clearer.

I think the problem is that the packets never find their way to natd,
not that natd is denying them.

A packet comes in on ed2 destined for public_ip:80. The TCP/IP stack
immediately recognizes that this packet is bound for this machine, and
the packet will not get sent through ed1. Thus, it never gets to natd
and never gets redirected.

A not particularly pretty workaround (but I think it will do it without
breaking anything) is to add a rule,

    divert natd ip from 192.168.5.0/24 to public_ip 80 via ed2

There might be more proper and elegant ways to do this. Maybe another
-questions reader knows of such a method.
--
Crist J. Clark                           cjclark@home.com
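The following is an added example and not part of the mailing-list thread: a small model of ipfw's first-match rule walk (including the `via IFACE` test and the resume-after-divert behaviour) and of what `natd -n ed1 -redirect_port tcp 192.168.5.253:80 80` does to a packet. It is meant to make the reasoning in the reply concrete: under the ruleset Brendan posted, a LAN client's packet to public_ip:80 arrives on ed2, matches nothing but the catch-all allow, and is delivered to the NAT host itself, so natd never sees it; with the extra `via ed2` divert rule in front of the catch-all, the destination is rewritten to the web server. The public address 203.0.113.10 (an RFC 5737 documentation address), the client addresses, and the set of addresses the NAT box treats as local are assumptions; the thread withholds the real public IP.

```python
"""Model of ipfw first-match evaluation plus natd -redirect_port, written to
illustrate the hairpin-NAT problem from the thread.  Not FreeBSD code."""
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# Addresses from the thread; PUBLIC_IP is an assumed RFC 5737 address
# standing in for the real (withheld) address on ed1.
PUBLIC_IP = "203.0.113.10"
NAT_LAN_IP = "192.168.5.5"       # ed2
WEB_SERVER = "192.168.5.253"     # target of -redirect_port
LAN = "192.168.5.0/24"
NAT_LOCAL_IPS = {PUBLIC_IP, NAT_LAN_IP, "127.0.0.1"}   # assumed local addresses


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    iface: str          # the interface this packet is crossing right now


@dataclass(frozen=True)
class Rule:
    action: str                     # "divert" | "allow" | "deny"
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None
    via: Optional[str] = None       # ipfw "via IFACE": in or out on that interface

    def matches(self, pkt: Packet) -> bool:
        def in_spec(addr: str, spec: str) -> bool:
            if spec == "any":
                return True
            return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)
        return (in_spec(pkt.src, self.src) and in_spec(pkt.dst, self.dst)
                and (self.dport is None or self.dport == pkt.dport)
                and (self.via is None or self.via == pkt.iface))


def natd(pkt: Packet) -> Packet:
    """Model of `natd -n ed1 -redirect_port tcp 192.168.5.253:80 80`:
    anything addressed to public_ip:80 has its destination rewritten."""
    if pkt.dst == PUBLIC_IP and pkt.dport == 80:
        return replace(pkt, dst=WEB_SERVER)
    return pkt


def run_ipfw(rules: List[Rule], pkt: Packet) -> Tuple[str, Packet]:
    """Walk the ruleset once for one interface crossing.  A divert hands the
    packet to natd and evaluation resumes at the next rule, as ipfw does."""
    for rule in rules:
        if not rule.matches(pkt):
            continue
        if rule.action == "divert":
            pkt = natd(pkt)
            continue
        return rule.action, pkt
    return "deny", pkt          # modelled default policy


def outcome(rules: List[Rule], pkt: Packet) -> Tuple[str, str, str]:
    """Return (verdict, final destination, where the stack sends it).

    A packet whose destination is one of the NAT host's own addresses is
    delivered locally after this single pass and never makes a second pass
    over ed1, which is why a `via ed1` divert never sees it."""
    verdict, out = run_ipfw(rules, pkt)
    if verdict != "allow":
        return verdict, out.dst, "dropped"
    return verdict, out.dst, "local" if out.dst in NAT_LOCAL_IPS else "forward"


# The ruleset Brendan posted, in order.
ORIGINAL_RULES = [
    Rule("divert", via="ed1"),
    Rule("allow", via="lo0"),
    Rule("deny", dst="127.0.0.0/8"),
    Rule("allow"),
    Rule("deny"),
]

# Crist's workaround, placed ahead of the catch-all allow so it can match.
HAIRPIN_RULE = Rule("divert", src=LAN, dst=PUBLIC_IP, dport=80, via="ed2")
FIXED_RULES = [ORIGINAL_RULES[0], HAIRPIN_RULE] + ORIGINAL_RULES[1:]

# Constructed packets: one from the Internet arriving on ed1, one from a LAN
# host arriving on ed2, both aimed at the public address and port 80.
INTERNET_CLIENT = Packet("198.51.100.7", PUBLIC_IP, 80, iface="ed1")
LAN_CLIENT = Packet("192.168.5.10", PUBLIC_IP, 80, iface="ed2")

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL_RULES), ("with hairpin rule", FIXED_RULES)):
        print(f"{name:18} internet client -> {outcome(rules, INTERNET_CLIENT)}")
        print(f"{name:18} LAN client      -> {outcome(rules, LAN_CLIENT)}")
```

Two things the model leaves out that a practitioner should check before relying on the extra divert rule. First, it only covers the request direction: the web server and the LAN client sit on the same subnet, so the server's reply goes straight to the client with source 192.168.5.253:80, while the client is waiting on a connection to 203.0.113.10:80 and will reject that reply. A working hairpin therefore also has to pull the reply back through natd (for instance by translating the client's source address to the NAT host's LAN address as well) or avoid the problem altogether by having LAN clients resolve the server's name to its private address. Second, the new divert rule is scoped to `from 192.168.5.0/24 to public_ip 80 via ed2` on purpose; an unscoped `divert ... via ed2` would run every LAN packet through natd and change the address handling for all of the LAN's traffic.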