Date: Sat, 8 May 1999 17:11:09 -0400 (EDT) From: Mike Newell <mnewell@newell.arlington.va.us> To: questions@freebsd.org Subject: NATD problem Message-ID: <Pine.BSF.3.96.990508165209.19035A-100000@bigpuppy.newell.arlington.va.us>
I have an odd problem with NATD on FreeBSD 3.1-RELEASE. I have a box with
3 Ethernet cards:
xl0 = xxx.xxx.xxx.xxx 255.255.0.0
fxp0 = 192.168.100.1 255.255.255.0
ed0 = yyy.yyy.yyy.yyy 255.255.255.240
Interface xl0 is a 10Mbps Ethernet with a single IP address assigned to it
(that is, no aliases) connected to the target ISP. Interface fxp0 is a
100Mbps Ethernet with an RFC1918 address attached. Interface ed0 is a
10Mbps Ethernet with a routable IP address attached to another ISP; I use
this temporarily as a "back door" into the net until I can get the
firewall and natting correct.
I want to NAT things on fxp0 through xl0. I installed the four directives
as specified in the kernel and rebuilt; the directives in the kernel are
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPDIVERT
options IPFIREWALL_FORWARD
The kernel builds fine and installs. Per the instructions for natd I
also enabled gatewaying in the kernel (via the sysctl command).
The firewall rule set does:
# $Id$
# Block all RFC1918 addresses (and weird ones) coming from the
# provider. Block RIP too; we don't want to advertise bogus
# information out.
add deny all from 192.168.0.0:0xffff0000 to any in via xl0
add deny all from 172.16.0.0:0xffff0000 to any in via xl0
add deny all from 10.0.0.0:0xff000000 to any in via xl0
add deny all from 127.0.0.0:0xff000000 to any in via xl0
add deny udp from any 520 to any 520 via xl0
# We use 192.168.100.0 in our network, but we don't want it talking
# out except through NAT.
add deny all from 192.168.100.0:0xffffff00 to any out via xl0
# NAT the rest and for the time being allow anything else.
add divert natd log all from any to any via fxp0
add allow ip from any to any
Basically all I'm doing is protecting against spoofing and blocking
RFC1918 addresses from going out interface xl0. The firewall log records
packets being diverted as you'd expect.
When I run the command "natd -interface xl0 -verbose" I get a log that
looks like:
In [TCP] 192.168.100.40:1079 -> 207.46.176.11:80 aliased to 192.168.100.40:1079 -> 207.46.176.11:80
In [TCP] 192.168.100.40:1079 -> 207.46.176.11:80 aliased to 192.168.100.40:1079 -> 207.46.176.11:80
In [TCP] 192.168.100.40:1079 -> 207.46.176.11:80 aliased to 192.168.100.40:1079 -> 207.46.176.11:80
In [TCP] 192.168.100.40:1079 -> 207.46.176.11:80 aliased to 192.168.100.40:1079 -> 207.46.176.11:80
Now this is weird - apparently natd is converting the address
192.168.100.40 to itself! Just for grins I tried to force the issue by
using the command "natd -alias_address xxx.xxx.xxx.xxx" but I get the
exact same results.
Any ideas? I searched the mail archives and did find someone else having
trouble, but didn't see any replies that fixed his problem.
Much obliged,
Mike
+--------------------------------------+------------------------------------+
| Mike Newell | The opinions expressed herein |
| Affiliation: | are mine. You can take them or |
| Address: | leave them. Flames to /dev/null. |
+--------------------------------------+------------------------------------+
| Mike@Newell.arlington.va.us | http://www.newell.arlington.va.us |
+--------------------------------------+------------------------------------+
| "Peace. It's wonderful!" Father Divine. |
+---------------------------------------------------------------------------+
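Added example, not part of the original post: a small lint for an ipfw(8) ruleset that is meant to feed natd(8). The log lines above are what natd prints when the kernel hands it packets that it considers inbound: it only tries to de-alias those, and with no alias entry to match they pass through unchanged. A divert rule placed "via" the inside interface (fxp0) while natd is started with "-interface xl0" produces exactly that, and a deny for the inside network "out via xl0" placed ahead of the divert rule would drop the packets before translation even once the divert rule is moved. The rulesets below are constructed from the post; the function and variable names (lint_nat, RULES_BROKEN, RULES_FIXED) are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: lint an ipfw(8) ruleset that feeds
# natd(8) and flag the two placement problems that yield "aliased to itself":
#  1. the divert rule names a different interface than natd's -interface, so
#     natd sees LAN packets as inbound on the inside interface and only tries
#     to de-alias them (no alias entry exists, so they pass unchanged);
#  2. a deny rule for the inside network "out via" the outside interface sits
#     before the divert rule, so packets are dropped before they can be NATed.
# Rulesets are constructed from the post; names (lint_nat, RULES_*) are assumed.

RULES_BROKEN='add deny all from 192.168.0.0:0xffff0000 to any in via xl0
add deny all from 10.0.0.0:0xff000000 to any in via xl0
add deny all from 192.168.100.0:0xffffff00 to any out via xl0
add divert natd log all from any to any via fxp0
add allow ip from any to any'

# Divert on the outside interface first, then keep the leak check behind it:
# anything still sourced from 192.168.100/24 on its way out of xl0 after natd
# has seen it was not translated and should be dropped.
RULES_FIXED='add deny all from 192.168.0.0:0xffff0000 to any in via xl0
add deny all from 10.0.0.0:0xff000000 to any in via xl0
add divert natd all from any to any via xl0
add deny all from 192.168.100.0:0xffffff00 to any out via xl0
add allow ip from any to any'

# lint_nat RULES OUTSIDE_IFACE
# Prints one finding per line and returns the number of findings;
# prints "ok" and returns 0 when the ruleset and natd -interface agree.
lint_nat() {
    printf '%s\n' "$1" | awk -v ext="$2" '
        /^add[ \t]+divert[ \t]+natd/ {
            seen_divert = 1
            for (i = 1; i <= NF; i++) if ($i == "via") div_if = $(i + 1)
        }
        /^add[ \t]+deny/ && !seen_divert && $0 ~ ("out via " ext) {
            early_deny = $0
        }
        END {
            n = 0
            if (!seen_divert) { print "no divert natd rule"; n++ }
            else if (div_if != ext) { print "divert on " div_if " but natd -interface " ext; n++ }
            if (early_deny != "") { print "deny before divert drops untranslated packets: " early_deny; n++ }
            if (n == 0) print "ok"
            exit n
        }'
}

# Usage: lint_nat "$RULES_BROKEN" xl0 reports both problems;
#        lint_nat "$RULES_FIXED" xl0 prints "ok".
```

Run the lint against whatever you load with "ipfw add" before starting "natd -interface xl0"; the rule order matters because ipfw stops at the first matching deny, so the divert rule for the outside interface has to sit ahead of any deny that would match the still-private source address.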
