From owner-cvs-all Fri Jul 2 13:58:38 1999
Date: Fri, 02 Jul 1999 13:58:37 -0700
From: Ludwig Pummer
To: Ruslan Ermilov
Cc: Brian Somers, cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG
Subject: Re: cvs commit: src/sbin/natd natd.8
Message-Id: <4.1.19990702134305.0096be20@mail-r>
In-Reply-To: <19990702151615.A29698@relay.ucb.crimea.ua>

At 05:16 AM 7/2/1999 , Ruslan Ermilov wrote:

>> Let me restate what I originally said/meant to say:
>> I have a machine doing natd. It has an internal network address
>> 172.16.1.5/24 and an external network address of 24.2.21.36/24. If I do
>> 'redirect_port tcp 172.16.1.30:80 80' and then try to point my web browser
>> (from a machine in the 172.16.1.5/24 network) at http://24.2.21.36:80, it
>> will not reach 172.16.1.30:80. If, however, I point my web browser (from a
>> machine on the internet) at http://24.2.21.36:80, it _will_ reach
>> 172.16.1.30:80.
>>
> Ah, I see now what you meant, but you're wrong anyway.
> It works(!) even in such a configuration, look what I did:
>
> Host running natd:
>
> (internal interface 192.168.1.1/24)
> fxp0: flags=8843 mtu 1500
>         inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
>
> (external interface 212.110.138.1/28)
> fxp2: flags=8843 mtu 1500
>         inet 212.110.138.1 netmask 0xfffffff0 broadcast 212.110.138.15
>
> # ipfw list 1
> 00001 divert 6666 tcp from any to any 80
> 00001 divert 6666 tcp from any 80 to any
>
> *** Note that there are no "via" keywords, otherwise it will not work.

Bingo. I made my suggestion because if you set up natd according to the
manpage, there is a 'via' keyword in the ipfw rule (and rc.firewall's natd
rule also has 'via'). In those cases, "it will not work." I was concerned
that newbies who set up natd "by the book" and then tested their
configurations would be confused.

Maybe I should point out that the natd manpage I'm looking at is from
15 April 1997.

uname -a:
toy.chip-web.com 3.1-STABLE FreeBSD 3.1-STABLE #0: Thu Mar 4 18:28:40 PST 1999 root@toy.chip-web.com:/usr/src/sys/compile/TOY i386

>> I felt that despite this being logical according to routing and the way the
>> ipfw rule is written**, this was worth pointing out. Otherwise, many
>> newbies setting up natd for the first time would do something very similar
>> to my example above, and become disappointed/discouraged/confused when they
>> can't connect to http://24.2.21.36:80 from their inside machine. I came to
>> this conclusion after helping someone with natd over ICQ, and then
>> recalling that I had similar problems when I was first playing with natd.
>>
> I hope you're ready to do it now!

Well, yeah. I've had natd set up and running for over a year and a half now,
first with usermode ppp and then with 2.2.5-R's natd.

... (snipped inport, outport, aliasing explanation) ...

> One important thing that should be taken into account is the ipfw
> configuration. You should make sure to configure it properly, I think
> you understood this from my example.

Yes, I understand your point. Let me just say again that if ipfw is
configured according to the natd manpage, then you will have the issue I
first pointed out. That's why I felt adding this little "gotcha" to the
manpage was worth it.

--Ludwig Pummer ( ludwigp@bigfoot.com ) ICQ UIN: 692441
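To make the disagreement above concrete, here is an added model (not code from the thread, nor from natd or ipfw) of how the two divert rule variants treat a port-80 packet aimed at the external address, depending on which interface ipfw first sees it on. The interface names and addresses come from Ruslan's ifconfig output; the client addresses are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Interface names and addresses taken from Ruslan's ifconfig output above.
INTERNAL_IF = "fxp0"   # 192.168.1.1/24
EXTERNAL_IF = "fxp2"   # 212.110.138.1/28


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int
    iface: str  # interface ipfw sees the packet on when the rule is evaluated


@dataclass(frozen=True)
class DivertRule:
    """Model of 'divert 6666 <proto> from any to any <dport> [via <iface>]'."""
    proto: str
    dport: int
    via: Optional[str] = None  # None: no 'via' keyword, as in Ruslan's rule

    def matches(self, p: Packet) -> bool:
        if p.proto != self.proto or p.dport != self.dport:
            return False
        # 'via' limits the rule to packets seen on that one interface
        return self.via is None or p.iface == self.via


# The two rule variants discussed in the thread.
MANPAGE_RULE = DivertRule("tcp", 80, via=EXTERNAL_IF)  # manpage/rc.firewall style
NO_VIA_RULE = DivertRule("tcp", 80)                    # Ruslan's 'ipfw list 1'

# Constructed sample packets; both target the external address, port 80.
# An inside client's packet first hits ipfw on the internal interface, an
# outside client's packet arrives on the external one.
INSIDE_CLIENT = Packet("tcp", "192.168.1.50", "212.110.138.1", 80, INTERNAL_IF)
OUTSIDE_CLIENT = Packet("tcp", "198.51.100.7", "212.110.138.1", 80, EXTERNAL_IF)


def diverted_on_arrival(rule: DivertRule, p: Packet) -> bool:
    """True if natd sees the packet and can apply redirect_port.

    The external address is local to the natd host, so a packet that is not
    diverted on arrival is delivered to the host itself and never crosses the
    external interface: there is no second chance for a 'via fxp2' rule.
    Dropping 'via' fixes this at the cost of natd also seeing port-80 traffic
    on every other interface.
    """
    return rule.matches(p)


if __name__ == "__main__":
    for name, rule in (("with via", MANPAGE_RULE), ("without via", NO_VIA_RULE)):
        for who, pkt in (("inside", INSIDE_CLIENT), ("outside", OUTSIDE_CLIENT)):
            print(f"{name:12s} {who:8s} diverted={diverted_on_arrival(rule, pkt)}")
```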