From owner-freebsd-questions Sun Jul 30 13:57:40 2000
Date: Sun, 30 Jul 2000 12:19:13 -0700
From: "Crist J. Clark"
To: Konan Houphoue
Cc: freebsd-questions@FreeBSD.ORG, steve@zpfe.com
Subject: Re: IPFW and NAT question
Message-ID: <20000730121913.J7953@cjc-desktop.reflexcom.com>
Reply-To: cjclark@alum.mit.edu

[This mail was resent due to delivery problems. If you have received it
twice, please ignore. Sorry for any inconvenience.]

On Sun, Jul 30, 2000 at 12:24:34PM -0500, Konan Houphoue wrote:
> Hi,
>
> I have configured my FreeBSD 4.0 Pentium 233Mhz based PC as a firewall to
> the Internet using a DSL connection.
>
> I use a public IP (207.208.254.234) gateway (207.208.254.1).
>
> From this machine I can access the Internet. However the machines on my
> private network cannot.
>
> My public interface is fxp0 (intel Ether Express Pro 10/100 B), and my
> private interface is xl0 (3Com 3c905B-TX Fast EtherLink XL) using
> 192.168.1.2
>
> Any host on the private segment 192.168.1 can successfully ping the public
> interface fxp0.
>
> The problem is that I cannot reach anything beyond fxp0, not even the IP
> address of the gateway on the ISP that is on the same segment as fxp0. For
> example a traceroute hug.freebsd.org fails.
>
> I have configured all the necessary files for IPFW and natd and rebuilt the
> kernel successfully.
>
> I read in natd man pages that there is a -dynamic option to use, but I did
> not see it in the configuration walkthrough in the Handbook.
> Where else should I look?
> Can someone please help?

It would help if you showed us all of the configurations you did to
the necessary files. The necessary files being rc.conf, the firewall
script, and the natd config file if used.

The '-dynamic' flag probably has nothing to do with this problem.

The description of your problem brings a few things to mind:

  1) Is forwarding enabled? In rc.conf,

       gateway_enable="YES"

     Or on the running system,

       # sysctl -w net.inet.ip.forwarding=1

  2) Is natd(8) actually running? Try,

       # ps x | grep natd

     (Check, you'd be surprised how often that is the problem.)

  3) Do you have the divert rule in your firewall working properly?
     Look at,

       # ipfw show

     And make sure the rules and numbers make sense.

  4) Are you actually blocking yourself somewhere in the firewall?
     This is not likely since the gateway itself would probably not be
     reachable if you were.

If none of those help, try sending your configuration to the list.

HTH.
-- 
Crist J. Clark                           cjclark@alum.mit.com
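
Added example, not part of the original mail: a POSIX sh helper for step 3 of the checklist above. It reads `ipfw show` output and reports whether the divert rule on the public interface is missing, sits behind a catch-all allow/deny rule, or has a zero packet counter. The function name, verdict words and sample rule listings are constructed for illustration; 8668 is natd's default divert port.

```shell
#!/bin/sh
# Added example (not from the original mail).
# check_divert IFACE  -- reads `ipfw show` text on stdin.
# Prints one verdict:
#   NO_DIVERT          no divert rule on IFACE
#   SHADOWED <rule>    a catch-all allow/deny rule <rule> matches first
#   IDLE <rule>        divert rule <rule> exists but has seen 0 packets
#   OK <rule> <pkts>   divert rule <rule> is matching traffic
check_divert() {
    awk -v ifc="$1" '
        # ipfw show columns: rule number, packets, bytes, action, rule body
        $4 == "divert" && $(NF-1) == "via" && $NF == ifc {
            if (shadow != "")  print "SHADOWED", shadow
            else if ($2 == 0)  print "IDLE", $1
            else               print "OK", $1, $2
            found = 1
            exit
        }
        # ipfw is first-match: an unconditional allow/deny placed before
        # the divert rule ends rule processing, so natd never sees packets.
        ($4 == "allow" || $4 == "deny") && /ip from any to any$/ && shadow == "" {
            shadow = $1
        }
        END { if (!found) print "NO_DIVERT" }
    '
}

# Constructed sample listings (hypothetical counters and rule numbers).
sample_ok='00050 1842  913204 divert 8668 ip from any to any via fxp0
00100   12     840 allow ip from any to any via lo0
65000 3710 1850112 allow ip from any to any
65535    0       0 deny ip from any to any'

sample_shadowed='00040 3710 1850112 allow ip from any to any
00050    0       0 divert 8668 ip from any to any via fxp0
65535    0       0 deny ip from any to any'

printf '%s\n' "$sample_ok"       | check_divert fxp0
printf '%s\n' "$sample_shadowed" | check_divert fxp0

# On the gateway itself (as root):  ipfw show | check_divert fxp0
```

An IDLE verdict while private hosts are generating traffic points back at steps 1 and 2: forwarding is off or natd is not running.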