Date: Mon, 3 Apr 2000 11:11:03 -0400
From: "Crist J. Clark" <cjc@cc942873-a.ewndsr1.nj.home.com>
To: Brendan Kosowski <brendan@bmk.com.au>
Cc: cjclark@home.com, FreeBSD Questions <freebsd-questions@FreeBSD.ORG>
Subject: Re: natd problem
Message-ID: <20000403111103.A34901@cc942873-a.ewndsr1.nj.home.com>
In-Reply-To: <Pine.BSF.3.96.1000403132841.403A-100000@garfield>; from brendan@bmk.com.au on Mon, Apr 03, 2000 at 03:09:05PM +1000
References: <20000402224237.B33106@cc942873-a.ewndsr1.nj.home.com> <Pine.BSF.3.96.1000403132841.403A-100000@garfield>
On Mon, Apr 03, 2000 at 03:09:05PM +1000, Brendan Kosowski wrote:
> On Sun, 2 Apr 2000, Crist J. Clark wrote:
> > On Mon, Apr 03, 2000 at 11:11:58AM +1000, Brendan Kosowski wrote:
> > >
> > > I am running a NAT using natd and the standard OPEN firewall setting.
> > >
> > > The NAT has 2 ethernet cards, one to a PUBLIC ETHERNET and the other to
> > > our LOCAL ETHERNET (192.168.etc...)
> > >
> > > The natd has been set up with the "-redirect_port" option so that a certain
> > > port on the NAT PUBLIC INTERFACE gets redirected to a server on our LOCAL
> > > ETHERNET, therefore giving our server a PUBLIC ADDRESS/PORT.
> > >
> > > The problem occurs when a P.C. on the LOCAL ETHERNET tries to access the
> > > SERVER on the LOCAL ETHERNET by way of its PUBLIC ADDRESS/PORT. The NAT
> > > seems to deny packets.
> > >
> > > It is absolutely necessary that I can get natd to do this. Accessing the
> > > SERVER via its local address is an unacceptable solution.
> > >
> > > Can ANYONE help???
> >
> > YES, we PROBABLY can, but first TELL me why you LIKE to CAPITALIZE
> > every OTHER word?
> >
> > Why do you say that the NAT server seems to deny the packets? Could we
> > see the ifconfig(8) for the interfaces, the natd(8) command line and
> > config file (if it exists), and your firewall rules (`ipfw show`)?
> > --
> > Crist J. Clark                                cjclark@home.com
>
> I have used CAPITALS to emphasize important information like SERVERS,
> INTERFACES, ADDRESSES and PORTS. Sorry if this appears arrogant or is
> difficult to read.
>
> I am reluctant to give information containing IP addresses as we have
> found that giving too much info to mailing lists can result in hacker
> attacks later. I will do my best to give you as much info as possible.

Understandable.

> NAT interfaces:
>
> ed1 connects to our Public Ethernet.
> ed2 (192.168.5.5) connects to our Local Ethernet (192.168.5.0/24)
>
> Firewall rules follow:
>
> divert 8668 ip from any to any via ed1
> allow ip from any to any via lo0
> deny ip from any to 127.0.0.0/8
> allow ip from any to any
> deny ip from any to any
>
> natd command line follows:
>
> natd -n ed1 -redirect_port tcp 192.168.5.253:80 80
>
> There is no natd config file with extra options.
>
> As can be seen, our web server (192.168.5.253) is behind the NAT on the
> local network.
>
> I suspect that the NAT is denying packets for the following reasons:
>
> a.) PCs on the Internet can access our Web Server via port 80 on the
> NAT public interface (ed1).
>
> b.) PCs on our local network can access the Internet.
>
> c.) PCs on our local network can not access the Web Server via port 80
> on the NAT public interface (ed1).
>
> Reason c.) above is the problem.
> Hope that makes it clearer.

I think the problem is that the packets never find their way to natd, not
that natd is denying them. A packet comes in to ed2 destined for
public_ip:80. The TCP/IP stack immediately recognizes that this packet is
bound for this machine and the packet will not get sent through ed1. Thus,
it never gets to natd, never gets redirected.

A not particularly pretty workaround (but I think it will do it without
breaking anything) is to add a rule,

	divert natd ip from 192.168.5.0/24 to public_ip 80 via ed2

There might be more proper and elegant ways to do this. Maybe another
-questions reader knows of such a method.
--
Crist J. Clark                                cjclark@home.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
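The packet path Crist describes, as an added worked example that is not part of the thread and is not FreeBSD, ipfw or natd code. It models just enough of ipfw's first-match rule walk (with `via` matching a packet on its way in or out of an interface, and a matching `divert` handing the packet to natd before ipfw continues at the next rule) and of natd's `-redirect_port` plus outbound aliasing to show why a LAN client's SYN for public_ip:80 never meets natd under Brendan's ruleset, and what the extra `via ed2` divert changes. The public address of ed1 (`203.0.113.5`), the LAN client (`192.168.5.10`) and the Internet host (`198.51.100.7`) are constructed from documentation ranges; the placement of the workaround rule ahead of the catch-all `allow` is an assumption, required by first-match evaluation.

```python
"""Toy model of ipfw + natd for the hairpin case in the thread (added example)."""
from dataclasses import dataclass, replace
from typing import Optional
import ipaddress

PUBLIC_IP = "203.0.113.5"        # assumed address of ed1 ("public_ip" in the thread)
NAT_LAN_IP = "192.168.5.5"       # ed2, from the thread
LAN = "192.168.5.0/24"
WEB_SERVER = "192.168.5.253"
LAN_CLIENT = "192.168.5.10"      # constructed LAN PC
INTERNET_HOST = "198.51.100.7"   # constructed Internet host


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "divert", "allow" or "deny"
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None
    via: Optional[str] = None    # ipfw 'via': packet seen in or out on that interface


def addr_match(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule, pkt, iface):
    return (addr_match(rule.src, pkt.src) and addr_match(rule.dst, pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport)
            and (rule.via is None or rule.via == iface))


def natd(pkt, iface):
    """natd -n ed1 -redirect_port tcp 192.168.5.253:80 80, simplified."""
    if pkt.dst == PUBLIC_IP and pkt.dport == 80:
        return replace(pkt, dst=WEB_SERVER)      # the redirect_port rule
    if iface == "ed1" and addr_match(LAN, pkt.src):
        return replace(pkt, src=PUBLIC_IP)       # ordinary outbound aliasing
    return pkt


def ipfw(rules, pkt, iface):
    """First matching rule decides; a divert runs natd and resumes at the next rule."""
    for rule in rules:
        if not rule_matches(rule, pkt, iface):
            continue
        if rule.action == "divert":
            pkt = natd(pkt, iface)
            continue
        return rule.action, pkt
    return "deny", pkt                           # ipfw's implicit default rule


def route(dst):
    """Output interface, or 'local' when the address belongs to the NAT box itself."""
    if dst in (PUBLIC_IP, NAT_LAN_IP):
        return "local"
    return "ed2" if addr_match(LAN, dst) else "ed1"


def deliver(rules, pkt, in_iface):
    """Run a packet arriving on in_iface through ipfw/natd; return where it ends up."""
    verdict, pkt = ipfw(rules, pkt, in_iface)
    if verdict != "allow":
        return "denied", pkt
    out = route(pkt.dst)
    if out == "local":
        return "nat host stack", pkt             # never crosses ed1, so never meets natd
    verdict, pkt = ipfw(rules, pkt, out)
    return ("denied" if verdict != "allow" else out), pkt


def reply_path(client):
    """Where the web server's reply to client goes: a client on the server's own
    subnet is reached directly, so the NAT box never sees or un-translates it."""
    return "direct on LAN" if addr_match(LAN, client) else "via " + route(client)


# Brendan's ruleset, in order.
ORIGINAL_RULES = [
    Rule("divert", via="ed1"),
    Rule("allow", via="lo0"),
    Rule("deny", dst="127.0.0.0/8"),
    Rule("allow"),
    Rule("deny"),
]
# Crist's workaround, assumed to sit before the catch-all allow (it must, or it never matches).
HAIRPIN_RULES = ORIGINAL_RULES[:1] + [
    Rule("divert", src=LAN, dst=PUBLIC_IP, dport=80, via="ed2")] + ORIGINAL_RULES[1:]

if __name__ == "__main__":
    syn = Packet(LAN_CLIENT, PUBLIC_IP, 80)
    print("original ruleset:", deliver(ORIGINAL_RULES, syn, "ed2"))
    print("with hairpin rule:", deliver(HAIRPIN_RULES, syn, "ed2"))
    print("server's reply to the LAN client goes:", reply_path(LAN_CLIENT))
```

Under `ORIGINAL_RULES` the LAN client's SYN is allowed by the catch-all rule, routed to the box's own stack and never diverted; with the extra rule the same SYN is rewritten to 192.168.5.253:80 and forwarded out ed2, while Internet traffic to public_ip:80 and LAN traffic to the Internet behave as before. `reply_path` shows the part of the hairpin that the forward rewrite alone does not cover: the server answers a 192.168.5.0/24 client directly on the LAN, so the client receives a SYN-ACK from 192.168.5.253:80 rather than from the public_ip:80 it connected to; a complete hairpin setup also has to translate the client's source address so that the reply returns through the NAT host.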