From owner-freebsd-ipfw Sun Oct 14 1:22:38 2001
Delivered-To: freebsd-ipfw@freebsd.org
Received: from pintail.mail.pas.earthlink.net (pintail.mail.pas.earthlink.net [207.217.120.122]) by hub.freebsd.org (Postfix) with ESMTP id EF01737B408 for ; Sun, 14 Oct 2001 01:22:35 -0700 (PDT)
Received: from blossom.cjclark.org (dialup-209.247.139.8.Dial1.SanJose1.Level3.net [209.247.139.8]) by pintail.mail.pas.earthlink.net (EL-8_9_3_3/8.9.3) with ESMTP id BAA29725 for ; Sun, 14 Oct 2001 01:22:34 -0700 (PDT)
Received: (from cjc@localhost) by blossom.cjclark.org (8.11.6/8.11.3) id f9E8MNj00972 for freebsd-ipfw@freebsd.org; Sun, 14 Oct 2001 01:22:23 -0700 (PDT) (envelope-from cjc)
Date: Sun, 14 Oct 2001 01:22:22 -0700
From: "Crist J. Clark"
To: freebsd-ipfw@freebsd.org
Subject: ipfw(8) Verbosity Enhancement Patches
Message-ID: <20011014012222.D321@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I've posted some patches for increasing the logging capabilities for
ipfw(8) in the past. I made some simplifications to the patches and
have put copies, for both 4.4-STABLE and 5.0-CURRENT, at,

    http://people.freebsd.org/~cjc/

I think I will aim at committing these. Any opinions welcome. And if
you try the patches, please let me know about problems or successes.
--
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Tue Oct 16 3: 2:48 2001
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mmu.edu.my (ext-dns.mmu.edu.my [203.106.62.11]) by hub.freebsd.org (Postfix) with ESMTP id EFEFF37B40B for ; Tue, 16 Oct 2001 03:02:36 -0700 (PDT)
Received: from venus.cyber.mmu.edu.my (venus.cyber.mmu.edu.my [203.106.62.12]) by mmu.edu.my (8.9.1b+Sun/8.9.1) with ESMTP id RAA03123; Tue, 16 Oct 2001 17:58:21 +0800 (MYT)
Received: from there (hb2c-20.cyber.mmu.edu.my [10.100.99.40]) by venus.cyber.mmu.edu.my (8.8.8+Sun/8.8.8) with SMTP id RAA11981; Tue, 16 Oct 2001 17:58:12 +0800 (SGT)
Message-Id: <200110160958.RAA11981@venus.cyber.mmu.edu.my>
Content-Type: text/plain; charset="iso-8859-1"
From: nuzrin yaapar
Reply-To: nuzrin@yahoo.com
Organization: multimedia university
To: cjclark@alum.mit.edu, "Crist J. Clark" , freebsd-ipfw@FreeBSD.ORG
Subject: Re: ipfw(8) Verbosity Enhancement Patches
Date: Tue, 16 Oct 2001 18:13:02 +0800
X-Mailer: KMail [version 1.3.1]
References: <20011014012222.D321@blossom.cjclark.org>
In-Reply-To: <20011014012222.D321@blossom.cjclark.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Sunday 14 October 2001 4:22 pm, Crist J. Clark wrote:
> I've posted some patches for increasing the logging capabilities for
> ipfw(8) in the past. I made some simplifications to the patches and
> have put copies, for both 4.4-STABLE and 5.0-CURRENT, at,
>
> http://people.freebsd.org/~cjc/
>
> I think I will aim at committing these. Any opinions welcome. And if
> you try the patches, please let me know about problems or successes.

I've tested it, and it seems good.
It'll be good if it gets committed.

From owner-freebsd-ipfw Thu Oct 18 18:59:28 2001
Delivered-To: freebsd-ipfw@freebsd.org
Received: from hotmail.com (oe33.pav2.hotmail.com [64.4.36.90]) by hub.freebsd.org (Postfix) with ESMTP id D2D7C37B407 for ; Thu, 18 Oct 2001 18:59:26 -0700 (PDT)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Thu, 18 Oct 2001 18:59:26 -0700
X-Originating-IP: [66.92.168.17]
From: "Mike Semcheski"
Subject: ipfw and nat setup
Date: Tue, 18 Dec 2001 21:58:47 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
X-OriginalArrivalTime: 19 Oct 2001 01:59:26.0752 (UTC) FILETIME=[AE8A9200:01C15841]
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Hello,

I am sure this is a question that comes up a lot, but I have not been able to find the answer, so I am posting to this mailing list. I originally posted to newbies, but since there does not seem to be much signal or noise on this one, I thought I would give it a try.

Here's my situation: Right now, I have a FreeBSD 4.2 box with two NICs. fxp0 is hooked up via crossover to a Win2k box. tl0 is hooked up (via a long cat-5) to my DSL router. I have a static IP (go Speakeasy!). I am running, among other things, ipfw, natd and named. The Win2k's primary DNS is the FreeBSD box. Win2k can resolve names with no problem, and can also ping tl0 with no problem. The FreeBSD box is on the network, and can reach the outside world. The Win2k box can resolve a name but can not access it.
To me, either natd is not aliasing this connection correctly or ipfw is blocking its connections. I have tried a lot of different rules for ipfw; I have not put a lot into setting up natd (other than natd_enable="yes", natd_interface="fxp0" and natd_flags="-log -dynamic"). I use firewall_type="open". I have net.inet.ip.fw.verbose=1, and firewall_logging="yes".

For what all that is worth, I was wondering if anyone had some rules or other configs that might get this to work. My eventual goal is to get a similar setup working at work and somehow add a rule to IPSec all the connections between work and home, but first things first, I need to get ipfw and natd working at home.

If someone has a similar setup and rules that work, I would love to see them, or if there are any points I am not aware of, I would love to see them. I have tried a lot of different combinations, read lots of pages from the web, and lots of man pages, and I just can not get this working.

Anyone able to help me?

Thanks,
Mike

From owner-freebsd-ipfw Thu Oct 18 19: 5:32 2001
Delivered-To: freebsd-ipfw@freebsd.org
Received: from cody.jharris.com (cody.jharris.com [205.238.128.83]) by hub.freebsd.org (Postfix) with ESMTP id 0EC1D37B403 for ; Thu, 18 Oct 2001 19:05:29 -0700 (PDT)
Received: from localhost (nick@localhost) by cody.jharris.com (8.11.1/8.9.3) with ESMTP id f9J25MU62180; Thu, 18 Oct 2001 21:05:22 -0500 (CDT) (envelope-from nick@rogness.net)
Date: Thu, 18 Oct 2001 21:05:22 -0500 (CDT)
From: Nick Rogness
X-Sender: nick@cody.jharris.com
To: Mike Semcheski
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: ipfw and nat setup
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Tue, 18 Dec 2001, Mike Semcheski wrote:

[snip]

> Here's my situation: Right now, I have a FreeBSD 4.2 box with two
> NICs. fxp0 is hooked up via crossover to a Win2k box. tl0 is hooked
> up (via a long cat-5) to my DSL router. I have a static IP (go
> Speakeasy!). I am running among other things, ipfw, natd and named.
> The Win2k's primary DNS is the FreeBSD box. Win2k can resolve names
> with no problem, and can also ping tl0 with no problem. The FreeBSD
> box is on the network, and can reach the outside world. The Win2k box
> can resolve a name but can not access it. To me, either natd is not
> aliasing this connection correctly or ipfw is blocking its
> connections. I have tried a lot of different rules for ipfw, I have
> not put a lot into setting up natd (other than natd_enable="yes"
> natd_interface="fxp0" and natd_flags="-log -dynamic"). I use
> firewall_type="open". I have net.inet.ip.fw.verbose=1, and
> firewall_logging="yes".

In /etc/rc.conf you should have:

    gateway_enable="YES"
    firewall_enable="YES"
    firewall_type="OPEN"
    natd_enable="YES"
    natd_interface="tl0"

It looks as if you are running natd on the wrong interface...it should be
the outside interface tl0, NOT fxp0.


Nick Rogness
- Keep on Routing in a Free World...
  "FreeBSD: The Power to Serve!"
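Nick's diagnosis generalizes to a check worth scripting before the next reboot: natd has to sit on the outside interface, the one carrying the default route, because rc.firewall builds its divert rule from natd_interface, and ip forwarding (gateway_enable) has to be on or nothing from the LAN is routed at all. The sh script below is an added example, not code from this thread or from FreeBSD's rc.firewall. The two rc.conf fragments are constructed: the first mirrors only the settings the poster listed (so gateway_enable is absent), the second is the corrected set from the reply. The outside interface is passed in as an argument so the check runs anywhere; on a live 4.x box it would come from netstat -rn as shown in the comment. The divert rule it prints follows the form the 4.x rc.firewall uses for natd; the rule number 50 is from memory and only illustrative.

```shell
#!/bin/sh
# Added example (not from the thread, not FreeBSD's rc.firewall): sanity-check
# the natd/ipfw gateway settings in rc.conf. The point from the thread:
# natd_interface must name the OUTSIDE interface (the one holding the default
# route), because rc.firewall derives the divert rule from it.

# Constructed sample: only what the poster said they had set (no gateway_enable).
RC_CONF_BAD='firewall_enable="YES"
firewall_type="open"
firewall_logging="yes"
natd_enable="yes"
natd_interface="fxp0"      # wrong: fxp0 faces the Win2k box
natd_flags="-log -dynamic"'

# Constructed sample: the corrected settings from the reply.
RC_CONF_GOOD='gateway_enable="YES"
firewall_enable="YES"
firewall_type="OPEN"
natd_enable="YES"
natd_interface="tl0"       # right: tl0 faces the DSL router
natd_flags="-log -dynamic"'

# rc_var CONTENT NAME: value of NAME in rc.conf-style CONTENT, quotes and
# trailing comments stripped; a later assignment wins, as in sh itself.
rc_var() {
    printf '%s\n' "$1" | awk -v name="$2" '
        /^[ \t]*#/ || !/=/ { next }
        {
            eq  = index($0, "=")
            key = substr($0, 1, eq - 1)
            if (key != name) next
            v = substr($0, eq + 1)
            if (substr(v, 1, 1) == "\"")
                v = substr(v, 2, index(substr(v, 2), "\"") - 1)
            else
                sub(/[ \t]*#.*$/, "", v)
            val = v
        }
        END { print val }'
}

# rc.conf booleans are case-insensitive (YES, yes, Yes).
is_yes() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        yes) return 0 ;;
        *)   return 1 ;;
    esac
}

# check_nat_gateway CONTENT OUTSIDE_IF
# Prints one line per problem; returns the number of problems (0 = ok).
# On a live FreeBSD box OUTSIDE_IF is the interface holding the default route:
#   outside_if=$(netstat -rn -f inet | awk '$1 == "default" { print $NF }')
check_nat_gateway() {
    conf=$1; outside=$2; problems=0
    for var in gateway_enable firewall_enable natd_enable; do
        if ! is_yes "$(rc_var "$conf" "$var")"; then
            echo "problem: $var is not YES (LAN packets are not forwarded/diverted)"
            problems=$((problems + 1))
        fi
    done
    natd_if=$(rc_var "$conf" natd_interface)
    if [ "$natd_if" != "$outside" ]; then
        echo "problem: natd_interface=\"$natd_if\" but the default route is via $outside"
        problems=$((problems + 1))
    fi
    return $problems
}

# The divert rule rc.firewall installs from natd_interface (4.x form; the
# rule number 50 is from memory and illustrative only).
divert_rule() {
    echo "ipfw add 50 divert natd all from any to any via $(rc_var "$1" natd_interface)"
}

# report LABEL CONTENT OUTSIDE_IF
report() {
    echo "== $1 =="
    if check_nat_gateway "$2" "$3"; then
        echo "ok; rc.firewall will add: $(divert_rule "$2")"
    else
        n=$?
        echo "$n problem(s); fix rc.conf before trusting: $(divert_rule "$2")"
    fi
}

report "poster's settings"   "$RC_CONF_BAD"  tl0
report "corrected settings"  "$RC_CONF_GOOD" tl0
```

With the wrong interface the divert rule matches traffic crossing fxp0, so packets from the Win2k box are aliased toward the LAN side and nothing is rewritten on the way out tl0; that is exactly the "can resolve but not connect" symptom, since DNS is answered locally by named and never needs NAT. After fixing rc.conf, `ipfw show` should show the divert rule's packet counter climbing when the Win2k box opens a connection.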
From owner-freebsd-ipfw Thu Oct 18 19:47:19 2001
Delivered-To: freebsd-ipfw@freebsd.org
Received: from hotmail.com (oe65.pav2.hotmail.com [64.4.36.199]) by hub.freebsd.org (Postfix) with ESMTP id 1385737B405 for ; Thu, 18 Oct 2001 19:47:16 -0700 (PDT)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Thu, 18 Oct 2001 19:47:16 -0700
X-Originating-IP: [66.92.168.17]
From: "Mike Semcheski"
Subject: Re: ipfw and nat setup
Date: Tue, 18 Dec 2001 22:46:39 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
X-OriginalArrivalTime: 19 Oct 2001 02:47:16.0024 (UTC) FILETIME=[5CC2BB80:01C15848]
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Many thanks, as well to Mikel and Patrick.

My original line of thinking was that since fxp0 was the interface that was dealing with the LAN, it would be the interface for natd. In hindsight, it makes sense that tl0 is the one that actually does the masquerading. I was sure I had tried it, but I guess not. Success is still sweet.

Mike

----- Original Message -----
From: "Nick Rogness"
To: "Mike Semcheski"
Sent: Thursday, October 18, 2001 9:05 PM
Subject: Re: ipfw and nat setup

> On Tue, 18 Dec 2001, Mike Semcheski wrote:
>
> [snip]
>
> > Here's my situation: Right now, I have a FreeBSD 4.2 box with two
> > NICs. fxp0 is hooked up via crossover to a Win2k box. tl0 is hooked
> > up (via a long cat-5) to my DSL router. I have a static IP (go
> > Speakeasy!). I am running among other things, ipfw, natd and named.
> > The Win2k's primary DNS is the FreeBSD box. Win2k can resolve names
> > with no problem, and can also ping tl0 with no problem. The FreeBSD
> > box is on the network, and can reach the outside world. The Win2k box
> > can resolve a name but can not access it. To me, either natd is not
> > aliasing this connection correctly or ipfw is blocking its
> > connections. I have tried a lot of different rules for ipfw, I have
> > not put a lot into setting up natd (other than natd_enable="yes"
> > natd_interface="fxp0" and natd_flags="-log -dynamic"). I use
> > firewall_type="open". I have net.inet.ip.fw.verbose=1, and
> > firewall_logging="yes".
>
> In /etc/rc.conf you should have:
>
> gateway_enable="YES"
> firewall_enable="YES"
> firewall_type="OPEN"
> natd_enable="YES"
> natd_interface="tl0"
>
> It looks as if you are running natd on the wrong interface...it should be
> the outside interface tl0, NOT fxp0.
>
>
> Nick Rogness
> - Keep on Routing in a Free World...
> "FreeBSD: The Power to Serve!"