Date:      Fri, 13 Jul 2001 12:28:44 -0700 (PDT)
From:      Matt Dillon <dillon@earth.backplane.com>
To:        Mike Hoskins <mike@adept.org>
Cc:        freebsd-stable@FreeBSD.ORG
Subject:   Re: $diety, I hate natd.
Message-ID:  <200107131928.f6DJSi868492@earth.backplane.com>
References:   <Pine.BSF.4.21.0107122019001.4264-100000@snafu.adept.org>


:
:On Thu, 12 Jul 2001, Matt Dillon wrote:
:
:>     My new 'firewall' manual page has an ipfw example of a natd setup.
:>     It might help.  You need a relatively recent -stable to have the
:>     man page.
:
:I see the page...  Thanks, btw.  However, it still seems fubar.  Like I
:said before, natd's configuration looks simple enough, but packets aren't
:getting through.  If I add an ipfw rule to just allow traffic to the
:outside port (8080), I see incoming packets hitting the rule...  but no
:connection (no real forwarding to the internal ip:port).  If I run a
:sniffer on the outside interface, I see connection attempts to
:8080...  run the same sniffer on the internal interface, nothing.
:
:My first thought was 'duh, the packets have to get to natd somehow so
:redirect_port can actually do something...' but changing the 8080 allow to
:a divert doesn't fix the problem.  So next I figured one piece of the
:conversation was dying...  somewhere...  I.e. inbound's fine but I'm
:fscking something up outbound...  but no denied packets in logs.
:
:It certainly seems like natd's working and ipfw just isn't allowing
:...

    Judicious use of ktrace on the natd process coupled with tcpdump on
    various interfaces might shed some light on your problem.  You should
    at least be able to determine whether natd is getting the packets and
    perhaps even tell where the packets are being crunched.

						-Matt
