Date:      Wed, 25 Jul 2001 08:44:04 +0100
From:      mikescott@clara.net
To:        freebsd-questions@FreeBSD.ORG
Subject:   problems mixing ipfw, nat and ppp
Message-ID:  <3B5E86D4.3499.73FB5A@localhost>

I think I must be missing something incredibly obvious on this one --
 if anyone can spot it, I'd be very grateful!

It looks to me as though natd's address translation is inconsistent 
between inbound and outbound traffic, causing problems with 
dynamic rules in the firewall.

I'm using FreeBSD 4.3-stable as a dial-up gateway machine for a 
small lan with some windows machines on it.  The machine runs 
ppp (user mode), plus natd and ipfw.  (I know I could use ppp's 
internal nat code; but I've half an eye on moving to cable modem 
and would like to get the firewall sorted now, also I want to learn 
about this anyway.)  natd is running with switches -dynamic and -t 
192.168.0.254.  ppp is running with just -auto, and its config file 
doesn't enable aliasing.

The gateway machine has local address 192.168.0.1, external 
address variable of course, but of the form 213.x.x.x.  For testing 
purposes, from windows m/c 192.168.0.2, I run "telnet 195.8.69.79 
119", and wait for the news-server response.

With the following ipfw config fragment, culled from various sources,

# divert packets through the tunnel interface
$fwcmd add divert natd all from any to any via tun0
...
# allow anything I start up (THIS FAILS!)
# allow connections to continue once made
$fwcmd add check-state
$fwcmd add deny log tcp from any to any established
$fwcmd add allow log tcp from any to any out via tun0 setup keep-state

I get the following typical failures happening (please excuse 
awkward line-wrapping)

data# ipfw zero
Accounting cleared.

(Check counts are indeed zero, no dynamic rules in place.  Then 
try telnet session)

data# ipfw show
00100  15    882 divert 8668 ip from any to any via tun0
00200   0      0 allow ip from any to any via lo0
00300 405 102963 allow ip from any to any via ed0
00400   0      0 unreach port log logamount 100 tcp from any to any 113 in recv tun0
00500   0      0 check-state
00600   8    344 deny log logamount 100 tcp from any to any established
00700   4    192 allow log logamount 100 tcp from any to any keep-state out xmit tun0 setup
00800   1    210 allow udp from any 53 to any in recv tun0
00900   1     60 allow udp from any to any 53 out xmit tun0
01000   1     76 allow udp from any 123 to any 123 via tun0
65435   0      0 allow icmp from any to any
65435   0      0 deny log logamount 100 ip from any to any
65535   0      0 deny ip from any to any
## Dynamic rules:
00700 3 144 (T 5, # 86) ty 0 tcp, 213.104.70.121 1041 <-> 195.8.69.73 119

(Note that dynamic rule shows the external IP address, where I 
would have expected the internal address).  The security log 
contains:

Jul 25 08:26:00 data /kernel: ipfw: Accounting cleared.

Jul 25 08:26:39 data /kernel: ipfw: 700 Accept TCP 213.104.70.121:1041 195.8.69.73:119 out via tun0
(Note the external address, 213.104.70.121)

Jul 25 08:26:39 data /kernel: ipfw: 600 Deny TCP 195.8.69.73:119 192.168.0.2:1041 in via tun0
(Note the internal address, 192.168.0.2)

Jul 25 08:26:39 data /kernel: ipfw: 700 Accept TCP 213.104.70.121:1041 195.8.69.73:119 out via tun0

Jul 25 08:26:39 data /kernel: ipfw: 600 Deny TCP 195.8.69.73:119 192.168.0.2:1041 in via tun0
(and so on...)

The connection of course hangs.  It looks as though the firewall 
takes note of the natted address for inbound traffic, but the dial-up 
address outbound, so the dynamic rule won't work.

I hope I'm missing something obvious, and would be very grateful 
for any pointers.  Thanks in advance!

--
various incoming sites blocked because of spam:
see www.mikescott.clara.net for a list

mikescott@clara.net           Mike Scott 
aka mikeascott@ntlworld.com   Harlow Essex England
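As an added example, not the poster's configuration and not a reply from the thread: a ruleset layout in the same $fwcmd style where inbound translation happens before check-state and outbound translation after the keep-state rule, so the dynamic rule and the inbound check are both keyed on the private 192.168.0.x address. It assumes FreeBSD 4.x ipfw1 behaviour (a packet re-injected by natd resumes at the rule after the divert, and a check-state match applies the parent rule's action, here skipto), the interface names from the post, and a LAN prefix of 192.168.0.0/24; it only prints the commands unless FWCMD=/sbin/ipfw is set.

```shell
#!/bin/sh
# Added example (not the poster's ruleset): ipfw/natd ordering in which the
# keep-state rule and the check-state rule see the SAME side of the
# translation, the private LAN address. Assumption: ipfw1 on FreeBSD 4.x,
# where a natd-reinjected packet resumes at the rule after the divert, and
# the skipto-to-divert pattern. Dry run by default; FWCMD=/sbin/ipfw loads.
fwcmd="${FWCMD:-echo /sbin/ipfw}"
oif=tun0            # dial-up interface, as in the post
iif=ed0             # LAN interface, as in the post
lan=192.168.0.0/24  # assumed LAN prefix

load_rules() {
    $fwcmd -f flush
    # 1. Inbound packets are translated FIRST, so everything below
    #    (including check-state) sees 192.168.0.x, never the dial-up address.
    $fwcmd add 100 divert natd ip from any to any in via "$oif"
    $fwcmd add 200 allow ip from any to any via lo0
    $fwcmd add 300 allow ip from any to any via "$iif"
    # 2. The stateful section runs BEFORE outbound translation, so the
    #    dynamic rule is keyed on 192.168.0.x too. A check-state match takes
    #    the parent rule's action, so inbound replies also reach 900/910.
    $fwcmd add 500 check-state
    $fwcmd add 600 deny log tcp from any to any established
    # skipto instead of allow: an accepted outbound packet must still reach
    # the outbound divert below, otherwise it leaves untranslated.
    $fwcmd add 700 skipto 900 tcp from "$lan" to any out via "$oif" setup keep-state
    # 3. Outbound translation happens LAST, after the dynamic rule exists.
    $fwcmd add 900 divert natd ip from any to any out via "$oif"
    $fwcmd add 910 allow ip from any to any
    $fwcmd add 65000 deny log ip from any to any
}

# Print the output line positions of the four ordering-critical rules so the
# invariant "divert in < check-state < skipto < divert out" can be checked
# before anything is loaded.
rule_positions() {
    load_rules | awk '/divert natd ip from any to any in/  {i=NR}
                      /check-state/                        {c=NR}
                      /skipto 900/                         {s=NR}
                      /divert natd ip from any to any out/ {o=NR}
                      END {print i, c, s, o}'
}
```

Run `sh thisfile.sh` first to review the printed commands; the order reported by rule_positions is what keeps the dynamic rule's addresses consistent with what check-state later sees.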
