Date:      Thu, 08 Nov 2001 13:39:41 -0800
From:      Michael Loftis <mike@activemessage.com>
To:        cjclark@alum.mit.edu
Cc:        Michael Loftis <mloftis@wgops.com>, freebsd-net@FreeBSD.ORG
Subject:   Re: natd behaviour.
Message-ID:  <3BEAFB9D.87AB5EA8@activemessage.com>
References:  <3BEA89B3.B88C5048@wgops.com> <20011108123917.F51134@blossom.cjclark.org>



"Crist J. Clark" wrote:

> On Thu, Nov 08, 2001 at 05:33:39AM -0800, Michael Loftis wrote:
> > I'm running natd and I need to change its behaviour slightly.  It seems
> > that if it doesn't find a redirect_address match it'll drop connection
> > requests for that address, so putting it in a simplest-case divert from
> > any to any type of ipfw rule severely breaks things.  What I need it to
> > do is pass those through unmodified.
> >
> > Can I get it to do this or am I going to have to get specific with my
> > ipfw rules?
>
> If I understand what you are saying, it should be doing this
> already. That is, natd(8) passes through anything it does not modify
> untouched. It does not drop (any normal) packets.

Already established sessions transit fine, but new sessions (specifically what
I'm interested in are new sessions to the local machine) to anything other than
the configured redirect_* stanzas get dropped.  ipfw is not the culprit; natd
in verbose mode makes note of the fact that it is dropping these packets.
ipfw is simply set up to redirect any packets going via the external interface
into the natd divert port.  natd has a default setup with the exception that
the dynamic flag is set and it's pointing to the same interface as in ipfw.
The machine running nat has to be able to accept connections on multiple
addresses, so the behavior that is given by target_address is *not* workable as
I need to preserve the normal incoming IP.

Basically the only problem I'm having is with setup (SYN set apparently)
packets sent through natd; if they don't match up with a redirect rule they
get silently dropped.

Don't say that's not its behavior, because that is precisely what it is doing.

My natd config is as follows:

unregistered_only
same_ports
dynamic
interface vlan5

redirect_address 192.168.0.2 64.71.178.211

The only active ipfw rule is as follows:
add divert natd all from any to any via vlan5

Topology is simple, external on vlan5 interface (physically fxp0) and internal
on vlan0 interface (physically fxp1) -- traffic transits fine, the upstream
switch fully supports vlans via 802.1Q and I have not yet identified any
problems there (traffic passes to and from the host and interfaces just as
configured).  So the vlan ifaces are acting just like a normal ethernet dev.
It's natd that's being funkified.

> But if you are still having problems, you will need to be more
> specific about your natd(8) configuration, your ipfw(8) rules, your
> network topology, and what exactly is not working.
> --
> Crist J. Clark                     |     cjclark@alum.mit.edu
>                                    |     cjclark@jhu.edu
> http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
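The thread leaves open the "get specific with my ipfw rules" route: instead of a single divert-everything rule, exempt traffic to and from the NAT host's own public addresses before it ever reaches natd, so the host keeps accepting connections on all of its addresses while only the remaining traffic is translated. The script below is an added example, not code from the thread or from the FreeBSD natd/ipfw sources; it assumes rule numbers 100/200/300, a `skipto 300` target where the real filtering policy continues, that the host's public addresses are known, and it uses constructed 192.0.2.x sample addresses rather than the poster's real numbering.

```shell
#!/bin/sh
# Added example (not from the thread): generate an ipfw ruleset in which
# packets to or from the NAT host's own public addresses bypass the natd
# divert, and only the rest of the traffic on the external interface is
# diverted. Rule numbers and the skipto target are assumptions.

# gen_ipfw_rules IFACE ADDR...
# Prints one "add ..." rule per line, suitable for `ipfw -q add ...` or for
# feeding to `ipfw /path/to/rulefile`.
gen_ipfw_rules() {
    iface=$1; shift
    n=100
    for addr in "$@"; do
        # Inbound packets for a local public address skip past the divert...
        printf 'add %d skipto 300 ip from any to %s in via %s\n' "$n" "$addr" "$iface"
        n=$((n + 1))
        # ...and so do the replies leaving from that address, so natd never
        # sees either direction of those sessions.
        printf 'add %d skipto 300 ip from %s to any out via %s\n' "$n" "$addr" "$iface"
        n=$((n + 1))
    done
    # Everything else crossing the external interface goes through natd,
    # as in the poster's single rule, but now only for traffic that is
    # actually a candidate for translation.
    printf 'add 200 divert natd ip from any to any via %s\n' "$iface"
    # Rule 300 is the skipto target; in a real deployment the remaining
    # filtering policy starts here. A plain allow is used as a placeholder.
    printf 'add 300 allow ip from any to any\n'
}

# Convenience helper: number of rules emitted (2 per address + 2).
count_rules() { gen_ipfw_rules "$@" | wc -l | tr -d ' '; }

# Demo with constructed sample addresses (not from the thread).
gen_ipfw_rules vlan5 192.0.2.10 192.0.2.11
```

Order matters: the skipto rules must carry lower numbers than the divert rule, because ipfw evaluates rules in ascending order and natd only sees what the divert rule matches. If the rule numbering were inverted, every packet would still be handed to natd first and the exemption would have no effect.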

