Date: Tue, 25 Sep 2001 18:33:17 -0500 (CDT)
From: Bradley Oedithipus <bradley@lightstep.org>
To: Nick Rogness <nick@rogness.net>
Cc: <freebsd-questions@FreeBSD.ORG>
Subject: Re: natd/ipfw/sshd problem.
Message-ID: <Pine.BSF.4.32.0109251830230.2320-100000@lightstep.org>
In-Reply-To: <Pine.BSF.4.21.0109251801110.43016-100000@cody.jharris.com>
> On Tue, 25 Sep 2001, Bradley Oedithipus wrote:
>
> > First of all, I run natd for my subnet, ipfw which restricts access to
> > various ports, and sshd on port 22.
> >
> > Okay, on with the evidence.
> >
> > First of all, my firewall sets up the divert rule to coincide with
> > natd to divert packets. Here is the rule (quite standard for natd use):
> > 00050 divert 8668 ip from any to any via ed0 (ed0 being my external NIC)
> >
> > Now, when rule 50 is in effect, you cannot connect to my server via
> > ssh from outside my network, but you CAN connect via ssh from the
> > local server and the subnet. When I delete rule 50 (ipfw delete 50),
> > ssh is available from inside the network, and from the internet.
> >
> > I have pinned it down to this rule, by flushing ALL rules (since my
> > default is deny, I add allow ip from any to any) and then trying, and
> > it works. Then I add the divert rule, and it doesn't work.
>
> Your firewall is blocking you...or you are redirecting ports
> incorrectly.
>
> What does `ipfw -a l` show?
>
> What options do you have to natd?
>
> Is natd even running? Can you get to the outside (surf, ftp,
> ping) from the inside?
>
> Nick Rogness <nick@rogness.net>
> - Keep on Routing in a Free World...
> "FreeBSD: The Power to Serve!"

lightstep:~ # ipfw -a l
00050  1933   595146 divert 8668 ip from any to any via ed0
00100 19894   995402 allow ip from any to any via lo0
00200     0        0 deny ip from any to 127.0.0.0/8
00250   108     6213 allow tcp from 10.0.0.0/8 to 66.100.232.202 143
00300    23     1260 unreach host tcp from any to 66.100.232.202 143
00500    17      972 unreach host tcp from any to 66.100.232.202 139
65000 40851  7434737 allow ip from any to any
65535    27     1801 deny ip from any to any
lightstep:~ #

I have no options passed to natd.

Yes, natd is running.
Yes, I can access everything from the inside to the outside regardless of the ipfw rules (must be open tho). BUT, in order to access the outside from the subnet (not the server), the divert rule shown above MUST be in place exactly as it is.

That is why I don't think that I am blocking ports. If I was blocking port 22, nmap (from a remote machine) would at least show that port 22 was being filtered. But it doesn't, it doesn't show it at all.
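The following is an added example, not code from the thread: a small Python model of ipfw's first-match evaluation run over the exact ruleset Bradley posted. It shows that every packet entering on ed0 is handed to rule 50 before any allow or deny rule is considered, whereas the same connection from the LAN arrives on the inside NIC (ed1 is an assumed interface name) and never touches the divert rule; the start_after parameter models natd handing a packet back, after which ipfw continues at the rule following the divert rule, as natd(8) describes.

```python
import ipaddress

# Ruleset copied from the `ipfw -a l` output in the post, with the counters dropped.
RULESET = """\
00050 divert 8668 ip from any to any via ed0
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00250 allow tcp from 10.0.0.0/8 to 66.100.232.202 143
00300 unreach host tcp from any to 66.100.232.202 143
00500 unreach host tcp from any to 66.100.232.202 139
65000 allow ip from any to any
65535 deny ip from any to any
"""
ONE_ARG_ACTIONS = {"divert", "unreach"}  # actions followed by one argument (port / icmp code)


def parse_rules(text):
    """Parse the ipfw subset used above: <num> <action> <proto> from <src> to <dst> [port] [via <if>]."""
    rules = []
    for line in text.splitlines():
        toks = line.split()
        if not toks:
            continue
        nargs = 1 if toks[1] in ONE_ARG_ACTIONS else 0
        body = toks[2 + nargs:]  # proto from <src> to <dst> [port] [via <iface>]; no source ports here
        i_to = body.index("to")
        i_via = body.index("via") if "via" in body else len(body)
        dst = body[i_to + 1:i_via]
        rules.append({"num": int(toks[0]), "verdict": " ".join(toks[1:2 + nargs]),
                      "proto": body[0], "src": body[2], "dst": dst[0],
                      "dport": int(dst[1]) if len(dst) > 1 else None,
                      "via": body[i_via + 1] if i_via < len(body) else None})
    return rules


def addr_match(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def first_match(rules, proto, src, dst, dport, iface, start_after=0):
    """First rule ipfw applies, scanning in ascending rule number. start_after models natd
    reinjection: after a divert, checking resumes at the rule following the divert rule."""
    for r in rules:
        if r["num"] <= start_after or r["proto"] not in ("ip", proto):
            continue
        if (r["via"] and r["via"] != iface) or r["dport"] not in (None, dport):
            continue
        if addr_match(r["src"], src) and addr_match(r["dst"], dst):
            return r
    return None
```

Walking an inbound port-22 packet through first_match with iface "ed0" lands on rule 50 (divert 8668), while the same packet on the inside NIC falls through to 65000 (allow); only after start_after=50 do the port-specific rules 250/300/500 ever get a chance to match traffic from ed0.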