Date: Wed, 19 Sep 2001 14:22:16 -0700 (PDT) From: Dylan Carlson <damage_z@yahoo.com> To: freebsd-questions@freebsd.org Subject: natd issues... Message-ID: <20010919212216.18508.qmail@web10402.mail.yahoo.com>
next in thread | raw e-mail | index | archive | help
Hello,
I'll throw in $20 or so via PayPal for anyone who takes the time to help me
with this. I'm feeling dense today and it's probably something simple. I have
a new box on 4.4-RC3 set to be a simple firewall doing NAT on a /26 netblock.
The kernel has been rebuilt with IPFIREWALL and DIVERT, etc.
* I want it to statically translate everything I have defined in /etc/natd.cf
(see below)
* I want it to hide all other internal addresses out the external interface IP.
Everything to the outside world works from the firewall, but anything inside
the network can't translate out, and I can't get incoming connections in. natd
doesn't report any problems in the logs, or when I run it in verbose mode.
Basically, the one service I want to have open at this point is ssh. The rule
is there, but natd isn’t working.
Configs are below.
TIA,
----- /etc/rc.conf
defaultrouter="65.55.55.65"
hostname="skylab"
ifconfig_fxp0="inet 192.168.100.1 netmask 255.255.255.0"
ifconfig_fxp1="inet 65.55.55.66 netmask 255.255.255.192"
inetd_enable="YES"
kern_securelevel_enable="NO"
linux_enable="YES"
sshd_enable="YES"
gateway_enable="YES"
firewall_enable="YES"
firewall_type="/etc/fw.conf"
natd_enable="YES"
natd_interface="fxp1"
natd_flags="-f /etc/natd.cf"
------- /etc/natd.cf
port 8668
interface fxp1
log yes
log_denied yes
redirect_address 192.168.100.5 65.55.55.67
redirect_address 192.168.100.20 65.55.55.69
redirect_address 192.168.100.21 65.55.55.71
redirect_address 192.168.100.25 65.55.55.73
redirect_address 192.168.100.30 65.55.55.68
redirect_address 192.168.100.35 65.55.55.72
redirect_address 192.168.100.40 65.55.55.74
redirect_address 192.168.100.42 65.55.55.70
------- /etc/fw.conf
fwcmd="/sbin/ipfw"
${fwcmd} -f flush
oif="fxp1"
onet="65.55.55.0"
omask="255.255.255.192"
oip="65.55.55.66"
iif="fxp0"
inet="192.168.100.0"
imask="255.255.255.0"
iip="192.168.100.1"
${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}
${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}
${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}
${fwcmd} add divert natd all from any to any via fxp1
${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}
${fwcmd} add pass tcp from any to any established
${fwcmd} add pass all from any to any frag
${fwcmd} add pass tcp from any to ${oip} 25 setup
${fwcmd} add pass tcp from any to ${oip} 53 setup
${fwcmd} add pass udp from any to ${oip} 53
${fwcmd} add pass udp from ${oip} 53 to any
#${fwcmd} add pass tcp from any to ${oip} 80 setup
# Allow SSH everywhere
${fwcmd} add pass tcp from any to any 22 setup
${fwcmd} add pass tcp from any to any setup
${fwcmd} add pass udp from ${oip} to any 53 keep-state
${fwcmd} add pass udp from ${oip} to any 123 keep-state
${fwcmd} add deny log tcp from any to any in via ${oif} setup
__________________________________________________
Terrorist Attacks on U.S. - How can you help?
Donate cash, emergency relief information
http://dailynews.yahoo.com/fc/US/Emergency_Information/
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010919212216.18508.qmail>