Date:      Wed, 31 Jul 2002 22:47:47 -0600
From:      "Grant Cooper" <grant.cooper@nucleus.com>
To:        <lane@joeandlane.com>, <freebsd-questions@freebsd.org>
Subject:   Re: The inscrutable natd redirect_port
Message-ID:  <004f01c23916$9d8fdcb0$2afececd@TCOOPER>
References:  <200208010420.g714KOoB002082@joeandlane.com>

I did some reading yesterday from
http://www.freebsd-howto.com/HOWTO/Ipfw-HOWTO, and if you are missing rule
100 and rule 200 and the firewall defaults to a closed policy, you will see
RPC(3) services break during startup. I was just about to test this scenario
myself because I don't know what it means by "RPC services". If this works,
pop me an e-mail.

${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8


----- Original Message -----
From: <lane@joeandlane.com>
To: <freebsd-questions@freebsd.org>
Sent: Wednesday, July 31, 2002 10:20 PM
Subject: The inscrutable natd redirect_port


> I've got two nearly identical FreeBSD boxes, both running 4.6 STABLE, both
> kernels rebuilt within the last week from the same source and same KERNEL
> config file.
>
> Each machine runs identical rc.conf, except for the hostname.
>
> Each machine has two nics, an rl0 for the internal network and ed0 for the
> external network.  Both machines act as a gateway for a small internal
> network that includes an NT machine and an AS/400 for each.  Each machine
> is in a workspace separated by about 10 miles.
>
> I can telnet or ftp to each of these machines from the other or from any
> machine that they act as a gateway for.
>
> I mean this setup is identical EXCEPT that natd works on one and not on
> the other.
>
> here is the information from rc.conf:
>
>  gateway_enable="YES"
>  firewall_enable="YES"
>  firewall_script="/etc/firewall/fwrules"
>  natd_enable="YES"
>  natd_interface="de0"
>  natd_flags="-config /etc/natd.conf"
>
> and natd.conf:
>
>  interface de0
>  dynamic yes
>  use_sockets yes
>  unregistered_only yes
>  log yes
>  log_denied yes
>  #verbose yes
>  deny_incoming no
>  # send incoming ftp, wins, and mssql to the NT machine
>  redirect_port tcp 192.168.1.2:1433 1433
>  redirect_port udp 192.168.1.2:137 137
>  redirect_port tcp 192.168.1.2:137 137
>  redirect_port tcp 192.168.1.2:23 8023
>  redirect_port tcp 192.168.1.2:21 8021
>
>  # send incoming db2, telnet, and ftp and client access to the AS/400
>  # machine
>  redirect_port tcp 192.168.1.4:23 4023
>  redirect_port tcp 192.168.1.4:21 4021
>  redirect_port tcp 192.168.1.4:423 423
>  redirect_port tcp 192.168.1.4:523 523
>
> and finally the firewall rules:
>
>     fwcmd="/sbin/ipfw"
>     #make the interface into a macro
>     de0="de0"
>     rl0="rl0"
>     $fwcmd -f flush
>
>     $fwcmd add divert natd all from any to any via $de0
>     $fwcmd add pass all from any to any
>
> This setup works fine for one machine.  I am able to ftp, telnet, or send
> db2 or mssql requests to any machine on the network from any machine on
> either network.
>
> HOWEVER ....
>
> None of this works on the other machine.  None of the natd redirects, that
> is.
> Each request, for instance to "telnet remote_host 8023" is met with
>
> telnet: connect to address 172.172.5.1: Connection refused
> telnet: Unable to connect to remote host  (This whether I attempt to
> connect from the local network, from the 172.172.5.1 host, or from any
> remote site)
>
> But "telnet remote_host" and "telnet remote_host 23" work perfectly.
>
> /var/log/alias.log seems to witness the action, but I cannot interpret
> that file to determine where or why 172.172.5.1 is rejecting the incoming
> request.
>
> What steps can I take to track down this failure?
>
> Thanks for reading.
>
> And thanks for your input.
>
> lane holcombe
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
>
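One check worth running when natd redirects work on one box and not on the other is to confirm that rc.conf (natd_interface), natd.conf (interface) and the ipfw divert rule all name the same interface, since natd only ever sees packets the divert rule hands it. The script below is an added example, not code from this thread; it reads constructed copies of the three files (the rules file is assumed to use a literal interface name rather than a shell variable).

```shell
#!/bin/sh
# Added example, not from the thread: cross-check the interface named for
# natd in rc.conf, in natd.conf, and in the ipfw divert rule.

# Interface set by natd_interface="..." in rc.conf (last setting wins).
natd_iface_from_rc() {
    sed -n 's/^[[:space:]]*natd_interface="*\([^"]*\)"*.*/\1/p' "$1" | tail -n 1
}

# Interface named by an "interface ..." directive in natd.conf.
natd_iface_from_conf() {
    awk '$1 == "interface" { iface = $2 } END { print iface }' "$1"
}

# Interface the divert rule is bound to ("... via <iface>"); assumes a
# literal interface name in the rule, not a shell macro like $de0.
divert_iface_from_rules() {
    sed -n '/divert[[:space:]]\{1,\}natd/s/.*via[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | tail -n 1
}

# Prints the three values; returns 0 only when all three agree and none
# is missing, 1 otherwise.
check_natd_iface() {
    rc=$(natd_iface_from_rc "$1")
    nc=$(natd_iface_from_conf "$2")
    dv=$(divert_iface_from_rules "$3")
    printf 'rc.conf=%s natd.conf=%s divert=%s\n' "${rc:-?}" "${nc:-?}" "${dv:-?}"
    [ -n "$rc" ] && [ "$rc" = "$nc" ] && [ "$rc" = "$dv" ]
}

# Constructed sample files: rc.conf and natd.conf say de0 (as in the post),
# while the divert rule is written against the ed0 the poster describes.
tmp=$(mktemp -d)
printf 'natd_enable="YES"\nnatd_interface="de0"\n' > "$tmp/rc.conf"
printf 'interface de0\ndynamic yes\nredirect_port tcp 192.168.1.2:23 8023\n' > "$tmp/natd.conf"
printf '$fwcmd add divert natd all from any to any via ed0\n$fwcmd add pass all from any to any\n' > "$tmp/fwrules"

if check_natd_iface "$tmp/rc.conf" "$tmp/natd.conf" "$tmp/fwrules"; then
    echo "interfaces agree"
else
    echo "interface mismatch: packets diverted on one interface, natd bound to another"
fi
```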

