Date:      Wed, 27 Sep 2000 22:58:32 -0700
From:      "Crist J . Clark" <cjclark@reflexnet.net>
To:        John F Cuzzola <vdrifter@ocis.ocis.net>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: ipfw + natd + Novell
Message-ID:  <20000927225832.E81242@149.211.6.64.reflexcom.com>
In-Reply-To: <Pine.LNX.4.21.0009262042200.11911-100000@ocis.ocis.net>; from vdrifter@ocis.ocis.net on Tue, Sep 26, 2000 at 08:52:08PM -0700
References:  <Pine.LNX.4.21.0009262042200.11911-100000@ocis.ocis.net>

On Tue, Sep 26, 2000 at 08:52:08PM -0700, John F Cuzzola wrote:
> Hello everyone,
> I have a Novell Server that has been moved from a public ip to a private
> one (192.168.0.6). The 192.168.0.xxx segment gets internet access through
> a FreeBSD box using ipfw/natd. The Novell server needs to be accessible
> from the internet from source addresses 142.42.22.xxx. So I tried to set
> up a NAT for it as follows:
> 
> natd -p 7500 -redirect_address 192.168.0.6 0.0.0.0 -a 207.24.168.5
> 
> ipfw add 10 divert 7500 ip from 142.42.22.0/24 to 207.24.168.5
> ipfw add 20 divert 7500 ip from 207.24.168.5 to 142.42.22.0/24
> 
> So 142.42.22.0/24 should be able to get to the novell server using
> 207.24.168.5 as its ip. Using the Windows Client they can connect and see
> the NDS tree but when they try to log in the connection times out. I know
> there are some programs that won't work through NAT (like the ones that
> insist on reporting back the private ip address). I was wondering if
> anyone has had experience logging into a Novell Server with NAT. Can it
> be done?

I might be missing it, but I don't see how traffic returning from
192.168.0.6 is ever NATed back to look like the source is 207.24.168.5
from the client's perspective. That is, that first rule catches
packets like,

  142.42.22.a:2040 -> 207.24.168.5:427

And they get translated to something like,

  142.42.22.a:2040 -> 192.168.0.6:427

But then, I don't see where the responses,

  192.168.0.6:427 -> 142.42.22.a:2040

ever go through NAT again. Shouldn't the second rule be,

s/207.24.168.5/192.168.0.6/

?
-- 
Crist J. Clark                           cjclark@alum.mit.edu
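To see concretely why the reply never gets translated, here is an added Python model of the two rulesets (constructed for this note, not code from the thread or from FreeBSD). It reduces natd to the static address redirection the post configures and ignores natd's per-connection state; the client address 142.42.22.10 is a made-up example.

```python
import ipaddress

# Constructed model of the setup described in the thread.
CLIENT_NET = ipaddress.ip_network("142.42.22.0/24")
PUBLIC_ALIAS = ipaddress.ip_address("207.24.168.5")   # natd -a address
NOVELL_PRIVATE = ipaddress.ip_address("192.168.0.6")  # -redirect_address target

# (rule number, source network, destination network) for each "divert 7500" rule.
ORIGINAL_RULES = [
    (10, CLIENT_NET, ipaddress.ip_network("207.24.168.5/32")),
    (20, ipaddress.ip_network("207.24.168.5/32"), CLIENT_NET),
]
CORRECTED_RULES = [
    (10, CLIENT_NET, ipaddress.ip_network("207.24.168.5/32")),
    (20, ipaddress.ip_network("192.168.0.6/32"), CLIENT_NET),  # s/207.24.168.5/192.168.0.6/
]


def diverted(rules, src, dst):
    """True if some divert rule matches the packet, i.e. it is handed to natd."""
    return any(src in s_net and dst in d_net for _, s_net, d_net in rules)


def natd(src, dst):
    """Simplified static redirection: alias -> private inbound, private -> alias outbound."""
    if dst == PUBLIC_ALIAS:
        return src, NOVELL_PRIVATE
    if src == NOVELL_PRIVATE:
        return PUBLIC_ALIAS, dst
    return src, dst


def forward(rules, src, dst):
    """Addresses on the packet after the firewall: translated only if it was diverted."""
    return natd(src, dst) if diverted(rules, src, dst) else (src, dst)


def reply_source_seen_by_client(rules, client):
    """Source address the client sees on the Novell server's reply packet."""
    client = ipaddress.ip_address(client)
    _, inside_dst = forward(rules, client, PUBLIC_ALIAS)    # client -> server request
    reply_src, _ = forward(rules, inside_dst, client)       # server -> client reply
    return str(reply_src)
```

With the original rule 20 the reply leaves the firewall sourced from the private 192.168.0.6, which the client never sent anything to, so the login times out; with the corrected rule it is rewritten back to 207.24.168.5.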