Date:      Mon, 24 Jan 2000 17:10:07 +0200
From:      Michael Bartlett <cataract@eye2eye.net>
To:        "'cjclark@home.com'" <cjclark@home.com>
Cc:        "'questions@freebsd.org'" <questions@FreeBSD.ORG>
Subject:   RE: FW: internet gateway setup using NATD
Message-ID:  <F16C1C3F6AB8D311998F00C0DF266AE7E22B@OPTIC>


Crist,

Thanks for your response; maybe you could clear a couple of things up for me
here...
[eyeland] # ipfw list
01000 allow ip from any to any via lo0
01100 deny ip from 127.0.0.0/8 to 127.0.0.0/8
01500 divert 8668 ip from any to any via rl0
65000 allow ip from any to any
65535 deny ip from any to any

I was under the impression that the # of the firewall rule is the order in
which the rule is implemented (01000 will happen before 01100). If this is
the case, do rules 65000 and 65535 not conflict with each other? I cannot for
the life of me find what is instigating rule 65535 on my box, nor can I delete
it:

[eyeland] # ipfw delete 65535
ipfw: rule 65535: setsockopt(IP_FW_DEL): Invalid argument

> On one of my other boxes I run this script in /usr/local/etc/rc.d
> 
> /sbin/natd -n fxp0 -redirect_port tcp 196.38.133.194:110 196.38.133.198:80
> /sbin/ipfw add divert natd all from any to any via fxp0

I have been previously told that it is "bad practice" to execute stuff like
this in rc.d - but that has never been justified properly to me (I was told
it's not "pure"). Now in the above-mentioned example this is my ipfw list:

[messenger] # ipfw list
00100 divert 8668 ip from any to any via fxp0
65535 allow ip from any to any

The difference between the two boxes is that the [messenger] box does not
act as a gateway whereas the [eyeland] box does. We can see that the
firewall rules are slightly different but otherwise I can't see anything
glaringly obvious that is making this thing not work.

And yes...

>However, even if we assume
>they are now OK, we can't say if there is a problem with natd. If you
>call 196.31.83.226 directly on port 25, do you actually get to talk to
>sendmail (or whatever MTA is supposed to be listening)? natd could be
>working and we would not know it.

Exim runs on port 25 and I'm not THAT dumb ;)

Any clarity/advice/money will be greatly appreciated!

Cheers

Mike

-----Original Message-----
From: owner-freebsd-questions@FreeBSD.ORG
[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Crist J. Clark
Sent: Sunday, January 23, 2000 5:50 AM
To: Michael Bartlett
Cc: 'questions@freebsd.org'
Subject: Re: FW: internet gateway setup using NATD


On Sat, Jan 22, 2000 at 03:05:31PM +0200, Michael Bartlett wrote:
> Thought I'd throw this @ the list as well...
> 
> -----Original Message-----
> From: Michael Bartlett 
> Sent: Saturday, January 22, 2000 2:56 PM
> To: 'Burke Gallagher'
> Subject: RE: internet gateway setup using NATD
> 
> 
> Hey Burke,
> 
> Sorry to bug you again, but I'm having another problem and it could be
> related to what you told me to do and could also prove interesting...
> 
> On one of my other boxes I run this script in /usr/local/etc/rc.d
> 
> /sbin/natd -n fxp0 -redirect_port tcp 196.38.133.194:110 196.38.133.198:80
> /sbin/ipfw add divert natd all from any to any via fxp0
> 
> If you are confused, the reason is that we needed to get around a firewall
> problem (one of our consultants' other company closed 110 access on their
> firewall - this way he can pick up his mail from us with port 80!! ;) ).
> 
> Anyway,
> 
> I tried the identical thing on my box with your settings and take a
> look...
> 
> [eyeland] # /sbin/natd -n rl0 -redirect_port tcp 196.31.83.226:25
> 196.31.83.227:80
> [eyeland] # telnet 196.31.83.227 80
> Trying 196.31.83.227...
> telnet: Unable to connect to remote host: Connection refused
> 
> Now the .227 ip is an alias on rl0, so it should just be passed along the
> same NIC and have no problems. I also tried the destination being on rl1
> (192.168.62.150:25) which is an smtp server on my local network and that
> didn't work either.
> 
> Any thoughts?

Yes. First, don't start NATd from /usr/local/etc/rc.d. That is pretty
much dead last in the startup process and could prevent lotsa stuff
from being started properly in the earlier steps since the networking
won't work. It also means that your divert to natd in the firewall is
the last rule. Most likely, that will mess things up too (especially
if you have a 'pass ip any to any' before it).

In your second problem, it's really hard to say what is going on. Your
firewall rules (with the divert) are suspect for the above reasons, so
I would not be surprised if nothing works. However, even if we assume
they are now OK, we can't say if there is a problem with natd. If you
call 196.31.83.226 directly on port 25, do you actually get to talk to
sendmail (or whatever MTA is supposed to be listening)? natd could be
working and we would not know it.
-- 
Crist J. Clark                           cjclark@home.com


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
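Crist's ordering point (a divert rule numbered after a pass-everything rule never sees a packet) can be checked mechanically against `ipfw list` output. This is an added shell example, not code from the thread or from FreeBSD; it assumes the plain `ipfw list` format shown on the two boxes above and constructs its sample rule sets inline.

```shell
#!/bin/sh
# divert_order_status: read "ipfw list" output on stdin and print one word:
#   ok        - every divert rule is numbered below the first catch-all allow
#   shadowed  - a divert sits above a catch-all allow, so NAT never runs
#   no-divert - there is no divert rule at all
divert_order_status() {
    awk '
        # An allow with no interface/direction qualifier matches everything;
        # remember the lowest-numbered one (ipfw evaluates in ascending order).
        NF == 7 && $2 == "allow" && $3 == "ip" && $4 == "from" &&
        $5 == "any" && $6 == "to" && $7 == "any" {
            if (catchall == 0) catchall = $1 + 0
        }
        # A divert numbered above the catch-all is unreachable.
        $2 == "divert" {
            seen = 1
            if (catchall > 0 && $1 + 0 > catchall) shadowed = 1
        }
        END {
            if (!seen) print "no-divert"
            else if (shadowed) print "shadowed"
            else print "ok"
        }'
}

# Constructed samples: the two rule sets pasted in the thread, plus a third
# showing a divert appended late (e.g. from rc.d) after a pass-everything rule.
EYELAND_RULES='01000 allow ip from any to any via lo0
01100 deny ip from 127.0.0.0/8 to 127.0.0.0/8
01500 divert 8668 ip from any to any via rl0
65000 allow ip from any to any
65535 deny ip from any to any'
MESSENGER_RULES='00100 divert 8668 ip from any to any via fxp0
65535 allow ip from any to any'
LATE_DIVERT_RULES='00100 allow ip from any to any
65000 divert 8668 ip from any to any via fxp0
65535 deny ip from any to any'

for rules in "$EYELAND_RULES" "$MESSENGER_RULES" "$LATE_DIVERT_RULES"; do
    printf '%s\n' "$rules" | divert_order_status
done
# On a live box: ipfw list | divert_order_status
```

Rule 65535 is ipfw's built-in default rule, which is why `ipfw delete 65535` is rejected; whether it reads allow or deny is fixed when the kernel is built (the IPFIREWALL_DEFAULT_TO_ACCEPT option), not by any rule added at runtime.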
