Date:      Tue, 25 Mar 2003 11:20:08 +0200
From:      Ruslan Ermilov <ru@FreeBSD.ORG>
To:        Scot <scotrn@cox.net>
Cc:        FreeBSD Stable <stable@FreeBSD.ORG>, ipfw@FreeBSD.ORG
Subject:   Re: Natd stops working on Firewall
Message-ID:  <20030325092007.GB73657@sunbay.com>
In-Reply-To: <PAEEIJCHPFHEDADDGJFLEEHJDNAA.scotrn@cox.net>
References:  <PAEEIJCHPFHEDADDGJFLEEHJDNAA.scotrn@cox.net>


On Mon, Mar 24, 2003 at 09:52:32PM -0500, Scot wrote:
> Hi;
>
> Just set up my FreeBSD 4.7 Firewall using the docs
> outlined in the handbook.
>
What docs have you used to set up the firewall?

> The install went on and
> everything seems to be working fine, then boom.
> The system seems to stop routing traffic. No
> messages in the security log or natd log as to why.
>
> I made sure it was logging by nmapping my box from the
> outside. I even ran natd in the foreground and it still didn't
> tell me what was going on.
>
> There is nothing in any logfile that tells me why this thing
> just stops working, so I'm thinking it may not be a daemon but
> something in the kernel.
>
> I cannot ping the interface from the internal network, but tcpdump shows
> the packets being received. (Hub network, firewall_type=SIMPLE.)
>
> If I log on to the console the cable modem connection is still functioning
> and I can surf from the firewall.
>
> Any ideas on where to look next??
>
>
> Cable modem using dhcp -> 192.168 home network on
> PPro w/280 MB ram.
> Intel Pro 10/100b/100+ Ethernet. This card is a PCI card with 2 interfaces.
> Standard Xuser install + Kernel sources.
>
I've been through this just recently.  Our "simple" prototype
is not production ready; if you just tune oip/iip/onet/inet,
etc., it won't allow your internal machines to talk outside.

The packet flow for a machine in ${inet}:${imask} talking outside
is as follows:

${inet}:${imask} -> some_host (in  via ${iif})
${oip}           -> some_host (out via ${oif}) (after NAT)
some_host -> ${inet}:${imask} (in  via ${oif}) (after de-NAT)
some_host -> ${inet}:${imask} (out via ${iif})

(This assumes that you NAT using ${oip}, which is not always
the case.)

So, to make it work (if default is to "deny"), you need to add
the following rules at the end of the ruleset:

${fwcmd} add pass all from ${inet}:${imask} to any in via ${iif}
${fwcmd} add pass ip from ${oip} to any out via ${oif}
${fwcmd} add pass ip from any to ${inet}:${imask}


Cheers,
-- 
Ruslan Ermilov		Sysadmin and DBA,
ru@sunbay.com		Sunbay Software AG,
ru@FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine

http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age
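The reply above describes the packet flow through a two-interface ipfw/natd gateway and the three rules that a "deny by default" ruleset needs at the end. The script below is an added example, not code from the thread or from FreeBSD's rc.firewall, that puts those rules into a complete minimal ruleset in the style of the 4.x "simple" type: loopback, anti-spoofing, the natd divert rule on the outside interface, an `established` shortcut, and then the three rules from the reply. The interface names (fxp0/fxp1), the addresses, and the rule numbers are assumptions for illustration. The function takes the firewall command as an argument so the ruleset can be printed with `echo ipfw` before it is loaded with the real `ipfw`.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal ipfw + natd ruleset for a
# FreeBSD 4.x gateway with one outside and one inside interface. All
# interface names and addresses below are assumptions for illustration.

oif="fxp0"                  # outside interface (cable modem, DHCP)
oip="203.0.113.10"          # assumed outside address; the address natd translates to
iif="fxp1"                  # inside interface
iip="192.168.1.1"           # gateway's inside address
inet="192.168.1.0"          # inside network
imask="255.255.255.0"       # inside netmask (ipfw "addr:mask" form, as in the reply)
natd_port="8668"            # natd's default divert port

# Load (or print) the ruleset. Pass "ipfw" to load it for real, or
# "echo ipfw" to print the commands. $1 is deliberately left unquoted so
# "echo ipfw" splits into the command and its first argument.
fw_ruleset() {
    fwcmd="$1"
    ${fwcmd} -f flush
    # Loopback traffic is always fine; nothing else may use 127/8.
    ${fwcmd} add 100 pass all from any to any via lo0
    ${fwcmd} add 200 deny all from any to 127.0.0.0/8
    # Anti-spoofing: inside addresses never arrive on the outside wire.
    ${fwcmd} add 300 deny all from ${inet}:${imask} to any in via ${oif}
    # Everything crossing the outside interface goes through natd.
    # Packets natd re-injects resume matching at the rule after this one.
    ${fwcmd} add 400 divert ${natd_port} all from any to any via ${oif}
    # Established TCP flows pass without further checks.
    ${fwcmd} add 500 pass tcp from any to any established
    # The three rules from the reply, one per hop of the packet flow:
    #   inside host -> anywhere, entering on the inside interface
    ${fwcmd} add 600 pass all from ${inet}:${imask} to any in via ${iif}
    #   the same packet after NAT, leaving with the outside address
    ${fwcmd} add 700 pass ip from ${oip} to any out via ${oif}
    #   replies after de-NAT (in via oif) and on their way out via iif
    ${fwcmd} add 800 pass ip from any to ${inet}:${imask}
    # Default deny, logged, so a silent drop like the one reported shows up.
    ${fwcmd} add 65000 deny log all from any to any
}

# Self-check helpers: count divert rules and show the generated ruleset.
count_divert() {
    fw_ruleset "echo ipfw" | grep -c "divert ${natd_port}"
}

rule_text() {
    # Print the ipfw rule with the given number, without the leading "ipfw add N".
    fw_ruleset "echo ipfw" | sed -n "s/^ipfw add $1 //p"
}

fw_ruleset "echo ipfw"
```

For this to carry traffic the kernel needs `options IPFIREWALL` and `options IPDIVERT`, forwarding has to be on (`sysctl net.inet.ip.forwarding=1`), and natd must be listening on the divert port for the outside interface (`natd -interface fxp0`, with the interface name substituted for the assumed one). Rule 400 must sit before the `pass` rules, otherwise outbound packets are passed with their private source address and never reach natd, which is the failure mode the reply describes.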

