Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 25 Mar 2003 11:20:08 +0200
From:      Ruslan Ermilov <ru@FreeBSD.ORG>
To:        Scot <>
Cc:        FreeBSD Stable <stable@FreeBSD.ORG>, ipfw@FreeBSD.ORG
Subject:   Re: Natd stops working on Firewall
Message-ID:  <>
In-Reply-To: <>
References:  <>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help

Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Mon, Mar 24, 2003 at 09:52:32PM -0500, Scot wrote:
> Hi;=20
> Just setup my FreeBSD 4.7 Firewall using the docs=20
> outlined in the handbook.
What docs you have used to set up the firewall?

> The install went on and=20
> everything seems to be working fine then boom.=20
> The system seems to stop routing traffic. No=20
> messages in the security log or natd log as to why.=20
> I made sure it was logging by nmaping my box from the=20
> outside. I even ran natd in the foreground and it still didn't=20
> tell me what was going on.=20
> There is nothing in any logfile that tells me why this thing=20
> just stops working so I'm thinking it may not be a daemon but
> something in the kernel.=20
> I cannot ping the interface from the internal network but tcpdump shows=
> the packets being received. (Hub network firewall_type=3DSIMPLE ).
> =20
> If I logon to the console the cable modem connection is still functioning=
> and I can surf from the firewall.=20
> Any ideas on where to look next ??=20
> Cable modem using dhcp -> 192.168 home network on=20
> PPro w/280 MB ram.=20
> Intel Pro 10/100b/100+ Ethernet This card is a PCI card with 2 interfaces=
> Standard Xuser install + Kernel sources.=20
I've been through this just recently.  Our "simple" prototype
is not production ready; if you just tune oip/iip/onet/inet,
etc., it won't allow your internal machines to talk outside.

The packet flow for a machine in ${inet}:${imask} talking outside
is as follows:

${inet}:${imask} -> some_host (in  via ${iif})
${oip}           -> some_host (out via ${oif}) (after NAT)
some_host -> ${inet}:${imask} (in  via ${oif}) (after de-NAT)
some_host -> ${inet}:${imask} (out via ${iif})

(This assumes that you NAT using ${oip}, which is not always
the case.)

So, to make it work (if default is to "deny"), you need to add
the following rules at the end of the ruleset:

${fwcmd} add pass all from ${inet}:${imask} to any in via ${iif}
${fwcmd} add pass ip from ${oip} to any out via ${oif}
${fwcmd} add pass ip from any to ${inet}:${imask}

Ruslan Ermilov		Sysadmin and DBA,		Sunbay Software AG,		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine	The Power To Serve	Enabling The Information Age

Content-Type: application/pgp-signature
Content-Disposition: inline

Version: GnuPG v1.2.1 (FreeBSD)



To Unsubscribe: send mail to
with "unsubscribe freebsd-ipfw" in the body of the message

Want to link to this message? Use this URL: <>