From: Ruslan Ermilov <ru@FreeBSD.org>
To: Scot
Cc: FreeBSD Stable, ipfw@FreeBSD.ORG
Subject: Re: Natd stops working on Firewall
Date: Tue, 25 Mar 2003 11:20:08 +0200
Message-ID: <20030325092007.GB73657@sunbay.com>

On Mon, Mar 24, 2003 at 09:52:32PM -0500, Scot wrote:
> Hi;
>
> Just setup my FreeBSD 4.7 Firewall using the docs
> outlined in the handbook.
>
What docs have you used to set up the firewall?

> The install went on and
> everything seems to be working fine then boom.
> The system seems to stop routing traffic. No
> messages in the security log or natd log as to why.
>
> I made sure it was logging by nmaping my box from the
> outside. I even ran natd in the foreground and it still didn't
> tell me what was going on.
>
> There is nothing in any logfile that tells me why this thing
> just stops working so I'm thinking it may not be a daemon but
> something in the kernel.
>
> I cannot ping the interface from the internal network but tcpdump shows
> the packets being received. (Hub network firewall_type=SIMPLE ).
>
> If I logon to the console the cable modem connection is still functioning
> and I can surf from the firewall.
>
> Any ideas on where to look next ??
>
>
> Cable modem using dhcp -> 192.168 home network on
> PPro w/280 MB ram.
> Intel Pro 10/100b/100+ Ethernet This card is a PCI card with 2 interfaces.
> Standard Xuser install + Kernel sources.
>
I've been through this just recently. Our "simple" prototype is not
production ready; if you just tune oip/iip/onet/inet, etc., it won't
allow your internal machines to talk outside.

The packet flow for a machine in ${inet}:${imask} talking outside is
as follows:

${inet}:${imask} -> some_host          (in via ${iif})
${oip} -> some_host                    (out via ${oif})   (after NAT)
some_host -> ${inet}:${imask}          (in via ${oif})    (after de-NAT)
some_host -> ${inet}:${imask}          (out via ${iif})

(This assumes that you NAT using ${oip}, which is not always the case.)

So, to make it work (if default is to "deny"), you need to add the
following rules at the end of the ruleset:

${fwcmd} add pass all from ${inet}:${imask} to any in via ${iif}
${fwcmd} add pass ip from ${oip} to any out via ${oif}
${fwcmd} add pass ip from any to ${inet}:${imask}

Cheers,
--
Ruslan Ermilov		Sysadmin and DBA,
ru@sunbay.com		Sunbay Software AG,
ru@FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine

http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age
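The four-pass packet flow and the three rules above can be checked without a FreeBSD box. The following is an added example, not code from the thread or from rc.firewall: it parses the subset of ipfw rule syntax used in the reply (action, protocol, `from`/`to`, optional `in`/`out`, optional `via`), substitutes constructed values for `${iif}`, `${oif}`, `${inet}`, `${imask}` and `${oip}` (all assumed, as are the LAN client and outside host addresses), models natd's NAT/de-NAT as the address rewrite between passes, and evaluates each pass against the ruleset with ipfw's first-match, default-deny semantics. It shows that with no rules every pass hits the implicit deny, and that with the three rules added pass 1 is covered by the first rule, pass 2 by the second, and passes 3 and 4 both by the third (which has no direction or `via` qualifier).

```python
import ipaddress

# Constructed stand-ins for the rc.firewall variables (assumed values, not from the thread).
FW = {
    "iif": "fxp1",                 # inside interface
    "oif": "fxp0",                 # outside interface
    "inet": "192.168.1.0",
    "imask": "255.255.255.0",
    "oip": "203.0.113.10",         # address natd translates inside hosts to
}
INSIDE_HOST = "192.168.1.20"       # constructed LAN client
SOME_HOST = "198.51.100.7"         # constructed outside host

# The three rules from the reply, minus the "${fwcmd} add" prefix.
ADDED_RULES = [
    "pass all from ${inet}:${imask} to any in via ${iif}",
    "pass ip from ${oip} to any out via ${oif}",
    "pass ip from any to ${inet}:${imask}",
]


def expand(text, fw=FW):
    """Substitute ${var} the way the shell does when rc.firewall runs."""
    for name, value in fw.items():
        text = text.replace("${%s}" % name, value)
    return text


def parse_rule(text):
    """Parse: <action> <proto> from <src> to <dst> [in|out] [via <iface>]."""
    tok = text.split()
    if tok[2] != "from" or tok[4] != "to":
        raise ValueError("unsupported rule syntax: %r" % text)
    rule = {"text": text, "action": tok[0], "proto": tok[1],
            "src": tok[3], "dst": tok[5], "direction": None, "via": None}
    rest = tok[6:]
    i = 0
    while i < len(rest):
        if rest[i] in ("in", "out"):
            rule["direction"] = rest[i]
            i += 1
        elif rest[i] == "via":
            rule["via"] = rest[i + 1]
            i += 2
        else:
            raise ValueError("unsupported option %r" % rest[i])
    return rule


def addr_matches(spec, addr):
    """'any', a host address, or ipfw's net:mask form."""
    if spec == "any":
        return True
    net = ipaddress.ip_network(spec.replace(":", "/"), strict=False)
    return ipaddress.ip_address(addr) in net


def rule_matches(rule, pkt):
    if rule["direction"] and rule["direction"] != pkt["direction"]:
        return False
    if rule["via"] and rule["via"] != pkt["iface"]:
        return False
    return addr_matches(rule["src"], pkt["src"]) and addr_matches(rule["dst"], pkt["dst"])


def evaluate(ruleset, pkt):
    """First matching rule wins; fall through to ipfw's implicit default-deny rule 65535."""
    for num, rule in enumerate(ruleset, start=1):
        if rule_matches(rule, pkt):
            return rule["action"], num
    return "deny", 65535


def flow_packets(fw=FW):
    """The four passes from the reply; NAT and de-NAT are modelled as address rewrites between passes."""
    return [
        ("1 LAN -> outside, in via iif",
         dict(src=INSIDE_HOST, dst=SOME_HOST, direction="in", iface=fw["iif"])),
        ("2 after NAT, out via oif",
         dict(src=fw["oip"], dst=SOME_HOST, direction="out", iface=fw["oif"])),
        ("3 reply after de-NAT, in via oif",
         dict(src=SOME_HOST, dst=INSIDE_HOST, direction="in", iface=fw["oif"])),
        ("4 reply to LAN, out via iif",
         dict(src=SOME_HOST, dst=INSIDE_HOST, direction="out", iface=fw["iif"])),
    ]


def trace(rule_texts):
    """Return (pass label, action, matching rule number) for each of the four passes."""
    ruleset = [parse_rule(expand(t)) for t in rule_texts]
    return [(label,) + evaluate(ruleset, pkt) for label, pkt in flow_packets()]


if __name__ == "__main__":
    for title, rules in (("default deny, no rules", []), ("with the three added rules", ADDED_RULES)):
        print(title)
        for label, action, num in trace(rules):
            print("  %-36s -> %s (rule %d)" % (label, action, num))
```

The third rule matches both remaining passes because it carries no `in`/`out` or `via` qualifier, which is exactly what lets the de-NATed reply through on `${oif}` and then out on `${iif}`; with a narrower rule such as `in via ${oif}` only, pass 4 would still fall through to the default deny.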