From owner-freebsd-questions Mon Jan 31 11:34:28 2000
Delivered-To: freebsd-questions@freebsd.org
Date: Mon, 31 Jan 2000 14:23:34 -0500
To: Ruslan Ermilov, zimon@iki.fi
From: John
Subject: Re: NATD/Divert broken ?
Cc: freebsd-questions@FreeBSD.ORG
In-Reply-To: <20000131193116.A72155@relay.ucb.crimea.ua>

>> Hey all,
>>
>> I'm having a small problem with my NATD and my firewall. Per the
>> instructions in "The Complete FreeBSD", I added the firewall rule:
>>
>> divert natd ip from any to any via fxp1
>>
>> The problem is that this rule is causing partial problems on my loopback
>> device (lo0).
>>
>> What happens is that with the rule in place, for some connections within
>> the box (which definitely go thru lo0), the connections fail. If I remove
>> that rule, then the connections within the box can be made, but then I lose
>> all ability to host my internal 192.168. net.
>>
>> I have done tcpdumps of both the successful and unsuccessful connections
>> and have pasted them below. If the actual tcpdump files would be useful, I
>> can attach those to a subsequent email.
>>
>> Also, I'm currently running 3.3 and am suffering from NO other apparent
>> problems with lo0 that I can tell.
>>
>> tcpdumps are below.
>>
>> Thanks in advance,
>> John
>>
>> ******
>> Failed connection, with divert rule in place:
>> ******
>>
>> 12:01:10.744362 merlin.wondermutt.net.3482 > merlin.wondermutt.net.39536: S
>> 1027967984:1027967984(0) win 16384
>
>[...]
>Can you show me the above in numerical form (with -n), with the output of
>the following commands:

Sure can :)

tcpdump read in numerical form:

12:46:10.236727 128.175.75.157.3504 > 128.175.75.157.44540: S 1546226005:1546226005(0) win 16384 (DF)
12:46:12.832052 128.175.75.157.3504 > 128.175.75.157.44540: S 1546226005:1546226005(0) win 16384 (DF)
12:46:18.832277 128.175.75.157.3504 > 128.175.75.157.44540: S 1546226005:1546226005(0) win 16384 (DF)

>* ifconfig -au inet

merlin# ifconfig -au inet
fxp0: flags=8843 mtu 1500
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
fxp1: flags=8843 mtu 1500
        inet 128.175.75.157 netmask 0xffffff00 broadcast 128.175.75.255
lo0: flags=8049 mtu 16384

>* netstat -arn

merlin# netstat -arn
Routing tables

Internet:
Destination        Gateway            Flags     Refs      Use  Netif Expire
default            128.175.75.1       UGSc        20   131323   fxp1
127                lo0                USc          3      995    lo0
127.0.0.1          lo0                UHW          1     5510    lo0
128.32.43.209      128.175.75.1       UGHW3        0   131407   fxp1   1118
128.175.13.74      128.175.75.1       UGHW         1   131105   fxp1
128.175.13.92      128.175.75.1       UGHW3        0   116663   fxp1   3340
128.175.75/24      link#2             UC           0        0   fxp1
128.175.75.1       0:0:c:12:d6:5f     UHLW        18        0   fxp1   1138
128.175.75.157     lo0                UHS          0      168    lo0
130.233.40.130     128.175.75.1       UGHW3        0   130965   fxp1    818
132.236.56.16      128.175.75.1       UGHW3        0   131105   fxp1   1013
192.160.127.97     128.175.75.1       UGHW         2   128752   fxp1
192.168.1          link#1             UC           0        0   fxp0
192.168.1.2        0:a0:c9:6c:a8:bc   UHLW         5   672323   fxp0   1152
194.100.45.84      128.175.75.1       UGHW3        0   131227   fxp1   3072
199.2.32.11        128.175.75.1       UGHW         2   131269   fxp1
204.216.27.18      128.175.75.1       UGHW3        0   131179   fxp1   1770
206.251.7.30       128.175.75.1       UGHW         1    14344   fxp1
207.45.69.69       128.175.75.1       UGHW         1    84591   fxp1
207.138.35.58      128.175.75.1       UGHW         1    73274   fxp1
209.100.125.26     128.175.75.1       UGHW         1    12594   fxp1
209.100.125.48     128.175.75.1       UGHW         2     8879   fxp1
216.88.112.20      128.175.75.1       UGHW3        0   132707   fxp1   1102
216.147.43.210     128.175.75.1       UGHW3        0   131081   fxp1   1051
216.244.64.20      128.175.75.1       UGHW3        0   130377   fxp1    951

>* ipfw show

merlin# ipfw show
00075   227    21816 divert 8668 ip from any to any via fxp1
00150 18596  3000493 allow ip from any to any via fxp0
00200     0        0 deny ip from any to 127.0.0.0/8 recv fxp1
00300    22     1233 allow ip from 192.168.0.0/16 to any out xmit fxp1
00400  1205  1317527 allow ip from any to 192.168.0.0/16 in recv fxp1
65000   250    22128 allow ip from any to 128.175.75.157 in recv fxp1
65100  1380    78451 allow ip from 128.175.75.157 to any out xmit fxp1
65535  1659   185195 deny ip from any to any

>And how do you start natd?

Within rc.conf. Ultimate command:

/sbin/natd -f /etc/natd.conf

Where natd.conf is:

interface fxp1
dynamic yes
use_sockets yes
same_ports yes

And the last two lines were added in an attempt to trouble-shoot this
problem - both with and without those lines, this problem exists.

Thanks!!!

--John
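One check worth running on the ruleset John posted, as an added example that is not part of this thread or of FreeBSD's own tools: every rule ahead of the default 65535 is tied to fxp0 or fxp1 by a via/recv/xmit clause, so the only rule a packet on lo0 can reach is the final deny. The script parses the `ipfw show` output as pasted above and reports, per interface, the first rule that can apply; the ruleset text and interface names come from the mail, the parser is an assumption of mine and ignores address and direction clauses.

```python
import re

# Ruleset copied verbatim from the `ipfw show` output in the mail above.
IPFW_SHOW = """\
00075 227 21816 divert 8668 ip from any to any via fxp1
00150 18596 3000493 allow ip from any to any via fxp0
00200 0 0 deny ip from any to 127.0.0.0/8 recv fxp1
00300 22 1233 allow ip from 192.168.0.0/16 to any out xmit fxp1
00400 1205 1317527 allow ip from any to 192.168.0.0/16 in recv fxp1
65000 250 22128 allow ip from any to 128.175.75.157 in recv fxp1
65100 1380 78451 allow ip from 128.175.75.157 to any out xmit fxp1
65535 1659 185195 deny ip from any to any
"""

# One `ipfw show` line: number, counters, action (optional divert port),
# protocol, from/to clauses, then the trailing interface/direction options.
RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+(?P<action>\w+)"
    r"(?:\s+(?P<port>\d+))?\s+(?P<proto>\S+)\s+from\s+(?P<src>\S+)"
    r"\s+to\s+(?P<dst>\S+)(?P<opts>.*)$"
)

def parse_rules(text):
    """Parse `ipfw show` output; `iface` is None when a rule carries no
    via/recv/xmit clause and so is evaluated for every interface."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        toks = m.group("opts").split()
        iface = None
        for kw, nxt in zip(toks, toks[1:]):
            if kw in ("via", "recv", "xmit"):
                iface = nxt
        rules.append({"num": int(m.group("num")), "pkts": int(m.group("pkts")),
                      "action": m.group("action"), "iface": iface})
    return rules

def candidates(rules, ifname):
    """Rules whose interface clause admits a packet on `ifname`, in ipfw order;
    address/direction clauses are not checked, so this is an upper bound."""
    return [r for r in rules if r["iface"] in (None, ifname)]

def first_match(rules, ifname):
    """(rule number, action) of the first rule a packet on `ifname` can hit;
    for the mail's ruleset and lo0 that is the default rule 65535."""
    c = candidates(rules, ifname)
    return (c[0]["num"], c[0]["action"]) if c else None
```

Calling `first_match(parse_rules(IPFW_SHOW), "lo0")` gives `(65535, 'deny')`, while fxp0 and fxp1 resolve to rules 150 and 75 respectively.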