From owner-freebsd-questions Mon Jan 31 12: 7:35 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from wondermutt.net (host75-157.student.udel.edu [128.175.75.157]) by hub.freebsd.org (Postfix) with ESMTP id D104B14A2C for ; Mon, 31 Jan 2000 12:07:20 -0800 (PST) (envelope-from papalia@udel.edu)
Received: from morgaine (morgaine.wondermutt.net [192.168.1.2]) by wondermutt.net (8.9.3/8.9.3) with SMTP id PAA38401; Mon, 31 Jan 2000 15:07:05 -0500 (EST) (envelope-from papalia@udel.edu)
Message-Id: <4.1.20000131145859.0096fed0@mail.udel.edu>
X-Sender: papalia@mail.udel.edu
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1
Date: Mon, 31 Jan 2000 15:03:19 -0500
To: Ruslan Ermilov
From: John
Subject: Re: NATD/Divert broken ?
Cc: zimon@iki.fi, freebsd-questions@FreeBSD.ORG
In-Reply-To: <20000131215456.B97751@relay.ucb.crimea.ua>
References: <4.1.20000131123443.00975da0@mail.udel.edu> <4.1.20000131120328.009749c0@mail.udel.edu> <4.1.20000131120328.009749c0@mail.udel.edu> <20000131193116.A72155@relay.ucb.crimea.ua> <4.1.20000131123443.00975da0@mail.udel.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

>> >> ******
>> >> Failed connection, with divert rule in place:
>> >> ******
>> >>
>> >> 12:01:10.744362 merlin.wondermutt.net.3482 > merlin.wondermutt.net.39536: S
>> >> 1027967984:1027967984(0) win 16384
>> >>
>> >[...]
>> >Can you show me the above in numerical form (with -n), with the output of
>> >the following commands:
>>
>> Sure can :)
>
>[...]
>> >* ipfw show
>> merlin# ipfw show
>> 00075 227 21816 divert 8668 ip from any to any via fxp1
>> 00150 18596 3000493 allow ip from any to any via fxp0
>> 00200 0 0 deny ip from any to 127.0.0.0/8 recv fxp1
>> 00300 22 1233 allow ip from 192.168.0.0/16 to any out xmit fxp1
>> 00400 1205 1317527 allow ip from any to 192.168.0.0/16 in recv fxp1
>> 65000 250 22128 allow ip from any to 128.175.75.157 in recv fxp1
>> 65100 1380 78451 allow ip from 128.175.75.157 to any out xmit fxp1
>> 65535 1659 185195 deny ip from any to any
>
>I don't believe that just removing rule 75 fixes the problem.
>Please add the following (from the stock rc.firewall) two rules
>right after the `divert' one and before any other:
>
>############
># Only in rare cases do you want to change these rules
>$fwcmd add 100 pass all from any to any via lo0
>$fwcmd add 200 deny all from any to 127.0.0.0/8
>
>Let me know if this helps.

My apologies... what you saw was the result of me messing around with the firewall rules for 3 days :)  I pasted an incorrect copy to you.  Here is my current config:

00075 1814 194224 divert 8668 ip from any to any via fxp1
00100 388 49438 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00250 697 44297 allow ip from any to any via fxp0
00300 56 3096 allow ip from 192.168.0.0/16 to any out xmit fxp1
00400 1456 1373711 allow ip from any to 192.168.0.0/16 in recv fxp1
65000 1204 125994 allow ip from any to 128.175.75.157 in recv fxp1
65100 2707 211644 allow ip from 128.175.75.157 to any out xmit fxp1
65535 1928 210215 deny ip from any to any

And believe it or not, simply removing the 00075 line DOES cure the problem (while disabling my internal net).  With the rule in place, netstat -a shows:

tcp        0      0  merlin.3587            merlin.39474           SYN_SENT
tcp        0      0  *.39474                *.*                    CLOSED

For some reason, the port is being closed before the connection can be made.
Correcting rules 00100 and 00200 did not cure the problem though :/

If you need more info from me, please let me know.

Thanks!!!!

--John

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
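As an added example (not from the thread), a small Python first-match walker over the `ipfw show` listing John posted: it parses the rule lines as printed and reports which rule a constructed packet hits, resuming at the next rule after the divert the way ipfw does when natd re-injects the packet. The packet descriptions are constructed, and natd's address rewriting is not modelled.

```python
import ipaddress
import re

# John's current config, copied from the mail above.
IPFW_SHOW = """
00075 1814 194224 divert 8668 ip from any to any via fxp1
00100 388 49438 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00250 697 44297 allow ip from any to any via fxp0
00300 56 3096 allow ip from 192.168.0.0/16 to any out xmit fxp1
00400 1456 1373711 allow ip from any to 192.168.0.0/16 in recv fxp1
65000 1204 125994 allow ip from any to 128.175.75.157 in recv fxp1
65100 2707 211644 allow ip from 128.175.75.157 to any out xmit fxp1
65535 1928 210215 deny ip from any to any
"""

# One `ipfw show` line: num, pkts, bytes, action, proto, from/to, [in|out], [via|recv|xmit iface]
RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+\d+\s+\d+\s+(?P<action>divert \d+|allow|deny)\s+\S+"
    r"\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)(?:\s+(?P<dir>in|out))?"
    r"(?:\s+(?P<how>via|recv|xmit)\s+(?P<iface>\S+))?$")

def parse_rules(text):
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError("unparsed rule: " + line)
        rules.append({**m.groupdict(), "num": int(m.group("num"))})
    return rules

def addr_ok(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def rule_matches(rule, pkt):
    # pkt keys: src, dst, dir ("in"/"out"), recv and xmit interface (None if not applicable)
    if not (addr_ok(rule["src"], pkt["src"]) and addr_ok(rule["dst"], pkt["dst"])):
        return False
    if rule["dir"] and rule["dir"] != pkt["dir"]:
        return False
    if rule["how"] == "via":          # via matches either the receive or the transmit side
        return rule["iface"] in (pkt["recv"], pkt["xmit"])
    if rule["how"]:                   # recv / xmit match one side only
        return pkt[rule["how"]] == rule["iface"]
    return True

def trace(rules, pkt):
    """Rules hit, in order; after a divert the walk resumes at the next rule."""
    hits = []
    for rule in rules:
        if rule_matches(rule, pkt):
            hits.append((rule["num"], rule["action"]))
            if not rule["action"].startswith("divert"):
                break
    return hits
```

A packet arriving on fxp1 addressed to 127.0.0.1 is diverted by rule 75 first and only then dropped by rule 200, which is why Ruslan's placement advice (lo0 pass and 127/8 deny directly after the divert) matters.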