Date:      Wed, 19 May 2010 10:13:25 -0700 (PDT)
From:      Casey Scott <casey@phantombsd.org>
To:        Коньков Евгений <kes-kes@yandex.ru>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: natd in 8.1
Message-ID:  <1430525477.76.1274289205185.JavaMail.root@spitfire.phantombsd.org>
In-Reply-To: <806308022.20100518211610@yandex.ru>

I haven't had a chance to work on this yet. I'll be out of town for a little while, and will update the thread upon my arrival.

Thanks.


Casey

----- "Коньков Евгений" <kes-kes@yandex.ru> wrote:

> Hello, Casey.
>
> What does natd with the '-v' option show? What is it aliasing?
>
> You must bind natd to the external interface.
>
> NEVER DO: any to any divert!!!
>
> NOTICE: no traffic goes through this rule
> CS> 05000     0        0 divert 8668 ip from any to any out via fxp0
>
> NEVER DO: open the firewall, for security reasons
> CS> 05001    29     1484 allow ip from any to any
>
> All 'ALLOW' rules are useless because of rule 5001!
>
>
> You drop all traffic before the divert ;-) This confuses me a little.
> CS> 04000   752    24282 deny log logamount 10000 ip from any to any
> CS> 05000     0        0 divert 8668 ip from any to any out via fxp0
>
>
> NOTICE:
> CS> 01200    29     1484 skipto 5000 ip from 192.168.1.0/24 to any out via fxp0 setup keep-state
> Maybe there are some bugs in ipfw; try 4999.
>
>
> Please post where the problem was, for other readers with the same question.
> Thanks.
>
> You wrote on 18 May 2010, 18:51:10:
>
> CS> I recently rebuilt a server from 7.x to 8.x.  Using the exact
> CS> same firewall & natd config, natd appears not to be aliasing the
> CS> private address when the traffic leaves the external interface.
> CS> When sniffing traffic w/ tcpdump, I see the private address as the
> CS> source address on the outbound request.
>
> CS> e.g.
>
> CS> 192.168.1.1  = internal source of request
> CS> 74.75.76.77 = public address (website)
> CS> 12.13.14.15 =
>
> CS>    Internal                                    External
> CS> 192.168.1.10  ->>   74.75.76.77    (NAT)   192.168.1.10 -> 74.75.76.77
>
>
> CS> Rather, it should be:
>
>
> CS>    Internal                                    External
> CS> 192.168.1.10  ->>   74.75.76.77    (NAT)   12.13.14.15 -> 74.75.76.77
>
>
> CS> Watching natd with ktrace shows that no traffic gets passed to
> CS> natd when the source is internal; however, external traffic passes
> CS> through it.
>
> CS> Firewall config:
> CS>
> CS> ---------------------------------------------------------------------------
> CS> 00200 11946  3204818 allow ip from any to any via lo0
> CS> 00300     0        0 deny ip from any to 127.0.0.0/8
> CS> 00301    10      528 deny ip from any to 74.94.69.225 dst-port 445
> CS> 00302     1       78 deny ip from any to 74.94.69.225 dst-port 137
> CS> 00303     9      544 deny ip from any to 74.94.69.225 dst-port 135
> CS> 00304     0        0 deny ip from 224.0.0.0/4 to any via fxp0
> CS> 00305   671    18788 deny ip from any to 224.0.0.0/4 via fxp0
> CS> 01000  9093  1158436 allow ip from any to any via em0
> CS> 01050 51045  5205047 divert 8668 ip from any to any in via fxp0
> CS> 01100     0        0 check-state
> CS> 01100 69183 83429465 allow ip from me to any
> CS> 01200    29     1484 skipto 5000 ip from 192.168.1.0/24 to any out via fxp0 setup keep-state
> CS> 01201     0        0 skipto 5000 udp from 192.168.1.0/24 to any out via fxp0 keep-state
> CS> 01202 45002  4690467 allow ip from any to any established
> CS> 01800  1421    72620 allow tcp from any to me dst-port 20,21,53,76,80,123,443
> CS> 01900     3      194 allow ip from 216.251.112.0/24,208.95.100.4 to any
> CS> 02000   530   127559 allow udp from any 53 to any
> CS> 02100   834    59414 allow udp from any to any dst-port 53
> CS> 02150  1930   146680 allow udp from any 123 to me dst-port 123
> CS> 02200   468    39312 allow icmp from any to any icmptypes 0,3,11
> CS> 04000   752    24282 deny log logamount 10000 ip from any to any
> CS> 05000     0        0 divert 8668 ip from any to any out via fxp0
> CS> 05001    29     1484 allow ip from any to any
> CS> 65535     0        0 deny ip from any to any
> CS>
> CS> ---------------------------------------------------------------------------
>
> CS> natd.conf
> CS>
> -------------------------------------------------------------------------=
--
> CS> use_sockets
> CS> same_ports
> CS> unregistered_only
> CS> interface fxp0
>
> CS> redirect_port tcp 192.168.1.82:82       82
> CS> redirect_port tcp 192.168.1.41:8082     8082
> CS> redirect_port tcp 192.168.1.3:3389      3389
> CS> redirect_port udp 192.168.1.3:3389      3389
> CS> redirect_port tcp 192.168.1.6:6881-6889 6881-6889
> CS>
> CS> ---------------------------------------------------------------------------
>
>
> CS> As I previously stated, this exact same config worked great in
> CS> 7.x. I built a kernel in 8.x w/ IPFIREWALL & IPDIVERT, and
> CS> reviewed UPDATING.  Have I missed something?
>
> CS> TIA,
> CS> Casey
>
> CS> _______________________________________________
> CS> freebsd-questions@freebsd.org mailing list
> CS> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> CS> To unsubscribe, send any mail to
> CS> "freebsd-questions-unsubscribe@freebsd.org"
>
>
> --
> Regards,
>  Коньков                          mailto:kes-kes@yandex.ru
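As an added example (not part of this thread, and not FreeBSD or natd code), the script below parses the `ipfw show` listing quoted above and flags the points raised in the reply: the unconditional `allow ip from any to any` at 5001 that ends evaluation for every packet reaching it, the `divert` at 5000 that never matched although 29 packets took the `skipto 5000` jump at 1200, the rules that sit behind the deny-all at 4000 and are reachable only through a skipto, and the rule number 01100 that appears twice. The rule text is reproduced from the thread as constructed sample input; the heuristics (the qualifier list that makes an `any to any` match conditional, the counter comparison between a skipto and its target) are my own assumptions about how to read the listing, not ipfw semantics.

```python
"""Audit an `ipfw show` listing for the issues raised in this thread.

Added example, not code from the thread or from FreeBSD. Every check is a
heuristic over the rule text and packet counters, not an ipfw feature.
"""
import re
from collections import Counter, defaultdict

# Constructed sample input: the `ipfw show` output quoted in the thread.
IPFW_SHOW = """\
00200 11946  3204818 allow ip from any to any via lo0
00300     0        0 deny ip from any to 127.0.0.0/8
00301    10      528 deny ip from any to 74.94.69.225 dst-port 445
00302     1       78 deny ip from any to 74.94.69.225 dst-port 137
00303     9      544 deny ip from any to 74.94.69.225 dst-port 135
00304     0        0 deny ip from 224.0.0.0/4 to any via fxp0
00305   671    18788 deny ip from any to 224.0.0.0/4 via fxp0
01000  9093  1158436 allow ip from any to any via em0
01050 51045  5205047 divert 8668 ip from any to any in via fxp0
01100     0        0 check-state
01100 69183 83429465 allow ip from me to any
01200    29     1484 skipto 5000 ip from 192.168.1.0/24 to any out via fxp0 setup keep-state
01201     0        0 skipto 5000 udp from 192.168.1.0/24 to any out via fxp0 keep-state
01202 45002  4690467 allow ip from any to any established
01800  1421    72620 allow tcp from any to me dst-port 20,21,53,76,80,123,443
01900     3      194 allow ip from 216.251.112.0/24,208.95.100.4 to any
02000   530   127559 allow udp from any 53 to any
02100   834    59414 allow udp from any to any dst-port 53
02150  1930   146680 allow udp from any 123 to me dst-port 123
02200   468    39312 allow icmp from any to any icmptypes 0,3,11
04000   752    24282 deny log logamount 10000 ip from any to any
05000     0        0 divert 8668 ip from any to any out via fxp0
05001    29     1484 allow ip from any to any
65535     0        0 deny ip from any to any
"""

# number, packets, bytes, action, rest of the rule
RULE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(\S+)(?:\s+(.*))?$")
# Qualifiers that narrow an 'ip from any to any' match (assumed list).
QUALIFIER_RE = re.compile(r"\b(via|recv|xmit|in|out|established|keep-state|frag)\b")


def parse_rules(listing):
    """Turn `ipfw show` lines into dicts with counters, action and body."""
    rules = []
    for line in listing.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            num, pkts, byts, action, body = m.groups()
            rules.append({"num": int(num), "pkts": int(pkts), "bytes": int(byts),
                          "action": action, "body": body or ""})
    return rules


def is_unconditional_any_any(body):
    """True if the body matches every packet: 'ip from any to any' with no
    interface, direction or state qualifier after it (log options before
    the match, as in rule 4000, are ignored)."""
    m = re.search(r"\bip from any to any\b(.*)$", body)
    return bool(m) and not QUALIFIER_RE.search(m.group(1))


def skipto_targets(rules):
    """Map each skipto target number to the packets that took that jump."""
    targets = defaultdict(int)
    for r in rules:
        if r["action"] == "skipto":
            targets[int(r["body"].split()[0])] += r["pkts"]
    return targets


def audit(listing):
    rules = parse_rules(listing)
    numbers = [r["num"] for r in rules]
    targets = skipto_targets(rules)
    # 1. 'allow ip from any to any' with no qualifier (rule 5001 in the thread).
    wide_open = [r["num"] for r in rules
                 if r["action"] == "allow" and is_unconditional_any_any(r["body"])]
    # 2. skipto targets that do not exist as rule numbers.
    dangling = sorted(t for t in targets if t not in numbers)
    # 3. divert rules with zero hits that a skipto carrying packets jumps to:
    #    traffic reached them but did not match, the symptom in the thread.
    shadowed = [(r["num"], targets[r["num"]]) for r in rules
                if r["action"] == "divert" and r["pkts"] == 0 and targets.get(r["num"], 0) > 0]
    # 4. duplicate rule numbers (01100 appears twice in the posted set).
    dupes = sorted(n for n, k in Counter(numbers).items() if k > 1)
    # 5. rules behind the first unconditional deny are reachable only via
    #    skipto; record whether some skipto actually targets each one.
    after_deny, seen_deny = {}, False
    for r in rules:
        if seen_deny and r["num"] != 65535:  # 65535 is the default rule
            after_deny[r["num"]] = r["num"] in targets
        if r["action"] == "deny" and is_unconditional_any_any(r["body"]):
            seen_deny = True
    return {"wide_open": wide_open, "dangling_skipto": dangling,
            "shadowed_divert": shadowed, "duplicate_numbers": dupes,
            "after_deny_all": after_deny}


if __name__ == "__main__":
    for name, finding in audit(IPFW_SHOW).items():
        print(f"{name}: {finding}")
```

On the posted listing the report shows 5001 as wide open, 5000 as a divert with zero hits behind a skipto that carried 29 packets, 5000 and 5001 as the only rules behind the deny-all at 4000 (5001 reachable only by falling through from 5000), and 1100 as a duplicated number. Feed it the output of `ipfw show` on another box to repeat the same checks.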


