From owner-freebsd-questions Sun Nov 21 9:13:42 1999
Delivered-To: freebsd-questions@freebsd.org
Received: from cc200872-a.wstal1.sc.home.com (cc200872-a.wstal1.sc.home.com [24.1.38.150]) by hub.freebsd.org (Postfix) with ESMTP id 07C03150BA for ; Sun, 21 Nov 1999 09:13:36 -0800 (PST) (envelope-from fee@pagan.tzo.com)
Received: from cc200872-a.wstal1.sc.home.com [10.0.0.4] by cc200872-a.wstal1.sc.home.com with ESMTP (SMTPD32-5.05) id A8683640266; Sun, 21 Nov 1999 12:14:16 -0500
Date: Sun, 21 Nov 1999 12:10:33 -0500 (EST)
From: Christian Williams
X-Sender: fee@cc200872-a.wstal1.sc.home.com
To: Alan Weber
Cc: questions@freebsd.org
Subject: Re: a little help from my friends?
In-Reply-To: <19991119224719.A10675@austin.rr.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Ok, I've made all modifications per your suggestions below, including
recompiling a new kernel and eliminating the startup script and going back
to the rc.conf, but still no dice.

Here's something worth mentioning: The port 80 redirect, as well as the
SMTP redirect, works, but the others do not. I cannot connect to the IMAP,
POP3, webemail (8383) and ftp (8072) servers. Is this a bug with natd/ipfw?
Is there some limit to the number of redirects?

The port 80 redirect works, but only to the point of getting to the web
server. It will not route properly to the two virtual hosts on that
machine. In other words, I have an apache server running on 10.0.0.6, but
if I try to access them, I merely get the generic index.html in the server
root instead of the appropriate vhost.

In addition, I cannot get to any of these outside services from an inside
machine. This appears to be a routing issue, but all my routing tables are
fine. I've tried sniffing those interfaces and come up empty handed.

I'm swiftly running out of options here, and I definitely don't want to
move all of these servers to the firewall machine.

HELP!?

TIA (again)

Chris

On Fri, 19 Nov 1999, Alan Weber wrote:

> On Fri, Nov 19, 1999 at 11:06:28PM -0500, Christian Williams wrote:
> !
> !
> ! Ok people, I've got a serious problem here.
>
> ! I have a FreeBSD 3.2 box here set up as a gateway for a small LAN.
>
> ! The internal network addresses are 10.0.0.x with a mask of 255.0.0.0
>
> ! I have an external interface on this box as well with an outside address
> ! of: x.x.x.x
>
> ! I have a custom kernel compiled with the two required variables to run
> ! natd.
>
> Two?? I think that you need all of the following:
>
> -- kernel config options --
>
> pseudo-device bpfilter 4 #Berkeley packet filter
>
> options IPFIREWALL #firewall
> options IPFIREWALL_VERBOSE #print information about dropped packets
> options IPFIREWALL_FORWARD #enable transparent proxy support
> options "IPFIREWALL_VERBOSE_LIMIT=100" #limit verbosity
> options IPFIREWALL_DEFAULT_TO_ACCEPT #allow everything by default
>
> options IPDIVERT #divert sockets
>
> -- kernel config options --
>
> ! I have a natd.startup script that runs on boot that enters all of the
> ! required network configuration and calls natd with the -f
> ! /etc/natd.conf statement. Within the natd.conf file are the natd flags
> ! I need for my network here, as well as some other commands.
>
> This seems to be the hard way... use
>
> cd /etc
> cp rc.conf rc.conf.backup
> grep natd defaults/rc.conf>>rc.conf
> grep firewall defaults/rc.conf>>rc.conf
> grep gateway defaults/rc.conf>>rc.conf
> grep router defaults/rc.conf>>rc.conf
>
> This will extract and append the required lines from the default
> rc.conf and add them to your override file. Make sure you use >>;
> a single > will wipe your rc.conf file.
>
> The below is from my working rc.conf (ip #s changed)
>
> -- rc.conf --
>
> network_interfaces="fxp0 xl0 lo0"
>
> # internal network
>
> ifconfig_fxp0="inet 10.12.1.123 netmask 255.255.0.0"
>
> #external network
>
> ifconfig_xl0="inet 123.123.12.123 netmask 255.255.255.240"
>
> gateway_enable="YES"
>
> defaultrouter="123.123.12.12"
>
> firewall_enable="YES" # Set to YES to enable firewall functionality
> firewall_type="open" # Firewall type (see /etc/rc.firewall)
> firewall_quiet="NO" # Set to YES to suppress rule display
>
> natd_enable="YES" # Enable natd (if firewall_enable == YES).
> natd_interface="xl0" # Public interface or IPaddress to use.
> natd_flags=" -f /etc/natd.conf" # Additional flags for natd.
>
> -- rc.conf end --
>
> Inventing a new startup script as shown below will make updating your
> system to newer versions overly painful.
>
>
> ! --natd.startup--
>
> ! firewall_type="open"
> ! firewall_enable="YES"
>
> ! ifconfig tx0 x.x.x.x netmask 255.255.255.0
>
> ! route add default x.x.x.x
>
> ! if config de0 10.0.0.4 netmask 255.0.0.0
>     ^
>     | is this space really here
>
> !
> ! sysctl -w net.inet.ip.forwarding=1
> !
> ! natd -f /etc/natd.conf &
>
> ! /sbin/ipfw -f flush
> ! /sbin/ipfw add 100 divert natd all from any to any via tx0
> ! /sbin/ipfw add 64999 pass all from any to any via lo0
> ! /sbin/ipfw add 65000 pass all from any to any
>
> ! --end natd.startup--
>
>
> I don't think you will need the udp for all the ports
>
> ! --natd.conf--
> !
> ! interface tx0
> ! same ports yes
> ! redirect_port tcp 10.0.0.6:8383 8383
> ! redirect_port upd 10.0.0.6:8383 8383
> ???
> typo?
> ! redirect_port tcp 10.0.0.6:80 80
> ! redirect_port udp 10.0.0.6:80 80
> ! redirect_port tcp 10.0.0.6:110 110
> ! redirect_port udp 10.0.0.6:110 110
> ! redirect_port tcp 10.0.0.6:143 143
> ! redirect_port udp 10.0.0.6:143 143
> ! redirect_port tcp 10.0.0.6:25 25
> ! redirect_port upd 10.0.0.6:25 25
> ???
> typo?
>
> ! --end natd.conf--
>
> ! None of my redirects are working! Where have I gone wrong?
>
> ! Please Help! I've read the Complete FreeBSD on this, all man pages, and
> ! scoured the newsgroups!
>
> ! TIA!
>
> ! Christian
> !
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
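The natd.conf quoted in this thread carries two `upd` lines that Alan flags as typos, a set of udp redirects for services that only speak TCP, and no redirect at all for the ftp port (8072) that Chris says he cannot reach. natd(8) rejects an unknown protocol name when it reads its configuration, so a lint pass before restarting the gateway is cheap insurance. The following linter is an added example written for this page, not code from the thread or from FreeBSD. It parses only the simple `redirect_port proto target_ip:port alias_port` form (port ranges and the optional alias/remote address fields are reported as unparsable rather than silently skipped), and the table of TCP-only services is a constructed assumption; the sample input is the thread's natd.conf with `same_ports` written in the underscore spelling natd(8) expects.

```python
"""Lint natd(8) redirect_port lines for the mistakes discussed in the thread.

Added example, not code from the thread or from FreeBSD. Only the simple
"redirect_port proto target_ip:port alias_port" form is parsed.
"""
import re
from collections import Counter

VALID_PROTOS = {"tcp", "udp"}

# Constructed table of well-known TCP-only services. A udp redirect for one
# of these never carries traffic; it only clutters the rule set.
TCP_ONLY_SERVICES = {25: "smtp", 80: "http", 110: "pop3", 143: "imap"}

# The natd.conf quoted in the thread, one directive per line. The two "upd"
# lines are the typos Alan pointed out.
SAMPLE_NATD_CONF = """\
interface tx0
same_ports yes
redirect_port tcp 10.0.0.6:8383 8383
redirect_port upd 10.0.0.6:8383 8383
redirect_port tcp 10.0.0.6:80 80
redirect_port udp 10.0.0.6:80 80
redirect_port tcp 10.0.0.6:110 110
redirect_port udp 10.0.0.6:110 110
redirect_port tcp 10.0.0.6:143 143
redirect_port udp 10.0.0.6:143 143
redirect_port tcp 10.0.0.6:25 25
redirect_port upd 10.0.0.6:25 25
"""

REDIRECT_RE = re.compile(
    r"^redirect_port\s+(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\s+(\d{1,5})$"
)


def parse_redirect(line):
    """Return (proto, target_ip, target_port, alias_port) for a simple
    redirect_port directive, or None if the line is not one."""
    m = REDIRECT_RE.match(line.strip())
    if not m:
        return None
    proto, ip, tport, aport = m.groups()
    return proto, ip, int(tport), int(aport)


def lint_natd_conf(text):
    """Walk a natd.conf and collect errors, warnings and parsed redirects."""
    errors, warnings, redirects = [], [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()        # drop comments and blanks
        if not line.startswith("redirect_port"):
            continue                               # interface, same_ports, ...
        parsed = parse_redirect(line)
        if parsed is None:
            errors.append(f"line {lineno}: cannot parse {line!r}")
            continue
        proto, ip, tport, aport = parsed
        if proto not in VALID_PROTOS:
            hint = " (letters of 'udp' transposed?)" if sorted(proto) == sorted("udp") else ""
            errors.append(f"line {lineno}: unknown protocol {proto!r}{hint}")
            continue
        if proto == "udp" and aport in TCP_ONLY_SERVICES:
            warnings.append(f"line {lineno}: udp redirect for "
                            f"{TCP_ONLY_SERVICES[aport]} ({aport}) carries no traffic")
        redirects.append(parsed)
    # The same public port/protocol redirected twice is a conflict, not a feature.
    dupes = Counter((p, a) for p, _, _, a in redirects)
    for (p, a), n in dupes.items():
        if n > 1:
            errors.append(f"alias port {a}/{p} is redirected {n} times")
    return {"errors": errors, "warnings": warnings, "redirects": redirects}


def tcp_alias_ports(report):
    """Public ports that actually have a usable tcp redirect."""
    return {a for p, _, _, a in report["redirects"] if p == "tcp"}


def missing_tcp_redirects(report, expected_ports):
    """Ports a service is expected on that have no tcp redirect at all."""
    return set(expected_ports) - tcp_alias_ports(report)


if __name__ == "__main__":
    report = lint_natd_conf(SAMPLE_NATD_CONF)
    for msg in report["errors"]:
        print("ERROR:", msg)
    for msg in report["warnings"]:
        print("WARN: ", msg)
    # The services Chris lists in the thread, including ftp on 8072.
    wanted = {25, 80, 110, 143, 8383, 8072}
    print("no tcp redirect for:", sorted(missing_tcp_redirects(report, wanted)))
```

Run against the thread's configuration it reports the two `upd` lines as errors, the three udp redirects for http, pop3 and imap as dead weight, and 8072 as the one port in the wish list with no tcp redirect, which matches the symptoms Chris describes without touching the gateway.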