Date:      Mon, 22 Oct 2001 18:25:29 -0700
From:      Zev Thompson <zev@interchange.ubc.ca>
To:        <freebsd-questions@FreeBSD.ORG>
Subject:   Re: firewall and natd configurations (ICQ specifically)
Message-ID:  <3.0.32.20011022182522.01726780@pop.interchange.ubc.ca>

I've been having troubles with ICQ and natd as well. I've set up a range of
TCP ports to take incoming requests, which forward just fine (I can receive
files etc.), but connections to the ICQ login server on port 4000 (UDP) do
not seem to stay active; i.e. I disconnect & reconnect to the server
periodically.

In my ICQ firewall settings I've set up a 30 second timeout, and modified
some sysctl variables to try and prevent this from happening, but I'm
stuck. natd works great otherwise. Any suggestions?

Specifics:

Internal 192.168.1.x LAN going through a FreeBSD 4.4-RELEASE gateway, 192.168.1.1

firewall rules (security isn't really a top concern of mine):
00050 divert 8668 ip from any to any via ex0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
65000 allow ip from any to any
65535 deny ip from any to any

natd.conf:
deny_incoming no
dynamic yes
use_sockets yes
same_ports yes
# redirect web to internal
redirect_port tcp 192.168.1.2:80 80
redirect_port tcp 192.168.1.2:12000-12100 12000-12100
redirect_port udp 192.168.1.2:27910-27960 27910-27960

Those last 3 lines redirect HTTP, ICQ, and Quake 2 & 3 servers to my
internal machine 192.168.1.2.

Sysctl variables changed:

net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_syn_lifetime: 100
net.inet.ip.fw.dyn_fin_lifetime: 100
net.inet.ip.fw.dyn_rst_lifetime: 100
net.inet.ip.fw.dyn_short_lifetime: 100

From the defaults:

net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_fin_lifetime: 20
net.inet.ip.fw.dyn_rst_lifetime: 5
net.inet.ip.fw.dyn_short_lifetime: 5

Thanks in advance to any suggestions or ideas; naturally I'll happily
supply more information about the configuration if it helps.

Zev Thompson
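The net.inet.ip.fw.dyn_* sysctls listed above only set lifetimes for dynamic rules created by keep-state/check-state, and the quoted ruleset contains none, so they cannot influence the UDP session; natd keeps its own UDP aliasing state. The audit script below is an added example, not part of the original post: it takes `ipfw list` output (the ruleset quoted above, embedded as a constant) and reports whether any dynamic rules exist and which rules an unconditional catch-all allow/deny makes unreachable.

```shell
#!/bin/sh
# Audit an ipfw ruleset as printed by `ipfw list`.
# Two questions a reviewer of the post's configuration would ask:
#   1. Does any rule create dynamic state (keep-state/check-state)?
#      Only such rules are governed by net.inet.ip.fw.dyn_* lifetimes.
#   2. Which rules sit behind an unconditional "allow|deny ip from any
#      to any" and therefore never match anything?
# RULESET is the ruleset quoted in the post (constructed input).
RULESET='00050 divert 8668 ip from any to any via ex0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
65000 allow ip from any to any
65535 deny ip from any to any'

# Print "yes" if any rule uses keep-state or check-state, else "no".
has_dynamic_rules() {
    if printf '%s\n' "$1" | grep -Eq '(keep|check)-state'; then
        echo yes
    else
        echo no
    fi
}

# Print the numbers of all rules that follow the first unconditional
# catch-all. A catch-all is "allow|deny ip from any to any" with no
# trailing qualifier such as "via", "in" or "out" (exactly 7 fields).
unreachable_rules() {
    printf '%s\n' "$1" | awk '
        shadowed { print $1; next }
        NF == 7 && $2 ~ /^(allow|deny)$/ && $3 == "ip" &&
            $5 == "any" && $7 == "any" { shadowed = 1 }
    '
}

# Human-readable summary combining both checks.
audit_ruleset() {
    if [ "$(has_dynamic_rules "$1")" = yes ]; then
        echo "dynamic rules present: dyn_* lifetimes apply"
    else
        echo "no dynamic rules: dyn_* lifetimes have no effect here"
    fi
    for n in $(unreachable_rules "$1"); do
        echo "rule $n is unreachable (shadowed by a catch-all)"
    done
}

audit_ruleset "$RULESET"
```

Run it as-is to audit the quoted ruleset, or replace RULESET with `ipfw list` output from the gateway.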

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3.0.32.20011022182522.01726780>