Date: Wed, 13 Dec 2000 10:23:46 +0200
From: Ruslan Ermilov <ru@sunbay.com>
To: Elliott Perrin <eperrin@bigorbit.com>
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Problem with Natd and IPFW
Message-ID: <20001213102346.A76652@sunbay.com>
In-Reply-To: <008401c064dd$7233c7c0$0c01a8c0@bottleneck2000>; from eperrin@bigorbit.com on Wed, Dec 13, 2000 at 03:19:42AM -0500
References: <008401c064dd$7233c7c0$0c01a8c0@bottleneck2000>
On Wed, Dec 13, 2000 at 03:19:42AM -0500, Elliott Perrin wrote:
> So here is the scenario. I have a FreeBSD box configured
> with three interfaces, one to the Net, one to the LAN where
> our public servers sit, and one to the local LAN. It is a
> FreeBSD 4.1 box. Our public servers have routable addresses,
> so natd is running with the -u flag so that only the local
> LAN gets translated. The kernel was compiled without the
> default-to-accept option in the firewall.
>
> If the firewall is running without an allow ip from any to
> any rule, natd complains with the
>
>     natd failed to write packet back (permission denied) error
>
> and the local LAN cannot get anywhere out of the office.
> They can still get to our public servers, but they cannot go
> anywhere on the Internet. Once the allow ip from any to any
> rule is specified the problem clears up right away (which
> obviously makes sense). To give you an idea of where natd is
> in the ruleset, I have provided a chunk of the rules below
> (taken from ipfw -a list):
>
> 00100 allow ip from any to any in recv lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 192.168.1.0/24 to any in recv ed0
> 00400 deny ip from xxx.xxx.xxx.xxx/28 to any in recv ed0
> 00500 deny ip from 192.168.1.0/24 to any in recv fxp0
> 00600 deny ip from xxx.xxx.xxx.xxx/28 to any in recv xl0
> 00700 deny ip from xxx.xxx.xxx.xxx/29 to any in recv fxp0
> 00800 deny ip from xxx.xxx.xxx.xxx/29 to any in recv xl0
> 00900 deny ip from any to 10.0.0.0/8 via ed0
> 01000 deny ip from any to 172.16.0.0/12 via ed0
> 01100 deny ip from any to 192.168.0.0/16 via ed0
> 01200 deny ip from any to 0.0.0.0/8 via ed0
> 01300 deny ip from any to 169.254.0.0/16 via ed0
> 01400 deny ip from any to 192.0.2.0/24 via ed0
> 01500 divert 8668 ip from any to any via ed0
> 01600 deny ip from 10.0.0.0/8 to any via ed0
> 01700 deny ip from 172.16.0.0/12 to any via ed0
> 01800 deny ip from 192.168.0.0/16 to any via ed0
> 01900 deny ip from 0.0.0.0/8 to any via ed0
> 02000 deny ip from 169.254.0.0/16 to any via ed0
> 02100 deny ip from 192.0.2.0/24 to any via ed0
>
> Now, I decided to run natd with the -v flag to see if I
> could find out what the hell was going on. When I was
> running it without an allow ip from any to any rule, I would
> see aliasing from the local LAN to the external address, but
> no aliasing on packets coming back in. When the rule allow
> ip from any to any is declared, I can see the translation
> going both in and out.
>
I do not see any ``allow'' rules except the first (lo0) one.
Do you have these?

-- 
Ruslan Ermilov		Oracle Developer/DBA,
ru@sunbay.com		Sunbay Software AG,
ru@FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine

http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age
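The reply's question is the whole diagnosis: the only allow rule in the posted list sits before the divert rule, and a packet that natd writes back re-enters ipfw at the rule after the divert. With a kernel built without the default-to-accept option, that packet matches none of the remaining (deny) rules, falls through to the implicit final deny, and the kernel refuses natd's write to the divert socket with EACCES, which natd reports as "failed to write packet back (Permission denied)". The script below is an added example, not code from the thread or from FreeBSD. It reproduces an abbreviated form of the posted ruleset, a corrected version with allow rules placed after the divert, and a small check that answers the reply's question mechanically. The interface name ed0 (Internet side), the local LAN 192.168.1.0/24 and natd's port 8668 are assumptions taken from the post; the rule numbers after 02100 and the specific allow rules are illustrative.

```shell
#!/bin/sh
# Added example; not code from the thread or from FreeBSD's rc.firewall.
# Assumptions: ed0 faces the Internet, 192.168.1.0/24 is the local LAN that
# natd translates, and natd listens on divert port 8668.

EXT_IF=${EXT_IF:-ed0}
LAN_NET=${LAN_NET:-192.168.1.0/24}
NATD_PORT=${NATD_PORT:-8668}

# Ruleset as posted (abbreviated), in the "add ..." form ipfw reads from a
# file. The single allow rule precedes the divert, so a packet natd writes
# back resumes at rule 01600, matches nothing, and is denied by the implicit
# final rule on a kernel built without IPFIREWALL_DEFAULT_TO_ACCEPT.
broken_ruleset() {
cat <<EOF
add 00100 allow ip from any to any in recv lo0
add 00200 deny ip from any to 127.0.0.0/8
add 00300 deny ip from $LAN_NET to any in recv $EXT_IF
add 00900 deny ip from any to 10.0.0.0/8 via $EXT_IF
add 01000 deny ip from any to 172.16.0.0/12 via $EXT_IF
add 01100 deny ip from any to 192.168.0.0/16 via $EXT_IF
add 01500 divert $NATD_PORT ip from any to any via $EXT_IF
add 01600 deny ip from 10.0.0.0/8 to any via $EXT_IF
add 01700 deny ip from 172.16.0.0/12 to any via $EXT_IF
add 01800 deny ip from 192.168.0.0/16 to any via $EXT_IF
EOF
}

# Corrected ruleset: the same rules, followed by explicit allows placed
# AFTER the divert. At this point an outbound packet already carries the
# external address as its source (natd rewrote it), so an allow keyed on
# $LAN_NET would never match here; the allows describe the translated packet.
# Inbound replies arrive here with the LAN host's address already restored.
fixed_ruleset() {
broken_ruleset
cat <<EOF
add 02200 allow tcp from any to any established
add 02300 allow tcp from any to any out xmit $EXT_IF setup
add 02400 allow udp from any to any out xmit $EXT_IF
add 02500 allow udp from any 53 to any in recv $EXT_IF
add 02600 allow icmp from any to any out xmit $EXT_IF
add 02700 allow icmp from any to any icmptypes 0,3,11 in recv $EXT_IF
EOF
}

# The reply's question as a check: read rules on stdin and succeed (exit 0)
# only if at least one allow rule appears after the divert rule. It keys on
# the action keyword rather than a field position, so it also works on plain
# "ipfw list" output, where the leading "add" is absent.
allow_follows_divert() {
	awk '
		/(^|[ \t])divert[ \t]/ { seen_divert = 1; next }
		seen_divert && /(^|[ \t])allow[ \t]/ { found = 1 }
		END { exit found ? 0 : 1 }
	'
}

# Print the corrected ruleset when asked, so it can be saved to a file and
# loaded with "ipfw <file>" on the firewall host.
if [ "${1:-}" = "print" ]; then
	fixed_ruleset
fi
```

Running `broken_ruleset | allow_follows_divert` fails and `fixed_ruleset | allow_follows_divert` succeeds; running `ipfw list | sh thisscript.sh` is not supported, but `ipfw list | allow_follows_divert` inside a shell that has sourced the file gives the same yes/no answer for a live ruleset. The deny rules after the divert are kept because they still do useful anti-spoofing work on the translated packet; only the missing allows are added.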