Date: Mon, 31 Jan 2000 23:47:18 +0200
From: Ruslan Ermilov
To: John
Cc: zimon@iki.fi, freebsd-questions@FreeBSD.ORG
Subject: Re: NATD/Divert broken ?
Message-ID: <20000131234718.A20463@relay.ucb.crimea.ua>
In-Reply-To: <4.1.20000131145859.0096fed0@mail.udel.edu>; from John on Mon, Jan 31, 2000 at 03:03:19PM -0500

On Mon, Jan 31, 2000 at 03:03:19PM -0500, John wrote:
> >> >> ******
> >> >> Failed connection, with divert rule in place:
> >> >> ******
> >> >>
> >> >> 12:01:10.744362 merlin.wondermutt.net.3482 > merlin.wondermutt.net.39536: S
> >> >> 1027967984:1027967984(0) win 16384
> >> >>
> >> >[...]
> >> >Can you show me the above in numerical form (with -n), with the output of
> >> >the following commands:
> >>
> >> Sure can :)
> >>
> >[...]
> >> >* ipfw show
> >> merlin# ipfw show
> >> 00075 227 21816 divert 8668 ip from any to any via fxp1
> >> 00150 18596 3000493 allow ip from any to any via fxp0
> >> 00200 0 0 deny ip from any to 127.0.0.0/8 recv fxp1
> >> 00300 22 1233 allow ip from 192.168.0.0/16 to any out xmit fxp1
> >> 00400 1205 1317527 allow ip from any to 192.168.0.0/16 in recv fxp1
> >> 65000 250 22128 allow ip from any to 128.175.75.157 in recv fxp1
> >> 65100 1380 78451 allow ip from 128.175.75.157 to any out xmit fxp1
> >> 65535 1659 185195 deny ip from any to any
> >>
> >I don't believe that just removing rule 75 fixes the problem.
> >Please add the following (from the stock rc.firewall) two rules
> >right after the `divert' one and before any other:
> >
> >############
> ># Only in rare cases do you want to change these rules
> >$fwcmd add 100 pass all from any to any via lo0
> >$fwcmd add 200 deny all from any to 127.0.0.0/8
> >
> >Let me know if this helps.
>
> My apologies... what you saw was the results of me messing around with the
> firewall rules for 3 days :) I pasted an incorrect copy to you. Here is
> my current config:
>
> 00075 1814 194224 divert 8668 ip from any to any via fxp1
> 00100 388 49438 allow ip from any to any via lo0
> 00200 0 0 deny ip from any to 127.0.0.0/8
> 00250 697 44297 allow ip from any to any via fxp0
> 00300 56 3096 allow ip from 192.168.0.0/16 to any out xmit fxp1
> 00400 1456 1373711 allow ip from any to 192.168.0.0/16 in recv fxp1
> 65000 1204 125994 allow ip from any to 128.175.75.157 in recv fxp1
> 65100 2707 211644 allow ip from 128.175.75.157 to any out xmit fxp1
> 65535 1928 210215 deny ip from any to any
>
> And believe it or not, simply removing the 00075 line DOES cure the problem
> (while disabling my internal net). With the rule in place, netstat -a shows:
>
> tcp 0 0 merlin.3587 merlin.39474 SYN_SENT
> tcp 0 0 *.39474 *.* CLOSED
>
> For some reason, the port is being closed before the connection can be made.
>
> Correcting rule 00100 and 00200 did not cure the problem though :/ If you
> need more info from me, please let me know.
>
1. Send me the output of `sysctl net.inet'.
2. Add the `log' keyword to rules 75 and 65535.
3. Run `natd' manually with `-v' flag, and script(1) its output.
4. Make `ping -c1 merlin' from `merlin'.
5. Send me the `dmesg' output (ipfw related), natd's script output, and ping's output.

--
Ruslan Ermilov          Sysadmin and DBA of the
ru@ucb.crimea.ua        United Commercial Bank,
ru@FreeBSD.org          FreeBSD committer,
+380.652.247.647        Simferopol, Ukraine
http://www.FreeBSD.org  The Power To Serve
http://www.oracle.com   Enabling The Information Age
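The rule-ordering question in this thread, as an added example that is not from the thread, FreeBSD or natd: a small Python parser for the `ipfw show' listing format quoted above, with a first-match walk that follows ipfw(8)'s `via'/`recv'/`xmit' interface semantics. Run over John's first listing it sends a loopback packet to the default deny at 65535; with the two stock rc.firewall rules Ruslan quoted added, rule 100 accepts it. The packet representation and the treatment of `divert' as a pass-through (natd's address rewriting is not modelled) are the example's own assumptions.

```python
import ipaddress, re

# One `ipfw show` line: number, pkt/byte counters, action [divert port], "ip from S to D", options.
RULE_RE = re.compile(r"^(\d+) +\d+ +\d+ +(allow|deny|divert)(?: \d+)? ip from (\S+) to (\S+)(.*)$")

def parse_rules(text):
    """Parse `ipfw show` output into rule dicts, sorted by rule number."""
    rules = []
    for line in text.strip().splitlines():
        num, action, src, dst, opts = RULE_RE.match(line.strip()).groups()
        w = opts.split()  # e.g. ["out", "xmit", "fxp1"]
        r = {"num": int(num), "action": action, "src": src, "dst": dst,
             "dir": "in" if "in" in w else "out" if "out" in w else None}
        for k in ("via", "recv", "xmit"):  # interface qualifiers, if present
            r[k] = w[w.index(k) + 1] if k in w else None
        rules.append(r)
    return sorted(rules, key=lambda r: r["num"])
def _addr(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
def rule_match(r, p):
    """ipfw(8) semantics: `via X` matches either interface, `recv`/`xmit` only the named one."""
    return ((r["dir"] is None or r["dir"] == p["dir"])
            and (r["via"] is None or r["via"] in (p["recv"], p["xmit"]))
            and (r["recv"] is None or r["recv"] == p["recv"])
            and (r["xmit"] is None or r["xmit"] == p["xmit"])
            and _addr(r["src"], p["src"]) and _addr(r["dst"], p["dst"]))
def evaluate(rules, p):
    """First allow/deny match wins; a matching divert is noted and the walk goes on (assumption: no natd rewriting)."""
    diverted = []
    for r in rules:
        if rule_match(r, p):
            if r["action"] == "divert":
                diverted.append(r["num"])
                continue
            return r["action"], r["num"], diverted
    raise RuntimeError("no terminal rule matched")

# Constructed sample input: the first listing John posted, as shown in the thread.
OLD = """00075 227 21816 divert 8668 ip from any to any via fxp1
00150 18596 3000493 allow ip from any to any via fxp0
00200 0 0 deny ip from any to 127.0.0.0/8 recv fxp1
00300 22 1233 allow ip from 192.168.0.0/16 to any out xmit fxp1
00400 1205 1317527 allow ip from any to 192.168.0.0/16 in recv fxp1
65000 250 22128 allow ip from any to 128.175.75.157 in recv fxp1
65100 1380 78451 allow ip from 128.175.75.157 to any out xmit fxp1
65535 1659 185195 deny ip from any to any"""
# Same set with the two stock rc.firewall loopback rules Ruslan quoted (rule 200 loses `recv fxp1`).
NEW = OLD.replace("00200 0 0 deny ip from any to 127.0.0.0/8 recv fxp1",
    "00100 0 0 allow ip from any to any via lo0\n00200 0 0 deny ip from any to 127.0.0.0/8")
```

A packet is a dict with src, dst, dir ("in"/"out"), recv and xmit interface (None when not applicable); evaluate() returns the terminal action, its rule number and the divert rules passed on the way.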