Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 26 Mar 2003 01:29:34 -0500
From:      "Scot" <>
To:        "Ruslan Ermilov" <ru@FreeBSD.ORG>, "Scot" <>
Cc:        ipfw@FreeBSD.ORG
Subject:   SUMMARY: Natd stops working on Firewall
Message-ID:  <>
In-Reply-To: <>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help

Thanks to all who posted. Thanks Ruslan for the answer !
Simpel fix as Ruslan Explained. just add ...

        ${fwcmd} add pass all from ${inet}:${imask} to any in via ${iif}
        ${fwcmd} add pass ip from ${oip} to any out via ${oif}
        ${fwcmd} add pass ip from any to ${inet}:${imask}

at the end of the SIMPLE section of rc.firewall. I added them just before

        # Everything else is denied by default, unless the
        # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
        # config file.

Yes I know, Now that I know it works I need to make it more resticted.

The details of what started this thread.

Following the FreeBSD Online handbook at
I setup my firewall (initially) using the following rc.conf  subsettings

Added my DHCP ip and Local network to rc.firewall SIMPLE section and
wala. It worked. But only for a little while. No logs or anything as to
Hence the post and kind response below.

 I added 15 lines of code to rc.firewall to dynamicly handle a DHCP
address if you intrested here it is. I know my coding sucks but it works.
 # set these to your outside interface network and netmask and ip
    eval CHDHCP=\${ifconfig_$oif}
    if [ ${CHDHCP} = "DHCP" -a -r /var/db/dhclient.leases ];then
       oip=`grep fixed-address ${lease}|cut -d\; -f1|awk '{print
$2}'|tail -1`
       omask=`grep subnet-mask ${lease}|cut -d\; -f1|awk '{print
$3}'|tail -1`
       shortonet=`echo "$oip"|cut -d. -f1,2,3`
       echo "DHCP onet  = $onet"
       echo "DHCP omask = $omask"
       echo "DHCP oip   = $oip"
       sleep 4
       # Add static address here

-----Original Message-----
From: owner-freebsd-stable@FreeBSD.ORG
[mailto:owner-freebsd-stable@FreeBSD.ORG]On Behalf Of Ruslan Ermilov
Sent: Tuesday, March 25, 2003 4:20 AM
To: Scot
Cc: FreeBSD Stable; ipfw@FreeBSD.ORG
Subject: Re: Natd stops working on Firewall

On Mon, Mar 24, 2003 at 09:52:32PM -0500, Scot wrote:
> Hi;
> Just setup my FreeBSD 4.7 Firewall using the docs
> outlined in the handbook.
What docs you have used to set up the firewall?

> The install went on and
> everything seems to be working fine then boom.
> The system seems to stop routing traffic. No
> messages in the security log or natd log as to why.
> I made sure it was logging by nmaping my box from the
> outside. I even ran natd in the foreground and it still didn't
> tell me what was going on.
> There is nothing in any logfile that tells me why this thing
> just stops working so I'm thinking it may not be a daemon but
> something in the kernel.
> I cannot ping the interface from the internal network but tcpdump shows
> the packets being received. (Hub network firewall_type=SIMPLE ).
> If I logon to the console the cable modem connection is still functioning
> and I can surf from the firewall.
> Any ideas on where to look next ??
> Cable modem using dhcp -> 192.168 home network on
> PPro w/280 MB ram.
> Intel Pro 10/100b/100+ Ethernet This card is a PCI card with 2 interfaces.
> Standard Xuser install + Kernel sources.
I've been through this just recently.  Our "simple" prototype
is not production ready; if you just tune oip/iip/onet/inet,
etc., it won't allow your internal machines to talk outside.

The packet flow for a machine in ${inet}:${imask} talking outside
is as follows:

${inet}:${imask} -> some_host (in  via ${iif})
${oip}           -> some_host (out via ${oif}) (after NAT)
some_host -> ${inet}:${imask} (in  via ${oif}) (after de-NAT)
some_host -> ${inet}:${imask} (out via ${iif})

(This assumes that you NAT using ${oip}, which is not always
the case.)

So, to make it work (if default is to "deny"), you need to add
the following rules at the end of the ruleset:

${fwcmd} add pass all from ${inet}:${imask} to any in via ${iif}
${fwcmd} add pass ip from ${oip} to any out via ${oif}
${fwcmd} add pass ip from any to ${inet}:${imask}

Ruslan Ermilov		Sysadmin and DBA,		Sunbay Software AG,		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine	The Power To Serve	Enabling The Information Age

Want to link to this message? Use this URL: <>