Date:      Wed, 26 Mar 2003 01:29:34 -0500
From:      "Scot" <scotrn@cox.net>
To:        "Ruslan Ermilov" <ru@FreeBSD.ORG>, "Scot" <scotrn@cox.net>
Cc:        ipfw@FreeBSD.ORG
Subject:   SUMMARY: Natd stops working on Firewall
Message-ID:  <PAEEIJCHPFHEDADDGJFLKELMDNAA.scotrn@cox.net>
In-Reply-To: <20030325092007.GB73657@sunbay.com>

Thanks to all who posted. Thanks, Ruslan, for the answer!
Simple fix, as Ruslan explained. Just add ...

        ${fwcmd} add pass all from ${inet}:${imask} to any in via ${iif}
        ${fwcmd} add pass ip from ${oip} to any out via ${oif}
        ${fwcmd} add pass ip from any to ${inet}:${imask}

at the end of the SIMPLE section of rc.firewall. I added them just before

        # Everything else is denied by default, unless the
        # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
        # config file.
        ;;
[Cc][Ll][Oo][Ss][Ee][Dd])


Yes, I know. Now that I know it works I need to make it more restricted.

The details of what started this thread.

Following the FreeBSD Online handbook at
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html
I set up my firewall (initially) using the following rc.conf settings:
ifconfig_fxp0="DHCP"
gateway_enable="YES"
firewall_enable="YES"
firewall_type="SIMPLE"
natd_enable="YES"
natd_interface="fxp0"
natd_flags=""

Added my DHCP IP and local network to the rc.firewall SIMPLE section and
voila. It worked. But only for a little while. No logs or anything as to
why...
Hence the post and the kind response below.

Also:
 I added 15 lines of code to rc.firewall to dynamically handle a DHCP
address; if you're interested, here it is. I know my coding sucks but it works.
--------------------------------------------------------------------------
 # set these to your outside interface network and netmask and ip
    oif="fxp0"
    # read ifconfig_fxp0 from rc.conf to see whether the interface uses DHCP
    eval CHDHCP=\${ifconfig_$oif}
    if [ "${CHDHCP}" = "DHCP" -a -r /var/db/dhclient.leases ]; then
       lease="/var/db/dhclient.leases"
       # take the last (newest) fixed-address and subnet-mask in the lease file
       oip=`grep fixed-address ${lease}|cut -d\; -f1|awk '{print $2}'|tail -1`
       omask=`grep subnet-mask ${lease}|cut -d\; -f1|awk '{print $3}'|tail -1`
       # network built from the first three octets: this assumes a /24 mask
       shortonet=`echo "$oip"|cut -d. -f1,2,3`
       onet="$shortonet.0"
       echo "DHCP onet  = $onet"
       echo "DHCP omask = $omask"
       echo "DHCP oip   = $oip"
       sleep 4
    else
       # Add static address here
       onet="xxx.xxx.xxx.0"
       omask="255.255.255.0"
       oip="xxx.xxx.xxx.xxx"
    fi


-----Original Message-----
From: owner-freebsd-stable@FreeBSD.ORG
[mailto:owner-freebsd-stable@FreeBSD.ORG]On Behalf Of Ruslan Ermilov
Sent: Tuesday, March 25, 2003 4:20 AM
To: Scot
Cc: FreeBSD Stable; ipfw@FreeBSD.ORG
Subject: Re: Natd stops working on Firewall


On Mon, Mar 24, 2003 at 09:52:32PM -0500, Scot wrote:
> Hi;
>
> Just setup my FreeBSD 4.7 Firewall using the docs
> outlined in the handbook.
>
What docs have you used to set up the firewall?

> The install went on and
> everything seems to be working fine then boom.
> The system seems to stop routing traffic. No
> messages in the security log or natd log as to why.
>
> I made sure it was logging by nmaping my box from the
> outside. I even ran natd in the foreground and it still didn't
> tell me what was going on.
>
> There is nothing in any logfile that tells me why this thing
> just stops working so I'm thinking it may not be a daemon but
> something in the kernel.
>
> I cannot ping the interface from the internal network but tcpdump shows
> the packets being received. (Hub network firewall_type=SIMPLE ).
>
> If I logon to the console the cable modem connection is still functioning
> and I can surf from the firewall.
>
> Any ideas on where to look next ??
>
>
> Cable modem using dhcp -> 192.168 home network on
> PPro w/280 MB ram.
> Intel Pro 10/100b/100+ Ethernet This card is a PCI card with 2 interfaces.
> Standard Xuser install + Kernel sources.
>
I've been through this just recently.  Our "simple" prototype
is not production ready; if you just tune oip/iip/onet/inet,
etc., it won't allow your internal machines to talk outside.

The packet flow for a machine in ${inet}:${imask} talking outside
is as follows:

${inet}:${imask} -> some_host (in  via ${iif})
${oip}           -> some_host (out via ${oif}) (after NAT)
some_host -> ${inet}:${imask} (in  via ${oif}) (after de-NAT)
some_host -> ${inet}:${imask} (out via ${iif})

(This assumes that you NAT using ${oip}, which is not always
the case.)

So, to make it work (if default is to "deny"), you need to add
the following rules at the end of the ruleset:

${fwcmd} add pass all from ${inet}:${imask} to any in via ${iif}
${fwcmd} add pass ip from ${oip} to any out via ${oif}
${fwcmd} add pass ip from any to ${inet}:${imask}


Cheers,
--
Ruslan Ermilov		Sysadmin and DBA,
ru@sunbay.com		Sunbay Software AG,
ru@FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine

http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age
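An added example, not code from either message in this thread, that ties Scot's lease-parsing snippet to Ruslan's three rules: it reads oip and omask from constructed dhclient lease text, computes onet from the mask instead of assuming a /24, and prints the rules as text without installing anything. The inside network 192.168.0.0/24 on fxp1 and the plain "ipfw" command name are assumptions.

```sh
#!/bin/sh
# Added example, not code from the thread: read the outside address and mask
# from dhclient lease text the way Scot's snippet does, but compute the network
# from the mask instead of assuming a /24, then print (never install) the three
# pass rules from Ruslan's reply. Variable names follow rc.firewall's SIMPLE
# section; the lease text below is constructed sample data.

SAMPLE_LEASE='lease {
  interface "fxp0";
  fixed-address 10.1.2.3;
  option subnet-mask 255.255.255.0;
}
lease {
  interface "fxp0";
  fixed-address 172.16.37.200;
  option subnet-mask 255.255.252.0;
}'

# Last fixed-address in the lease text (dhclient appends the newest lease last).
lease_ip() {
    printf '%s\n' "$1" | awk '/fixed-address/ { sub(";", "", $2); ip = $2 } END { print ip }'
}

# Last subnet-mask in the lease text.
lease_mask() {
    printf '%s\n' "$1" | awk '/subnet-mask/ { sub(";", "", $3); m = $3 } END { print m }'
}

# Network address = address AND mask, octet by octet, in POSIX sh arithmetic.
# Runs in a subshell so the IFS change does not leak out.
net_addr() (
    IFS='. '
    set -- $1 $2            # $1..$4 = address octets, $5..$8 = mask octets
    printf '%d.%d.%d.%d\n' "$(($1 & $5))" "$(($2 & $6))" "$(($3 & $7))" "$(($4 & $8))"
)

# The three rules from Ruslan's reply, as text: inside net, mask, if; outside ip, if.
nat_pass_rules() {
    fwcmd=ipfw              # assumed command name; printed only, nothing is executed
    printf '%s\n' \
        "$fwcmd add pass all from $1:$2 to any in via $3" \
        "$fwcmd add pass ip from $4 to any out via $5" \
        "$fwcmd add pass ip from any to $1:$2"
}

oip=$(lease_ip "$SAMPLE_LEASE")
omask=$(lease_mask "$SAMPLE_LEASE")
onet=$(net_addr "$oip" "$omask")
echo "DHCP onet  = $onet   omask = $omask   oip = $oip"
nat_pass_rules 192.168.0.0 255.255.255.0 fxp1 "$oip" fxp0
```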
