Date: Fri, 28 May 2010 12:10:08 -0700 (PDT)
From: Casey Scott <casey@phantombsd.org>
To: freebsd-questions@freebsd.org
Subject: ipfw/natd in 8.1
Message-ID: <1817830139.243.1275073808262.JavaMail.root@spitfire.phantombsd.org>
In-Reply-To: <348704227.241.1275069787043.JavaMail.root@spitfire.phantombsd.org>
Since a rebuild to FBSD 8.1, I can't get natd to function correctly. Below is my ipfw config. It closely follows the example in the Handbook:
http://www.freebsd.org/doc/en/books/handbook/firewalls-ipfw.html (30.6.5.7 An Example NAT and Stateful Ruleset -- Ruleset #1)

firewall config (logging enabled temporarily while troubleshooting)
============================================================================
00003 16133 2323153 allow ip from any to any via em0
00004   672  144006 allow ip from any to any via lo0
00100    96    5322 divert 8668 log ip from any to any in via fxp0
00101     0       0 check-state
00120    64    4542 skipto 500 log udp from any to any out via fxp0 keep-state
00125   203   49916 skipto 500 log tcp from any to any out via fxp0 setup keep-state
00130    26    2184 skipto 500 icmp from any to any out via fxp0 keep-state
00300     0       0 deny ip from 192.168.0.0/16 to any in via fxp0
00301     0       0 deny ip from 172.16.0.0/12 to any in via fxp0
00302     0       0 deny ip from 10.0.0.0/8 to any in via fxp0
00303     0       0 deny ip from 127.0.0.0/8 to any in via fxp0
00304     0       0 deny ip from 0.0.0.0/8 to any in via fxp0
00305     0       0 deny ip from 169.254.0.0/16 to any in via fxp0
00306     0       0 deny ip from 192.0.2.0/24 to any in via fxp0
00307     0       0 deny ip from 204.152.64.0/23 to any in via fxp0
00308     0       0 deny ip from 224.0.0.0/3 to any in via fxp0
00400    10    1306 allow log udp from any to any dst-port 53,123 in keep-state
00401     0       0 allow log icmp from any to any icmptypes 0,3,11
00420     9    1112 allow log tcp from any to me dst-port 20,21,53,76,80,123,443 in via fxp0 setup limit src-addr 20
00450    24     876 deny log logamount 10000 ip from any to any
00500   293   56642 divert 8668 log ip from any to any
00510    78   21591 allow log ip from any to any
65535   262   18726 deny ip from any to any
============================================================================

/etc/natd.conf
============================================================================
use_sockets
same_ports
unregistered_only
interface fxp0
============================================================================

Natd only properly NATs the first packet out:

# /sbin/natd -v -f /etc/natd.conf
Loading /lib/libalias_cuseeme.so
Loading /lib/libalias_ftp.so
Loading /lib/libalias_irc.so
Loading /lib/libalias_nbt.so
Loading /lib/libalias_pptp.so
Loading /lib/libalias_skinny.so
Loading /lib/libalias_smedia.so
natd[10702]: Aliasing to 74.94.69.225, mtu 1500 bytes
Out {default}[TCP] [TCP] 192.168.1.6:61447 -> 65.61.153.152:80 aliased to [TCP] 74.94.69.225:61447 -> 65.61.153.152:80
In {default}[TCP] [TCP] 65.61.153.152:80 -> 74.94.69.225:61447 aliased to [TCP] 65.61.153.152:80 -> 192.168.1.6:61447
In {default}[TCP] [TCP] 65.61.153.152:80 -> 192.168.1.6:61447 aliased to [TCP] 65.61.153.152:80 -> 192.168.1.6:61447
Out {default}[TCP] [TCP] 192.168.1.6:61447 -> 65.61.153.152:80 aliased to [TCP] 192.168.1.6:61447 -> 65.61.153.152:80
Out {default}[TCP] [TCP] 192.168.1.6:61447 -> 65.61.153.152:80 aliased to [TCP] 192.168.1.6:61447 -> 65.61.153.152:80
Out {default}[TCP] [TCP] 192.168.1.6:61447 -> 65.61.153.152:80 aliased to [TCP] 192.168.1.6:61447 -> 65.61.153.152:80
Out {default}[TCP] [TCP] 192.168.1.6:61447 -> 65.61.153.152:80 aliased to [TCP] 192.168.1.6:61447 -> 65.61.153.152:80
Out {default}[TCP] [TCP] 192.168.1.6:61447 -> 65.61.153.152:80 aliased to [TCP] 192.168.1.6:61447 -> 65.61.153.152:80
In {default}[TCP] [TCP] 65.61.153.152:80 -> 74.94.69.225:61447 aliased to [TCP] 65.61.153.152:80 -> 192.168.1.6:61447
In {default}[TCP] [TCP] 65.61.153.152:80 -> 192.168.1.6:61447 aliased to [TCP] 65.61.153.152:80 -> 192.168.1.6:61447
Out {default}[TCP] [TCP] 192.168.1.6:61447 -> 65.61.153.152:80 aliased to [TCP] 192.168.1.6:61447 -> 65.61.153.152:80
Out {default}[TCP] [TCP] 192.168.1.6:61447 -> 65.61.153.152:80 aliased to [TCP] 192.168.1.6:61447 -> 65.61.153.152:80
Out {default}[TCP] [TCP] 192.168.1.6:61447 -> 65.61.153.152:80 aliased to [TCP] 192.168.1.6:61447 -> 65.61.153.152:80
Out {default}[TCP] [TCP] 192.168.1.6:61447 -> 65.61.153.152:80 aliased to [TCP] 192.168.1.6:61447 -> 65.61.153.152:80

I'm not sure why this happens! Same config worked w/ FBSD 7x.

TIA,
Casey
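An added example, not part of Casey's message, for reading the `natd -v` output above: it parses each translation line and flags the two anomalies visible in the trace, an outbound packet whose source is still private after aliasing, and an inbound packet that reaches natd already rewritten to a private destination (i.e. diverted a second time after translation). The sample lines are copied from the trace; `74.94.69.225` is the aliasing address natd reported.

```python
import ipaddress
import re

# One translation line of `natd -v`, e.g.
#   Out {default}[TCP] [TCP] 192.168.1.6:61447 -> 65.61.153.152:80 aliased to [TCP] 74.94.69.225:61447 -> 65.61.153.152:80
NATD_LINE = re.compile(
    r"^(?P<dir>In|Out) \{\w+\}\[\w+\] \[(?P<proto>\w+)\] "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"aliased to \[\w+\] "
    r"(?P<asrc>[\d.]+):(?P<asport>\d+) -> (?P<adst>[\d.]+):(?P<adport>\d+)$"
)


def audit(lines, public_ip):
    """Return (line number, reason) for every translation that looks wrong.

    public_ip is the address natd reports in "Aliasing to ...".
    Non-translation lines (module loading, banners) are skipped.
    """
    public = ipaddress.ip_address(public_ip)
    findings = []
    for n, line in enumerate(lines, 1):
        m = NATD_LINE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        if d["dir"] == "Out":
            # With unregistered_only, a private source must leave as the public address.
            if ipaddress.ip_address(d["src"]).is_private and ipaddress.ip_address(d["asrc"]) != public:
                findings.append((n, "outbound packet left with private source " + d["asrc"]))
        else:
            # An inbound packet already addressed to a private host has been
            # de-aliased once and is being passed through natd again.
            if ipaddress.ip_address(d["dst"]).is_private:
                findings.append((n, "inbound packet diverted twice (dst " + d["dst"] + ")"))
    return findings


# Constructed sample: the banner plus four lines taken from the trace above.
SAMPLE = [
    "natd[10702]: Aliasing to 74.94.69.225, mtu 1500 bytes",
    "Out {default}[TCP] [TCP] 192.168.1.6:61447 -> 65.61.153.152:80 aliased to [TCP] 74.94.69.225:61447 -> 65.61.153.152:80",
    "In {default}[TCP] [TCP] 65.61.153.152:80 -> 74.94.69.225:61447 aliased to [TCP] 65.61.153.152:80 -> 192.168.1.6:61447",
    "In {default}[TCP] [TCP] 65.61.153.152:80 -> 192.168.1.6:61447 aliased to [TCP] 65.61.153.152:80 -> 192.168.1.6:61447",
    "Out {default}[TCP] [TCP] 192.168.1.6:61447 -> 65.61.153.152:80 aliased to [TCP] 192.168.1.6:61447 -> 65.61.153.152:80",
]

if __name__ == "__main__":
    for lineno, reason in audit(SAMPLE, "74.94.69.225"):
        print("line %d: %s" % (lineno, reason))
```

Feed it the real output with `natd -v ... 2>&1 | python3 audit.py` after replacing SAMPLE with `sys.stdin`; a healthy trace produces no findings.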