Date: Fri, 02 Jul 1999 13:58:37 -0700
From: Ludwig Pummer <ludwigp@bigfoot.com>
To: Ruslan Ermilov <ru@FreeBSD.ORG>
Cc: Brian Somers <brian@FreeBSD.ORG>, cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG
Subject: Re: cvs commit: src/sbin/natd natd.8
Message-ID: <4.1.19990702134305.0096be20@mail-r>
In-Reply-To: <19990702151615.A29698@relay.ucb.crimea.ua>
References: <4.1.19990701223654.0091eda0@mail-r> <199906210758.AAA59491@freefall.freebsd.org> <199906210758.AAA59491@freefall.freebsd.org> <19990701170841.A35816@relay.ucb.crimea.ua> <4.1.19990701223654.0091eda0@mail-r>
At 05:16 AM 7/2/1999 , Ruslan Ermilov wrote:
>> Let me restate what I originally said/meant to say:
>> I have a machine doing natd. It has an internal network address
>> 172.16.1.5/24 and an external network address of 24.2.21.36/24. If I do
>> 'redirect_port tcp 172.16.1.30:80 80' and then try to point my web browser
>> (from a machine in the 172.16.1.5/24 network) at http://24.2.21.36:80, it
>> will not reach 172.16.1.30:80. If, however, I point my web browser (from a
>> machine on the internet) at http://24.2.21.36:80, it _will_ reach
>> 172.16.1.30:80.
>>
>Ah, I see now what you meant, but you're wrong anyway.
>It works(!) even in such a configuration; look what I did:
>
>Host running natd:
>
>(internal interface 192.168.1.1/24)
>fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
>
>(external interface 212.110.138.1/28)
>fxp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>        inet 212.110.138.1 netmask 0xfffffff0 broadcast 212.110.138.15
>
># ipfw list 1
>00001 divert 6666 tcp from any to any 80
>00001 divert 6666 tcp from any 80 to any
>
>*** Note that there are no "via" keywords, otherwise it will not work.

Bingo. I made my suggestion because if you set up natd according to the
manpage, there is a 'via' keyword in the ipfw rule (and rc.firewall's natd
rule also has 'via'). In those cases, "it will not work." I was concerned
that newbies who set up natd "by the book" and then tested their
configurations would be confused.

Maybe I should point out that the natd manpage I'm looking at is from
15 April 1997. uname -a:
toy.chip-web.com 3.1-STABLE FreeBSD 3.1-STABLE #0: Thu Mar 4 18:28:40 PST 1999 root@toy.chip-web.com:/usr/src/sys/compile/TOY i386

>> I felt that despite this being logical according to routing and the way the
>> ipfw rule is written**, this was worth pointing out. Otherwise, many
>> newbies setting up natd for the first time would do something very similar
>> to my example above, and become disappointed/discouraged/confused when they
>> can't connect to http://24.2.21.36:80 from their inside machine. I came to
>> this conclusion after helping someone with natd over ICQ, and then
>> recalling that I had similar problems when I was first playing with natd.
>>
>I hope you're ready to do it now!

Well, yeah. I've had natd set up and running for over a year and a half now,
first with usermode ppp and then with 2.2.5-R's natd.

... (snipped inport, outport, aliasing explanation) ...

>One important thing that should be taken into account is the ipfw's
>configuration. You should make sure to configure it properly; I think
>you understood this from my example.

Yes, I understand your point. Let me just say again that if ipfw is
configured according to the natd manpage, then you will have the issue I
first pointed out. That's why I felt adding this little "gotcha" to the
manpage was worth it.

--Ludwig Pummer ( ludwigp@bigfoot.com ) ICQ UIN: 692441
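The "via" gotcha the thread turns on, as an added example that is not part of the original message or of ipfw/natd itself: a toy model of how a divert rule with and without "via <external-interface>" matches a packet from an inside host aimed at the box's own external address (received on the internal interface, delivered locally, never crossing the external one) versus a packet from the Internet. Interface names ed0/ed1, the 8668 "natd" service port, and the sample addresses are constructed assumptions.

```python
# Added example (not from the thread): a simplified model of ipfw divert-rule
# matching with and without the "via <ifname>" keyword. Interface names and
# addresses are constructed; real ipfw evaluates far more than this.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str                # source address
    dst: str                # destination address
    dport: int              # destination TCP port
    in_if: str              # interface the packet was received on
    out_if: Optional[str]   # interface it would leave on; None if delivered locally

@dataclass(frozen=True)
class DivertRule:
    port: int               # divert port natd listens on
    dport: Optional[int]    # "to any <port>" restriction; None for "all"
    via: Optional[str]      # "via <ifname>"; None when the keyword is absent

    def matches(self, pkt: Packet) -> bool:
        if self.dport is not None and pkt.dport != self.dport:
            return False
        # "via X" matches a packet received on X *or* transmitted on X.
        if self.via is not None and self.via not in (pkt.in_if, pkt.out_if):
            return False
        return True

# Constructed topology following Ludwig's description: ed0 is the external
# interface holding 24.2.21.36, ed1 the internal one holding 172.16.1.5.
EXT_IF, INT_IF = "ed0", "ed1"
EXT_ADDR = "24.2.21.36"

# natd.8 / rc.firewall style rule: "divert natd all from any to any via ed0"
MANPAGE_RULE = DivertRule(port=8668, dport=None, via=EXT_IF)
# Ruslan's rule: "divert 6666 tcp from any to any 80" (no via keyword)
NO_VIA_RULE = DivertRule(port=6666, dport=80, via=None)

# Inside host browsing to the box's own external address: received on the
# internal interface and delivered locally, so it never crosses ed0.
INSIDE_TO_EXT = Packet("172.16.1.5", EXT_ADDR, 80, INT_IF, None)
# Internet host browsing to the same address: received on ed0.
OUTSIDE_TO_EXT = Packet("203.0.113.7", EXT_ADDR, 80, EXT_IF, None)

def diverted(rule: DivertRule, pkt: Packet) -> bool:
    """True when the rule would hand the packet to natd (so redirect_port can apply)."""
    return rule.matches(pkt)
```

With the manpage rule only the outside packet reaches natd, so the inside browser never gets redirected; without "via" both do, which is the behaviour Ruslan demonstrates.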