Date: Mon, 31 Jan 2000 21:54:56 +0200
From: Ruslan Ermilov <ru@ucb.crimea.ua>
To: John <papalia@udel.edu>
Cc: zimon@iki.fi, freebsd-questions@FreeBSD.ORG
Subject: Re: NATD/Divert broken ?
Message-ID: <20000131215456.B97751@relay.ucb.crimea.ua>
In-Reply-To: <4.1.20000131123443.00975da0@mail.udel.edu>; from John on Mon, Jan 31, 2000 at 02:23:34PM -0500
References: <4.1.20000131120328.009749c0@mail.udel.edu> <20000131193116.A72155@relay.ucb.crimea.ua> <4.1.20000131123443.00975da0@mail.udel.edu>
On Mon, Jan 31, 2000 at 02:23:34PM -0500, John wrote:
> >> Hey all,
> >>
> >> I'm having a small problem with my NATD and my firewall.  Per the
> >> instructions in "The Complete FreeBSD", I added the firewall rule:
> >>
> >> divert natd ip from any to any via fxp1
> >>
> >> The problem is that this rule is causing partial problems on my loopback
> >> device (lo0).
> >>
> >> What happens is that with the rule in place, for some connections within
> >> the box (which definitely go thru lo0), the connections fail.  If I remove
> >> that rule, then the connections within the box can be made, but then I lose
> >> all ability to host my internal 192.168. net.
> >>
> >> I have done tcpdumps of both the successful and unsuccessful connections
> >> and have pasted them below.  If the actual tcpdump files would be useful, I
> >> can attach those to a subsequent email.
> >>
> >> Also, I'm currently running 3.3 and am suffering from NO other apparent
> >> problems with lo0 that I can tell.
> >>
> >> tcpdumps are below.
> >>
> >> Thanks in advance,
> >> John
> >>
> >
> >> ******
> >> Failed connection, with divert rule in place:
> >> ******
> >>
> >> 12:01:10.744362 merlin.wondermutt.net.3482 > merlin.wondermutt.net.39536: S
> >> 1027967984:1027967984(0) win 16384 <mss 16344,nop,wscale 0,nop,no
> >>
> >[...]
> >Can you show me the above in numerical form (with -n), with the output of
> >the following commands:
>
> Sure can :)
> [...]
> >* ipfw show
> merlin# ipfw show
> 00075   227    21816 divert 8668 ip from any to any via fxp1
> 00150 18596  3000493 allow ip from any to any via fxp0
> 00200     0        0 deny ip from any to 127.0.0.0/8 recv fxp1
> 00300    22     1233 allow ip from 192.168.0.0/16 to any out xmit fxp1
> 00400  1205  1317527 allow ip from any to 192.168.0.0/16 in recv fxp1
> 65000   250    22128 allow ip from any to 128.175.75.157 in recv fxp1
> 65100  1380    78451 allow ip from 128.175.75.157 to any out xmit fxp1
> 65535  1659   185195 deny ip from any to any
>
I don't believe that just removing rule 75 fixes the problem.  Please add
the following (from the stock rc.firewall) two rules right after the
`divert' one and before any other:

############
# Only in rare cases do you want to change these rules
$fwcmd add 100 pass all from any to any via lo0
$fwcmd add 200 deny all from any to 127.0.0.0/8

Let me know if this helps.

-- 
Ruslan Ermilov		Sysadmin and DBA of the
ru@ucb.crimea.ua	United Commercial Bank,
ru@FreeBSD.org		FreeBSD committer,
+380.652.247.647	Simferopol, Ukraine
http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
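The following is an added walk-through, not code from the thread, from FreeBSD or from rc.firewall. It models ipfw's first-match evaluation over the exact ruleset John posted, with and without the two stock loopback rules Ruslan recommends, so the reader can see which rule actually terminates a connection the box makes to itself over lo0. Assumptions, beyond what the thread states: `recv IF` is modelled as "inbound on IF" and `xmit IF` as "outbound on IF"; a `divert` match is recorded and the walk simply continues at the next rule, as it does once natd hands the packet back, with address translation ignored; the host address 128.175.75.157 is taken from the posted rules, while 10.0.0.1 is a constructed sample source.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Ruleset as shown in the thread's "ipfw show" output, packet/byte counters stripped.
ORIGINAL_RULES = [
    "00075 divert 8668 ip from any to any via fxp1",
    "00150 allow ip from any to any via fxp0",
    "00200 deny ip from any to 127.0.0.0/8 recv fxp1",
    "00300 allow ip from 192.168.0.0/16 to any out xmit fxp1",
    "00400 allow ip from any to 192.168.0.0/16 in recv fxp1",
    "65000 allow ip from any to 128.175.75.157 in recv fxp1",
    "65100 allow ip from 128.175.75.157 to any out xmit fxp1",
    "65535 deny ip from any to any",
]

# The two stock rc.firewall rules the reply recommends inserting after the divert.
LOOPBACK_RULES = [
    "00100 pass all from any to any via lo0",
    "00200 deny all from any to 127.0.0.0/8",
]


@dataclass
class Packet:
    src: str
    dst: str
    iface: str       # interface the packet is crossing: lo0, fxp0 or fxp1
    direction: str   # "in" or "out"


@dataclass
class Rule:
    number: int
    action: str                 # allow, deny or divert
    src: str
    dst: str
    direction: Optional[str]    # in / out / None
    ifkind: Optional[str]       # via / recv / xmit / None
    iface: Optional[str]


def parse_rule(text: str) -> Rule:
    """Parse the subset of ipfw syntax used in the thread:
    '<num> <action> [arg] ip|all from <src> to <dst> [in|out] [via|recv|xmit <if>]'."""
    tok = text.split()
    number = int(tok[0])
    action = {"pass": "allow", "accept": "allow"}.get(tok[1], tok[1])
    i = tok.index("from")
    src, dst = tok[i + 1], tok[i + 3]
    direction = ifkind = iface = None
    rest = tok[i + 4:]
    while rest:
        word = rest.pop(0)
        if word in ("in", "out"):
            direction = word
        elif word in ("via", "recv", "xmit"):
            ifkind, iface = word, rest.pop(0)
        else:
            raise ValueError(f"unsupported keyword {word!r} in rule {number}")
    return Rule(number, action, src, dst, direction, ifkind, iface)


def addr_matches(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if not (addr_matches(rule.src, pkt.src) and addr_matches(rule.dst, pkt.dst)):
        return False
    if rule.direction and rule.direction != pkt.direction:
        return False
    if rule.ifkind == "via":                         # either direction on that interface
        return pkt.iface == rule.iface
    if rule.ifkind == "recv":                        # assumption: inbound on that interface
        return pkt.direction == "in" and pkt.iface == rule.iface
    if rule.ifkind == "xmit":                        # assumption: outbound on that interface
        return pkt.direction == "out" and pkt.iface == rule.iface
    return True


def first_match(rule_texts: List[str], pkt: Packet) -> Tuple[int, str]:
    """Return (rule number, action) of the rule that decides the packet's fate.
    Rules are walked in numeric order; a matching 'divert' is not terminal here,
    the walk continues at the next rule with the addresses left unchanged."""
    rules = sorted((parse_rule(t) for t in rule_texts), key=lambda r: r.number)
    for rule in rules:
        if rule_matches(rule, pkt) and rule.action != "divert":
            return rule.number, rule.action
    return 65535, "deny"   # ipfw's implicit default rule


def local_connection_verdict(rule_texts: List[str], host_addr: str = "128.175.75.157") -> Tuple[int, str]:
    """Verdict for a connection the box makes to its own address; such packets cross lo0."""
    return first_match(rule_texts, Packet(src=host_addr, dst=host_addr, iface="lo0", direction="out"))


if __name__ == "__main__":
    fixed = ORIGINAL_RULES + LOOPBACK_RULES
    print("posted ruleset, box-to-itself over lo0:", local_connection_verdict(ORIGINAL_RULES))
    print("with stock lo0 rules, box-to-itself:   ", local_connection_verdict(fixed))
    print("with stock lo0 rules, 127/8 arriving on fxp1:",
          first_match(fixed, Packet("10.0.0.1", "127.0.0.1", "fxp1", "in")))
```

Under the posted ruleset no rule mentions lo0 at all, so a connection from the box to its own address falls through every rule to the closing `65535 deny`; that is the failure John sees, and it happens whether or not rule 75 is present, which is why removing the divert alone is not a reliable fix. With rule 100 in place the same packet is accepted on lo0, and the interface-less rule 200 still drops anything addressed to 127/8 that arrives on a real interface.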