Date:      Wed, 10 Oct 2001 21:10:55 -0500
From:      David Kelly <dkelly@hiwaay.net>
To:        freebsd-questions@FreeBSD.ORG
Subject:   Re: IPFW, natd, and one big headache 
Message-ID:  <200110110210.f9B2Atw99386@grumpy.dyndns.org>
In-Reply-To: Message from Louis LeBlanc <leblanc+freebsd@smtp.ne.mediaone.net>  of "Wed, 10 Oct 2001 21:29:43 EDT." <20011010212942.A1037@acadia.ne.mediaone.net>

Louis LeBlanc writes:
> Ok, I'm ready to lose it here.
>
> I finally have a firewall that doesn't appear to close anything off,
> and I know it opens those things I want opened, like outgoing ping,
> traceroute, incoming HTTP, HTTPS, IMAP, SMTP, etc.   I take the script
> and source it once everything is up and dhclient is set, and it's all
> good.

What does the above script say about ports 67 and 68? Hint:

        # allow DHCP stuff
        ${fwcmd} add pass udp from 24.214.63.26 67 to any 68 in via ${nic}
        ${fwcmd} add pass udp from me 68 to 24.214.63.26 67 out via ${nic}

> And Natd.  All I get out of that is
> Oct 10 21:08:31 acadia natd[396]: failed to write packet back (Permission denied)
> in the console log.
>

> I have the following in /etc/rc.conf:
> natd_program="/sbin/natd"
> natd_interface="xl0"
> natd_enable=YES
> natd_flags="-unregistered_only -use_sockets -same_ports"
>

> and I have also tried using natd flags set instead to '-f /etc/natd.conf'
> which has:
>

> dynamic         yes
> log             no
> deny_incoming   no
> use_sockets     yes
> same_ports      yes
> verbose         no
> interface       xl0
> unregistered_only       no

I suggest adding "-log_facility security" to natd so that both natd and
ipfw report to the same place. Namely /var/log/security.

The best way to debug ipfw that I've found is to throw "log" modifiers
at all suspected blocking rules. It's easy to insert a new copy of the
rule with "log" added just before the current rule.

Doesn't hurt anything to have two identical rules in a row. Later for
cleanup you can simply delete the debugging log rules. I let my rules
autonumber on insert. Steps by 100. So temporary debugging rules are
often xx50 or xx90. Easy to spot and remove.

No need to reboot to debug your firewall and dhclient. Simply kill
dhclient and start it again with "dhclient xl0"

Use "ipfw zero" just before you restart dhclient. Then if you didn't
log the problems, "ipfw -a list" should indicate which rules got hits
since the zero. Then you have an idea where the dhcp packets are
being stopped.

--
David Kelly N4HHE, dkelly@hiwaay.net
========================================================================
The human mind ordinarily operates at only ten percent of its
capacity -- the rest is overhead for the operating system.
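The zero-then-list workflow from the reply above, as an added shell example that is not part of the original thread. It parses a constructed `ipfw -a list` snapshot (as taken after `ipfw zero` and a dhclient restart) to find the rules that got hits, and builds the "log" copy of a suspect rule numbered 50 below it, the xx50 convention from the post. Rule numbers, counters and the 24.214.63.26 DHCP server address are sample values, not a real ruleset.

```shell
#!/bin/sh
# Constructed sample of "ipfw -a list" output, columns: rule number,
# packet count, byte count, then the rule text. The DHCP pass rules
# (400/500) got no hits; the packets were counted by the deny at 600.
SAMPLE_IPFW_LIST='00100     0        0 allow ip from any to any via lo0
00200     0        0 deny ip from any to 127.0.0.0/8
00300     2      656 divert 8668 ip from any to any via xl0
00400     0        0 allow udp from 24.214.63.26 67 to any 68 in via xl0
00500     0        0 allow udp from me 68 to 24.214.63.26 67 out via xl0
00600     4     1312 deny udp from any to any
65535     0        0 deny ip from any to any'

# Print the numbers of all rules whose packet counter is non-zero,
# i.e. the rules that matched something since the last "ipfw zero".
hit_rules() {
    printf '%s\n' "$1" | awk '$2 > 0 { print $1 }'
}

# Emit the "ipfw add" command for a logging copy of rule $2 in listing $1,
# numbered 50 below it so it fires first and reports via syslog.
# "log" follows the whole action, including its argument for actions
# such as "divert 8668" or "fwd 10.0.0.1".
log_copy() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == want {
            n = sprintf("%05d", $1 - 50)
            a = ($4 ~ /^(divert|tee|fwd|forward|skipto|pipe|queue)$/) ? 5 : 4
            cmd = "ipfw add " n
            for (i = 4; i <= a; i++) cmd = cmd " " $i
            cmd = cmd " log"
            for (i = a + 1; i <= NF; i++) cmd = cmd " " $i
            print cmd
        }'
}

# Usage: one debugging rule per rule that saw traffic. On a live box
# you would feed "$(ipfw -a list)" instead of the sample.
hit_rules "$SAMPLE_IPFW_LIST" | while read -r num; do
    log_copy "$SAMPLE_IPFW_LIST" "$num"
done
```

The resulting xx50 rules are easy to spot later and remove with `ipfw delete <number>` once the culprit is found.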