Guys, I figured it out.
tlp0 should have been ex0 in the /etc/ipnat.conf. Sorry to have wasted your time.

Steve Pribyl
Steve AT NetFuel dot com
Computer Infrastructure Practitioner

Steve Pribyl wrote:
For some reason the firewall I am building is no longer doing nat. I think the tcpdump for ex0 at the bottom should say from 168.192.136.13 not 10.16.1.100. Can't figure out why. Any debugging help would be appreciated.

# ipf -V
ipf: IP Filter: v4.1.3 (396)
Kernel: IP Filter: v4.1.3
Running: yes
Log Flags: 0 = none set
Default: block all, Logging: available
Active list: 0
Feature mask: 0xa

# uname -a
NetBSD newton 2.1 NetBSD 2.1 (FIREWALL) #1: Sun Nov 6 20:56:13 CST 2005 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/FIREWALL i386

ipnat.conf
# -------------------------------------------------------------------------
# Use ipfilter ftp proxy for ftp client transfers mode: active
map tlp0 10.16.1.0/24 -> 0/32 proxy port ftp ftp/tcp

# Map all tcp and udp connections from 192.168.1.0/24 to external IP address
# changing the source port number to something between 40,000 and 60,000 in ve
map tlp0 10.16.1.0/24 -> 0/32 portmap tcp/udp 40000:60000

# For all other IP packets, map to the external IP address
map tlp0 10.16.1.0/24 -> 0/32

/etc/ipf.conf
pass in all
pass out all

/etc/sysctl.conf
net.inet.ip.forwarding=1

# netstat -rn
Routing tables

ex0 is external nic
tlp0 is internal nic

# ifconfig -a
tlp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        address: 00:04:5a:4a:a4:5f
        media: Ethernet none (none)
        inet 10.16.1.1 netmask 0xffffff00 broadcast 10.16.1.255
ex0: flags=8863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        capabilities=7<IP4CSUM,TCP4CSUM,UDP4CSUM>
        enabled=0
        address: 00:50:da:2d:be:3a
        media: Ethernet none (none)
        inet 168.192.136.13 netmask 0xffffff00 broadcast 168.192.136.255
lo0: flags=8009<UP,LOOPBACK,MULTICAST> mtu 33196
        inet 127.0.0.1 netmask 0xff000000
ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
ppp1: flags=8010<POINTOPOINT,MULTICAST> mtu 1500

Internet:
Destination        Gateway            Flags     Refs     Use    Mtu  Interface
default            64.81.136.1        UGS          1     671      -  ex0
10.16.1/24         link#1             UC           2       0      -  tlp0
10.16.1.10         link#1             UHLc         0       1      -  tlp0
10.16.1.100        link#1             UHLc         1       2      -  tlp0
168.192.136/24     link#2             UC           2       0      -  ex0
168.192.136.1      00:90:1a:40:8f:c8  UHLc         1       0      -  ex0
127/8              127.0.0.1          UGRS         0       0  33196  lo0
127.0.0.1          127.0.0.1          UH           1       4  33196  lo0

On an internal node (10.16.1.100)
ping yahoo.com

On the netbsd box.
# tcpdump tlp0 host 10.16.1.100
tcpdump: listening on tlp0
09:49:22.760785 10.16.1.1.40005 > 10.16.1.100.ssh: P 1608206970:1608207018(48) ack 3894317329 win 65535 (DF) [tos 0x10]
09:49:22.763303 10.16.1.100.32772 > dns.chi1.speakeasy.net.domain: 38987+ A? yahoo.com. (27) (DF)
09:49:22.763442 10.16.1.100.ssh > 10.16.1.1.40005: P 1:49(48) ack 48 win 8704 (DF) [tos 0x10]
09:49:22.960039 10.16.1.1.40005 > 10.16.1.100.ssh: . ack 49 win 65535 (DF) [tos 0x10]
09:49:27.767555 10.16.1.100.32773 > ns-legacy.speakeasy.net.domain: 38987+ A? yahoo.com. (27) (DF)
09:49:32.777534 10.16.1.100.32772 > dns.chi1.speakeasy.net.domain: 38987+ A? yahoo.com. (27) (DF)
09:49:37.787634 10.16.1.100.32773 > ns-legacy.speakeasy.net.domain: 38987+ A? yahoo.com. (27) (DF)
09:49:42.797797 10.16.1.100.32773 > dns.chi1.speakeasy.net.domain: 38988+ A? yahoo.com. (27) (DF)
09:49:47.807714 10.16.1.100.32774 > ns-legacy.speakeasy.net.domain: 38988+ A? yahoo.com. (27) (DF)
09:49:52.817867 10.16.1.100.32773 > dns.chi1.speakeasy.net.domain: 38988+ A? yahoo.com. (27) (DF)
09:49:57.829560 10.16.1.100.32774 > ns-legacy.speakeasy.net.domain: 38988+ A? yahoo.com. (27) (DF)
09:50:02.839068 10.16.1.100.ssh > 10.16.1.1.40005: P 49:145(96) ack 48 win 8704 (DF) [tos 0x10]
09:50:02.839078 10.16.1.100.ssh > 10.16.1.1.40005: P 145:209(64) ack 48 win 8704 (DF) [tos 0x10]
09:50:02.839236 10.16.1.1.40005 > 10.16.1.100.ssh: . ack 209 win 65535 (DF) [tos 0x10]

# tcpdump -i ex0 host 10.16.1.100
tcpdump: listening on ex0
09:49:22.763379 10.16.1.100.32772 > dns.chi1.speakeasy.net.domain: 38987+ A? yahoo.com. (27) (DF)
09:49:27.767619 10.16.1.100.32773 > ns-legacy.speakeasy.net.domain: 38987+ A? yahoo.com. (27) (DF)
09:49:32.777595 10.16.1.100.32772 > dns.chi1.speakeasy.net.domain: 38987+ A? yahoo.com. (27) (DF)
09:49:37.787690 10.16.1.100.32773 > ns-legacy.speakeasy.net.domain: 38987+ A? yahoo.com. (27) (DF)
09:49:42.797853 10.16.1.100.32773 > dns.chi1.speakeasy.net.domain: 38988+ A? yahoo.com. (27) (DF)
09:49:47.807770 10.16.1.100.32774 > ns-legacy.speakeasy.net.domain: 38988+ A? yahoo.com. (27) (DF)
09:49:52.817983 10.16.1.100.32773 > dns.chi1.speakeasy.net.domain: 38988+ A? yahoo.com. (27) (DF)
09:49:57.829617 10.16.1.100.32774 > ns-legacy.speakeasy.net.domain: 38988+ A? yahoo.com. (27) (DF)
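The mistake in the thread (ipnat `map` rules naming the inside NIC tlp0 while the default route leaves via ex0) is easy to catch before reloading the rules. The checker below is an added example, not part of the thread or of IPFilter; it assumes you paste the text of ipnat.conf and of `netstat -rn`, and it runs on constructed samples modelled on the post.

```python
import ipaddress
import re

# Constructed sample input modelled on the thread: map rules on tlp0, default via ex0.
IPNAT_CONF = """\
map tlp0 10.16.1.0/24 -> 0/32 proxy port ftp ftp/tcp
map tlp0 10.16.1.0/24 -> 0/32 portmap tcp/udp 40000:60000
map tlp0 10.16.1.0/24 -> 0/32
"""
NETSTAT_RN = """\
default            64.81.136.1        UGS    1  671  -  ex0
10.16.1/24         link#1             UC     2    0  -  tlp0
168.192.136/24     link#2             UC     2    0  -  ex0
"""
MAP_RE = re.compile(r"^\s*map\s+(\S+)\s+(\S+)\s*->\s*(\S+)")

def _prefix(dest):
    """Expand a BSD-abbreviated route prefix such as '10.16.1/24'."""
    addr, _, plen = dest.partition("/")
    octets = addr.split(".") + ["0"] * (4 - addr.count(".") - 1)
    return ipaddress.ip_network(f"{'.'.join(octets)}/{plen or 32}", strict=False)

def parse_routes(netstat_output):
    """Return (default_iface, {iface: [directly connected prefixes]})."""
    default, connected = None, {}
    for line in netstat_output.splitlines():
        f = line.split()
        if f and f[0] == "default":
            default = f[-1]
        elif len(f) > 1 and f[1].startswith("link#"):  # attached network
            connected.setdefault(f[-1], []).append(_prefix(f[0]))
    return default, connected

def lint_ipnat(conf, netstat_output):
    """Return (line_no, message) findings for map rules that cannot NAT."""
    ext, connected = parse_routes(netstat_output)
    findings = []
    for no, line in enumerate(conf.splitlines(), 1):
        m = MAP_RE.match(line)
        if not m:
            continue
        iface, src, _dst = m.groups()
        src_net = ipaddress.ip_network(src, strict=False)
        # map rewrites packets leaving the named interface: it must be the outside one
        if iface != ext:
            findings.append((no, f"map on {iface}, but default route is via {ext}"))
        if any(src_net.subnet_of(n) for n in connected.get(iface, [])):
            findings.append((no, f"{src} is attached to {iface}: inside NIC"))
    return findings
```

Running `lint_ipnat(IPNAT_CONF, NETSTAT_RN)` flags every rule twice (wrong interface, and the source network sits on that very interface); after replacing tlp0 with ex0 it returns no findings.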
