Re: Problems using natd to access internal webserver

2003-11-25 Thread Lowell Gilbert
Clayton F <[EMAIL PROTECTED]> writes:

>   pass in quick on fxp0 proto tcp from any to any port = 5500 keep state

That looks like an ipfilter rule, not ipfw.
Are you trying to use ipfilter with natd?  
That isn't a good idea...
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


RE: Problems using natd to access internal webserver

2003-11-25 Thread Andras Kende


I think your firewall's "keep state" is the problem.
Here are some examples that work great for me:


This is a working example:

/etc/rc.conf
gateway_enable="YES"
natd_enable="YES"
natd_interface="fxp0"
natd_flags="-f /etc/rc.natd"
firewall_enable="YES"
firewall_script="/etc/rc.firewall"

/etc/rc.natd
redirect_port tcp 10.1.1.18:80 8000

/etc/rc.firewall
$fwcmd add allow log tcp from any to any 8000 setup

/kernel
options IPFIREWALL
options IPFIREWALL_FORWARD
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100
options IPDIVERT


Best regards,

Andras Kende
http://www.kende.com




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Clayton F
Sent: Tuesday, November 25, 2003 3:12 AM
To: [EMAIL PROTECTED]
Subject: Problems using natd to access internal webserver

I am having trouble using natd to redirect incoming http requests to an 
internal web server. My ISP blocks incoming port 80 (the dogs!), so the 
browser needs to send its request on an unprivileged port - I chose 
port 5500

So in my web browser I enter url http://www.mydomain.com:5500/

My rc.conf sets up the natd redirect as as follows:

natd_enable="YES"
natd_interface="fxp0"
natd_flags="-redirect_port tcp 192.168.1.99:80 5500"

My firewall explicitly allows port 5500 entry as follows:

pass in quick on fxp0 proto tcp from any to any port = 5500 keep state


But when I point my web browser at port 5500, I get the following:
"Could not open the page "http://www.mydomain.com:5500/" because Safari
couldn't connect to the server "www.mydomain.com"."


With tcpdump set to listen on port 5500 I get the following output:

01:06:19.345827 e-66-117-83-2.empnet.net.12488 > bc120155.bendcable.com.5500: S 3657164703:3657164703(0) win 65535  (DF)
01:06:19.345988 bc120155.bendcable.com.5500 > e-66-117-83-2.empnet.net.12488: R 0:0(0) ack 3657164704 win 0
01:06:19.390964 e-66-117-83-2.empnet.net.4458 > bc120155.bendcable.com.5500: S 2671871142:2671871142(0) win 65535  (DF)
01:06:19.391015 bc120155.bendcable.com.5500 > e-66-117-83-2.empnet.net.4458: R 0:0(0) ack 2671871143 win 0
01:06:19.434339 e-66-117-83-2.empnet.net.55900 > bc120155.bendcable.com.5500: S 2109062641:2109062641(0) win 65535  (DF)
01:06:19.434390 bc120155.bendcable.com.5500 > e-66-117-83-2.empnet.net.55900: R 0:0(0) ack 2109062642 win 0
01:06:19.479086 e-66-117-83-2.empnet.net.33048 > bc120155.bendcable.com.5500: S 1018302934:1018302934(0) win 65535  (DF)
01:06:19.479130 bc120155.bendcable.com.5500 > e-66-117-83-2.empnet.net.33048: R 0:0(0) ack 1018302935 win 0
01:06:19.522875 e-66-117-83-2.empnet.net.60586 > bc120155.bendcable.com.5500: S 26968154:26968154(0) win 65535  (DF)
01:06:19.523022 bc120155.bendcable.com.5500 > e-66-117-83-2.empnet.net.60586: R 0:0(0) ack 26968155 win 0
01:06:19.578958 e-66-117-83-2.empnet.net.57944 > bc120155.bendcable.com.5500: S 1035247753:1035247753(0) win 65535  (DF)
01:06:19.578993 bc120155.bendcable.com.5500 > e-66-117-83-2.empnet.net.57944: R 0:0(0) ack 1035247754 win 0
01:06:19.623151 e-66-117-83-2.empnet.net.57938 > bc120155.bendcable.com.5500: S 1144796038:1144796038(0) win 65535  (DF)
01:06:19.623189 bc120155.bendcable.com.5500 > e-66-117-83-2.empnet.net.57938: R 0:0(0) ack 1144796039 win 0
01:06:19.666940 e-66-117-83-2.empnet.net.27714 > bc120155.bendcable.com.5500: S 347489487:347489487(0) win 65535  (DF)
01:06:19.666985 bc120155.bendcable.com.5500 > e-66-117-83-2.empnet.net.27714: R 0:0(0) ack 347489488 win 0
01:06:19.709585 e-66-117-83-2.empnet.net.40754 > bc120155.bendcable.com.5500: S 1869973581:1869973581(0) win 65535  (DF)
01:06:19.709612 bc120155.bendcable.com.5500 > e-66-117-83-2.empnet.net.40754: R 0:0(0) ack 1869973582 win 0
01:06:19.756122 e-66-117-83-2.empnet.net.18348 > bc120155.bendcable.com.5500: S 3628283803:3628283803(0) win 65535  (DF)
01:06:19.756152 bc120155.bendcable.com.5500 > e-66-117-83-2.empnet.net.18348: R 0:0(0) ack 3628283804 win 0
01:06:19.804295 e-66-117-83-2.empnet.net.52446 > bc120155.bendcable.com.5500: S 3652608703:3652608703(0) win 65535  (DF)
01:06:19.804377 bc120155.bendcable.com.5500 > e-66-117-83-2.empnet.net.52446: R 0:0(0) ack 3652608704 win 0
01:06:19.847865 e-66-117-83-2.empnet.net.18192 > bc120155.bendcable.com.5500: S 238075128:238075128(0) win 65535  (DF)
01:06:19.847897 bc120155.bendcable.com.5500 > e-66-117-83-2.empnet.net.18192: R 0:0(0) ack 238075129 win 0
01:06:19.891162 e-66-117-83-2.empnet.net.25176 > bc120155.bendcable.com.5500: S 60109903:60109903(0) win 65535  (DF)
01:06:19.891206 bc120155.bendcable.com.5500 > e-66-117-83-2.empnet.net.25176: R 0:0(0) ack 60109904 win 0
01:06:19.934624 e-66-117-83-2.empnet.net.41352 > bc120155.bendcable.com.5500: S 2942823322:2942823322(0) win 65535  (DF)
01:06:19.934652 bc120155.bendcable.com.5500 > e-66-117-83-2.empnet.net.41352: R 0:0(0) ack 2942823323 win 0
01:06:19.976920 e-66-117-83-2.empnet.net.25770 > 
bc1201
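Reading the trace in the original post with a small script, as an added example that is not part of the thread: it re-joins the mail-wrapped tcpdump lines, pairs each SYN with the RST that answers it (RST flag, same 4-tuple in the reverse direction, ack equal to the SYN's seq + 1) and reports how quickly the RST came back. The host names, ports and timestamps in SAMPLE_TRACE are copied from the first three pairs in the post; the port 22 handshake at the end is constructed, to show that a SYN answered by SYN-ACK is not reported. What the result means is limited: a RST from the public address on port 5500 says the connection was refused, which is what happens when no ipfw divert rule hands the SYN to natd and it reaches the gateway's own TCP stack, but it is also what you would see if natd did redirect the packet and 192.168.1.99:80 refused it. To tell the two apart, capture on the inside interface as well, or run natd with -v so it prints every packet it rewrites.

```python
"""Triage a tcpdump trace for SYNs answered by RST (added example, not
from the thread). Hosts, ports and timestamps in SAMPLE_TRACE are copied
from the post; the port 22 handshake at the end is constructed."""
import re
from collections import Counter, namedtuple

Packet = namedtuple("Packet", "t_us src sport dst dport flags seq ack win")
Refused = namedtuple("Refused", "client cport server sport rtt_us")

# A record starts with HH:MM:SS.micro; anything else is a wrapped tail.
_TS = re.compile(r"^\d\d:\d\d:\d\d\.\d+\s")
# One unwrapped record in the classic tcpdump TCP format:
#   ts src.sport > dst.dport: FLAGS seq:end(len) [ack N] win W ...
_REC = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\S+?)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\S+?)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SRPFU.]+)\s+"
    r"(?:(?P<seq>\d+):\d+\(\d+\)\s*)?"
    r"(?:ack\s+(?P<ack>\d+)\s*)?"
    r"win\s+(?P<win>\d+)"
)

# First three SYN/RST pairs as posted (mail-wrapped); last two lines constructed.
SAMPLE_TRACE = """\
01:06:19.345827 e-66-117-83-2.empnet.net.12488 >
bc120155.bendcable.com.5500: S 3657164703:3657164703(0) win 65535  (DF)
01:06:19.345988 bc120155.bendcable.com.5500 >
e-66-117-83-2.empnet.net.12488: R 0:0(0) ack 3657164704 win 0
01:06:19.390964 e-66-117-83-2.empnet.net.4458 >
bc120155.bendcable.com.5500: S 2671871142:2671871142(0) win 65535  (DF)
01:06:19.391015 bc120155.bendcable.com.5500 >
e-66-117-83-2.empnet.net.4458: R 0:0(0) ack 2671871143 win 0
01:06:19.434339 e-66-117-83-2.empnet.net.55900 >
bc120155.bendcable.com.5500: S 2109062641:2109062641(0) win 65535  (DF)
01:06:19.434390 bc120155.bendcable.com.5500 >
e-66-117-83-2.empnet.net.55900: R 0:0(0) ack 2109062642 win 0
01:06:25.000000 e-66-117-83-2.empnet.net.12500 >
bc120155.bendcable.com.22: S 100:100(0) win 65535  (DF)
01:06:25.000400 bc120155.bendcable.com.22 >
e-66-117-83-2.empnet.net.12500: S 900:900(0) ack 101 win 57344 <mss 1460> (DF)
"""


def _ts_to_us(ts):
    """'01:06:19.345827' -> microseconds since midnight."""
    h, m, s = ts.split(":")
    sec, frac = s.split(".")
    return (int(h) * 3600 + int(m) * 60 + int(sec)) * 1_000_000 + int(frac.ljust(6, "0")[:6])


def unwrap(text):
    """Re-join records a mail client wrapped: a line without a timestamp
    is the tail of the previous record."""
    records = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if _TS.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse(text):
    """Parse a trace into Packet tuples; records that do not match are skipped."""
    pkts = []
    for m in filter(None, map(_REC.match, unwrap(text))):
        pkts.append(Packet(_ts_to_us(m["ts"]), m["src"], int(m["sport"]),
                           m["dst"], int(m["dport"]), m["flags"],
                           int(m["seq"]) if m["seq"] else None,
                           int(m["ack"]) if m["ack"] else None, int(m["win"])))
    return pkts


def refused_connections(pkts):
    """Pair each bare SYN with the RST that answers it: RST flag, reverse
    direction on the same 4-tuple, ack == seq + 1 (the stack's 'nothing
    listening here' reply). A SYN followed by SYN-ACK is not reported."""
    out = []
    for i, syn in enumerate(pkts):
        if syn.flags != "S" or syn.ack is not None or syn.seq is None:
            continue
        for rst in pkts[i + 1:]:
            if ("R" in rst.flags and rst.ack == syn.seq + 1
                    and (rst.src, rst.sport, rst.dst, rst.dport)
                    == (syn.dst, syn.dport, syn.src, syn.sport)):
                out.append(Refused(syn.src, syn.sport, syn.dst, syn.dport,
                                   rst.t_us - syn.t_us))
                break
    return out


def summarize(refused):
    """Number of refused attempts per (server, port)."""
    return Counter((r.server, r.sport) for r in refused)


if __name__ == "__main__":
    hits = refused_connections(parse(SAMPLE_TRACE))
    for r in hits:
        print(f"{r.client}:{r.cport} -> {r.server}:{r.sport} refused, RST after {r.rtt_us} us")
    for (host, port), n in summarize(hits).items():
        print(f"{n} SYN(s) to {host}:{port} answered with RST")
```

Run as-is it reports the three refusals on port 5500 and nothing for the port 22 handshake; to use it on a live box, pipe the output of something like tcpdump -i fxp0 port 5500 into parse() instead of SAMPLE_TRACE.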