Re: natd / ipfw services on internal interface (Ivan Voras)
> Joe wrote:
>> I have a question about natd and ipfw. I am running natd on my external interface and I have some services on my internal interface. The services seem to be getting their IP addresses NAT'd, and some of them work and some of them don't. Any idea how to prevent things from going into natd?
>
> You should specify more information about your setup, but generally you should be able to just insert a rule like "ipfw add xxx allow ip from mynet/mask to mynet/mask", where "xxx" is the rule number BEFORE your natd redirection rule number and mynet/mask describes your internal network.

I think I figured it out after a lot of searching. It turns out that when I installed it I accidentally enabled USE_SOCKETS on a non-jailed DHCP server. The only information I found was a post or bug that said if you enable USE_SOCKETS on a non-jailed server, you could have unexpected results. The actual results are that your network traffic will be screwed up.

Joe

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
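Ivan's rule-ordering advice above depends on how ipfw evaluates a ruleset: rules are walked in ascending number order and the first match wins, so an "allow" for LAN-to-LAN traffic only keeps that traffic out of natd when its number is lower than the divert rule's. The following is an added example written for this archive page; it is not code from the thread or from FreeBSD. It models that first-match walk for the rule subset seen in these posts. The rulesets, the 192.168.2.0/24 network standing in for mynet/mask, the interface names fxp0 (inside) and xl1 (outside) and the packet addresses are all constructed for the demonstration, and the model simplifies ipfw's "via" to a single interface per packet.

```python
"""Toy model of ipfw first-match evaluation.

Added example, not code from the mailing-list posts or from FreeBSD.
It models only the rule subset seen in these threads:
  [ipfw add] <num> allow|deny|divert <port> <proto> from <src> to <dst> [via <if>]
Protocol keywords (ip, all, tcp, udp) are accepted but not matched on, and
'via' is modelled as the single interface a packet crosses.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str  # interface the packet crosses (simplification of ipfw 'via')


@dataclass(frozen=True)
class Rule:
    number: int
    action: str            # 'allow', 'deny' or 'divert'
    src: str               # CIDR, plain address, or 'any'
    dst: str
    via: Optional[str] = None


def parse_rule(text: str) -> Rule:
    """Parse one rule line written in the ipfw syntax used on this page."""
    tokens = text.split()
    if tokens[:2] == ["ipfw", "add"]:
        tokens = tokens[2:]
    number, action = int(tokens[0]), tokens[1]
    if action not in ("allow", "deny", "divert"):
        raise ValueError(f"unsupported action {action!r}")
    i = 2
    if action == "divert":
        i += 1                      # skip the divert port ('natd' or a number)
    i += 1                          # skip the protocol keyword (ip/all/tcp/udp)
    if tokens[i] != "from" or tokens[i + 2] != "to":
        raise ValueError(f"cannot parse rule: {text!r}")
    src, dst = tokens[i + 1], tokens[i + 3]
    rest = tokens[i + 4:]
    via = rest[1] if len(rest) >= 2 and rest[0] == "via" else None
    return Rule(number, action, src, dst, via)


def _matches_addr(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def first_match(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """ipfw walks rules in ascending number order and stops at the first hit;
    None means the packet would fall through to the default rule 65535."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.via is not None and rule.via != pkt.iface:
            continue
        if _matches_addr(rule.src, pkt.src) and _matches_addr(rule.dst, pkt.dst):
            return rule
    return None


def decide(rule_lines: List[str], pkt: Packet) -> str:
    """Return the action the first matching rule would take ('default' if none)."""
    hit = first_match([parse_rule(line) for line in rule_lines], pkt)
    return hit.action if hit else "default"


# Constructed rulesets: 192.168.2.0/24 plays 'mynet/mask', xl1 is the outside
# interface and fxp0 the inside one.
DIVERT_ONLY = [
    "ipfw add 100 divert natd ip from any to any",   # no 'via': catches everything
    "ipfw add 200 allow ip from any to any",
]
LAN_ALLOW = "allow ip from 192.168.2.0/24 to 192.168.2.0/24"
ALLOW_BEFORE_DIVERT = [f"ipfw add 50 {LAN_ALLOW}"] + DIVERT_ONLY
ALLOW_AFTER_DIVERT = DIVERT_ONLY + [f"ipfw add 300 {LAN_ALLOW}"]

INTERNAL = Packet("192.168.2.10", "192.168.2.30", "fxp0")   # LAN host -> LAN service
OUTBOUND = Packet("192.168.2.10", "198.51.100.7", "xl1")    # LAN host -> Internet

if __name__ == "__main__":
    for name, rules in [("divert only", DIVERT_ONLY),
                        ("allow before divert", ALLOW_BEFORE_DIVERT),
                        ("allow after divert", ALLOW_AFTER_DIVERT)]:
        print(f"{name:20} LAN->LAN: {decide(rules, INTERNAL):7} "
              f"LAN->Internet: {decide(rules, OUTBOUND)}")
```

Run stand-alone, the three rulesets report "divert", "allow" and "divert" for the LAN-to-LAN packet: the allow rule helps only when numbered below the divert. The outbound packet via xl1 is diverted in every case, which is what you want. A divert rule written with "via <outside interface>", as in the other threads on this page, never sees LAN-to-LAN traffic crossing the inside interface at all, which is the other way to keep internal services off natd.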
natd / ipfw services on internal interface
I figured out what the problem was. I had compiled my DHCP server with USE_SOCKETS and am NOT running in a jail. After a lot of searching the bug reports I came across an old bug that said that USE_SOCKETS was added for jailed DHCP servers, because they do not have access to bpf. It also said that compiling USE_SOCKETS into a non-jailed DHCP server will have unpredictable results. I found out that the server will behave badly, like it is being sent through NAT out the wrong port.

> You should specify more information about your setup, but generally you
> should be able to just insert a rule like "ipfw add xxx allow ip from
> mynet/mask to mynet/mask", where "xxx" is the rule-number BEFORE your
> natd redirection rule-number and mynet/mask describes your internal network.
Re: natd / ipfw services on internal interface
Joe wrote:
> I have a question about natd and ipfw. I am running natd on my external interface and I have some services on my internal interface. The services seem to be getting their IP addresses NAT'd, and some of them work and some of them don't. Any idea how to prevent things from going into natd?

You should specify more information about your setup, but generally you should be able to just insert a rule like "ipfw add xxx allow ip from mynet/mask to mynet/mask", where "xxx" is the rule number BEFORE your natd redirection rule number and mynet/mask describes your internal network.
natd / ipfw services on internal interface
I have a question about natd and ipfw. I am running natd on my external interface and I have some services on my internal interface. The services seem to be getting their IP addresses NAT'd, and some of them work and some of them don't. Any idea how to prevent things from going into natd?

Joe
Re: Multiple natd + ipfw
Hello Unix-Solutions,

Friday, January 27, 2006, 3:44:46 PM, you wrote:

google BGP

--
Best regards,
Playnet mailto:[EMAIL PROTECTED]
Multiple natd + ipfw
Hi you guys,

I have a little problem with my natd or ipfw configuration.

Current situation:

ISP1 = Telenet (Belgium)
Speed: 20 mbit/s down, 1 mbit/s upload
We get our IP via DHCP

ISP2 = Versatel (Belgium)
Speed: 1 mbit/s down, 1 mbit/s upload
We have a range with static IPs

Versatel is our backup ISP because this line is very slow. Currently we are running on Telenet but we want to switch to Versatel when Telenet is down.

Config that works:

TELENET -- ROUTER
VERSATEL -- ROUTER
ROUTER -- INTERNAL NETWORK

rc.conf:

# 84.195.224.254 -- gateway of telenet
defaultrouter="84.195.224.254"
hostname="router.intranet.local"
ifconfig_fxp0="inet 192.168.2.254 netmask 255.255.255.0"
# VERSATEL
ifconfig_xl0="inet 62.166.141.36 netmask 255.255.255.248"
# TELENET
ifconfig_xl1="DHCP"
gateway_enable="YES"
firewall_enable="YES"
firewall_type="OPEN"
firewall_logging="YES"
firewall_script="/etc/ipfw.rules"
natd_enable="YES"
natd_interface="xl1"
natd_flags="-f /etc/natd.conf"

ipfw.rules:

ipfw -f flush
ipfw add 1 divert natd ip from any to any via xl1
ipfw add 2 divert natd ip from any to 62.166.141.32/29 via xl0
ipfw add 4 allow ip from any to any via lo0
ipfw add 5 deny ip from any to 127.0.0.0/8
ipfw add 6 deny ip from 127.0.0.0/8 to any
ipfw add 7 allow ip from any to any

Now I want to add 192.168.2.253 as an alias on fxp0, and when a PC on my internal network sets its gateway to 192.168.2.253 I want that PC to take the Versatel route. How is this possible?
I'm currently following this manual: http://www.opennet.ru/base/net/freebsd_2x_natd.txt.html
I translated it with babelfish: http://pub.beenske.be/docs/dual-natd+ipfw.txt

Config files:

rc.conf:

# 84.195.224.254 -- gateway of telenet
defaultrouter="84.195.224.254"
hostname="router.intranet.local"
ifconfig_fxp0="inet 192.168.2.254 netmask 255.255.255.0"
ifconfig_fxp0_alias0="inet 192.168.2.253 netmask 255.255.255.255"
# VERSATEL
ifconfig_xl0="inet 62.166.141.36 netmask 255.255.255.248"
# TELENET
ifconfig_xl1="DHCP"
gateway_enable="YES"
firewall_enable="YES"
firewall_type="OPEN"
firewall_logging="YES"
firewall_script="/etc/ipfw.rules"
natd_enable="YES"
natd_interface="xl1"
natd_flags="-f /etc/natd.conf"
natd2_enable="YES"
natd2_interface="62.166.141.36"
natd_flags="-f /etc/natd2.conf"

ipfw.rules:

ipfw -f flush
ipfw add 1 divert natd ip from any to any via xl1
ipfw add 2 divert natd ip from any to 62.166.141.32/29 via xl0
ipfw add 3 divert 8669 ip from 192.168.2.253 to any via xl0
ipfw add 4 allow ip from any to any via lo0
ipfw add 5 deny ip from any to 127.0.0.0/8
ipfw add 6 deny ip from 127.0.0.0/8 to any
ipfw add 7 allow ip from any to any

natd.conf / natd2.conf:

redirect_port tcp 192.168.2.30:3389 3389
(a Windows PC that I want to access over RDP)

Can you please help me?

Greetz,
Steven Bens
CEO Unix-Solutions
pureftpd can't work normally on pureftp--NATD--ipfw--FreeBSD 5.4
I use FreeBSD 5.4 (with OPTION IPFW on and IPFIREWALL_DEFAULT_TO_ACCEPT on) + apache + pureftp + natd to set up a server used as an ftp/web server and as a gateway for sharing the network too.

My network looks like this (the original ASCII sketch did not survive extraction; its labels were):

  oif: em0, oip: x.x.x.a, oip alias0: x.x.x.b --- internet gateway: x.x.x.254
  iif: em1, iip: 192.168.100.254 --- (inet 192.168.100.254/16) --- (intranet)

I bind oip x.x.x.a as the httpd and pureftpd server IP, and use em0_alias0 (x.x.x.b) as natd's interface, and I use the rc.firewall rule 'open'. So my intranet can share the internet normally through natd on x.x.x.b, and the http server works normally too. And the users of the intranet (192.168.100.254/16) can visit pureftpd correctly.

My problem is: the users of the internet can't visit my pureftpd on x.x.x.a correctly. The debug information is below. From the error, it looks like the ipfw rule is wrong. If I cancel em0_alias0 (x.x.x.b) and set natd_interface to x.x.x.a, it works very well! Has someone met this problem before? Give me help please!

=====
*** CuteFTP Pro 6.0 - build Mar 25 2004 ***
STATUS:Getting listing ...
STATUS:Resolving host name x.x.x.a...
STATUS:Host name x.x.x.a resolved: ip = x.x.x.a.
STATUS:Connecting to FTP server x.x.x.a:21 (ip = x.x.x.a)...
STATUS:Socket connected. Waiting for welcome message...
220-- Welcome to Pure-FTPd [privsep] [TLS] --
220-Local time is now 23:07. Server port: 21.
220 You will be disconnected after 15 minutes of inactivity.
STATUS:Connected. Authenticating...
COMMAND: USER tmp
331 User tmp OK. Password required
COMMAND: PASS *
230-User tmp has group access to: www
230 OK. Current restricted directory is /
STATUS:Login successful.
COMMAND: PWD
257 / is your current location
STATUS:Home directory: /
COMMAND: FEAT
211-Extensions supported:
 EPRT
 IDLE
 MDTM
 SIZE
 REST STREAM
 MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
 MLSD
 ESTP
 PASV
 EPSV
 SPSV
211 End.
STATUS:This site supports features.
STATUS:This site supports SIZE.
STATUS:This site can resume broken downloads.
COMMAND: REST 0
350 Restarting at 0
COMMAND: PASV
227 Entering Passive Mode (x,x,x,a,158,251)
STATUS:Connecting FTP data socket x.x.x.a:40699...
ERROR: The connection failed due to an error or timeout.
1) Verify that the destination IP address is correct.
..
12) Verify that your anti-virus software is not at fault (try disabling it).
ERROR: PASV failed, trying PORT.
STATUS:Waiting 0 seconds...
STATUS:Getting listing /...
STATUS:Resolving host name x.x.x.a...
STATUS:Host name x.x.x.a resolved: ip = x.x.x.a.
STATUS:Connecting to FTP server x.x.x.a:21 (ip = x.x.x.a)...
STATUS:Socket connected. Waiting for welcome message...
220-- Welcome to Pure-FTPd [privsep] [TLS] --
220-Local time is now 23:08. Server port: 21.
220 You will be disconnected after 15 minutes of inactivity.
STATUS:Connected. Authenticating...
COMMAND: USER tmp
331 User tmp OK. Password required
COMMAND: PASS *
230-User tmp has group access to: www
230 OK. Current restricted directory is /
STATUS:Login successful.
COMMAND: PWD
257 / is your current location
STATUS:Home directory: /
STATUS:This site supports features.
STATUS:This site supports SIZE.
STATUS:This site can resume broken downloads.
COMMAND: REST 0
350 Restarting at 0
COMMAND: PORT 192,168,123,104,6,18
200 PORT command successful
COMMAND: LIST
ERROR: Timeout (6 ms) occurred on receiving server response.
=====

content of /etc/rc.conf:
=====
hostname="x.x.x.a"
ifconfig_em0="inet x.x.x.a netmask 255.255.255.0"
ifconfig_em0_alias0="inet x.x.x.b netmask 255.255.255.0"
ifconfig_em1="inet 192.168.100.254 netmask 255.255.255.0"
defaultrouter="x.x.x.254"
static_routes="inside"
route_inside="-net 192.168.100.254/16 192.168.100.1"
#proxy:
gateway_enable="YES"
firewall_enable="YES"
firewall_type="simple"
natd_enable="YES"
natd_interface="x.x.x.b"
nat_flag="-a x.x.x.b"
#servers:
inetd_enable="YES"
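Both listing attempts in the trace above fail on the data channel: the PASV reply advertises x.x.x.a:40699 (158*256+251) and the connection to it times out, then the PORT fallback advertises 192.168.123.104:1554 and LIST times out. The script below is an added example, not code from the post, from pure-ftpd or from natd; it decodes the h1,h2,h3,h4,p1,p2 endpoints from a reconstructed copy of the trace and flags the cases that cannot work across NAT. The log lines are constructed from the trace, with the documentation address 203.0.113.10 standing in for the masked x.x.x.a.

```python
"""Decode the data-channel endpoints an FTP session advertises (227 replies to
PASV, and PORT commands) and flag the ones that cannot work through NAT.

Added example; not code from the post, from pure-ftpd or from natd.  The
sample log is reconstructed from the CuteFTP trace above, with the
documentation address 203.0.113.10 standing in for the masked server x.x.x.a.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Tuple

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2): server tells the client where to connect
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# COMMAND: PORT h1,h2,h3,h4,p1,p2: client tells the server where to connect back
PORT_RE = re.compile(r"^COMMAND:\s*PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

# RFC 1918 space: what natd's 'unregistered_only' treats as translatable, and
# what a host on the public Internet can never reach directly.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class DataEndpoint:
    mode: str     # 'PASV' (server listens) or 'PORT' (client listens)
    ip: str
    port: int
    fatal: bool   # True when the endpoint itself rules the transfer out
    note: str     # what must hold, or why it cannot work


def decode_hostport(fields) -> Tuple[str, int]:
    """RFC 959 h1,h2,h3,h4,p1,p2 -> ('h1.h2.h3.h4', p1*256 + p2)."""
    h1, h2, h3, h4, p1, p2 = (int(f) for f in fields)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def check_endpoint(mode: str, ip: str, port: int, server_ip: str) -> Tuple[bool, str]:
    """Judge one advertised endpoint against the address the control channel uses."""
    if mode == "PASV":
        if ip != server_ip:
            return True, f"server advertised {ip} but the control connection is to {server_ip}"
        return False, f"server firewall/NAT must accept an inbound connection to {ip}:{port}"
    if is_rfc1918(ip):
        return True, f"client advertised private address {ip}; the server cannot connect back"
    return False, f"server must be allowed to open an outbound connection to {ip}:{port}"


def data_endpoints(log_lines, server_ip: str) -> List[DataEndpoint]:
    """Scan a client-side FTP trace and return every advertised data endpoint."""
    found = []
    for raw in log_lines:
        line = raw.strip()
        mode, m = "PASV", PASV_RE.match(line)
        if m is None:
            mode, m = "PORT", PORT_RE.match(line)
        if m is None:
            continue
        ip, port = decode_hostport(m.groups())
        fatal, note = check_endpoint(mode, ip, port, server_ip)
        found.append(DataEndpoint(mode, ip, port, fatal, note))
    return found


# Constructed from the trace above (only the lines relevant to the data channel).
SAMPLE_LOG = [
    "COMMAND: PASV",
    "227 Entering Passive Mode (203,0,113,10,158,251)",
    "STATUS:Connecting FTP data socket 203.0.113.10:40699...",
    "ERROR: The connection failed due to an error or timeout.",
    "ERROR: PASV failed, trying PORT.",
    "COMMAND: PORT 192,168,123,104,6,18",
    "200 PORT command successful",
    "COMMAND: LIST",
    "ERROR: Timeout (6 ms) occurred on receiving server response.",
]

if __name__ == "__main__":
    for ep in data_endpoints(SAMPLE_LOG, "203.0.113.10"):
        verdict = "cannot work" if ep.fatal else "possible"
        print(f"{ep.mode}: {ep.ip}:{ep.port} [{verdict}] {ep.note}")
```

For the PASV endpoint the script only confirms that the advertised address is the one the client connected to, so the remaining question for that failure is whether the ipfw/natd setup on x.x.x.a accepts an inbound connection to port 40699. The PORT line is flagged outright: the client sits behind its own NAT and advertises an RFC 1918 address, so the server's attempt to connect back can never reach it, and that fallback fails regardless of the server-side configuration.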
Re: DSL LAN Sharing with FreeBSD-5.3+natd+ipfw
I had a similar setup:
http://members.iinet.net.au/~yance/pppoenat.html

In rc.conf, where you put gateway_enable="YES", this will appear:

00100 28 2096 divert 8668 ip from any to any via dc0

You can add extra ipfw config using a script similar to mine, and in rc.conf:

firewall_script="path/to/your/firewallscript"

I hope it helps.
DSL LAN Sharing with FreeBSD-5.3+natd+ipfw
Hi,

How do I permanently set the rules for ipfw? Whenever I restart my FreeBSD server, which has natd/firewall enabled, ipfw returns to the default, which is "65535 151 14646 deny ip from any to any", so I need to repeat "ipfw -f flush" and execute the commands below so that my LAN can access the Internet.

Simple ruleset that must appear when "ipfw show" is executed:

00100 28 2096 divert 8668 ip from any to any via dc0
00200 37 3147 allow ip from any to any
65535 151 14646 deny ip from any to any

Do you have ideal ipfw rules that I can follow for a setup which consists of FreeBSD-5.3, natd, firewall, and a DSL (static IP) connection? I just need to prevent, as much as possible, my LAN from attacks/viruses/worms from the outside world.

-edwin

--
Edwin D. Viñas
http://www.geocities.com/edwin_vinas/
IN THE WORLD OF SCIENCE, NOTHING IS IMPOSSIBLE.
--

#--March 16, 2005
- users: misoy/edv; root/mfr
- installed snmp (comstring edvgrfr)
- installed MRTG (/usr/local/etc/mrtg)
- installed firefox (so long to install via ports)
- IP addresses: rl0 192.168.0.1, dc0 203.215.106.226
- reconfigured Kernel (KERNEDV) for natd and firewall
- Natd/firewall problem:
  - cannot ping denied, ipfw disable firewall
  - natd -interface dc0
    /sbin/ipfw -f flush
    /sbin/ipfw add divert natd all from any to any via dc0
    /sbin/ipfw add pass all from any to any

Current Configs:

@RC.CONF
# -- sysinstall generated deltas -- # Thu Mar 17 05:38:59 2005
# Created: Thu Mar 17 05:38:59 2005
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
defaultrouter="192.168.0.1"
gateway_enable="YES"
hostname="elive_server.elive.com"
ifconfig_rl0="inet 192.168.0.1 netmask 255.255.255.0"
inetd_enable="NO"
linux_enable="YES"
moused_enable="YES"
sshd_enable="YES"
usbd_enable="YES"
# added for natd and firewall
firewall_enable="YES"
natd_enable="YES"
natd_interface="dc0"
natd_flags="-f /etc/natd.conf"
# This file now contains just the overrides from /etc/defaults/rc.conf.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# Enable network daemons for user convenience.
# Created: Wed Mar 16 22:01:13 2005
# -- sysinstall generated deltas -- # Wed Mar 16 22:01:13 2005
ifconfig_dc0="inet 203.215.106.226 netmask 255.255.255.0"
defaultrouter="203.215.106.1"
hostname="elive_server.elive.com"

@natd.conf
interface dc0
use_sockets yes
same_ports yes

@ipfw show
00100 28 2096 divert 8668 ip from any to any via dc0
00200 37 3147 allow ip from any to any
65535 151 14646 deny ip from any to any

=====
- can ping from server to internet and LAN IP
- LAN PC can ping server NIC1 and NIC2, but can't ping Internet

WORKING SCENARIO:
- Restart/Turn on machine.
- check if natd is running with correct interface
- check if ipfw contains same rules as above (check interface)
natd, ipfw problem
Hi!

Tell me if I should post this elsewhere.

Given two network cards sis0 (external) and vr0 (internal), I'm trying to give my girlfriend access to the web. Her IP is 192.168.0.2. I've installed natd, a proper kernel and configured my firewall, but so far only pings from her computer to the web work. I guess there's something wrong with my firewall, because with only the two standard entries (divert and allow all) everything is fine. But now after hours of googling I can't find anything which is wrong in my firewall.

The /etc/natd.conf:

interface sis0
use_sockets yes
same_ports yes
redirect_port udp 192.168.0.2:53 53
redirect_port tcp 192.168.0.2:53 53
redirect_port tcp 192.168.0.2:80 80
redirect_port tcp 192.168.0.2:443 443
redirect_port udp 192.168.0.2:123 123
redirect_port tcp 192.168.0.2:123 123

My firewall:

add 00401 divert natd all from any to any via sis0
add 00402 allow ip from any to any via vr0

### TCP ###
add 00501 check-state
add 00502 deny tcp from any to any in established
add 00503 allow tcp from any to any out setup keep-state
# allow dns queries, dns-port=53
add 00601 allow udp from any to any 53 keep-state via sis0
# allow ntp queries, ntp-port=123
add 00603 allow udp from any to any 123 keep-state via sis0
# allow all outgoing udp traffic
add 00621 allow udp from any to any out via sis0

### ICMP ###
# allow outgoing pings and the reply
add 00701 allow icmp from any to any out icmptypes 8
add 00702 allow icmp from any to any in icmptypes 0
# deny and log incoming pings from the outside
add 00703 deny log icmp from any to any in icmptypes 8 via sis0

### SAMBA ###
# allow netbios services to local net, but log everything for debugging purposes
add 00801 allow log tcp from any to any 137-139 via vr0
add 00802 allow log udp from any to any 137-139 via vr0

Thanks a lot
Florian
Re: natd, ipfw problem
It's been a while but I'll see if I can help out.

On Friday, March 4, 2005, at 06:52 PM, Florian Hengstberger wrote:

> Hi!
>
> Tell me if I should post this elsewhere.
>
> Given two network cards sis0 (external) and vr0 (internal), I'm trying to give my girlfriend access to the web. Her IP is 192.168.0.2. I've installed natd, a proper kernel and configured my firewall, but so far only pings from her computer to the web work. I guess there's something wrong with my firewall, because with only the two standard entries (divert and allow all) everything is fine. But now after hours of googling I can't find anything which is wrong in my firewall.
>
> The /etc/natd.conf:
>
> interface sis0
> use_sockets yes
> same_ports yes
> redirect_port udp 192.168.0.2:53 53
> redirect_port tcp 192.168.0.2:53 53
> redirect_port tcp 192.168.0.2:80 80
> redirect_port tcp 192.168.0.2:443 443
> redirect_port udp 192.168.0.2:123 123
> redirect_port tcp 192.168.0.2:123 123

Unless you want her to run her own DNS, web, and mail, I don't think you need any of the redirect_port directives.
Double-check to make sure that:
- your firewall has routing enabled
- her computer has the proper gateway and DNS servers set up

> My firewall:
>
> add 00401 divert natd all from any to any via sis0
> add 00402 allow ip from any to any via vr0
>
> ### TCP ###
> add 00501 check-state
> add 00502 deny tcp from any to any in established
> add 00503 allow tcp from any to any out setup keep-state
> # allow dns queries, dns-port=53
> add 00601 allow udp from any to any 53 keep-state via sis0
> # allow ntp queries, ntp-port=123
> add 00603 allow udp from any to any 123 keep-state via sis0
> # allow all outgoing udp traffic
> add 00621 allow udp from any to any out via sis0
>
> ### ICMP ###
> # allow outgoing pings and the reply
> add 00701 allow icmp from any to any out icmptypes 8
> add 00702 allow icmp from any to any in icmptypes 0
> # deny and log incoming pings from the outside
> add 00703 deny log icmp from any to any in icmptypes 8 via sis0
>
> ### SAMBA ###
> # allow netbios services to local net, but log everything for debugging purposes
> add 00801 allow log tcp from any to any 137-139 via vr0
> add 00802 allow log udp from any to any 137-139 via vr0
>
> Thanks a lot
> Florian
(Another) NATD/IPFW port forwarding problem
[Network sketch: the original ASCII diagram did not survive extraction. Its labels were ".oO( Internet )Oo." at the top; [DSL] "adsl router - No Nat"; [WL] "wireless router"; [BSD] "bsd box - NAT"; [WEB] "web server + media"; with links labelled A, B, X and Y as in the list below.]

IP Addresses:
A: External IP 82.*.*.A
B: External IP 82.*.*.B
X: Internal IP 192.168.1.101
Y: Internal IP 192.168.1.100

### External Connectivity ###
WEB - WL - (DSL) - Internet [IP B]
BSD - (DSL) - Internet [IP A]

Require: Connection to A:80 forwarded to Y:80

### Theoretical Solution ###
Packet - [sourceip:port, destip:port]

Packets IN
[any:any, A:80] fwd/nat [A:80, X:80]
[A:80, X:80] fwd/nat [X:80, Y:80]

Packets OUT
[Y:80, X:80] fwd/nat [X:80, A:80]
[X:80, A:80] fwd/nat [A:80, any:any]

### Description ###
Hiya,

As you can hopefully see, I'm trying to port forward a connection to an external IP on my BSD box to the internal IP address of a machine that sits behind a wireless router. Please advise as to whether my Theoretical Solution is indeed correct for this purpose.

I've been playing around with NATD and IPFW for a while now, and just cannot get it to respond. Assuming my logic is correct, my problem seems to be translating it into the required configs/rules for natd and ipfw.

In an attempt to simplify the problem, I have set apache to run on all the IPs of the BSD box. A telnet to 82.*.*.A 80 gets an index file showing "default", whereas a telnet to 192.168.1.101 80 gets an index file showing "192.168.1.101", the obvious trick being to get a telnet to 82.*.*.A to display 192.168.1.101. As this is failing badly too, I assume I am doing something really wrong.
As you will see, I have a /29 external subnet but we're only really interested in 82.*.*.A.

rl0 - external NIC going to ADSL Router
xl0 - internal NIC going to Wireless Router

IP connectivity between all hosts is fine.

Details are as follows:

- rc.conf -
defaultrouter="82.*.*.*"
hostname="XXX"
ifconfig_rl0="inet 82.*.*.* netmask 255.255.255.248"
ifconfig_rl0_alias0="inet 82.*.*.A netmask 255.255.255.255"
ifconfig_rl0_alias1="inet 82.*.*.* netmask 255.255.255.255"
ifconfig_rl0_alias2="inet alias 82.*.*.* netmask 255.255.255.255"
ifconfig_xl0="inet 192.168.1.101 netmask 255.255.255.0"
ifconfig_xl0_alias0="inet 192.168.1.111 netmask 255.255.255.255"
gateway_enable="YES"
natd_enable="YES"
natd_interface="rl0"
natd_flags="-f /etc/natd.conf"
portmap_enable="YES"
firewall_enable="YES"
firewall_type="/etc/ipfw.rules/default"
firewall_quiet="NO"

- natd.conf -
interface rl0
same_ports yes
redirect_port tcp 192.168.1.101:80 80

- KERNEL -
options IPFIREWALL
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFILTER
options IPFILTER_LOG
options IPDIVERT

Cheers for the help!!!
Re: natd, ipfw and MS netmeeting
On Fri, Jun 04, 2004 at 07:37:15AM +0800, Khairil Yusof wrote:
> On Thu, 2004-06-03 at 11:26 +0200, Christoph Kukulies wrote:
>> Anyway, the present (simple) natd rules don't seem to suffice.
>
> If I'm not wrong, MS netmeeting and MSN messenger (audio, video) do not work over NAT. There are some third party Windows utilities available to enable this to work. I have no experience with them, but googling for "nat messenger" or "nat netmeeting" should turn up some links.

Wasn't there something like 'proxy arp' that could give the connecting computer in the LAN the same IP as the gateway? (Not really, but something that way.)

--
Chris Christoph P. U. Kukulies kuku_at_kukulies.org
natd, ipfw and MS netmeeting
I have problems getting an MS netmeeting session established across a FreeBSD gateway (5.2-current). Anyway, the present (simple) natd rules don't seem to suffice.

Does anyone have a set of rules to accomplish this?

Thanks.

--
Chris Christoph P. U. Kukulies kuku_at_kukulies.org
Re: natd, ipfw and MS netmeeting
On Thu, 2004-06-03 at 11:26 +0200, Christoph Kukulies wrote:
> Anyway, the present (simple) natd rules don't seem to suffice.

If I'm not wrong, MS netmeeting and MSN messenger (audio, video) do not work over NAT. There are some third party Windows utilities available to enable this to work. I have no experience with them, but googling for "nat messenger" or "nat netmeeting" should turn up some links.
Re: natd, ipfw and MS netmeeting
On Thursday 03 June 2004 11:26, Christoph Kukulies wrote:
> I have problems getting an MS netmeeting session established across a FreeBSD gateway (5.2-current). Anyway, the present (simple) natd rules don't seem to suffice.

In most cases you want to use username-to-IP mapping and a proxy if you are sitting behind a firewall/natd. There are several ports listed in the FreeBSD ports collection, like gatekeeper and opengk.

http://www.freebsd.org/cgi/ports.cgi?query=h323&stype=all
http://www.openh323.org/
http://www.protocols.com/pbook/h323.htm

hth
ch

--
Christian Hiris [EMAIL PROTECTED] | OpenPGP KeyID 0x941B6B0B
OpenPGP-Key at hkp://wwwkeys.eu.pgp.net and http://pgp.mit.edu
RE: Bandwidth hit in natd/ipfw on 4.4-RELEASE
My first question to help is: why do you have any firewall at all?

firewall_type="OPEN"

typically means that you have no ports being blocked. I'm hoping this is just for testing purposes?

I see in your natd.conf file you have a line for unregistered_only=YES. This switch is for alteration of outgoing packets based on RFC 1918. I'm assuming then that you are looking at using natd for outgoing packets only? In which case in your files you would identify the natd_interface=dc0, allowing for the unregistered statement to then alter outgoing packets.

I would also suggest, if you have any LinkSys routers between your FBSD box and the Internet, that you examine them, as I have just recently replaced all my Internet hard routers with CISCOs due to the LinkSys being unable to hold an MTU setting.

Just my two cents.

Res Ipsa Loquitor,
Mark-Nathaniel Weisman
Site Master
Mystic_One Internet Gaming Server
Anchorage, Alaska
http://games.mystic1.net

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 25, 2004 6:24 PM
To: [EMAIL PROTECTED]
Subject: Bandwidth hit in natd/ipfw on 4.4-RELEASE

Hey,

I just got my NAT box running 4.4-RELEASE on an old Pentium 90 and I'm experiencing a number of problems and I think they're related. There's been a major bandwidth hit in all my web surfing, and my ICQ, AOL and MSN (using both Trillian and Messenger) are dropping connections -- a lot. I don't think a single day's gone by without a connection dropping or two. As I said before, I've taken a bandwidth hit on my surfing as well -- to the point where connection attempts are completely timing out. I've included an abbreviated rc.conf and my natd.conf here..
rc.conf
[snip]
ifconfig_rl0="DHCP"
ifconfig_dc0="inet 192.168.0.1 netmask 255.255.255.0"
inetd_enable="YES"
[snip]
gateway_enable="YES"
natd_enable="YES"
natd_inteface="rl0"
natd_flags="-config /etc/natd.conf"
firewall_enable="YES"
firewall_type="OPEN"

natd.conf
unregistered_only yes
same_ports yes
log yes
dynamic yes
interface rl0

Did I do anything wrong? Miss anything? Add anything unnecessary? The kernel's been recompiled as is appropriate.

Thanks in advance.

--
Matt Coe, CCNA
Member-At-Large, Dalhousie University CS Society Fall 2003
'Ford! There's an infinite number of monkeys outside who want to talk to us about this script for Hamlet they've worked out.' -- DNA, 'The Hitch Hiker's Guide to the Galaxy', Arthur Philip Dent
Re: Bandwidth hit in natd/ipfw on 4.4-RELEASE
On Thu, Mar 25, 2004 at 08:24:04PM -0700, [EMAIL PROTECTED] typed:
> Hey,
>
> I just got my NAT box running 4.4-RELEASE on an old Pentium 90 and I'm experiencing a number of problems and I think they're related. There's been a major bandwidth hit in all my web surfing, and my ICQ, AOL and MSN (using both Trillian and Messenger) are dropping connections -- a lot. I don't think a single day's gone by without a connection dropping or two. As I said before, I've taken a bandwidth hit on my surfing as well -- to the point where connection attempts are completely timing out. I've included an abbreviated rc.conf and my natd.conf here..

Please wrap your lines at ~70 characters.

4.4-RELEASE is quite old. Have you considered the possibility that you got rooted?

Ruben
Re: Bandwidth hit in natd/ipfw on 4.4-RELEASE
Ruben de Groot wrote:
> 4.4-RELEASE is quite old. Have you considered the possibility that you got rooted?

I'm sure it's /possible/, but extraordinarily unlikely. The server's only been up three days and I'm on a university resnet; I'd guess that no port below 1024 is accessible from outside my house.. and the most computer-literate people in this house are either Counter-Strike addicts or me. There are very few Computer Science students in this house, and I'm probably the only person who actively uses something other than WinXP or MacOS X.

--
Matt Coe, CCNA
Member-At-Large, Dalhousie University CS Society Fall 2003
'Ford! There's an infinite number of monkeys outside who want to talk to us about this script for Hamlet they've worked out.' -- DNA, 'The Hitch Hiker's Guide to the Galaxy', Arthur Philip Dent
Re: Bandwidth hit in natd/ipfw on 4.4-RELEASE
On Fri, Mar 26, 2004 at 10:43:56AM -0400, Matt Coe, CCNA typed:
> Ruben de Groot wrote:
>> 4.4-RELEASE is quite old. Have you considered the possibility that you got rooted?
>
> I'm sure it's /possible/, but extraordinarily unlikely. The server's only been up three days and I'm on a university resnet; I'd guess that no port below 1024 is accessible from outside my house.. and the most computer-literate people in this house are either Counter-Strike addicts or me. There are very few Computer Science students in this house, and I'm probably the only person who actively uses something other than WinXP or MacOS X.

So maybe *they* got infected by some bandwidth-hungry virus/trojan/worm?

Seriously, have you tried investigating (netstat/sockstat/tcpdump are all good tools for this) what exactly is consuming so much bandwidth on your system?

Ruben
Bandwidth hit in natd/ipfw on 4.4-RELEASE
Hey,

I just got my NAT box running 4.4-RELEASE on an old Pentium 90 and I'm experiencing a number of problems and I think they're related. There's been a major bandwidth hit in all my web surfing, and my ICQ, AOL and MSN (using both Trillian and Messenger) are dropping connections -- a lot. I don't think a single day's gone by without a connection dropping or two. As I said before, I've taken a bandwidth hit on my surfing as well -- to the point where connection attempts are completely timing out. I've included an abbreviated rc.conf and my natd.conf here..

rc.conf
[snip]
ifconfig_rl0="DHCP"
ifconfig_dc0="inet 192.168.0.1 netmask 255.255.255.0"
inetd_enable="YES"
[snip]
gateway_enable="YES"
natd_enable="YES"
natd_inteface="rl0"
natd_flags="-config /etc/natd.conf"
firewall_enable="YES"
firewall_type="OPEN"

natd.conf
unregistered_only yes
same_ports yes
log yes
dynamic yes
interface rl0

Did I do anything wrong? Miss anything? Add anything unnecessary? The kernel's been recompiled as is appropriate.

Thanks in advance.

--
Matt Coe, CCNA
Member-At-Large, Dalhousie University CS Society Fall 2003
'Ford! There's an infinite number of monkeys outside who want to talk to us about this script for Hamlet they've worked out.' -- DNA, 'The Hitch Hiker's Guide to the Galaxy', Arthur Philip Dent
natd + ipfw - very slow internet for LAN users
Hi,

I'm sharing the internet with my local area network (LAN) users through my router. Everything would be fine, but the internet is very slow. I tried to ping my ISP. Ping reply is ~50ms. It means that the internet for LAN users should be good enough, but it isn't. Ping reply in IRC is ~15 seconds. When I try to open some internet pages, there is a very big lag. Something is wrong with NATing I think, can you tell me what?

FreeBSD 4.9-STABLE
ipfw + natd

Kernel configuration:

# ... Some other stuff goes here
options IPFIREWALL
options IPFIREWALL_FORWARD
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=10
options IPFIREWALL_DEFAULT_TO_ACCEPT # Firewall is accepting all packets by default
options IPDIVERT
# ... Some other stuff goes here

rc.conf:

defaultrouter="213.190.42.1" # ISP gateway
hostname="panemune.net"
ifconfig_ed0="inet 192.168.0.1 netmask 255.255.255.0" # Network (LAN) interface
ifconfig_ed1="inet 213.190.42.48 netmask 255.255.255.0" # Internet (outside) interface
# ... here goes some other stuff, like sshd_enable="YES", etc
gateway_enable="YES"
firewall_enable="YES"
firewall_script="/usr/local/etc/rc.firewall"
firewall_quiet="YES"
firewall_logging="YES"
natd_enable="YES"
natd_interface="ed1"
natd_flags="-f /usr/local/etc/natd.conf"

# cat /usr/local/etc/natd.conf
same_ports yes
use_sockets yes
unregistered_only yes

# cat /usr/local/etc/rc.firewall
ipfw add 100 divert natd all from any to any via ed1

# ipfw show
00100 469 26801 divert 8668 ip from any to any via ed1
65535 1072 60182 allow ip from any to any

# cat /etc/services | grep natd
natd    8668/divert   # Network Address Translation

Btw, when I used ipf + ipnat, the internet for LAN users was good enough, but now it's horrible with natd + ipfw.
Re: natd + ipfw - very slow internet for LAN users
> Ping to an ip address does not use DNS. What is the response time when you ping a domain name?

It's ~250ms for google.com and other domains (good enough too).

> I see you have forced the ip address for your nic card connected to the public internet by using an rc.conf statement. This looks wrong to me.

What's wrong with it? Can you give me other solutions? But anyway, with ipf + ipnat the internet speed is OK.

> Explain in detail how you connect to your ISP and the layout of your private network.

Our ISP gave us an IP and gateway; that's how we connect to the internet (over a DSL modem through a LAN card). Some computers are connected in the LAN via a switch. My router is connected to that switch too. LAN users have configured their OS so that the gateway is 192.168.0.1 (my router's LAN ip address).

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Prodigy
Sent: Wednesday, March 10, 2004 10:18 AM
To: freebsd-questions
Subject: natd + ipfw - very slow internet for LAN users

> [...]
Re: switching to an internal DSL modem -- natd, ipfw
On Thu, Feb 05, 2004 at 08:39:40PM -0500, Mikhail Teterin wrote:
> [Now CC-ing Chuck Cranor -- the en's author]
>
> > http://store.yahoo.com/softbuyweb/inpcidslmod3.html
>
> > The en(4) manual page and the description of this product (on the
> > page above) as one based on Efficient Network's chip. Can there be
> > anything else?
>
> > I'd be dubious.. the en driver was for an old expensive ATM card from
> > '95 or so.. even though the ad says it supports PPPoE among other
> > things, I'd be pretty surprised if we could talk to it..

Julian is right, the en driver is for the midway family of chips. This one could be for the lanai family of chips. You might try looking around for that (e.g. I did a web search and found http://home.worldonline.dk/stok/lanai.html).

chuck
Re: switching to an internal DSL modem -- natd, ipfw
On 02/05/04 18:12:20 -0800 Julian Elischer wrote:
> I don't KNOW of any DSL cards that are supported but it's difficult to keep abreast of ALL developments :-)

What about the Sangoma S518 card? The BSDMall has it: http://www.bsdmall.com/sanadpcicon.html

-Andreas
switching to an internal DSL modem -- natd, ipfw
Hello!

My current network setup consists of the ISP-provided DSL modem plugged into the little switch together with the rest of the network. One of the machines on it runs natd and the others use it as the default router.

To get better protection I should be using a separate Ethernet card, into which only the modem will be plugged. This is not as convenient from the cabling perspective, however. But what about an internal modem? Like

    http://store.yahoo.com/softbuyweb/inpcidslmod3.html

It seems en(4) should be able to use it, and it should be able to connect to the ISP -- their modem is Efficient Network's SpeedStream, which uses the same chip, most likely:

    Hardware Interface Name   - SpeedStream 5660-R:ENI
    Hardware Interface Desc   - Motorola 850 SAR Alcatel/RT Adapter
    Hardware Serial Number    - [...]
    Hardware Revision Number  - 00010001
    Hardware Instance Number  - 0
    Driver Name               - enatm0

(notice the ``en'' in the driver name)

But -- will natd(8), the ipfw (4) and (8) work properly with en0? Any other potential problems?

Thanks!

-mi
Re: switching to an internal DSL modem -- natd, ipfw
On Thu, 5 Feb 2004 [EMAIL PROTECTED] wrote:

> Hello!
>
> My current network setup consists of the ISP-provided DSL modem plugged into the little switch together with the rest of the network. One of the machines on it runs natd and the others use it as the default router.
>
> To get better protection I should be using a separate Ethernet card, into which only the modem will be plugged. This is not as convenient from the cabling perspective, however. But what about an internal modem? Like
>
> http://store.yahoo.com/softbuyweb/inpcidslmod3.html

What makes you think we have a driver for this?

> It seems en(4) should be able to use it, and it should be able to connect to the ISP -- their modem is Efficient Network's SpeedStream, which uses the same chip, most likely:
>
> [...]
>
> (notice the ``en'' in the driver name)
>
> But -- will natd(8), the ipfw (4) and (8) work properly with en0? Any other potential problems?
>
> Thanks!
>
> -mi
Re: switching to an internal DSL modem -- natd, ipfw
> On Thu, 5 Feb 2004 [EMAIL PROTECTED] wrote:
> > But what about an internal modem? Like
> >
> > http://store.yahoo.com/softbuyweb/inpcidslmod3.html
>
> What makes you think we have a driver for this?

The en(4) manual page and the description of this product (on the page above) as one based on Efficient Network's chip. Can there be anything else?

-mi
Re: switching to an internal DSL modem -- natd, ipfw
On Thu, 5 Feb 2004 [EMAIL PROTECTED] wrote:

> > On Thu, 5 Feb 2004 [EMAIL PROTECTED] wrote:
> > > But what about an internal modem? Like
> > >
> > > http://store.yahoo.com/softbuyweb/inpcidslmod3.html
> >
> > What makes you think we have a driver for this?
>
> The en(4) manual page and the description of this product (on the page above) as one based on Efficient Network's chip. Can there be anything else?

I'd be dubious.. the en driver was for an old expensive ATM card from '95 or so.. even though the ad says it supports PPPoE among other things, I'd be pretty surprised if we could talk to it.. (surprises do happen though)

> -mi
Re: switching to an internal DSL modem -- natd, ipfw
[Now CC-ing Chuck Cranor -- the en's author]

> > http://store.yahoo.com/softbuyweb/inpcidslmod3.html
> >
> > What makes you think we have a driver for this?
>
> The en(4) manual page and the description of this product (on the
> page above) as one based on Efficient Network's chip. Can there be
> anything else?

> I'd be dubious.. the en driver was for an old expensive ATM card from
> '95 or so.. even though the ad says it supports PPPoE among other
> things, I'd be pretty surprised if we could talk to it..
> (surprises do happen though)

So, back to the original question -- am I likely to have any problems with natd and ipfw dealing with this non-Ethernet interface -- assuming the en driver attaches to this card at all?

Any other ATM card I should consider as an internal DSL modem?

Thanks!

-mi
Re: switching to an internal DSL modem -- natd, ipfw
net CC removed...

Mikhail Teterin wrote:
> So, back to the original question -- am I likely to have any problems with natd and ipfw dealing with this non-Ethernet interface -- assuming the en driver attaches to this card at all?

Wait, why not just take the ethernet cable from the inside interface on your existing modem, connect it to a 2nd 'outside' NIC on your BSD box with a driver that's known to work, and save $100+ on a new modem? You mentioned cabling inconvenience before, but I don't see enough inconvenience to warrant a $100 expenditure. Maybe I missed something, wouldn't be the first time... but I'm doing DSL with ipfw/natd at home using multiple NICs (outside, inside, wireless)... and it works well.
Re: switching to an internal DSL modem -- natd, ipfw
On Thu, 5 Feb 2004, Mikhail Teterin wrote:

> [Now CC-ing Chuck Cranor -- the en's author]
>
> > > http://store.yahoo.com/softbuyweb/inpcidslmod3.html
> > >
> > > What makes you think we have a driver for this?
> >
> > The en(4) manual page and the description of this product (on the
> > page above) as one based on Efficient Network's chip. Can there be
> > anything else?
>
> > I'd be dubious.. the en driver was for an old expensive ATM card from
> > '95 or so.. even though the ad says it supports PPPoE among other
> > things, I'd be pretty surprised if we could talk to it..
> > (surprises do happen though)
>
> So, back to the original question -- am I likely to have any problems with natd and ipfw dealing with this non-Ethernet interface -- assuming the en driver attaches to this card at all?
>
> Any other ATM card I should consider as an internal DSL modem?
>
> Thanks!

natd and ipfw will work with any interface.. they are attached to the ip stack..

I don't KNOW of any DSL cards that are supported but it's difficult to keep abreast of ALL developments :-)

> -mi
natd ipfw
Good morning!

I have 4.9-RELEASE. I'm interested in natd and ipfw. My test box has two interfaces, 172.16.0.10/29 and 195.161.208.210/30.

    # ipfw list
    00500 divert 8668 ip from any to not 172.16.0.8/29
    01000 allow ip from any to any

    # natd -v -a 195.161.208.210

When I ping 195.161.208.130 from a machine behind the firewall (172.16.0.9) I see:

    In  [ICMP] [ICMP] 172.16.0.9 -> 195.161.208.130 8(0) aliased to
                      [ICMP] 172.16.0.9 -> 195.161.208.130 8(0)
    Out [ICMP] [ICMP] 172.16.0.9 -> 195.161.208.130 8(0) aliased to
                      [ICMP] 195.161.208.210 -> 195.161.208.130 8(0)

The ICMP packet flows through the filter in two places: in ip_in and ip_out. It is diverted to natd twice. Why doesn't its source address change the first time, but only in ip_out? If I do the following:

    00500 divert 8668 ip from any to not 172.16.0.8/29 in

then natd doesn't change the source address, and ping doesn't work. I thought that natd must do NAT whenever and wherever it works. May I be mistaken?

Sorry for the trivial question, but I'm not an expert in FreeBSD, I'm only studying. Thank you.

-- 
Lev Klimin
mailto:[EMAIL PROTECTED]
(8362) 42-15-49
Re: natd ipfw
On Sun, Dec 07, 2003 at 01:11:40PM +0300, Lev Klimin wrote:
> then natd doesn't change the source address, and ping doesn't work. I thought that natd must do NAT whenever and wherever it works. May I be mistaken?

You may be. I had a problem a few months ago that seemed very similar. In the end I gave up asking questions and switched to ipf/ipnat (which is now working very well) but it does look very much like a bug somewhere to me.

Sorry I can't help you any more than that,

-lewiz.

-- 
I was so much older then, I'm younger than that now.
--Bob Dylan, 1964.
-| msn:[EMAIL PROTECTED] | jabber:[EMAIL PROTECTED] | url:www.lewiz.org |-
Re: Problem(s) resolving names with natd/ipfw.
1. I would try enabling named on the FreeBSD gateway and set it as a forwarder to the DNS of my ISP. Then set all the clients' primary DNS to that of the internal IP of your gateway.

2. I would also not use the OPEN firewall type. I would not be comfortable with it.

3. I would also take out the lines firewall_type and firewall_script from rc.conf and instead create a shell script in a startup dir (eg /usr/local/etc/rc.d), put all my ipfw rules in there and chmod it to be executable. I think the original /etc/rc.firewall awaits variables set in rc.conf, eg firewall_type, etc.

----- Original Message -----
From: Jose Albores [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, September 14, 2003 12:57 PM
Subject: Problem(s) resolving names with natd/ipfw.

> [...]
Re: Problem(s) resolving names with natd/ipfw.
Just enabling named solved the problem. I only added two or three named_... entries from /etc/default/rc.conf to /etc/rc.conf, changing NO to YES and nothing else. Even without modifying the default config files (named.conf and any other, eventually) the FreeBSD gateway began to forward name requests without problems.

But I'm almost sure that none of the documents I read said it was necessary to enable named in the gateway in order to resolve names. Maybe this should be added, or I should recheck.

Thank you very much. Your help was in fact extremely useful to me. I also prefer sometimes to perform a few tasks with my personal scripts and avoid the default programs doing them. As I review what I wrote, it seems that I know exactly what the program does!

Thanks again.

-- 
José Albores - [EMAIL PROTECTED]

--- [EMAIL PROTECTED] wrote:

> 1. I would try enabling named on the FreeBSD gateway and set it as a forwarder to the DNS of my ISP. Then set all the clients' primary DNS to that of the internal IP of your gateway.
>
> [...]
>
> ----- Original Message -----
> [...]
> > The problem summary is as follows: I'm setting up a very simple LAN at home using only two machines with fixed private ip addresses either. The FreeBSD gateway is connected to the internet through my cablemodem ISP's modem. The problem is that the Windows XP client CANNOT access the Internet with alphabetic names (should be called a DNS problem?) but it YES CAN do it with ip addresses (numbers).
> > [...]
Problem(s) resolving names with natd/ipfw.
The problem summary is as follows: I'm setting up a very simple LAN at home using only two machines with fixed private ip addresses either. The FreeBSD gateway is connected to the internet through my cablemodem ISP's modem. The problem is that the Windows XP client CANNOT access the Internet with alphabetic names (should be called a DNS problem?) but it YES CAN do it with ip addresses (numbers).

AFAIK (being a newbie in networking issues) it seems that no problems arise from the gateway side after setting up natd/ipfw. From the client, I can ping numeric addresses locally and outside. And (again using ip numbers) I can telnet to my pop server's 110 port. But not with names. The (gateway) server has NO problems with alphabetic addresses, neither pinging the local network nor the internet.

Maybe I forgot some flag for natd in my /etc/rc.conf? Is/are there other option/s needed in my kernel configuration file? Any hint will be appreciated. Please feel free to ask for any necessary info.

These are the details. It's my first job with networks, and the scenario is as follows:

The server:
· Pentium 233 MMX.
· OS: FreeBSD 4.8-RELEASE. Alternating with Win 98 for testing.
· dc0: interface to my cablemodem ISP.
· vr0: interface to my local network connected to a hub.

The client:
· AMD Athlon XP 2.0 GHz.
· OS: Windows XP.

Adding DNS servers to the network config in the client didn't solve the problem. BTW it's not necessary to add DNS entries when the server boots with Win 98 + Microsoft's ICS.

On the server side, I built a new kernel with (all?) the necessary options:
· The GENERIC kernel, adding:

    options IPDIVERT
    options IPFIREWALL
    options IPFIREWALL_VERBOSE
    options IPFIREWALL_VERBOSE_LIMIT=200
    options IPFIREWALL_DEFAULT_TO_ACCEPT

The /etc/hosts file has three entries:

    127.0.0.1      localhost  localhost.homenet.org
    192.168.0.1    david      david.homenet.org
    192.198.0.2    goliath    goliath.homenet.org

My /etc/resolv.conf has been automagically generated when I first configured the interfaces. Maybe? it updates on every boot. And my networking-related lines in /etc/resolv.conf are as follows:

    --- Begin of /etc/rc.conf ---
    hostname="david.homenet.org"
    # [...] chunking a few not-networking lines...
    ifconfig_dc0="DHCP"
    ifconfig_vr0="inet 192.168.0.1 netmask 255.255.255.0"
    gateway_enable="YES"
    firewall_enable="YES"
    firewall_type="OPEN"
    firewall_script="/etc/my.rc.firewall"
    #firewall_script="/etc/rc.firewall"   ### did not work either!!!
    natd_enable="YES"
    natd_interface="dc0"
    natd_flags=""
    --- End of /etc/rc.conf ---

The COMPLETE /etc/my.rc.firewall is extremely simple:

    --- Begin ---
    #!/bin/sh
    /sbin/ipfw -f flush
    /sbin/ipfw add divert natd all from any to any via dc0
    /sbin/ipfw add pass all from any to any
    --- End ---

Testing blindly the /etc/rc.firewall also did not work. Learning ipfw secrets will be left for the immediate future ;o))).

TIA.

-- 
José Albores - [EMAIL PROTECTED]
Re: NATD IPFW
Brian McCann wrote:
> Hi all. I'm having an issue with security while trying to get natd to work with ipfw. I got my ipfw rules working great, so I added the natd line in:
>
>     ipfw add divert 8668 all from any to any via $EXTERNAL_INTERFACE
>
> But I can't do anything (ping, fetch, etc) until I add:
>
>     ipfw add pass all from any to any
>
> Now, I may be wrong, but doesn't this pretty much open the box up? I tried changing the first any to my internal network, but that didn't work, and I know I've got to be missing something. If anyone would like to help me off-list, I could send you a copy of my rule set if you'd like.
>
> Thanks in advance,
> --Brian

Hello,

The best way to learn about your firewall is to log all denied packets and review the log file while trying different programs that access the network.

    # ipfw add 6500 deny log ip from any to any
    # tail -f /var/log/security

Then create rules based on what shows up in the logs.

-Ryan
NATD IPFW
Hi all. I'm having an issue with security while trying to get natd to work with ipfw. I got my ipfw rules working great, so I added the natd line in:

    ipfw add divert 8668 all from any to any via $EXTERNAL_INTERFACE

But I can't do anything (ping, fetch, etc) until I add:

    ipfw add pass all from any to any

Now, I may be wrong, but doesn't this pretty much open the box up? I tried changing the first any to my internal network, but that didn't work, and I know I've got to be missing something. If anyone would like to help me off-list, I could send you a copy of my rule set if you'd like.

Thanks in advance,
--Brian
RE: NATD IPFW
The entry I added to my ruleset was:

    # Allow outbound pings
    ipfw add pass icmp from any to any in recv $external icmptypes 0
    ipfw add pass icmp from any to any out xmit $external icmptypes 8
    # Allow outbound traceroutes
    ipfw add pass icmp from any to any in recv $internal icmptypes 3
    ipfw add pass icmp from any to any in recv $internal icmptypes 11

I don't use fetch, so I'm not sure which port it uses, nor am I familiar with which protocol it needs to use. Sorry. These two are self-explanatory.

Hope this helps.

A Faithful Servant,
Mark-Nathaniel Weisman
President / CEO
Infinite Visions Educational Systems Inc.
Anchorage, AK
[EMAIL PROTECTED]

-----Original Message-----
From: Brian McCann [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 01, 2003 6:54 PM
To: [EMAIL PROTECTED]
Subject: NATD IPFW

> [...]
Bridge + Natd + IPFW + Dummynet puzzles...
Hello,

I have a T1 with 16 IPs, which I need to share around this office. Some of those real/routable IPs I want to assign internally in the office, while at the same time wanting them to be behind my FreeBSD firewall/dummynet PC.

    t1Router 209.150.x.145
             |
             |
    209.150.x.146 255.255.255.240
    FreeBSD bridge/ipfw/dummynet/natd [two nics]
    192.168.0.1 255.255.255.0
             |
             |
    Server 209.150.214.147, Server 209.150.x.148
    Workstation 192.168.0.x, Workstation 192.168.0.x

So far my bridge and natd work fine, except those internal machines with 209.150 address space can't see each other [they won't ping any other 209.150.x.x], but I can ping them from the outside and they can ping outside. The T1 router is directly connected into the FreeBSD machine.

The handbook says I need to have DEFAULT_TO_ACCEPT in my kernel for ipfw; right now I just have firewall_type=open and net.link.ether.bridge_ipfw: 0. That works, but when I set that thing to 1 traffic dies randomly, so is that kernel option necessary?

I think this setup is whacked and I'm just getting lucky that someone can actually see those machines from the outside. I just need advice on how this should be done. Is this a good way to do it? Or is it possible to do it this way? Basically I want to have some machines with public IPs inside my network behind a firewall/dummynet [subnetting is too much headache for a network of 16 IPs], and other machines with private address space inside behind my firewall/dummynet through natd.

Peter
NATD IPFW and Remote Desktop (WinXP Pro.) not work
I try to allow the connection to a PC in my LAN but I could not. I would like to connect Remote Desktop (port 3389) from the internet to machine B but I could not.

These are my machines:

    A FreeBSD:    (rl0 A-NIC) to (DSL Modem) no-ip -gateway
                  (ed0 A-NIC) to (HUB-1) 192.168.0.11
                  (wi0 A-NIC 802.11b Access Point) 192.168.0.22
                  NAT IPFW APACHE SQUID SOCKS5
    B WinXP Pro:  (B-NIC) to (HUB-1) 192.168.0.1
    C WinXP Home: (C-NIC) to (HUB-1) 192.168.0.101
    D FreeBSD:    (xl0 D-NIC) to (HUB-2) (down)
                  (wi0 D-NIC 802.11b Client) to (wi0 A-NIC 802.11b Access Point)
                  NAT IPFW SQUID SOCKS5
    E WinXP Pro:  (E-NIC) to (HUB-2)
    F WinXP Pro:  (F-NIC) to (HUB-2)
    G WinXP Pro:  (G-NIC 802.11b Client) to (wi0 A-NIC 802.11b Access Point)

On A FreeBSD:

    [uname -a]
    FreeBSD sun 4.6-RELEASE FreeBSD 4.6-RELEASE #1: \
        Sun Nov 10 16:00:11 GMT 2002 \
        root@sun:/usr/src/sys/compile/ROUTER i386

    [rc.conf]
    ifconfig_ed0="inet 192.168.0.11 netmask 255.255.255.0"
    ifconfig_wi0="inet 192.168.0.22 netmask 255.255.255.255"
    ifconfig_rl0="up"
    defaultrouter="192.168.0.1"
    hostname="sun"
    sendmail_enable="NO"
    inetd_enable="NO"
    gateway_enable="YES"
    firewall_enable="YES"
    firewall_type="OPEN"
    natd_enable="YES"
    natd_interface="rl0"
    natd_flags="-redirect_port udp 192.168.0.1:3389 3389"
    ppp_enable="YES"
    ppp_mode="ddial"
    ppp_nat="YES"

What do I miss?
help with webcam through natd + ipfw
Folks,

I've done port-forwarding before on several different FW/NAT devices, but damned if I can get it going on FreeBSD. At first I tried with PPP's builtin NAT, and when that failed I switched to natd. I did google searches and even searched the FreeBSD list archives but did not find any help.

/etc/natd.conf looks like this (private IP removed):

    interface tun0
    port 8668
    use_sockets yes
    dynamic yes
    redirect_port tcp MY_PRIVATE_IP:8080 8080

/etc/rc.conf has this:

    firewall_type="SIMPLE"
    firewall_enable="YES"
    firewall_script="/etc/rc.firewall"
    firewall_quiet="NO"
    natd_enable="YES"
    natd_program="/sbin/natd"
    natd_interface="tun0"
    natd_flags="-f /etc/natd.conf"

My firewall does not have much changed from the SIMPLE template. I allow a few incoming connections including ports 80, 443, 53, 110 and the port I want to forward back to my webcam: 8080.

NAT itself works fine (machines behind the FW can surf and such) but the port forwarding is not working. I tried adding a rule 50 to allow everything on the ipfw, and that didn't work. Then I thought maybe the 'allow all' should go right after the divert to natd, so I deleted 50 and added the allow all rule right after the divert. Still nothing!

I'm testing by VPN'ing into work, VNC'ing into my desktop, and trying to connect back from there.

Help! What's up?

Oh, FreeBSD 4.5 release (stable, whatever it's called, I don't muck around with beta stuff)

cheers,
-Alan

-- 
http://www.bodensatz.com/ The Beer Site
Re: help with webcam through natd + ipfw
On Thu, 24 Oct 2002, Alan McKay wrote:

> Folks,
>
> I've done port-forwarding before on several different FW/NAT devices, but damned if I can get it going on FreeBSD. At first I tried with PPP's builtin NAT, and when that failed I switched to natd. I did google searches and even searched the FreeBSD list archives but did not find any help.
>
> [...]
>
> My firewall does not have much changed from the SIMPLE template. I allow a few incoming connections including ports 80, 443, 53, 110 and the port I want to forward back to my webcam: 8080.

What does `ipfw -a l` show?

Nick Rogness [EMAIL PROTECTED]
- Wouldn't it be great if we could answer people with a kick to the crotch? [EMAIL PROTECTED]
Re: help with webcam through natd + ipfw
> What does `ipfw -a l` show?

That seems to be the same as `ipfw show`, which I used to determine that there do not seem to be any 'deny' rules hit. So I cannot really tell where those packets are going. I can hit my port 80 from work no problem (www.bodensatz.com), but 8080 no deal. So it seems to be going through some allow rule, but I'm not sure which.

Also, my 'allow 8080 setup' rule was after the divert but with the public IP number, so I added an equivalent one with the private address of my internal PC, i.e.

    013500 0 allow tcp from any to PC_WITH_CAM 8080 setup
    055500 0 allow tcp from any to 207.164.198.56 8080 setup

I put the private IP rule right after the divert just in case.

gah!

-- 
http://www.bodensatz.com/ The Beer Site
Re: help with webcam through natd + ipfw
On Thu, 24 Oct 2002, Alan McKay wrote:

> > What does `ipfw -a l` show?
>
> That seems to be the same as `ipfw show`, which I used to determine that
> there do not seem to be any 'deny' rules hit. So I cannot really tell
> where those packets are going. I can hit my port 80 from work no problem
> (www.bodensatz.com), but 8080 no deal. So it seems to be going through
> some allow rule, but I'm not sure which.

If indeed your internal machine is accepting connections on port 8080 (can be tested from the firewall box using telnet) then this sounds like a firewalling problem. Set your firewall type to OPEN, reboot and see if it works. If it does, then you need to examine your firewall rules better. There is really nothing special about what you're doing if the firewall is correct.

Also, to help troubleshoot more, I would recommend using ipfw log statements as well as the natd log option.

Nick Rogness
Re: help with webcam through natd + ipfw
> If indeed your internal machine is accepting connections on port 8080
> (can be tested from the firewall box using telnet) then this

Cannot telnet to 8080, so it must be NAT, but my natd.conf looks good to me. Dunno what's up. NAT itself is working, otherwise I wouldn't be talking to you right now. You say my natd.conf looked fine.

In my kernel I have the following:

    options IPDIVERT
    options IPFIREWALL
    options IPFIREWALL_VERBOSE
    options IPFIREWALL_VERBOSE_LIMIT=10

-- 
http://www.bodensatz.com/ The Beer Site
Re: help with webcam through natd + ipfw
> sounds like a firewalling problem. Set your firewall type to OPEN,
> reboot and see if it works. If it does, then you need to examine your
> firewall rules better.

Nope, still no go :-(

I'll wait til my buddy is back from vacation as I think he got it going on his fbsd box :-(

-- 
http://www.bodensatz.com/ The Beer Site
Re: help with webcam through natd + ipfw
Question... having never dealt with IPFW and NAT, does ipnat.conf need to exist? I wonder this because it seems like a great majority of problems that exist with IPF can be solved by having a correct ipnat.conf.

Charles Pelletier
Tech. Coordinator
St Luke's School
Re: help with webcam through natd + ipfw
On Thu, 24 Oct 2002, Alan McKay wrote:

> > If indeed your internal machine is accepting connections on port 8080
> > (can be tested from the firewall box using telnet) then this
>
> Cannot telnet to 8080, so it must be NAT, but my natd.conf looks good to
> me. Dunno what's up. NAT itself is working, otherwise I wouldn't be
> talking to you right now. You say my natd.conf looked fine.

You mean you can't:

    # telnet $PRIVATE_IP 8080

from your BSD machine? That leaves only 2 possible problems:

1) The program isn't listening on port 8080 tcp on your $PRIVATE_IP (use `netstat -an` on that machine to verify).

2) The firewall is blocking the packets. I still haven't seen the output of `ipfw -a l` yet so I can't be sure. Packets don't always act the way you think they do when NAT is in the picture.

Nick Rogness
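The point Nick is making about packets not behaving as expected with NAT in the picture, and Alan's pair of 8080 rules (one with the public address, one with the private one), come down to rule order around the divert: once the divert rule hands an inbound SYN to natd and a redirect_port entry rewrites its destination, every rule after the divert sees the private address, so an allow rule written against the public address never fires. The following script is an added example, not code from the thread; it walks an `ipfw show`-style ruleset in number order with that rewrite applied, so you can see which rule a given packet ends up on. The ruleset, the private address 192.168.1.20 and the remote source address are constructed for the example; 207.164.198.56 and the natd.conf lines are the ones posted above.

```python
"""Trace an inbound packet through an ipfw ruleset that diverts to natd."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

ACTIONS = {"allow", "deny", "divert"}


@dataclass
class Packet:
    proto: str            # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    iface: str = "tun0"
    direction: str = "in"
    syn: bool = True      # a "setup" rule matches only the TCP SYN


@dataclass
class Rule:
    number: int
    action: str
    proto: str
    src: str
    dst: str
    dport: Optional[int]
    setup: bool
    established: bool
    via: Optional[str]
    direction: Optional[str]


def parse_rule(line: str) -> Rule:
    """Parse one line of `ipfw show` output: number, counters, then the rule body."""
    tok = line.split()
    number = int(tok[0])
    i = 1
    while tok[i] not in ACTIONS:          # skip packet/byte counters
        i += 1
    action = tok[i]; i += 1
    if action == "divert":
        i += 1                            # skip the divert port
    proto = "ip" if tok[i] == "all" else tok[i]; i += 1
    assert tok[i] == "from"; i += 1
    src = tok[i]; i += 1
    if tok[i].isdigit():                  # optional source port, unused here
        i += 1
    assert tok[i] == "to"; i += 1
    dst = tok[i]; i += 1
    dport = None
    if i < len(tok) and tok[i].isdigit():
        dport = int(tok[i]); i += 1
    opts = tok[i:]
    via = opts[opts.index("via") + 1] if "via" in opts else None
    direction = "in" if "in" in opts else ("out" if "out" in opts else None)
    return Rule(number, action, proto, src, dst, dport,
                "setup" in opts, "established" in opts, via, direction)


def addr_match(pattern: str, ip: str) -> bool:
    if pattern == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)


def matches(r: Rule, p: Packet) -> bool:
    if r.proto != "ip" and r.proto != p.proto:
        return False
    if r.via and r.via != p.iface:
        return False
    if r.direction and r.direction != p.direction:
        return False
    if r.dport is not None and r.dport != p.dport:
        return False
    if (r.setup and not p.syn) or (r.established and p.syn):
        return False
    return addr_match(r.src, p.src) and addr_match(r.dst, p.dst)


def parse_redirects(natd_conf: str) -> Dict[Tuple[str, int], Tuple[str, int]]:
    """{(proto, public_port): (private_ip, private_port)} from redirect_port lines."""
    table = {}
    for line in natd_conf.splitlines():
        tok = line.split()
        if tok and tok[0] == "redirect_port":
            ip, port = tok[2].split(":")
            table[(tok[1], int(tok[3]))] = (ip, int(port))
    return table


def trace(ruleset: str, natd_conf: str, pkt: Packet) -> Tuple[str, int, List[int]]:
    """Walk rules in number order; return (verdict, rule number, rules hit).

    A matching divert rule sends the packet to natd. If a redirect_port
    entry covers it, natd rewrites the destination and the packet re-enters
    ipfw at the NEXT rule, so every later rule sees the private address.
    """
    rules = sorted((parse_rule(l) for l in ruleset.splitlines() if l.strip()),
                   key=lambda r: r.number)
    redirects = parse_redirects(natd_conf)
    pkt = replace(pkt)                    # work on a copy
    hit: List[int] = []
    for r in rules:
        if not matches(r, pkt):
            continue
        hit.append(r.number)
        if r.action == "divert":
            target = redirects.get((pkt.proto, pkt.dport))
            if target and pkt.direction == "in":
                pkt.dst, pkt.dport = target
            continue
        return r.action, r.number, hit
    return "deny", 65535, hit             # implicit default rule


# Constructed for the example: natd.conf as posted (private IP filled in) and a
# ruleset in the shape of the SIMPLE template plus Alan's two 8080 rules.
NATD_CONF = "interface tun0\nport 8668\nuse_sockets yes\ndynamic yes\n" \
            "redirect_port tcp 192.168.1.20:8080 8080\n"
RULES = """\
00050 0 0 divert 8668 ip from any to any via tun0
00100 0 0 allow ip from any to any via lo0
13500 0 0 allow tcp from any to 192.168.1.20 8080 setup
21000 0 0 allow tcp from any to 207.164.198.56 80 setup
22000 0 0 allow tcp from any to any established
55500 0 0 allow tcp from any to 207.164.198.56 8080 setup
60000 0 0 deny tcp from any to any setup
65535 0 0 deny ip from any to any
"""


def webcam_syn() -> Packet:               # inbound SYN from a made-up remote host
    return Packet("tcp", "10.9.8.7", 40000, "207.164.198.56", 8080)


def with_private_rule():
    return trace(RULES, NATD_CONF, webcam_syn())


def without_private_rule():               # only the public-address rule 55500 remains
    rules = "\n".join(l for l in RULES.splitlines() if not l.startswith("13500"))
    return trace(rules, NATD_CONF, webcam_syn())


def web_syn():                            # port 80 has no redirect, so dst stays public
    return trace(RULES, NATD_CONF, replace(webcam_syn(), dport=80))


if __name__ == "__main__":
    print("with private-IP rule:   ", with_private_rule())
    print("without private-IP rule:", without_private_rule())
    print("port 80 (no redirect):  ", web_syn())
```

Run it and the three traces show the whole story: the 8080 SYN is allowed only by the rule that names the private address, it falls through to the `deny tcp ... setup` rule when only the public-address rule exists, and the port 80 SYN is allowed by the public-address rule because nothing in natd.conf redirects it. When the private-address rule is in place and the connection still fails, the trace points away from ipfw and toward natd itself or the listener on the internal host, which is the telnet and `netstat -an` check Nick asks for.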
Re: help with webcam through natd + ipfw
On Thu, 24 Oct 2002, Charles Pelletier wrote:

> Question... having never dealt with IPFW and NAT, does ipnat.conf need
> to exist? I wonder this because it seems like a great majority of
> problems that exist with IPF can be solved by having a correct
> ipnat.conf.

No, ipnat.conf doesn't need to exist when using IPFW/NAT. That is for the ipnat/ipfilter system, which is a whole different monster.

Nick Rogness
Re: help with webcam through natd + ipfw
Okay. Thanks for the clarification.

Charles Pelletier
Tech. Coordinator
St Luke's School
Re: Or even - NATD/IPFW/BSD
Hello Scott,

Tuesday, October 22, 2002, 7:15:41 PM, you wrote:

> In regards to my last question ... or does anyone even know how to block
> all traffic from a MAC ID?

IPFW2 allows matching IP packets by MAC address. It is not used in stable by default; read `man ipfw` to figure out how to enable IPFW2.

Please note that many modern network cards allow changing their MAC ID easily, so blocking MACs is not a 100% solution. If your network does not use DHCP, you may write down the MAC IDs of all computers in your network along with their IP addresses, then disable ARP resolution on your firewall's interface (`ifconfig ed0 -arp`), then add static ARP mappings for all hosts in your network (`arp -s 192.168.0.1 xx:xx:xx:xx:xx:xx`).

-- 
Best regards,
Artem
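Artem's caveat is the important one: a MAC filter or a static ARP table is only as good as the inventory behind it, and a host that clones another machine's MAC defeats both unless someone notices. The script below is an added example, not part of Artem's reply or any FreeBSD tool; it compares a written-down IP-to-MAC inventory against a snapshot in the shape of FreeBSD `arp -an` output and reports addresses that resolve to the wrong MAC, one MAC answering for several IPs, and hosts not in the inventory at all, then emits the `arp -s` lines that pin the inventory. The inventory, the snapshot (including the spoofed .0.2 entry) and the interface name ed0 are all constructed for the example; note that `arp` prints MAC bytes without leading zeros, which is why the script normalises before comparing.

```python
"""Audit a FreeBSD ARP cache against a static IP-to-MAC inventory."""
import re
from typing import Dict, List, Tuple

# Constructed inventory for the example (addresses are made up).
INVENTORY = {
    "192.168.0.1":  "00:11:22:33:44:55",
    "192.168.0.2":  "00:11:22:33:44:66",
    "192.168.0.10": "00:0c:29:ab:cd:ef",
}

# Constructed snapshot in the shape of `arp -an` output. 192.168.0.2 is
# answering with the MAC that belongs to 192.168.0.1, and .0.77 is unknown.
ARP_SNAPSHOT = """\
? (192.168.0.1) at 0:11:22:33:44:55 on ed0 permanent [ethernet]
? (192.168.0.2) at 0:11:22:33:44:55 on ed0 [ethernet]
? (192.168.0.10) at 0:c:29:ab:cd:ef on ed0 [ethernet]
? (192.168.0.77) at 8:0:20:1a:2b:3c on ed0 [ethernet]
"""

ARP_LINE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-fA-F:]+) on (?P<ifn>\S+)")


def normalize_mac(mac: str) -> str:
    """Zero-pad each byte and lower-case: 0:c:29:AB:CD:EF -> 00:0c:29:ab:cd:ef."""
    parts = mac.split(":")
    if len(parts) != 6 or not all(1 <= len(p) <= 2 for p in parts):
        raise ValueError("bad MAC: %r" % mac)
    return ":".join("%02x" % int(p, 16) for p in parts)


def parse_arp(snapshot: str) -> Dict[str, str]:
    """Return {ip: normalized_mac} for every resolved entry in the snapshot."""
    table = {}
    for line in snapshot.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m.group("ip")] = normalize_mac(m.group("mac"))
    return table


def audit(inventory: Dict[str, str], snapshot: str) -> Dict[str, List[Tuple]]:
    """Compare the ARP cache with the inventory.

    mismatch:  an inventoried IP currently resolves to a different MAC
    duplicate: one MAC answering for more than one IP (cloned or changed MAC)
    unknown:   an IP in the cache that is not in the inventory at all
    """
    seen = parse_arp(snapshot)
    want = {ip: normalize_mac(mac) for ip, mac in inventory.items()}
    report: Dict[str, List[Tuple]] = {"mismatch": [], "duplicate": [], "unknown": []}
    for ip, mac in seen.items():
        if ip not in want:
            report["unknown"].append((ip, mac))
        elif want[ip] != mac:
            report["mismatch"].append((ip, want[ip], mac))
    by_mac: Dict[str, List[str]] = {}
    for ip, mac in seen.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            report["duplicate"].append((mac, sorted(ips)))
    return report


def static_arp_commands(inventory: Dict[str, str]) -> List[str]:
    """The `arp -s` lines that pin the inventory on the firewall."""
    return ["arp -s %s %s" % (ip, normalize_mac(mac))
            for ip, mac in sorted(inventory.items())]


if __name__ == "__main__":
    for kind, entries in audit(INVENTORY, ARP_SNAPSHOT).items():
        for entry in entries:
            print(kind, entry)
    print("\n".join(static_arp_commands(INVENTORY)))
```

With ARP disabled on the interface as Artem suggests, the firewall no longer learns entries dynamically, so the audit is worth running before the switch (to catch an inventory that is already wrong) and afterwards from another host on the segment that still does ARP. IPFW2's MAC matching also needs layer-2 packets passed to ipfw, which is controlled by the `net.link.ether.ipfw` sysctl.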
Or even - NATD/IPFW/BSD
In regards to my last question ... or does anyone even know how to block all traffic from a MAC ID?