Hi! I can't give you all details, since currently I don't have root access to the machine, only user via ssh (forgot to install su2 or to put me into the right group, *argh* ;-) ... will last up to Monday, but maybe you can answer me, if perhaps there is a problem with nat or my basic config.

People usually use squid for http and ftp. But they want to have access to internet radio, upload files to remote webservers via ftp and such ... And this currently (surprisingly) doesn't work. One iMac uses in Netscape direct connection to internet, the other uses squid. Squid works, direct access to internet not. Default gateway is o.k., set to internal fxp0 interface. FreeBSD is also a caching DNS server ... there no problem. Traffic originating from FreeBSD machine doesn't have problems. Traffic (for example web, port 80) originating from internal net to external net without going over squid doesn't work ... Although FreeBSD already offers nice firewall rules for a firewall with 2 interfaces and nat ...

The FreeBSD version is a 4.4-20020111-STABLE machine. Two fxp interfaces, fxp0 for inside, fxp1 for outside (DMZ, one IP in a /29).

In rc.conf I use:

firewall_enable="YES"      # Set to YES to enable firewall functionality
firewall_type="simple"     # Firewall type (see /etc/rc.firewall)
firewall_logging="YES"     # Set to YES to enable events logging
gateway_enable="YES"       # Set to YES if this host will be a gateway.
natd_enable="YES"          # Enable natd (if firewall_enable == YES).
natd_interface="fxp1"      # Public interface or IPaddress to use.
natd_flags="-l -s -m"      # Additional flags for natd.
icmp_drop_redirect="YES"   # Set to YES to ignore ICMP REDIRECT packets
icmp_log_redirect="YES"    # Set to YES to log ICMP REDIRECT packets
log_in_vain="YES"          # YES to log connects to ports w/o listene

I compiled a custom kernel with these settings:

options IPFIREWALL                    #firewall
options IPFIREWALL_VERBOSE            #print information about dropped packets
options IPFIREWALL_VERBOSE_LIMIT=900  #limit verbosity
options IPDIVERT                      #divert sockets
options IPSTEALTH                     #support for stealth forwarding
options RANDOM_IP_ID
options TCP_DROP_SYNFIN               #drop TCP packets with SYN+FIN
options ICMP_BANDLIM

I changed "simple" in rc.firewall to use the right IP addresses:

oif="fxp1"
onet="213.168.x.y"
omask="255.255.255.248"
oip="213.168.65.20"
iif="fxp0"
inet="192.168.100.0"
imask="255.255.255.0"
iip="192.168.100.200"
[...]

I allowed ssh from 2 certain IPs, no problem ... Only inside -> outside via NAT doesn't work. The manpage says you need IP forwarding and IPDIVERT in the kernel ... I did so ...

What I tried:

- I tried removing -s and -m from natd flags. No success.
- I tried to use fxp0 (the internal interface) instead of fxp0 to be natd_interface. No success.
- I tried to put the natd divert rule to be the first by using the number "50" like in firewall_type="open" config:
  ${fwcmd} add 50 divert natd all from any to any via ${natd_interface}
  Normal for firewall_type="simple" is:
  ${fwcmd} add divert natd all from any to any via ${natd_interface}
  No success.

What works is firewall_type="open". But this I don't want ;-) Too bad, currently no root access, so I'm unable to reconfigure and do a ipfw show .. Another bad thing is that I forgot to change natd_interface back to "fxp1"...

How does natd work exactly? What can go wrong? In the past I used own firewall rules, to deny some incoming traffic on the external interface (smtp, dns, ......) and then allowed everything. In the middle then the divert rule ... This way nat worked with FreeBSD 4.2.

Now I wanted to create a better firewall on the new machine and our "simple" template doesn't work out of the box ... Or are some kernel options not o.k. for natd ???

What can I give you more on Monday or Tuesday .. ? More beef better via personal mail, not mailing-list. I could arrange ssh access, if you are willing and if that helps you more...

Andreas ///

--
Andreas Klemm - Powered by FreeBSD
Need a magic printfilter today ? http://www.apsfilter.org/
Songs from our band >> 64Bits << http://www.64bits.de
Unofficial band pages with add-on stuff http://www.apsfilter.org/64bits.html
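Added example, not from this thread or from the stock rc.firewall: a minimal stateless two-interface ipfw/natd ruleset built from the variables in the post, with the divert rule placed after the anti-spoofing checks and before every rule that has to see translated addresses. It assumes `onet` is the masked value from the post (replace it), `admin_ip` is a placeholder for the ssh-allowed hosts, and FWCMD defaults to `echo ipfw` so the generated rules can be reviewed in order without root.

```shell
#!/bin/sh
# Added example (not from the thread): two-interface ipfw + natd ruleset.
# FWCMD defaults to "echo ipfw" (dry run); set FWCMD=ipfw to load it.
oif="fxp1"; onet="213.168.x.y"; omask="255.255.255.248"; oip="213.168.65.20"
iif="fxp0"; inet="192.168.100.0"; imask="255.255.255.0"
admin_ip="ADMIN_IP_PLACEHOLDER"   # ssh sources; assumed, not in the post

build_rules() {
    fw="${FWCMD:-echo ipfw}"
    $fw -f flush
    $fw add 100 pass all from any to any via lo0
    # Anti-spoofing, evaluated on the untranslated packet (before natd).
    $fw add 200 deny all from ${inet}:${imask} to any in via ${oif}
    $fw add 210 deny all from ${onet}:${omask} to any in via ${iif}
    # Every packet crossing the outside interface is handed to natd here:
    # outbound ones still carry their 192.168.100.x source, inbound replies
    # still carry the public address as destination. natd reinjects the
    # translated packet and matching continues at the next rule.
    $fw add 300 divert natd all from any to any via ${oif}
    # Second spoofing check, on the translated packet: a private source
    # address must never leave on the outside interface.
    $fw add 310 deny log all from ${inet}:${imask} to any out via ${oif}
    # Replies to connections opened from inside. "any" on purpose: the same
    # packet passes the ruleset once in via fxp0 (untranslated) and once out
    # via fxp1 (translated), so a rule naming ${inet} would miss one pass.
    $fw add 400 pass tcp from any to any established
    # Services reachable on the public address: ssh from the admin hosts.
    $fw add 410 pass tcp from ${admin_ip} to ${oip} 22 setup
    # Any other connection attempt from outside is logged and dropped.
    $fw add 420 deny log tcp from any to any in via ${oif} setup
    # Connection set-up from inside (web, ftp control, TCP audio streams).
    $fw add 430 pass tcp from any to any setup
    # The gateway's own caching resolver talks to the outside world.
    $fw add 440 pass udp from ${oip} to any 53
    $fw add 450 pass udp from any 53 to ${oip}
    # Echo reply, unreachable, echo request, time exceeded.
    $fw add 460 pass icmp from any to any icmptypes 0,3,8,11
    $fw add 65000 deny log all from any to any
}

# Position of the first generated rule matching a pattern, so the
# ordering can be checked before anything is loaded into the kernel.
rule_pos() { FWCMD="echo ipfw" build_rules | grep -n "$1" | head -1 | cut -d: -f1; }

build_rules
```

With the dry run, compare the printed order against `ipfw show` once root access is back: the counter on the divert rule tells whether internal traffic reaches natd at all.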