On Friday, October 24, 2003, at 02:35 AM, Alhagie Puye wrote:
Do you have a natd.conf file? What does your rc.conf file look like? You have to turn on nat for the packets to be translated. Telling the firewall to send the packets to natd is one thing; what then happens to them after that is another. You ARE missing the setup for natd.
Check this out:
http://www.freebsddiary.org/ipfw.php
Please read this link. I sent you something similar in my previous reply. And you are still asking the same question. It is very self-explanatory.
Yes, I have read that link. I have followed the instructions very carefully. I do have the setup for natd. I have checked and re-checked all my configurations. I have been working with a security engineer who set up our ipfw rules, and he has also checked and rechecked the natd and ipfw configuration and rules. I have included both my /etc/natd.conf and /etc/rc.conf files below. I have also added option IPDIVERT to the kernel and rebuilt the kernel.
I'm sorry if my last e-mail was not clear, but this is not the same question, because I am now asking why I am able to get out from a client on the subnet with IP 192.168.53.200 when I open up the ipfw rules to allow everything, but am not able to get out when I specify in the ipfw rules to allow all traffic in and out only for IP 192.168.53.200. If natd was not working properly, how could I get to the outside world from the client using 192.168.53.200, since 192 addresses are not routable outside of our network? With the below rules I can get to websites, ssh, and telnet from a client on the subnet to the outside world:
ipfw add 100 divert natd all from any to any via fxp0
ipfw add 200 allow all from any to any
But when I flush the rules and add the following, giving access specifically to 192.168.53.200, I can no longer access websites, ssh, or telnet to the outside world:
ipfw add 100 divert natd all from any to any via fxp0
ipfw add 200 allow all from 192.168.53.200 to any
ipfw add 300 allow all from any to 192.168.53.200
If the first set of ipfw rules is not a way to check that natd is working, please let me know a better way. If there is any other information I need to provide, please let me know.
Here are the natd.conf and rc.conf files:
/etc/natd.conf:
interface fxp0
use_sockets yes
same_ports yes
/etc/rc.conf file:
defaultrouter="64.x.x.x"
hostname="domain.com"
ifconfig_fxp0="inet 64.x.x.x netmask 255.255.255.248"
ifconfig_xl0="inet 192.168.53.1 netmask 255.255.255.0"
inetd_enable="NO"
kern_securelevel_enable="NO"
linux_enable="YES"
moused_enable="YES"
nfs_client_enable="NO"
nfs_reserved_port_only="YES"
sendmail_enable="NO"
sshd_enable="YES"
sshd_program="/usr/local/sbin/sshd"
usbd_enable="YES"
start_vinum="YES"
portmap_enable="NO"
nfs_server_enable="NO"
nfs_client_enable="NO"
# syslog stuff
syslogd_enable="YES"
syslogd_flags="-ss"
# process accounting (lastcomm)
accounting_enable="YES"
# nuke /tmp/* on boot
clear_tmp_enable="YES"
# don't clobber /etc/motd with default message
update_motd="NO"

#NATD Stuff
natd_enable="YES"
natd_interface="fxp0"
natd_flags="-f /etc/natd.conf"
gateway_enable="YES"

# firewall stuff
firewall_enable="YES"
firewall_script="/etc/ipfw.conf"
firewall_logging="YES"
icmp_drop_redirect="YES"

#ntp stuff
xntpd_enable="YES"
xntpd_flags="-g -p /var/run/ntpd.pid"

#bind stuff
named_enable="YES"
named_flags="-u bind -g bind -t /etc/namedb/sandbox"

#DHCP stuff
ifconfig_xl0="DHCP"
Cheers, Alhagie.
--- Michelle <[EMAIL PROTECTED]> wrote:
I have a FreeBSD server running 4.6.2 with 2 NIC cards installed, one for our LAN (fxp0) that provides connection to the outside world via DSL and the other for an internal subnet (xl0). I have both natd and ipfw configured and running. When on the subnet, I can not connect to the outside. I tried flushing the firewall rules and adding only:
ipfw add 100 divert natd all from any to any via fxp0
ipfw add 200 allow all from any to any
I am then able to connect from a client on the subnet to an outside IP address.
Then I tried flushing the rules again and adding:
ipfw add 100 divert natd all from any to any via fxp0
ipfw add 200 allow all from 192.168.53.200 to any
ipfw add 300 allow all from any to 192.168.53.200
I don't understand why the above rules would stop the client on the subnet from making a connection to the outside. Is there another rule I need to add?
_______________________________________________ [EMAIL PROTECTED] mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
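An added illustration, not part of the thread and not FreeBSD or ipfw code: the Python script below simulates how ipfw walks the two rule sets posted above when a "divert natd" rule rewrites a packet and evaluation resumes at the next rule, which is the mechanism behind the behaviour Michelle describes. The public address 64.0.0.1 stands in for the thread's 64.x.x.x, 198.51.100.10 is a constructed outside host, and the fourth rule (400), which allows the translated source address out on fxp0, is the usual fix and is not on the page.

```python
# Added example (not FreeBSD code): simulate ipfw rule walking with a
# "divert natd" rule that rewrites the packet and resumes at the next rule.
from dataclasses import dataclass, replace
from typing import Optional

PUBLIC_IP = "64.0.0.1"        # placeholder for the thread's 64.x.x.x on fxp0
CLIENT_IP = "192.168.53.200"  # the subnet client from the thread
REMOTE_IP = "198.51.100.10"   # constructed outside host (documentation range)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str       # interface the packet is crossing
    direction: str   # "in" or "out", relative to the firewall host


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                      # "allow", "deny" or "divert"
    src: str = "any"
    dst: str = "any"
    via: Optional[str] = None        # like "via fxp0"; None matches any interface
    direction: Optional[str] = None  # "in" / "out"; None matches both

    def matches(self, p):
        return (self.src in ("any", p.src) and self.dst in ("any", p.dst)
                and self.via in (None, p.iface)
                and self.direction in (None, p.direction))


class Natd:
    """Minimal natd: rewrites only packets crossing its own interface."""

    def __init__(self, interface, public_ip):
        self.interface, self.public_ip = interface, public_ip
        self.sessions = {}  # outside address -> inside host that talked to it

    def translate(self, p):
        if p.iface != self.interface:
            return p
        if p.direction == "out" and p.src.startswith("192.168."):
            self.sessions[p.dst] = p.src              # remember the inside host
            return replace(p, src=self.public_ip)     # masquerade as the public IP
        if p.direction == "in" and p.dst == self.public_ip and p.src in self.sessions:
            return replace(p, dst=self.sessions[p.src])  # reply goes back inside
        return p                                      # unsolicited: left untouched


def walk(rules, p, natd):
    """ipfw semantics: the first matching rule decides; a divert hands the
    packet to natd and evaluation resumes at the following rule with the
    rewritten packet; falling off the end hits the default deny (65535)."""
    for rule in sorted(rules, key=lambda r: r.number):
        if not rule.matches(p):
            continue
        if rule.action == "divert":
            p = natd.translate(p)
            continue
        return rule.action, rule.number, p
    return "deny", 65535, p


def round_trip(rules):
    """Trace a client connection out via xl0 then fxp0, and the reply back.
    Returns [(hop, verdict, rule_number), ...], stopping at the first deny."""
    natd = Natd("fxp0", PUBLIC_IP)
    hops = [
        ("xl0 in", lambda p: replace(p, iface="xl0", direction="in")),
        ("fxp0 out", lambda p: replace(p, iface="fxp0", direction="out")),
        ("fxp0 in", lambda p: Packet(REMOTE_IP, PUBLIC_IP, "fxp0", "in")),  # reply
        ("xl0 out", lambda p: replace(p, iface="xl0", direction="out")),
    ]
    pkt, trace = Packet(CLIENT_IP, REMOTE_IP, "xl0", "in"), []
    for name, hop in hops:
        verdict, number, pkt = walk(rules, hop(pkt), natd)
        trace.append((name, verdict, number))
        if verdict != "allow":
            break
    return trace


def unsolicited_inbound(rules):
    """A fresh connection from outside to the public address, no natd session."""
    verdict, number, _ = walk(rules, Packet(REMOTE_IP, PUBLIC_IP, "fxp0", "in"),
                              Natd("fxp0", PUBLIC_IP))
    return verdict, number


DIVERT = Rule(100, "divert", via="fxp0")
# The two rule sets from the thread, plus the usual fix (rule 400 is added here).
ALLOW_EVERYTHING = [DIVERT, Rule(200, "allow")]
ALLOW_CLIENT_ONLY = [DIVERT, Rule(200, "allow", src=CLIENT_IP),
                     Rule(300, "allow", dst=CLIENT_IP)]
ALLOW_CLIENT_FIXED = ALLOW_CLIENT_ONLY + [
    Rule(400, "allow", src=PUBLIC_IP, via="fxp0", direction="out")]

if __name__ == "__main__":
    for label, rules in [("allow everything", ALLOW_EVERYTHING),
                         ("allow 192.168.53.200 only", ALLOW_CLIENT_ONLY),
                         ("plus post-NAT rule 400", ALLOW_CLIENT_FIXED)]:
        print(f"{label}: {round_trip(rules)}")
        print(f"  unsolicited inbound: {unsolicited_inbound(rules)}")
```

Run it with python3 to print the hop-by-hop verdicts. With the second rule set the packet leaving on fxp0 is diverted at rule 100, comes back from natd with source 64.x.x.x, and then matches neither rule 200 (the source is no longer 192.168.53.200) nor rule 300 (the destination is not 192.168.53.200), so it falls through to the default deny at 65535; rule 100 says "via fxp0", so the first hop in on xl0 is never diverted and is allowed by rule 200, which is why the rules look correct until the translated packet re-enters. The "allow all from any to any" set works because it also accepts the rewritten packet, but it equally accepts unsolicited traffic from outside to the host itself, as the unsolicited_inbound trace shows. One unrelated detail visible in the posted rc.conf: the file is sourced as a shell script, so the final ifconfig_xl0="DHCP" line overrides the earlier static 192.168.53.1 assignment for xl0.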