Subject: Re: NATD problem
From: Mike Hoskins (mike@adept.org)
Date: Sat Jul 22 2000 - 14:57:25 CDT
On Sat, 22 Jul 2000 George.Giles@mcmail.vanderbilt.edu wrote:
> My firewall works fine, but NATD does not route my gateway requests
> properly. The private ip addresses do not route from mx1 (iip) through mx0
> (oip).
Has this worked before, and only broken recently... or is this still a
first attempt to get it working?
What options do you have compiled into your kernel? I have:
# Firewall/NATD
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=64
options IPDIVERT
Does this show up in your dmesg output?
[69]mike@snafu{mike}$ dmesg|grep div
IP packet filtering initialized, divert enabled, rule-based forwarding
disabled, default to deny, logging limited to 64 packets/entry by default
What flags are you passing natd? What's in /etc/rc.conf? I have:
natd_enable="YES"
natd_flags="-s -m -u"
And see the following running:
[70]mike@snafu{mike}$ ps ax|grep nat
90 ?? Ss 0:24.61 /sbin/natd -s -m -u -n fxp0
For my firewall I have:
firewall_enable="YES"
firewall_type="/etc/rc.firewall.snafu"
But you're probably running firewall_type="OPEN" (which is fine for
initial setup/testing).
Is your box set to be a gateway? I have this in /etc/rc.conf:
gateway_enable="YES"
With these options, NATD's been working perfectly for me under RELENG_4
for a while now. If you already have all of this, have you tested basic
connectivity? Can you ping from the inside host(s) to the gw
machine? Can you ping from the gw machine to the inside host(s)? Can the
gw machine ping outside? Are your NICs configured properly on all
machines (duplex, etc.)?
> # Allow inside out
> $fwcmd add divert natd all from any to any via ${oif}
>
> $fwcmd add pass tcp from ${iip} to ${oip} 8668 setup
> $fwcmd add pass tcp from ${iip} to any 8668
Have you tried just running firewall_type="OPEN"? I'm running a custom
rulechain, but OPEN basically goes like this:
divert 8668 ip from any to any via OIF
allow ip from any to any via lo0
deny ip from any to 127.0.0.0/8
allow ip from any to any
Alternatively, you may want to take advantage of ipfw's new 'check-state'
capabilities and set up something like what I have...
divert 8668 ip from any to any via OIF
allow ip from any to any via lo0
deny ip from any to 127.0.0.0/8
check-state
allow ip from OIP to any keep-state
allow ip from INW to any keep-state
#
# rules to allow specific inbound traffic
#
deny ip from any to any
OIF == Outside InterFace
OIP == Outside IP address
INW == Inside NetWork
This lets my LAN 'talk' to the outside world (rules are created on the
fly), allows inbound traffic I want, and denies everything else.
Good luck,
-mrh
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
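As an added example (not code from the original post or from FreeBSD itself), the following sh script turns the checklist above into something you can run: it reports which of the rc.conf knobs Mike lists are missing from a given file, and renders his check-state/keep-state ruleset with OIF, OIP and INW substituted so it can be piped into ipfw or dry-run through `echo`. The interface, address and network values are placeholders you supply; the FWCMD variable and function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check rc.conf for the
# natd/gateway/firewall knobs the reply lists, and render the stateful ipfw
# ruleset with the OIF/OIP/INW placeholders filled in.

# Print the names of the rc.conf knobs from the post that are not set to
# "YES" in the given file, one per line; return 1 if any are missing.
check_rc_conf() {
    file="$1"; missing=0
    for knob in natd_enable gateway_enable firewall_enable; do
        if ! grep -q "^${knob}=\"YES\"" "$file"; then
            echo "$knob"
            missing=1
        fi
    done
    return $missing
}

# Emit the check-state ruleset from the post, one rule per line.
# $1 = outside interface (OIF), $2 = outside IP (OIP), $3 = inside network (INW).
# Site-specific inbound "allow" rules belong just before the final deny.
stateful_rules() {
    oif="$1"; oip="$2"; inw="$3"
    cat <<EOF
divert 8668 ip from any to any via $oif
allow ip from any to any via lo0
deny ip from any to 127.0.0.0/8
check-state
allow ip from $oip to any keep-state
allow ip from $inw to any keep-state
deny ip from any to any
EOF
}

# Load the rules through ipfw. Set FWCMD="echo ipfw" for a dry run that
# only prints the commands instead of touching the running firewall.
apply_rules() {
    fwcmd="${FWCMD:-/sbin/ipfw}"
    stateful_rules "$@" | while read -r rule; do
        $fwcmd add $rule
    done
}
```

A dry run such as `FWCMD="echo ipfw" apply_rules fxp0 192.0.2.1 10.0.0.0/24` shows exactly what would be added before you point it at a live box.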