hexdragon
July 28th, 2004, 14:05
Network Trouble - Deals with natd and ipfw

(Foreword: This is my first post in this forum, so I'm sorry if anything about this post is not within the normal, accepted behaviour here)

EDIT: Thanks elmore for moving the thread; I'll try and keep it in the correct forum henceforth.

EDIT: I am considering using ipf and ipnat... I will attempt to tonight and post my results.

Alright, I am trying to set up my FreeBSD 4.10 computer to act as a router. When I only have one computer connected to it via crossover cable, everything works just as I would hope. However, once that crossover connection is replaced with:

(| and --- are cat5 cables)

Router (FreeBSD)
|
switch --- linux server
|
windows computer


I am no longer able to ssh or access http (or anything else, I assume, but those are the only two things I am trying to use) from outside my LAN. I am able to surf the web normally and am able to use the services while inside the LAN (e.g. ssh-ing to 192.168.1.100). Also, I am sometimes unable to SSH to 192.168.1.1 (the router). It transmits the DSA fingerprint and I accept it; after that, nothing happens. The following are the relevant configuration files (any suggestions are HIGHLY appreciated; personally, I think the problem lies within /etc/ipfw.conf, as /etc/natd.conf seems simple enough and is in keeping with every source I've read):

/etc/rc.conf

gateway_enable="YES"
#forward_sourceroute="NO"
#accept_sourceroute="NO"
firewall_enable="YES"
#kern_securelevel_enable="NO"
#nfs_reserved_port_only="YES"
#router="/sbin/routed"
#router_enable="YES"
#router_flags="-s"
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
sshd_enable="YES"
hostname="bulwark.hexdragon.com"
firewall_type="/etc/ipfw.conf"
ppp_enable="YES"
ppp_mode="ddial"
# "YES" adds -nat to the ppp command line, so ppp translates tun0 itself in addition to natd below
ppp_nat="YES"
ppp_profile="bellsouth"
natd_enable="YES"
ifconfig_dc0="inet 192.168.1.1 netmask 255.255.255.0"
# the natd interface is given by "interface tun0" in /etc/natd.conf instead
#natd_interface="rl0"
natd_flags="-f /etc/natd.conf"
dhcpd_enable="YES"
dhcpd_ifaces="dc0"

/etc/natd.conf

interface tun0
use_sockets yes
same_ports yes
dynamic yes
# redirect_port PROTO TARGET_IP:PORT ALIAS_PORT: inbound ALIAS_PORT on tun0 is sent to the target
# ssh and http are TCP services, so the udp lines are harmless but unused
redirect_port udp 192.168.1.100:80 80
redirect_port tcp 192.168.1.100:80 80
redirect_port udp 192.168.1.100:22 22
redirect_port tcp 192.168.1.100:22 22

/etc/ipfw.conf

# natd must see both directions on tun0, ahead of every other rule
add 00100 divert natd all from any to any via tun0
add 00101 allow ip from any to any via lo0
# reuses number 00101; give this rule its own number so the order is explicit
add 00101 deny ip from any to 127.0.0.0/8
# replies to connections recorded by the keep-state rules below
add 00200 check-state
add 00400 allow ip from any to any keep-state out
add 00525 allow ip from 192.168.1.0/24 to any keep-state via dc0
# inbound connections to the ports natd redirects to 192.168.1.100 (pass is a synonym for allow)
add 00550 pass tcp from any to any 22 in via tun0 setup
# no "in via tun0", so this applies on every interface in both directions
add 00551 allow udp from any to any 22
add 00600 pass tcp from any to any 80 in via tun0 setup
add 00601 allow udp from any to any 80
# anything else reaches rule 65535, which denies unless the kernel has IPFIREWALL_DEFAULT_TO_ACCEPT
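
A consistency check for a natd.conf/ipfw.conf pair like the one above, added here as an example and not part of the original post. It parses the redirect_port lines of natd.conf and the rules of ipfw.conf and reports what one would otherwise verify by hand: that the divert rule sits on the interface natd translates, that rule numbers are unique, that every redirect has an allow rule for the translated inbound packet (natd rewrites the destination to the target address and port and the packet re-enters ipfw at the rule after the divert, so the rule admitting it must match the private target, not the public address), and that a port rule is no wider than the redirect needs. The parser is my own and covers only the rule syntax used on this page; the configuration text embedded in it is a constructed copy of the posted files.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple
# Constructed sample input: the interface/redirect lines of the posted natd.conf and the posted ipfw rules.
NATD_CONF = """\
interface tun0
redirect_port udp 192.168.1.100:80 80
redirect_port tcp 192.168.1.100:80 80
redirect_port udp 192.168.1.100:22 22
redirect_port tcp 192.168.1.100:22 22
"""
IPFW_CONF = """\
add 00100 divert natd all from any to any via tun0
add 00101 allow ip from any to any via lo0
add 00101 deny ip from any to 127.0.0.0/8
add 00200 check-state
add 00400 allow ip from any to any keep-state out
add 00525 allow ip from 192.168.1.0/24 to any keep-state via dc0
add 00550 pass tcp from any to any 22 in via tun0 setup
add 00551 allow udp from any to any 22
add 00600 pass tcp from any to any 80 in via tun0 setup
add 00601 allow udp from any to any 80
"""
ALLOW_ACTIONS = {"allow", "pass", "accept", "permit"}
PORT_RE = re.compile(r"^\d+(-\d+)?(,\d+(-\d+)?)*$")  # 22 | 80,443 | 1-1024

@dataclass
class Rule:
    num: int
    action: str
    proto: Optional[str] = None
    dst: str = "any"
    dports: Optional[str] = None     # None means any port
    direction: Optional[str] = None  # "in", "out" or None (both)
    via: Optional[str] = None        # interface, None means any

def parse_ipfw_rule(line: str) -> Rule:
    """Parse 'add NUM ACTION [ARG] PROTO from SRC [PORTS] to DST [PORTS] [OPTIONS]'."""
    w = line.split()
    rule = Rule(int(w[1]), w[2])
    if rule.action == "check-state":
        return rule
    i = 4 if rule.action in ("divert", "tee", "skipto", "pipe", "queue") else 3  # skip ARG
    rule.proto = w[i]
    i = w.index("to", i) + 1  # the source address and ports are not needed by the checks
    rule.dst = w[i]
    rest = w[i + 1:]
    if rest and PORT_RE.match(rest[0]):
        rule.dports, rest = rest[0], rest[1:]
    rule.direction = next((t for t in rest if t in ("in", "out")), None)
    rule.via = rest[rest.index("via") + 1] if "via" in rest else None
    return rule

def parse_natd(text: str) -> Tuple[Optional[str], List[Tuple[str, str, int, int]]]:
    """Return (interface, [(proto, target_ip, target_port, alias_port), ...])."""
    iface, redirects = None, []
    for w in (l.split() for l in text.splitlines()):
        if w and w[0] == "interface":
            iface = w[1]
        elif w and w[0] == "redirect_port":  # PROTO TARGET_IP:PORT [ALIAS_IP:]PORT
            tip, tport = w[2].rsplit(":", 1)
            aport = w[3].rsplit(":", 1)[-1]  # a port range is reduced to its first port
            redirects.append((w[1], tip, int(tport.split("-")[0]), int(aport.split("-")[0])))
    return iface, redirects

def port_in(spec: Optional[str], port: int) -> bool:
    """True if PORT is covered by an ipfw port list; no list means any port."""
    return spec is None or any(int(lo) <= port <= int(hi or lo)
                               for lo, _, hi in (p.partition("-") for p in spec.split(",")))

def check(natd_text: str, ipfw_text: str) -> List[str]:
    """Findings for one natd.conf/ipfw.conf pair; an empty list means consistent."""
    out: List[str] = []
    iface, redirects = parse_natd(natd_text)
    rules = [parse_ipfw_rule(l) for l in ipfw_text.splitlines() if l.startswith("add")]
    # Reusing a number is legal, but the relative order of the rules then depends on load order.
    for num, n in sorted(Counter(r.num for r in rules).items()):
        if n > 1:
            out.append(f"rule number {num} is used {n} times; give each rule its own number")
    divert = next((r for r in rules if r.action == "divert"), None)
    if divert is None:
        return out + ["no divert rule: natd never receives a packet"]
    if divert.via != iface:
        out.append(f"divert rule {divert.num} is on {divert.via} but natd.conf translates {iface}")
    for proto, tip, tport, aport in redirects:
        # The translated packet re-enters ipfw after the divert as 'in via <iface>' to TARGET_IP:TARGET_PORT.
        cover = [r for r in rules if r.num > divert.num and r.action in ALLOW_ACTIONS
                 and r.proto in (proto, "ip", "all") and r.direction != "out"
                 and r.via in (None, iface) and r.dst in ("any", tip) and port_in(r.dports, tport)]
        if not cover:
            out.append(f"redirect {proto}/{aport} -> {tip}:{tport}: no rule after the divert allows inbound {proto} to port {tport} via {iface}")
        for r in cover:
            if r.direction is None and r.via is None:
                out.append(f"rule {r.num} allows {proto}/{tport} on every interface in both directions; the redirect only needs 'in via {iface}'")
    return out

if __name__ == "__main__":
    print("\n".join(check(NATD_CONF, IPFW_CONF)))
```

Run with python3, it prints the findings for the posted pair: the reused number 101, and rules 551 and 601, which admit udp/22 and udp/80 on every interface in both directions rather than only in via tun0. All four redirects do have a matching allow rule after the divert, so for this ruleset the check does not point at a missing rule; swapping the divert onto another interface, or adding a redirect with no corresponding rule, makes it report those instead.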

elmore
July 29th, 2004, 06:40
Moved this thread to the firewall forum. You might have better success here. Welcome to S.E. :smile: