natd in verbose mode: strange output

Post by Paulastya Gupt » Fri, 20 Aug 1999 04:00:00



Hi all,

I tried running natd in verbose mode since I was having
some performance problems.
Got the following (cut and paste from screen).
Any clues why it's doing all of these translations?
Where are the 10.x.x.x addresses coming from?  My
private addresses for my LAN are 192.168.1.x.

Out [UDP] [UDP] 10.0.0.3:68 -> 10.0.0.255:67 aliased to
[UDP] 24.1.71.151:68 -> 10.0.0.255:67
In [ICMP] [ICMP] 24.1.75.162 -> 224.0.0.2 10(0) aliased to
[ICMP] 24.1.75.162 -> 224.0.0.2 10(0)
In [UDP] [UDP] 10.0.0.3:68 -> 10.0.0.255:67 aliased to
[UDP] 10.0.0.3:68 -> 10.0.0.255:67
Out [UDP] [UDP] 10.0.0.3:68 -> 10.0.0.255:67 aliased to
[UDP] 24.1.71.151:68 -> 10.0.0.255:67
In [UDP] [UDP] 10.0.0.3:68 -> 10.0.0.255:67 aliased to
[UDP] 10.0.0.3:68 -> 10.0.0.255:67
Out [UDP] [UDP] 10.0.0.3:68 -> 10.0.0.255:67 aliased to
[UDP] 24.1.71.151:68 -> 10.0.0.255:67
In [UDP] [UDP] 10.0.0.3:68 -> 10.0.0.255:67 aliased to
[UDP] 10.0.0.3:68 -> 10.0.0.255:67
Out [UDP] [UDP] 10.0.0.3:68 -> 10.0.0.255:67 aliased to
[UDP] 24.1.71.151:68 -> 10.0.0.255:67
In [UDP] [UDP] 192.168.1.1:68 -> 255.255.255.255:67 aliased to
[UDP] 192.168.1.1:68 -> 255.255.255.255:67
In [UDP] [UDP] 10.0.0.3:68 -> 10.0.0.255:67 aliased to
[UDP] 10.0.0.3:68 -> 10.0.0.255:67
Out [UDP] [UDP] 10.0.0.3:68 -> 10.0.0.255:67 aliased to
[UDP] 24.1.71.151:68 -> 10.0.0.255:67
^C
firewall#

Any input would be appreciated.

Thanks, Paul
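The dump above can be triaged mechanically. As an added example (not part of this thread), the Python below re-joins the natd -v records that the screen wrapped after "aliased to", parses them, and buckets each one by whether its pre-NAT source lies inside the LAN prefix; the LAN prefix 192.168.1.0/24 and outside address 24.1.71.151 are taken from the post, and the sample lines are copied from Paul's output.

```python
"""Triage natd(8) -v output: which records have a pre-NAT source outside the
LAN we expect?  Added example; SAMPLE is copied from the poster's screen dump."""
import ipaddress
import re
SAMPLE = """\
Out [UDP] [UDP] 10.0.0.3:68 -> 10.0.0.255:67 aliased to
[UDP] 24.1.71.151:68 -> 10.0.0.255:67
In [ICMP] [ICMP] 24.1.75.162 -> 224.0.0.2 10(0) aliased to
[ICMP] 24.1.75.162 -> 224.0.0.2 10(0)
In [UDP] [UDP] 10.0.0.3:68 -> 10.0.0.255:67 aliased to
[UDP] 10.0.0.3:68 -> 10.0.0.255:67
In [UDP] [UDP] 192.168.1.1:68 -> 255.255.255.255:67 aliased to
[UDP] 192.168.1.1:68 -> 255.255.255.255:67
^C
firewall#
"""

# One record: direction, protocol, original src -> dst, aliased src -> dst.
# ICMP endpoints carry no port; ICMP records end with a "type(code)" field.
_EP = r"(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?"
_REC = re.compile(rf"^(In|Out) \[(\w+)\] \[\w+\] {_EP} -> {_EP}(?: \d+\(\d+\))?"
                  rf" aliased to \[\w+\] {_EP} -> {_EP}(?: \d+\(\d+\))?$")

def records(text):
    """Re-join records the terminal wrapped after 'aliased to', then parse."""
    pending = ""
    for raw in text.splitlines():
        line = f"{pending} {raw.strip()}".strip()
        if line.endswith("aliased to"):
            pending = line
            continue
        pending = ""
        m = _REC.match(line)          # ^C, the shell prompt etc. do not match
        if m:
            yield m.groups()          # (direction, proto, src, dst, asrc, adst)

def triage(text, lan="192.168.1.0/24", outside="24.1.71.151"):
    """Bucket records by what natd did with them, keyed on the pre-NAT source."""
    net = ipaddress.ip_network(lan)
    summary = {"lan": 0, "passthrough": 0, "foreign_masqueraded": {}}
    for direction, _proto, src, _dst, asrc, _adst in records(text):
        if ipaddress.ip_address(src) in net:
            summary["lan"] += 1
        elif direction == "Out" and asrc == outside:
            # Rewritten to our outside address although the source is not on the LAN
            hits = summary["foreign_masqueraded"]
            hits[src] = hits.get(src, 0) + 1
        elif src == asrc:
            summary["passthrough"] += 1   # seen by natd, left untranslated
    return summary
```

Running `triage(SAMPLE)` on the poster's lines reports the 10.0.0.3 record that natd masqueraded as 24.1.71.151 separately from the LAN traffic and the untranslated passthroughs.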


natd in verbose mode: strange output

Post by Stephen Wait » Fri, 20 Aug 1999 04:00:00


Can you paste dumps of an "ifconfig -a" and a "netstat -r"?

Thanks,
Steve


natd in verbose mode: strange output

Post by Paulastya Gupt » Sat, 21 Aug 1999 04:00:00


Steve,

Per your request, files shown below with original mail following.
I have also included natd.cf, rc.firewall and rc.conf for this machine.

Thanks for your help.
Paul
prgu...@konimn.com

--

Stephen Waits wrote:

  Can you paste dumps of an "ifconfig -a" and a "netstat -r"?

  Thanks,
  Steve

ifconfig -a
===========
firewall# ifconfig -a
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
        ether 00:50:04:e3:bb:26
        media: 10baseT/UTP <half-duplex>
        supported media: autoselect 100baseTX <full-duplex> 100baseTX <half-duplex> 100baseTX 10baseT/UTP <full-duplex> 10baseT/UTP <half-duplex> 10baseT/UTP
ep0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 24.1.71.151 netmask 0xfffff000 broadcast 24.1.79.255
        ether 00:a0:24:c0:2c:38
tun0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000
ds0: flags=8009<UP,LOOPBACK,MULTICAST> mtu 65532
        inet 192.168.1.254 netmask 0xffffffff
firewall#

netstat -r
==========
firewall# netstat -r
Routing tables

Internet:
Destination        Gateway            Flags     Refs     Use     Netif Expire
default            r1-fe0-0-100bt.frm UGSc       12  3886619      ep0
24.1.64/20         link#2             UC          0        0      ep0
r1-fe0-0-100bt.frm 0:60:47:27:cd:0    UHLW       11     2382      ep0   1196
news1.frmt1.sfba.h 8:0:20:ab:e7:9     UHLW        0      102      ep0    466
proxy1.frmt1.sfba. 8:0:69:5:51:9d     UHLW        0       12      ep0   1189
proxy2.frmt1.sfba. 8:0:69:5:55:d2     UHLW        0       24      ep0   1146
c1001206-a.frmt1.s 0:a0:c9:1e:98:20   UHLW        0       10      ep0   1153
c724102-a.frmt1.sf 0:e0:29:48:19:4c   UHLW        0        4      ep0   1076
localhost          localhost          UH          1      245      lo0
192.168.1          link#1             UC          0        0      xl0
192.168.1.2        0:10:4b:f1:c4:aa   UHLW        1   684448      xl0    913
192.168.1.254      192.168.1.254      UH          0        0      ds0
firewall#

My Original post
============
Hi all,

I tried running natd in verbose mode since I was having
some performance problems.
Got the following (cut and paste from screen).
Any clues why it's doing all of these translations?
Where are the 10.x.x.x addresses coming from?  My
private addresses for my LAN are 192.168.1.x.

Out [UDP] [UDP] 10.0.0.3:68 -> 10.0.0.255:67 aliased to
[UDP] 24.1.71.151:68 -> 10.0.0.255:67
In [ICMP] [ICMP] 24.1.75.162 -> 224.0.0.2 10(0) aliased to
[ICMP] 24.1.75.162 -> 224.0.0.2 10(0)
In [UDP] [UDP] 10.0.0.3:68 -> 10.0.0.255:67 aliased to
[UDP] 10.0.0.3:68 -> 10.0.0.255:67
Out [UDP] [UDP] 10.0.0.3:68 -> 10.0.0.255:67 aliased to
[UDP] 24.1.71.151:68 -> 10.0.0.255:67
...(stuff deleted)...

--

[ natd.cf 3K ]
# Enable logging to file /var/log/alias.log
#
#log            yes
# We're using CLOG for this.
#
# Incoming connections.  Should NEVER be set to "yes" if redirect_port,
# redirect_address, or permanent_link statements are activated in this file!
#
# Setting to yes provides additional anti-crack protection
#
deny_incoming   no
#
# Use sockets to avoid port clashes.  Uses additional system resources, but
# guarantees successful connections when port numbers conflict
#
use_sockets     yes
same_ports      yes
#
# Verbose mode. Enables dumping of packets and disables
# forking to background.  Only set to yes for debugging.
#
verbose         no
#
# Divert port. Can be a name in /etc/services or numeric value.
#
port            natd
#
# Interface name or address being aliased. Either one,
# not both is required.
#
# Obtain interface name from the command output of "ifconfig -a"
#
# alias_address 192.168.0.1
interface       ep0
#
# Alias unregistered addresses or all addresses.  Set this to yes if
# the inside network is all RFC1918 addresses.
#
unregistered_only       no
#
# Configure permanent links. If you use host names instead
# of addresses here, be sure that name server works BEFORE
# natd is up - this is usually not the case. So either use
# numeric addresses or hosts that are in /etc/hosts.
#
# Note:  Current versions of FreeBSD all call /etc/rc.firewall
# BEFORE running named, so if the DNS server and NAT are on the same
# machine, the nameserver won't be up if natd is called from /etc/rc.firewall
#
# Map connections coming to port 30000 to telnet in my_private_host.
# Remember to allow the connection /etc/rc.firewall also.
#
#  The following permanent_link and redirect_port statements are equivalent
#permanent_link         tcp my_private_host:telnet 0.0.0.0:0 30000
#redirect_port          tcp my_private_host:telnet 30000
#
# Map connections coming from host.xyz.com to port 30001 to
# telnet in another_host.
#permanent_link         tcp another_host:telnet host.xyz.com:0 30001
#
# Static NAT address mapping:
#
#  ipconfig must apply any legal IP numbers that inside hosts
# will be known by to the outside interface.  These are sometimes known as
# virtual IP numbers.  It's suggested to use the "interface" directive
# instead of the "alias_address" directive to make it more clear what is
# going on. (although both will work)
#
# DNS in this situation can get hairy.  For example, an inside host
# named aweb.company.com is located at 192.168.1.56, and needs to be
# accessible through a legal IP number like 198.105.232.1.  If both
# 192.168.1.56 and 198.105.232.1 are set up as address records in the DNS
# for aweb.company.com, then external hosts attempting to access
# aweb.company.com may use address 192.168.1.56 which is inaccessible to them.
#
# The obvious solution is to use only a single address for the name, the
# outside address.  However, this creates needless traffic through the
# NAT, because inside hosts will go through the NAT to get to the legal
# number, even when the inside number is on the same subnet as they are!
#
# It's probably not a good idea to use DNS names in redirect_address statements
#
#The following mapping points outside address 198.105.232.1 to 192.168.1.56
#redirect_address  192.168.1.56         198.105.232.1

[ rc.conf < 1K ]
# This file now contains just the overrides from /etc/defaults/rc.conf
# please make all changes to this file.

# -- sysinstall generated deltas -- #
network_interfaces="ds0 xl0 ep0 lo0"
ifconfig_xl0="inet 192.168.1.1 netmask 255.255.255.0"
ifconfig_ep0="inet 24.1.71.151 netmask 255.255.240.0"
ifconfig_ds0="inet 192.168.1.254 netmask 255.255.255.255"
defaultrouter="24.1.64.1"
hostname="firewall.pageplease.com"
firewall_enable="YES"
firewall_script="/etc/rc.firewall"
firewall_type="OPEN"
#firewall_type="pageplease"
firewall_quiet="NO"
gateway_enable="YES"
named_enable="YES"

[ rc.firewall 5K ]
############
# Setup system for firewall service.
# $Id: rc.firewall,v 1.19.2.1 1999/02/10 18:08:38 jkh Exp $

# Suck in the configuration variables.
if [ -f /etc/defaults/rc.conf ]; then
        . /etc/defaults/rc.conf
elif [ -f /etc/rc.conf ]; then
        . /etc/rc.conf
fi

if [ "x$1" != "x" ]; then
        firewall_type=$1
fi

############
# Set quiet mode if requested
if [ "x$firewall_quiet" = "xYES" ]; then
        fwcmd="/sbin/ipfw -q"
else
        fwcmd="/sbin/ipfw"
fi

############
# Flush out the list before we begin.
$fwcmd -f flush

############
# These rules are required for using natd.  All packets are passed to
# natd before they encounter your remaining rules.  The firewall rules
# will then be run again on each packet after translation by natd,
# minus any divert rules (see natd(8)).
if [ "X${natd_enable}" = X"YES" -a "X${natd_interface}" != X"" ]; then
        $fwcmd add divert natd all from any to any via ${natd_interface}
fi

############
# If you just configured ipfw in the kernel as a tool to solve network
# problems or you just want to disallow some particular kinds of traffic
# then you will want to change the default policy to open.  You can also
# do this as your only action by setting the firewall_type to ``open''.

# $fwcmd add 65000 pass all from any to any

############
# Only in rare cases do you want to change these rules
$fwcmd add 100 pass all from any to any via lo0
$fwcmd add 200 deny all from any to 127.0.0.0/8
$fwcmd add 250 allow all from 63.192.211.186 to any
$fwcmd add 251 allow all from any to 63.192.211.186
$fwcmd add 252 allow all from 206.169.121.100 to any
$fwcmd add 253 allow all from any to 206.169.121.100
$fwcmd add 254 allow all from 24.1.64.33 to any
$fwcmd add 255 allow all from any to 24.1.64.33
$fwcmd add 256 allow tcp from any to any 22
$fwcmd add 257 allow tcp from any 22 to any
$fwcmd add 300 divert natd ip from any to any via ep0

# Prototype setups.
if [ "${firewall_type}" = "open" -o "${firewall_type}" = "OPEN" ]; then

        $fwcmd add deny tcp from any to 24.1.71.151 8080 via ep0
        $fwcmd add 65000 pass all from any to any

elif [ "${firewall_type}" = "client" ]; then

    ############
    # This is a prototype setup that will protect your system somewhat against
    # people from outside your own network.
    ############

    # set these to your network and netmask and ip
    net="192.168.4.0"
    mask="255.255.255.0"
    ip="192.168.4.17"

    # Allow any traffic to or from my own net.
    $fwcmd add pass all from ${ip} to ${net}:${mask}
    $fwcmd add pass all from ${net}:${mask} to ${ip}

    # Allow TCP through if setup succeeded
    $fwcmd add pass tcp from any to any established

    # Allow setup of incoming email
    $fwcmd add pass tcp from any to ${ip} 25 setup

    # Allow setup of outgoing TCP connections only
    $fwcmd add pass tcp from ${ip} to any setup

    # Disallow setup of all other TCP connections
    $fwcmd add deny tcp from any to any setup

    # Allow DNS queries out in the world
    $fwcmd add pass udp from any 53 to ${ip}
    $fwcmd add pass udp from ${ip} to any 53

    # Allow NTP queries out in the world
    $fwcmd add pass udp from any 123 to ${ip}
    $fwcmd add pass udp from ${ip} to any 123

    # Everything else is denied as default.

elif [ "${firewall_type}" = "pageplease" ]; then

    # set these to your outside interface network and netmask and ip
    oif="ep0"
    onet="24.1.71.0"
    omask="255.255.240.0"
    oip="24.1.71.151"

    # set these to your inside interface network and netmask and ip
    iif="xl0"
    inet="192.168.1.0"
    imask="255.255.255.0"
    iip="192.168.1.70"
    natd_interface="ep0"

    # Natd Rule
    $fwcmd add divert natd all from any to any via ${natd_interface}

    # Stop spoofing
    $fwcmd add deny all from ${inet}:${imask} to any in via ${oif}
    $fwcmd add deny all from ${onet}:${omask} to any in via ${iif}

    # Stop RFC1918 nets on the outside interface
    $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
    $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
    $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
    $fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}
    $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
    $fwcmd add deny all from any to 10.0.0.0:255.0.0.0 via ${oif}

    # Allow TCP through if setup succeeded
    $fwcmd add pass tcp from any to any established

    # Allow setup of SSH
    $fwcmd add pass tcp from any to ${iip} 22 setup

    # Allow setup of incoming email
    #$fwcmd add pass tcp from any to ${oip} 25 setup

    # Allow access to our DNS
    # $fwcmd add pass tcp from any to ${oip} 53 setup

    # Allow access to our WWW
    $fwcmd add pass tcp from any to ${oip} 80 setup

    # Reject&Log all setup of incoming connections from the outside
    $fwcmd add deny log tcp from any to any in via ${oif} setup

    # Allow setup of any other TCP connection
    $fwcmd add pass tcp from any to any setup

    # Allow DNS queries out in the world
    $fwcmd add pass udp from any 53 to ${oip}
    $fwcmd add pass udp from ${oip} to any 53

    # Allow NTP queries out in the world
    $fwcmd add pass udp from any 123 to ${oip}
    $fwcmd add pass udp from ${oip} to any 123

    # Everything else is denied as default.

elif [ "${firewall_type}" != "UNKNOWN" -a -r "${firewall_type}" ]; then
        $fwcmd ${firewall_type}
fi


natd in verbose mode: strange output

Post by Jerry Gardn » Sat, 21 Aug 1999 04:00:00



>Hi all,

>I tried running natd in verbose mode since I was having
>some performance problems.
>Got the following (cut and paste from screen).
>Any clues why its doing all of these translations?
>Where are the 10.x.x.x addresses coming from?  My
>private addresses for my LAN are 192.168.1.x

>Out [UDP] [UDP] 10.0.0.3:68 -> 10.0.0.255:67 aliased to
>[UDP] 24.1.71.151:68 -> 10.0.0.255:67
>In [ICMP] [ICMP] 24.1.75.162 -> 224.0.0.2 10(0) aliased to

Paul,


seen all kinds of bizarre stuff on their network over the last 1-1/2
years since I've had their service.

--
Jerry Gardner     | "Bill Clinton has all the steely resolve

