ipfw, freebsd 4.6, natd redirected ports (NOT)


Post by Sabation Hunte » Wed, 14 Aug 2002 15:58:51



OK, the first time I tried this was on a 4.3 FreeBSD sometime last year..
this time it's on a 4.6 machine. The man pages and the articles I have
seen on the net and in the usenet groups all seem to be saying some
simple task of  "-redirect_port tcp 192.168.0.3:80 80" to get the ball
rolling..

I'm sorry.. but that just doesn't cut it for me. I'm not exactly sure
WHAT the magic is that everyone else seems to have.. but this is what
I get when doing this.

My setup:  Freebsd 4.6, Firewall/Gateway Running ipfw  rules and natd
Command output:

0wn3d# natd -redirect_port tcp 192.168.0.2:80 80
natd: aliasing address not given

(reading through man page) I decided to change the command line a
bit...
0wn3d# natd -interface fxp0 -redirect_port tcp 192.168.0.2:80 80
natd: Unable to bind divert socket.: Address already in use

(grimacing)

I know for a FACT that i have nothing on 80 running on this machine:
(output of netstat -atn omitted)

In fact.. no matter WHAT port i use.. it still gives me the same
error..

(for shitz and grins)

0wn3d# natd -alias_address <myexternip> -redirect_port tcp 192.168.0.2:8080 8080
natd: Unable to bind divert socket.: Address already in use

So, i'm asking anyone.. WHAT IS THE MAGIC?

(relevant rc.conf entries)
firewall_enable="YES"
firewall_type="SIMPLE"
firewall_quiet="NO"
firewall_script="/etc/rc.firewall"
firewall_logging="YES"
natd_enable="YES"
natd_interface="fxp0"
natd_flags="-m "

Thanks..

 
 
 


Post by twea » Thu, 15 Aug 2002 16:19:36


try adding the -redirect_port to your rc.conf under natd_flags
then reboot or exit to singleuser then back to multiuser... it works for
me... and I'm a total newb at this

 
 
 


Post by Thomas Wo » Thu, 15 Aug 2002 16:37:07


On Mon, 12 Aug 2002 23:58:51 -0700, Sabation Hunter


>OK, the first time i tried this was on a 4.3 freebsd some last year..
>this time its on a 4.6 machine. The man pages and the articles i have
>seen on the net and in the usenet groups all seem to be saying some
>simple task of  "-redirect_port tcp 192.168.0.3:80 80" to get the ball
>rolling..

>I'm sorry.. but that just doesnt cut it for me. I'm not exactly sure
>WHAT the magic is that everyone else seems to have.. but this is what
>i get when doing this.

>My setup:  Freebsd 4.6, Firewall/Gateway Running ipfw  rules and natd
>Command output:

>0wn3d# natd -redirect_port tcp 192.168.0.2:80 80
>natd: aliasing address not given

>(reading through man page) I decided to change the command line a
>bit...
>0wn3d# natd -interface fxp0 -redirect_port tcp 192.168.0.2:80 80
>natd: Unable to bind divert socket.: Address already in use

You have natd already running (started out of rc, due to
natd_enable="YES" in your rc.conf). It's not complaining
about port 80 but about 8668 (default port natd is listening on).


>(grimacing)

>I know for a FACT that i have nothing on 80 running on this machine:
>(output of netstat -atn omitted)

>In fact.. no matter WHAT port i use.. it still gives me the same
>error..

>(for shitz and grins)

>0wn3d# natd -alias_address <myexternip> -redirect_port tcp 192.168.0.2:8080 8080
>natd: Unable to bind divert socket.: Address already in use

>So, i'm asking anyone.. WHAT IS THE MAGIC?

>(relevant rc.conf entries)
>firewall_enable="YES"
>firewall_type="SIMPLE"
>firewall_quiet="NO"
>firewall_script="/etc/rc.firewall"
>firewall_logging="YES"
>natd_enable="YES"
>natd_interface="fxp0"
>natd_flags="-m "

should be:
natd_flags="-m -redirect_port tcp 192.168.0.2:80 80"
At the next reboot, natd will use these options.

HTH
Thomas

 
 
 


Post by wswa » Thu, 15 Aug 2002 20:40:59


> 0wn3d# natd -interface fxp0 -redirect_port tcp 192.168.0.2:80 80
> natd: Unable to bind divert socket.: Address already in use

natd already running is the reason you get the "Address already in
use".
You need to put the options in /etc/rc.conf natd_flags="-redirect_port
tcp 192.168.0.2:80 80"  or better yet point it to a config file. As
far as I know, to change natd settings after boot you have to kill it and
restart it.

Here is what I use:

/etc/rc.conf
------------
natd_enable="YES"
natd_flags="-f /etc/natd.conf"
natd_interface="fxp0"

/etc/natd.conf
--------------
use_sockets yes
same_ports yes
dynamic yes
unregistered_only yes
redirect_port tcp 192.168.1.5:9110 9110
redirect_port udp 192.168.1.5:9110 9110
redirect_port tcp 192.168.1.5:6073 6073
redirect_port udp 192.168.1.5:6073 6073
redirect_port tcp 192.168.1.5:47624 47624
redirect_port udp 192.168.1.5:47624 47624
redirect_port tcp 192.168.1.5:2302-2306 2302-2306
redirect_port udp 192.168.1.5:2302-2306 2302-2306
redirect_port tcp 192.168.1.6:2307-2311 2307-2311
redirect_port udp 192.168.1.6:2307-2311 2307-2311

If you change the settings in /etc/natd.conf you will have to kill
natd and restart it like so:

%killall natd
%natd -n fxp0 -f /etc/natd.conf

-Scott

 
 
 


Post by Beyo de Beyon » Fri, 16 Aug 2002 01:41:12



> try add the -redirect_port to your rc.conf under natd_flags
> then reboot or exit to singleuser then back to multiuser... it works for
> me... and im total newb at this

Tried that first.. didn't change a thing.. that's when I took it out of
the rc.conf and decided to try on the command line..

:/

 
 
 


Post by Terrelle Sha » Fri, 16 Aug 2002 07:31:04


Ok Scott,
        I'll try it right now your way.. I previously had the -redirect_port
in the /etc/rc.conf under natd_flags, but I took it out when I didn't
make a connection to my internal box, thus prompting me to try on the
command line.

Anyways... I'm rebooting the machine now.. we'll see if it works..

Thanks for the response!


Post by Terrelle Sha » Fri, 16 Aug 2002 07:31:28


Ok.. I did exactly what you described.. Still no go..
Is there supposed to be some ipfw rules set? I have added some rules to
allow tcp to my external ip on port 80 on the external interface.. and
also added a rule for my any-dest traffic to leave my internal box from
port 80...

What I get from TCPDUMP is that I see the request getting to the
external public ip and port.. but nothing is getting past that to the
internal box..
In effect.. my firewall is working like a charm.. (too damn good in fact)

:/

So the magic is still with you guys..


Post by wswa » Fri, 16 Aug 2002 11:21:52


How are you testing this? You cannot test it internally...

I'm also assuming you have your firewall set up right.. How do you have
it set up right now?

-Scott



Post by Sabation Hunte » Thu, 15 Aug 2002 12:44:29


At the time of the last post, I was testing externally from my box.
(I know of the nat translation issue trying to test this internally)

My rc.firewall rules will follow ..
Maybe I'm blocking it from getting to it even though I have a rule for
port 80 to be accessible .. <shrug>

--- <rc.firewall>
        # Allow TCP through if setup succeeded
        ${fwcmd} add pass tcp from any to any established
        ${fwcmd} add pass all from any to any via ${iif}
        ${fwcmd} add pass all from ${onet}:${omask} to any out via ${oif}

        # Allow IP fragments to pass through
        ${fwcmd} add pass all from any to any frag

        # Allow setup of incoming email
        ${fwcmd} add pass tcp from any to ${oip} 25 setup

        #allow SSH into my box
        ${fwcmd} add pass tcp from any to ${oip} 22 setup
        ${fwcmd} add pass tcp from any to ${iip} 22 setup

        #Allow icmp traffic (tshaw)
        ${fwcmd} add pass icmp from ${oip} to any
        ${fwcmd} add pass icmp from any to ${oip}
        ${fwcmd} add pass icmp from ${inet}:${imask} to any
        ${fwcmd} add pass icmp from any to ${inet}:${imask}

        # Allow access to our DNS
        ${fwcmd} add allow udp from any to <isp DNS> 53 out xmit fxp0
        ${fwcmd} add allow udp from <isp dns> 53 to any in recv fxp0
        ${fwcmd} add pass tcp from any to ${oip} 53 setup
        ${fwcmd} add pass udp from any to ${oip} 53
        ${fwcmd} add pass udp from ${oip} 53 to any
        ${fwcmd} add pass udp from any 53 to any
        ${fwcmd} add pass udp from any to any 53

        # Allow access to our WWW
        ${fwcmd} add pass tcp from any to ${oip} 80 setup

        # Reject&Log all setup of incoming connections from the outside
        ${fwcmd} add deny log tcp from any to any in via ${oif} setup

        # Allow setup of any other TCP connection
        ${fwcmd} add pass tcp from any to any setup

        # Allow DNS queries out in the world
        ${fwcmd} add pass udp from ${oip} to any 53 keep-state
        # Allow NTP queries out in the world
        ${fwcmd} add pass udp from ${oip} to any 123 keep-state

        # Everything else is denied by default, unless the
        # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
        # config file.
        ;;

Thanks to any and all who are following this and helping..



Post by wswa » Fri, 16 Aug 2002 21:48:20


The original rc.firewall has a line that adds the divert rule.. do you
still have this?

Clip from rc.firewall
---------------------
case ${natd_enable} in
        [Yy][Ee][Ss])
                if [ -n "${natd_interface}" ]; then
                        ${fwcmd} add divert natd all from any to any via ${natd_interface}
                fi
                ;;
esac
---------------------

If you do "ipfw show" you should see a divert rule; without it a
packet never gets to natd. It needs to be one of the first rules.
(Trick: You can test internally if the divert rule is "via any")

%ipfw show
00050 3669724 2054077598 divert 8668 ip from any to any via fxp0
00100  117068   25512096 allow ip from any to any via lo0
00200       0          0 deny ip from any to 127.0.0.0/8
00300       0          0 deny ip from 127.0.0.0/8 to any
65000 3669709 2054057003 allow ip from any to any
65535       0          0 deny ip from any to any

-Scott



Post by Sabation Hunte » Sat, 17 Aug 2002 14:06:59


Yes I had that.. I didn't send it due to that being the default.. I only
posted what I added..

ok.  Thanks for your suggestions.. I found what the problem was today.
After posting the rc.firewall rules I really kept looking at that for
the source of my problem. I ran tcpdump on the external interface
( tcpdump -i fxp0 port 80 )
and the internal interface ( tcpdump -i dc0 'not port ssh' )   (I
wanted to see all my traffic except my ssh traffic, which I was logged
in as)

Then I went to the internal box and did a (tcpdump -i eth0 port 80) so
I could see if any traffic hit the box at all..

So the things I found were that packets WERE hitting the external
interface (fxp0) and (from tcpdump) the dest port was redirecting to
the internal ip of the box I wanted (good thing), but I saw NO
traffic on the internal interface card (dc0) nor on the internal ip of
the box (eth0).

So that made me think that it was getting dropped somewhere.. so I
looked in the log file for my denied packets.. and sure enough there
was a rule (not the last one) that was denying the packets. Once I
removed that rule.. I saw traffic flow through and the web server came
alive.  :)

Basically I had put a deny all rule higher in the "chain" of rules
than I wanted (shown below in my previous post of rc.firewall)

All is well now.. Thanks for the troubleshooting tips..

:)

On 15 Aug 2002 05:48:20 -0700, wsw...@hotmail.com (wsware) wrote:

>The original rc.firewall has a line that adds the divert rule.. do you
>still have this?

>Clip from rc.firewall
>---------------------
>case ${natd_enable} in
>        [Yy][Ee][Ss])
>                if [ -n "${natd_interface}" ]; then
>                        ${fwcmd} add divert natd all from any to any via ${natd_interface}
>                fi
>                ;;
>esac
>---------------------

>If you do "ipfw show" you should see a divert rule; without it a
>packet never gets to natd. It needs to be one of the first rules.
>(Trick: You can test internally if the divert rule is "via any")

>%ipfw show
>00050 3669724 2054077598 divert 8668 ip from any to any via fxp0
>00100  117068   25512096 allow ip from any to any via lo0
>00200       0          0 deny ip from any to 127.0.0.0/8
>00300       0          0 deny ip from 127.0.0.0/8 to any
>65000 3669709 2054057003 allow ip from any to any
>65535       0          0 deny ip from any to any

>-Scott

>Sabation Hunter <i...@farscape.net> wrote in message <news:sfjjluccj64tg153sm97bcb3rgn32bqki5@4ax.com>...
>> At the time of the last post, I was testing externally from my box.
>> (I know of the nat translation issue trying to test this internally)

>> My rc.firewall rules will follow ..
>> Maybe I'm blocking it from getting to it even though I have a rule for
>> port 80 to be accessible .. <shrug>

>> --- <rc.firewall>
>>         # Allow TCP through if setup succeeded
>>         ${fwcmd} add pass tcp from any to any established
>>         ${fwcmd} add pass all from any to any via ${iif}
>>         ${fwcmd} add pass all from ${onet}:${omask} to any out via ${oif}

>>         # Allow IP fragments to pass through
>>         ${fwcmd} add pass all from any to any frag

>>         # Allow setup of incoming email
>>         ${fwcmd} add pass tcp from any to ${oip} 25 setup

>>         #allow SSH into my box
>>         ${fwcmd} add pass tcp from any to ${oip} 22 setup
>>         ${fwcmd} add pass tcp from any to ${iip} 22 setup

>>         #Allow icmp traffic (tshaw)
>>         ${fwcmd} add pass icmp from ${oip} to any
>>         ${fwcmd} add pass icmp from any to ${oip}
>>         ${fwcmd} add pass icmp from ${inet}:${imask} to any
>>         ${fwcmd} add pass icmp from any to ${inet}:${imask}

>>         # Allow access to our DNS
>>         ${fwcmd} add allow udp from any to <isp DNS> 53 out xmit fxp0
>>         ${fwcmd} add allow udp from <isp dns> 53 to any in recv fxp0
>>         ${fwcmd} add pass tcp from any to ${oip} 53 setup
>>         ${fwcmd} add pass udp from any to ${oip} 53
>>         ${fwcmd} add pass udp from ${oip} 53 to any
>>         ${fwcmd} add pass udp from any 53 to any
>>         ${fwcmd} add pass udp from any to any 53

>>         # Allow access to our WWW
>>         ${fwcmd} add pass tcp from any to ${oip} 80 setup

>>         # Reject&Log all setup of incoming connections from the outside

        ${fwcmd} add deny log tcp from any to any in via ${oif} setup


>>         # Allow setup of any other TCP connection
>>         ${fwcmd} add pass tcp from any to any setup

>>         # Allow DNS queries out in the world
>>         ${fwcmd} add pass udp from ${oip} to any 53 keep-state
>>        # Allow NTP queries out in the world
>>         ${fwcmd} add pass udp from ${oip} to any 123 keep-state

>>         # Everything else is denied by default, unless the
>>         # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
>>         # config file.
>>         ;;

>> Thanks to any and all who are following this and helping..

>> On 14 Aug 2002 19:21:52 -0700, wsw...@hotmail.com (wsware) wrote:

>> >How are you testing this? You can not test it internally...

>> >I'm also assuming you have your firewall setup right.. How do you have
>> >it setup right now?

>> >-Scott

>> >Terrelle Shaw <hs...@safeweb.com> wrote in message <news:3D5ADA40.2000202@safeweb.com>...
>> >> Ok.. i did exactly what you described.. Still no go..
>> >> Is there supposed to be some ipfw rules set? i have added some rules to
>> >> allow tcp to my external ip on port 80 on the external interface.. and
>> >> also added a rule for my any dest traffic to leave my internal box from
>> >> port 80...

>> >> What i get from TCPDUMP is that i see the request getting to the
>> >> external public ip and port.. but nothing is getting past that to the
>> >> internal box..
>> >> ineffect.. my firewall is working like a charm.. (too damn good infact)

>> >> :/

>> >> So the magic is still with you guys..

>> >> wsware wrote:
>> >>  >>0wn3d# natd -interface fxp0 -redirect_port tcp 192.168.0.2:80 80
>> >>  >>natd: Unable to bind divert socket.: Address already in use

>> >>  > natd is already running is the reason you get the Address already in
>> >>  > use.
>> >>  > You need to put the options in /etc/rc.conf natd_flags="-redirect_port
>> >>  > tcp 192.168.0.2:80 80"  or better yet point it to a config file. As
>> >>  > far as I know to change natd setting after boot you have to kill it a
>> >>  > restart it.

>> >>  > Here is what I use:

>> >>  > /etc/rc.conf
>> >>  > ------------
>> >>  > natd_enable="YES"
>> >>  > natd_flags="-f /etc/natd.conf"
>> >>  > natd_interface="fxp0"

>> >>  > /etc/natd.conf
>> >>  > --------------
>> >>  > use_sockets yes
>> >>  > same_ports yes
>> >>  > dynamic yes
>> >>  > unregistered_only yes
>> >>  > redirect_port tcp 192.168.1.5:9110 9110
>> >>  > redirect_port udp 192.168.1.5:9110 9110
>> >>  > redirect_port tcp 192.168.1.5:6073 6073
>> >>  > redirect_port udp 192.168.1.5:6073 6073
>> >>  > redirect_port tcp 192.168.1.5:47624 47624
>> >>  > redirect_port udp 192.168.1.5:47624 47624
>> >>  > redirect_port tcp 192.168.1.5:2302-2306 2302-2306
>> >>  > redirect_port udp 192.168.1.5:2302-2306 2302-2306
>> >>  > redirect_port tcp 192.168.1.6:2307-2311 2307-2311
>> >>  > redirect_port udp 192.168.1.6:2307-2311 2307-2311

>> >>  > If you change the settings in /etc/natd.conf you will have to kill
>> >>  > natd and restart it like so:

>> >>  > %killall natd
>> >>  > %natd -n fxp0 -f /etc/natd.conf

>> >>  > -Scott
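The thread's resolution (packets reach fxp0 and natd rewrites the destination, but a deny rule earlier in the chain drops them before they reach dc0) and Scott's point that the divert rule must come first both follow from one detail of how ipfw and natd interact: after the divert rule, the packet re-enters the ruleset at the next rule with its destination already translated, so a "pass ... to ${oip} 80 setup" rule no longer matches it, and the "deny log tcp from any to any in via ${oif} setup" rule does. The model below is an added example written for this page, not code from the thread or from FreeBSD. It parses redirect_port lines in the style of Scott's natd.conf, walks a ruleset modelled on the poster's rc.firewall, and shows the drop; as a narrower alternative to removing the deny rule (which is what the poster did), it also shows a pass rule for the translated destination placed before the deny. Only the rule keywords used in the thread are modelled; 203.0.113.10 (standing in for ${oip}) and the client address 198.51.100.7 are constructed values.

```python
"""Toy model of ipfw rule evaluation around a natd divert rule (FreeBSD 4.x style).

Added example, not code from the thread or from FreeBSD. Only the rule
keywords that appear in the thread are modelled (proto, from/to, dst port,
in/out, via, setup); 'established', fragments, logging and keep-state are not.
"""
from dataclasses import dataclass, replace

OIP, OIF = "203.0.113.10", "fxp0"   # constructed stand-ins for ${oip} / ${oif}
WEB_BOX = "192.168.0.2"             # internal web server from the thread


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int
    iface: str       # interface the packet is seen on
    direction: str   # "in" or "out"
    syn_only: bool   # first packet of a TCP connection, what ipfw calls "setup"


# natd.conf lines in the style of Scott's file (constructed sample)
NATD_CONF = """\
use_sockets yes
same_ports yes
redirect_port tcp 192.168.0.2:80 80
redirect_port udp 192.168.1.5:2302-2306 2302-2306
"""


def port_range(spec):
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)


def parse_redirects(conf):
    """Return (proto, host, (target_lo, target_hi), (public_lo, public_hi)) tuples."""
    table = []
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "redirect_port":
            proto, target, public = parts[1:]
            host, tports = target.rsplit(":", 1)
            table.append((proto, host, port_range(tports), port_range(public)))
    return table


def natd_translate(pkt, table):
    """Inbound packets whose (proto, dport) hit a redirect get dst rewritten."""
    if pkt.direction != "in":
        return pkt
    for proto, host, (tlo, _thi), (plo, phi) in table:
        if proto == pkt.proto and plo <= pkt.dport <= phi:
            return replace(pkt, dst=host, dport=tlo + (pkt.dport - plo))
    return pkt


def rule(action, proto="ip", src="any", dst="any", dport=None,
         direction=None, via=None, setup=False):
    return dict(action=action, proto=proto, src=src, dst=dst, dport=dport,
                direction=direction, via=via, setup=setup)


def matches(r, p):
    return (r["proto"] in ("ip", p.proto)
            and r["src"] in ("any", p.src)
            and r["dst"] in ("any", p.dst)
            and (r["dport"] is None or r["dport"] == p.dport)
            and (r["direction"] is None or r["direction"] == p.direction)
            and (r["via"] is None or r["via"] == p.iface)
            and (not r["setup"] or p.syn_only))


def evaluate(rules, pkt, table):
    """First matching pass/deny rule wins. A matching divert hands the packet to
    natd and evaluation continues at the next rule with the translated header."""
    for number, r in enumerate(rules, 1):
        if not matches(r, pkt):
            continue
        if r["action"] == "divert":
            pkt = natd_translate(pkt, table)
            continue
        return r["action"], number, pkt.dst
    return "deny", len(rules) + 1, pkt.dst   # kernel default-to-deny policy


# Subset of the poster's rc.firewall, in his order (divert comes from the stock file)
ORIGINAL_RULES = [
    rule("divert", via=OIF),                                    # natd divert rule
    rule("pass", "tcp", dst=OIP, dport=25, setup=True),         # incoming mail
    rule("pass", "tcp", dst=OIP, dport=22, setup=True),         # ssh
    rule("pass", "tcp", dst=OIP, dport=80, setup=True),         # "Allow access to our WWW"
    rule("deny", "tcp", direction="in", via=OIF, setup=True),   # "Reject&Log ... from the outside"
    rule("pass", "tcp", setup=True),                            # any other TCP setup
]

# Alternative to deleting the deny rule: pass the *translated* destination before it
FIXED_RULES = ORIGINAL_RULES[:4] + [
    rule("pass", "tcp", dst=WEB_BOX, dport=80, setup=True),
] + ORIGINAL_RULES[4:]

INBOUND_SYN = Packet("tcp", "198.51.100.7", OIP, 80, OIF, "in", True)  # constructed client


def verdict(rules, pkt=INBOUND_SYN):
    return evaluate(rules, pkt, parse_redirects(NATD_CONF))


if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL_RULES), ("fixed", FIXED_RULES)):
        action, number, dst = verdict(rules)
        print(f"{name}: rule {number} -> {action} (dst after natd = {dst})")
```

Running it prints the drop at rule 5 for the original ordering and a pass at the inserted rule for the fixed one; the same model shows that an inbound ssh SYN, which no redirect touches, still matches the "to ${oip} 22 setup" rule, which is why the poster's other services kept working while port 80 did not.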