Thanks Ruslan;
I'll give it a try right now.
Just want to send this out before I switch firewalls,
assuming I might be down for an hour or so tweaking.
oip and iip are static variables in rc.firewall but
under DHCP oip is a moving target. Is there a recommended
way to pass these to rc.firewall so a re-edit is not needed?
Thanks Again
Scot
-----Original Message-----
From: Ruslan Ermilov [mailto:ru@FreeBSD.ORG]
Sent: Tuesday, March 25, 2003 4:20 AM
To: Scot
Cc: FreeBSD Stable; ipfw@FreeBSD.ORG
Subject: Re: Natd stops working on Firewall
On Mon, Mar 24, 2003 at 09:52:32PM -0500, Scot wrote:
> Hi;
>
> Just setup my FreeBSD 4.7 Firewall using the docs
> outlined in the handbook.
>
What docs you have used to set up the firewall?
> The install went on and
> everything seems to be working fine then boom.
> The system seems to stop routing traffic. No
> messages in the security log or natd log as to why.
>
> I made sure it was logging by nmaping my box from the
> outside. I even ran natd in the foreground and it still didn't
> tell me what was going on.
>
> There is nothing in any logfile that tells me why this thing
> just stops working so I'm thinking it may not be a daemon but
> something in the kernel.
>
> I cannot ping the interface from the internal network but tcpdump shows
> the packets being received. (Hub network firewall_type=SIMPLE ).
>
> If I logon to the console the cable modem connection is still functioning
> and I can surf from the firewall.
>
> Any ideas on where to look next ??
>
>
> Cable modem using dhcp -> 192.168 home network on
> PPro w/280 MB ram.
> Intel Pro 10/100b/100+ Ethernet This card is a PCI card with 2 interfaces.
> Standard Xuser install + Kernel sources.
>
I've been through this just recently. Our "simple" prototype
is not production ready; if you just tune oip/iip/onet/inet,
etc., it won't allow your internal machines to talk outside.
The packet flow for a machine in ${inet}:${imask} talking outside
is as follows:
${inet}:${imask} -> some_host (in via ${iif})
${oip} -> some_host (out via ${oif}) (after NAT)
some_host -> ${inet}:${imask} (in via ${oif}) (after de-NAT)
some_host -> ${inet}:${imask} (out via ${iif})
(This assumes that you NAT using ${oip}, which is not always
the case.)
So, to make it work (if default is to "deny"), you need to add
the following rules at the end of the ruleset:
${fwcmd} add pass all from ${inet}:${imask} to any in via ${iif}
${fwcmd} add pass ip from ${oip} to any out via ${oif}
${fwcmd} add pass ip from any to ${inet}:${imask}
Cheers,
--
Ruslan Ermilov Sysadmin and DBA,
ru@sunbay.com Sunbay Software AG,
ru@FreeBSD.org FreeBSD committer,
+380.652.512.251 Simferopol, Ukraine
http://www.FreeBSD.org The Power To Serve
http://www.oracle.com Enabling The Information Age
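The two technical points in this thread, Ruslan's three pass rules and Scot's follow-up about ${oip} moving under DHCP, can be combined in a small sh script. The example below is an added illustration, not code from the thread and not FreeBSD's own rc.firewall: it reads the outside address from ifconfig-style text at firewall start time, refuses to emit anything when no lease is present yet (so a default-deny ruleset stays closed instead of receiving a rule with an empty source), and prints the rules exactly as Ruslan listed them. The interface names fxp0/fxp1, the 203.0.113.7 address and the 192.168.1.0/24 network are constructed sample values.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD's rc.firewall.
# Idea: look up ${oip} from the DHCP interface when the firewall script
# runs, instead of editing a static value into rc.firewall, then emit the
# three rules from Ruslan's reply. Interface names and addresses below are
# constructed sample values.

# Pull the first IPv4 address out of ifconfig(8)-style text given as $1.
# Prints nothing and returns 1 when there is no "inet" line, which is the
# state before dhclient has obtained a lease.
extract_oip() {
    printf '%s\n' "$1" | awk '$1 == "inet" { print $2; exit }' | grep .
}

# Print the three pass rules in the order they belong at the end of the
# ruleset: $1=fwcmd $2=oip $3=iif $4=oif $5=inet $6=imask
nat_rules() {
    fwcmd=$1 oip=$2 iif=$3 oif=$4 inet=$5 imask=$6
    printf '%s add pass all from %s:%s to any in via %s\n' "$fwcmd" "$inet" "$imask" "$iif"
    printf '%s add pass ip from %s to any out via %s\n' "$fwcmd" "$oip" "$oif"
    printf '%s add pass ip from any to %s:%s\n' "$fwcmd" "$inet" "$imask"
}

# Build the rules from interface state. $1 is ifconfig output for the
# outside interface (in real use: "$(ifconfig "$oif")"); the rest are the
# rc.firewall variables. Returns 1 without printing any rule when the
# outside address is unknown, so a default-deny firewall stays closed.
dynamic_rules() {
    ifout=$1 fwcmd=$2 iif=$3 oif=$4 inet=$5 imask=$6
    oip=$(extract_oip "$ifout") || {
        echo "no inet address on $oif yet; not adding NAT pass rules" >&2
        return 1
    }
    nat_rules "$fwcmd" "$oip" "$iif" "$oif" "$inet" "$imask"
}

# Constructed ifconfig output for the outside interface (sample values).
SAMPLE_IFCONFIG='fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 203.0.113.7 netmask 0xffffff00 broadcast 203.0.113.255
        ether 00:00:00:00:00:01
        media: Ethernet autoselect (100baseTX <full-duplex>)'

# "echo ipfw" stands in for ${fwcmd} so the demo only prints what it would run.
dynamic_rules "$SAMPLE_IFCONFIG" "echo ipfw" fxp1 fxp0 192.168.1.0 255.255.255.0
```

Because the address is read when the script runs, the same script has to be re-run after a lease renewal changes the address (a dhclient exit hook is one place to trigger that); where the installed ipfw supports the `me` keyword, which matches any address configured on a local interface, the lookup can be avoided in the outbound rule altogether.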