Re: ipfw-natd: connecting internal network to the Internet

From: +Alan Hicks+ (alan_at_lizella.netWORK)
Date: 08/30/04
Date: 30 Aug 2004 09:55:20 -0500


In the future, it's helpful to take a lot of those comments out and
just do something like "ipfw list" to show your rules.

In comp.unix.bsd.freebsd.misc, Richard K dared to utter,
> I have been working on getting my ipfw rules fixed so that my internal
> machines on the network can connect to the Internet. In doing so, I
> have my machines able to connect to the Internet, let's say
> www.google.com, and do a search, which works as expected. When I click on
> a link, groups.google.com, I get a connection refused. I cannot
> determine from my ruleset what is preventing me from functionality.

This almost always is a DNS issue. What error message do you receive?
What specifically will it not do?

> Here's my ipfw ruleset. Please let me know whether there is anything
> else that I can provide that will assist.

Yes. Do something like tcpdump or snort and log the packets being
exchanged when you attempt to browse the web. snort has a switch that
will convert your IP addresses to all x's for your privacy.

> Your assistance is greatly appreciated. If there is something I need
> to take out or add to get this to work, I don't understand why this is
> happening.

> #################################################
> ## DNS
> #
> # ${fwcmd} add 4040 allow udp from any to ${exip} 53 in via ${exif} keep-state

I'm not entirely sure either. That rule should be enough to pass DNS,
unless you're getting DNS replies that are TCP packets. Sometimes it's
best to run a caching DNS server on your NAT router for this sort of
thing. Do a snort or tcpdump and get back with us.

--
It is better to hear the rebuke of the wise,
Than for a man to hear the song of fools.
Ecclesiastes 7:5
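The "DNS replies that are TCP packets" case Alan mentions is worth checking in the capture he asks for: when a UDP reply comes back with the TC (truncated) bit set, the resolver retries the same query over TCP port 53, and a rule that only passes UDP/53 will never see that retry. The following is an added example, not code from either poster; it builds a constructed DNS response (no real capture), parses the header and question name, and reports which transport the firewall must allow for that exchange to complete.

```python
import struct

# Constructed sample responses for testing; nothing here comes from a real capture.
def build_response(name, tc, rcode=0, txid=0x1234):
    """Build a minimal DNS response for an A query: header + question section."""
    flags = 0x8000 | (0x0200 if tc else 0) | (rcode & 0xF)   # QR=1, TC as requested
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # QDCOUNT=1, no answers
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)          # QTYPE=A, QCLASS=IN

def parse_header(pkt):
    """Decode the 12-byte DNS header; flag layout per RFC 1035 section 4.1.1."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),    # 1 = response, 0 = query
        "tc": bool(flags & 0x0200),    # truncated: client will retry over TCP
        "rcode": flags & 0xF,          # 0 = NOERROR, 3 = NXDOMAIN, ...
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }

def parse_qname(pkt, offset=12):
    """Read the uncompressed question name that follows the header."""
    labels = []
    while True:
        n = pkt[offset]
        if n == 0:
            break
        labels.append(pkt[offset + 1:offset + 1 + n].decode("ascii"))
        offset += 1 + n
    return ".".join(labels)

def required_transport(pkt):
    """Which protocol the firewall must pass for this lookup to finish.

    A truncated UDP reply means the resolver's next packet is TCP/53, so a
    rule set that only allows 'udp ... 53' silently breaks that name.
    """
    h = parse_header(pkt)
    if not h["qr"]:
        return "query"          # not a reply; nothing to decide yet
    return "tcp" if h["tc"] else "udp"

if __name__ == "__main__":
    for name, tc in (("www.google.com", False), ("groups.google.com", True)):
        pkt = build_response(name, tc=tc)
        print(f"{parse_qname(pkt):20} tc={parse_header(pkt)['tc']!s:5} needs {required_transport(pkt)}")
```

Run it against real traffic by feeding it the UDP payload of port-53 replies from the tcpdump capture; any "tcp" result points at a name whose lookup needs a matching TCP/53 rule (or a caching resolver on the router, as suggested above).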