Re: natd is not started at boot

From: Markus Moravec <markus.moravec(at)w00t.at>
Date: Tue, 16 Mar 2004 16:11:37 -0800

Set the gateway:

#################### rc.conf BEGIN ##################

gateway_enable="YES" # without this it won't quite work ;)

# nat/pat

natd_program="/sbin/natd" # path to natd, if you want a different one.
natd_enable="YES" # Enable natd (if firewall_enable == YES).
natd_interface="tun0" # Public interface or IPaddress to use.
#natd_flags="" # Additional flags for natd.

# Firewall

firewall_enable="YES"
firewall_type="simple"
firewall_script="/etc/rc.firewall"

# User ppp configuration.
ppp_enable="YES" # Start user-ppp (or NO).
ppp_mode="ddial" # Choice of "auto", "ddial", "direct" or "dedicated".
                 # For details see man page for ppp(8). Default is auto.
ppp_nat="NO" # Use PPP's internal network address translation or NO.
ppp_profile="tolspeed" # Which profile to use from /etc/ppp/ppp.conf.
ppp_user="root" # Which user to run ppp as
# User ppp configuration.
####################### rc.conf END #############################
-----Original Message-----
From: owner-de-bsd-questions(at)de.FreeBSD.org
[mailto:owner-de-bsd-questions(at)de.FreeBSD.org] On behalf of C. Kukulies
Sent: Tuesday, March 16, 2004 6:16 AM
To: de-bsd-questions(at)de.freebsd.org
Subject: natd is not started at boot

FreeBSD 5.2 - an older -current. Possibly my /etc/rc scripts are not
entirely in sync, but right now I cannot figure out why my natd does not
start at boot.

I have in /etc/rc.conf:

natd_program="/sbin/natd" # path to natd, if you want a different one.
natd_enable="YES" # Enable natd (if firewall_enable == YES).
natd_interface="tun0" # Public interface or IPaddress to use.

and I always have to start natd manually after booting.

That is of course annoying when I am away from home and tinkering with the
firewall rules.

Another problem I still have is that DNS in the home network:

TDSL------{tun0}--[GW]---{ed0}--192.168.0.1------------------{home LAN}
                   |                                e.g. 192.168.0.3 (B)
                192.168.254.1
                   |
                 {wi0}

               Wireless LAN

                Notebook (A)
               192.168.254.2

does not work.

Until recently I only had ppp -nat running, and from the notebook I could
get straight onto the Internet (by means of ppp -nat).

Now I want NAT on the wired LAN in the house and on the WLAN, and have
therefore switched off the -nat option in ppp.

I set the default route to 192.168.0.1 on machines A and B
and can ping 66.102.11.99.

ping www.google.de does not work, though. That is, DNS requests do not
seem to get through.

What is wrong?
rc.conf on the gateway:

natd_program="/sbin/natd" # path to natd, if you want a different one.
natd_enable="YES" # Enable natd (if firewall_enable == YES).
natd_interface="tun0" # Public interface or IPaddress to use.
#natd_flags="" # Additional flags for natd.

firewall_enable="YES"
firewall_type="simple"
firewall_script="/etc/rc.firewall"

# User ppp configuration.
ppp_enable="YES" # Start user-ppp (or NO).
ppp_mode="ddial" # Choice of "auto", "ddial", "direct" or "dedicated".
                 # For details see man page for ppp(8). Default is auto.
ppp_nat="NO" # Use PPP's internal network address translation or NO.
ppp_profile="tolspeed" # Which profile to use from /etc/ppp/ppp.conf.
ppp_user="root" # Which user to run ppp as
# User ppp configuration.

/etc/rc.firewall:

[Ss][Ii][Mm][Pp][Ll][Ee])
        ############
        # This is a prototype setup for a simple firewall. Configure this
        # machine as a DNS and NTP server, and point all the machines
        # on the inside at this machine for those services.
        ############

        # set these to your outside interface network and netmask and ip
        oif="tun0"
        onet="213.146.112.0"
        omask="255.255.255.0"
        oip="213.146.112.180"
        # set these to your inside interface network and netmask and ip
        iif="ed0"
        inet="192.168.0.0"
        imask="255.255.255.0"
        iip="192.168.0.1"

        wiif="wi0"
        winet="192.168.254.0"
        wimask="255.255.255.0"
        wiip="192.168.254.1"
        setup_loopback

        # Stop spoofing
        ${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
        ${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}

        # Stop RFC1918 nets on the outside interface
        ${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
        ${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
        ${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}
        # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
        # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
        # on the outside interface
        ${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
        ${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
        ${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
        ${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
        ${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}

        # Network Address Translation. This rule is placed here deliberately
        # so that it does not interfere with the surrounding address-checking
        # rules. If for example one of your internal LAN machines had its IP
        # address set to 192.0.2.1 then an incoming packet for it after being
        # translated by natd(8) would match the `deny' rule above. Similarly
        # an outgoing packet originated from it before being translated would
        # match the `deny' rule below.
        case ${natd_enable} in
        [Yy][Ee][Ss])
                if [ -n "${natd_interface}" ]; then
                        ${fwcmd} add divert natd all from any to any via ${natd_interface}
                fi
                ;;
        esac

---
Is anything still missing?
Regards
--
Chris Christoph P. U. Kukulies kuku_at_physik.rwth-aachen.de
To Unsubscribe: send mail to majordomo(at)de.FreeBSD.org
with "unsubscribe de-bsd-questions" in the body of the message
Received on Tue 16 Mar 2004 - 16:12:35 CET
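As an added example (not code from either of the two mails above), here is a small POSIX shell checker that reads an rc.conf fragment like the ones pasted in the thread and reports the combinations the thread turns on: natd_enable without gateway_enable (the point of the reply), natd_enable without firewall_enable (the rc.conf comment says natd is only started in that case), an empty natd_interface (the quoted rc.firewall then adds no divert rule), and ppp_nat left on alongside natd. The two rc.conf fragments are constructed to mirror the asker's settings, and the value parsing is a simplified stand-in for what rc.subr does, not the real implementation.

```shell
#!/bin/sh
# Added example: consistency check for natd-related rc.conf settings.
# Not part of the original mails. The fragments below are constructed and
# the parsing is a simplified stand-in for rc.subr, not the real thing.

# Constructed fragment mirroring the asker's rc.conf (no gateway_enable).
RC_ASKER='natd_program="/sbin/natd" # path to natd, if you want a different one.
natd_enable="YES" # Enable natd (if firewall_enable == YES).
natd_interface="tun0" # Public interface or IPaddress to use.
#natd_flags="" # Additional flags for natd.
firewall_enable="YES"
firewall_type="simple"
firewall_script="/etc/rc.firewall"
ppp_enable="YES"
ppp_mode="ddial"
ppp_nat="NO"'

# The same fragment with the line the reply recommends added.
RC_REPLY="gateway_enable=\"YES\" # without this it will not quite work
$RC_ASKER"

# rc_value TEXT NAME: value of the last uncommented NAME= line in TEXT with
# the quotes and any trailing comment removed; prints nothing if unset.
rc_value() {
    printf '%s\n' "$1" \
        | grep "^[[:space:]]*$2=" \
        | tail -n 1 \
        | sed -e 's/^[^=]*=//' -e 's/[[:space:]]*#.*$//' \
              -e 's/^"//' -e 's/"[[:space:]]*$//'
}

# is_yes VALUE: the spellings rc.subr's checkyesno treats as "on".
is_yes() {
    case $1 in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# check_natd_config TEXT: prints one line per problem and returns the number
# of problems found, so 0 means the natd settings are consistent.
check_natd_config() {
    problems=0
    # Nothing to check unless natd is supposed to run at all.
    is_yes "$(rc_value "$1" natd_enable)" || return 0
    if ! is_yes "$(rc_value "$1" gateway_enable)"; then
        echo "gateway_enable is not YES: the kernel will not forward packets between the outside and inside interfaces"
        problems=$((problems + 1))
    fi
    if ! is_yes "$(rc_value "$1" firewall_enable)"; then
        echo "firewall_enable is not YES: natd is only started together with the ipfw rules"
        problems=$((problems + 1))
    fi
    if [ -z "$(rc_value "$1" natd_interface)" ]; then
        echo "natd_interface is empty: rc.firewall adds no divert rule for natd"
        problems=$((problems + 1))
    fi
    if is_yes "$(rc_value "$1" ppp_nat)"; then
        echo "ppp_nat is also YES: ppp and natd would both translate the same packets"
        problems=$((problems + 1))
    fi
    return $problems
}

echo "== asker's fragment =="
check_natd_config "$RC_ASKER" || echo "-> $? problem(s) found"
echo "== with gateway_enable added =="
check_natd_config "$RC_REPLY" && echo "-> consistent"
```

Run it with `sh check_natd.sh`; to check a real file, pass `"$(cat /etc/rc.conf)"` to `check_natd_config` instead of the constructed fragment. The checker deliberately ignores commented-out lines (such as `#natd_flags=""`) and takes the last assignment when a variable appears twice, which is how rc.conf is read anyway.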
