[afnog] IPfw + natd
Mark Tinka
mtinka at africaonline.co.zw
Fri Dec 2 17:24:07 EAT 2005
On Thursday 01 December 2005 22:07, Brian Candler wrote:
> On Thu, Dec 01, 2005 at 06:40:40PM +0200, Mark Tinka wrote:
> > DNS queries were erratic from my test client box, but
> > not from the firewall itself.
>
> In that case, the network between the client box and
> the firewall should be under suspicion.
Client box was directly connected to firewall's second NIC
with x-over UTP.
Nonetheless, I managed to find the problem - at first I
thought it was sysctl IPfw values where my dynamic IPfw
rules were exhausting the system's default limits, but it
turns out natd and advanced stateful IPfw don't
co-operate very well. So downgrading the advanced
stateful to simple stateful IPfw rules solved the problem
- external access is consistent with no intermittent
breaks.
I'm now working on advanced stateful rules that will work
with natd. A good option would be to run natd standalone,
but I'm still looking for a LAN-to-LAN solution. natd
already has a similar solution, but for PPP, though:
/etc/rc.conf
[...]
ppp_nat="YES"
[...]
Cheers,
Mark.
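The rule ordering that lets keep-state rules and natd coexist, as an added example that is not part of the original post or of any FreeBSD rc.firewall profile: the inbound divert sits before check-state, and the outbound divert sits after the keep-state rules (reached by skipto), so the dynamic entries are always created and matched on the private LAN addresses. The interface names rl0/rl1, the 192.168.1.0/24 prefix, the IPFW=echo dry-run switch and the function name are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: an ipfw ruleset on which natd
# and keep-state rules coexist. Inbound packets are de-translated by natd
# BEFORE check-state, and outbound packets create their dynamic rule while
# the source address is still private, then jump to the outbound divert.
# check-state therefore sees LAN addresses in both directions, so the
# dynamic entries match and sessions stop breaking intermittently.
# Requires natd listening on the "natd" divert port (natd -n $OIF) and
# net.inet.ip.forwarding=1. If dynamic entries run out, raise
# net.inet.ip.fw.dyn_max. Interface names and prefix are assumptions.
IPFW="${IPFW:-/sbin/ipfw -q}"   # IPFW=echo prints the rules instead of loading them
OIF="${OIF:-rl0}"               # assumed: interface towards the ISP
IIF="${IIF:-rl1}"               # assumed: interface towards the LAN client
LAN="${LAN:-192.168.1.0/24}"    # assumed: private LAN prefix

install_nat_ruleset() {
    $IPFW -f flush

    $IPFW add 100 allow ip from any to any via lo0
    # Private source addresses never arrive legitimately on the outside.
    $IPFW add 110 deny ip from $LAN to any in via $OIF

    # 1. Translate inbound packets back to private addresses first.
    $IPFW add 200 divert natd ip from any to any in via $OIF

    # 2. Packets of a known session (either direction) take the action of
    #    the rule that created the entry: skipto 1000 or allow.
    $IPFW add 300 check-state

    # 3. New LAN sessions: record state with the private source, then skip
    #    to the outbound divert. "setup" matches TCP SYN only.
    $IPFW add 400 skipto 1000 tcp from $LAN to any out via $OIF setup keep-state
    $IPFW add 410 skipto 1000 udp from $LAN to any out via $OIF keep-state
    $IPFW add 420 skipto 1000 icmp from $LAN to any out via $OIF keep-state

    # The firewall's own sessions and LAN-side traffic need no translation.
    $IPFW add 430 allow ip from me to any out via $OIF keep-state
    $IPFW add 440 allow ip from any to any via $IIF

    # Anything unsolicited from outside is dropped and logged.
    $IPFW add 900 deny log ip from any to any in via $OIF
    $IPFW add 910 deny ip from any to any

    # 4. Translate outbound packets only after the state entry exists.
    $IPFW add 1000 divert natd ip from any to any out via $OIF
    $IPFW add 1010 allow ip from any to any
}

# install_nat_ruleset   # uncomment to load; IPFW=echo shows the rules first
```

Running it with IPFW=echo prints the ruleset in order, which is the quickest way to confirm that the inbound divert precedes check-state and the outbound divert follows the keep-state rules before loading it on the firewall.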