Please help with NAT

JB jb000002 at mr-happy.com
Thu Oct 19 09:59:38 PDT 2006


In <45379258.3050505 at xxxxxxxxxxxxx>,
Eugene  <communique at xxxxxxxxxxxxx> shouted to everyone in earshot,
>/etc/natd.conf
>log yes
>log_denied yes
>interface rl0
>redirect_address 193.138.X.Z 0.0.0.0

I'm not an ipfw user, but a quick scan of the natd man page makes me
think that redirect_address isn't something you want there, at least
not with that first address.  I get the impression that it's for
passing all incoming TCP SYNs (and probably UDP and ICMP packets) to
the named machine, but I think you want to list the address of an
internal host, not an address on your router.  You shouldn't need that
directive at all if you don't need to pass incoming connections to
internal hosts, and even if you do want to do that, you could probably
take it out until you have outbound NAT working.  I don't know for
sure that it's causing you any problems, but removing it could
simplify things in the interim.

>and tcpdump produces following output while browser on a machine 
>192.168.1.16 tries to connect to internet:
>14:55:46.731888 IP 192.168.1.16.44870 > 84.252.139.237.80: S 
>2051121078:2051121078(0) win 5840 <mss 1460,sackOK,timestamp 3568779 
>0,nop,wscale 2>

Is this from interface rl0 (public) or rl1 (internal)?  If rl1, what
does rl0 see?

Did you rebuild your kernel with 'OPTIONS IPFIREWALL' and 'OPTIONS
IPDIVERT' as the natd man page suggests?  (Is that still necessary?
I'm still just reading the natd man page and don't see those options
in DFly 1.4.2 GENERIC.)

I second the recommendation for using pf, especially if you aren't
familiar with ipfw.  You won't need to rebuild your kernel, for
example.

Jeff
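As an added example (not part of Jeff's or Eugene's mail), a small POSIX sh lint for a natd.conf that flags the problem discussed above: a redirect_address (or redirect_port) whose target is not an RFC 1918 internal address, which usually means the router's own public address was put there by mistake. The sample config it writes is constructed to mirror the quoted one; the file name is an assumption.

```shell
#!/bin/sh
# Lint a natd.conf for redirect directives whose target is not an internal
# (RFC 1918) host.  natd syntax: "redirect_address localIP publicIP" and
# "redirect_port proto targetIP:port aliasport"; the first address in the
# former and the targetIP in the latter must be an internal host.

is_private() {
  case "$1" in
    10.*|192.168.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# check_natd_conf FILE: prints one warning per suspicious directive.
# Returns 0 if nothing was flagged, 1 otherwise.
check_natd_conf() {
  _bad=0
  while read -r key a1 a2 _rest; do
    case "$key" in
      ''|'#'*) continue ;;          # blank line or comment
      redirect_address)
        if ! is_private "$a1"; then
          echo "warn: redirect_address local address $a1 is not RFC 1918; it should be an internal host, not the router"
          _bad=1
        fi ;;
      redirect_port)
        _tip=${a2%%:*}              # strip ":port" from targetIP:port
        if ! is_private "$_tip"; then
          echo "warn: redirect_port target $_tip is not RFC 1918"
          _bad=1
        fi ;;
    esac
  done < "$1"
  return $_bad
}

# Constructed sample mirroring the quoted configuration (assumed file name).
cat > ./natd-example.conf <<'EOF'
log yes
log_denied yes
interface rl0
redirect_address 193.138.X.Z 0.0.0.0
EOF

if check_natd_conf ./natd-example.conf; then
  echo "natd-example.conf: no suspicious redirect directives"
else
  echo "natd-example.conf: review the flagged directives before enabling natd"
fi
```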