Date: Sun, 28 Jun 2009 22:56:58 -0400
From: "Systems Engineering Group" <mailinglistmember@mgwigglesworth.net>
To: freebsd-ipfw@freebsd.org
Subject: Re: Any *Working* Examples of kernel-based (IPFW2-based) NAT on FreeBSD 7.1-STABLE?
Message-ID: <1246244218.8710.237.camel@localhost>
References: <20090626085530.GA2623@heitec.de>
I don't know why you are attempting to be so "elegant" (which is a smart-guy way of saying making something more complex by leaving out certain things that are still relevant, but "messy", as an experienced person would see it) if you are new to the methods.

First, you need to make sure that natd is doing its job, by making sure that you have natd turned on, and that it is using the correct interface. Second, when you have verified that the natd configuration is accurate and usable, the kernel needs to be verified to have the correct options, and the ipfw rules need to be set up. You only need IPDIVERT and IPFIREWALL, with IPFIREWALL_VERBOSE if you want logging. With these kernel options in place, you need to compile and install a kernel built with them for the firewalling functionality, with diversion, to work. Given these aspects of the system are installed, you then only need to place a natd divert rule into the script for your ipfw-centric firewall.

An example would be to start natd with the following included either in the commandline options, or in the config file referenced at the commandline call to natd (natd -f /path/to/natd/config), or in the requisite init script:

    natd -i $divert_iface -d

This should start natd with the -i switch indicating to natd which device is to be translated (from/to). After verifying that the natd daemon has initialized via `sockstat | grep natd`, you should then test divert rules within your ipfw script, or via dynamic rules that you send at the commandline. The simplest way to test the operation of the divert rules is to do the following:

    ipfw add 100 pass log tcp from any to any in via $divert_iface
    # The traffic coming into the external ip address will be "diverted" to the internal network ip range.
    ipfw add 200 divert natd ip from any to any in via $divert_iface
    ##
    # Rules 201-499 will be used to filter on the internal addresses after being mangled by the kernel.
    # They will now look like they are going to the internal address, not the external ip address,
    # so internal-ip-based rules will be effective at this time.
    ##
    # This rule will divert traffic going from the internal network to the external network
    ipfw add 500 divert natd ip from any to any out via $divert_iface

This is a very brief view of an example that works with FreeBSD. I would stay away from the complex "elegant" solutions that you referenced in your original post, on or about June 14th, until you verify that your solution is working properly. Check out the handbook, and the information on firewalling on onlamp.org and in the FreeBSD handbook.

I am just doing a data dump of my own experience right now, so if you have any further questions, then just post them and we can take a look. The setup is not very difficult once you have the basics down. I have about thirty rules in my script, but about 20 of them have to do with filtering different stuff, which is merely a skipto to a deletion rule with logging. ipfw and natd are not very difficult to use; however, that simplicity is also what makes it such a powerful network appliance solution. I have heard that ipnat + netfilter is supposedly a more powerful solution, because ipnat does certain things better than natd; however, that is something for further exploration, and I have not had a need to do so as of yet.

I hope this assists you in your setup endeavor.

Respectfully,
Martes

-- 
Systems Engineering Group <mailinglistmember@mgwigglesworth.net>
M. G. Wigglesworth Holdings, LLC
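A worked version of the procedure in the reply above (rc.conf switches, then a ruleset laid out as inbound translation, filtering on internal addresses, outbound translation), added here as an example; it is not code from the mail, its author, or the FreeBSD project. The interface name em0, the LAN 192.168.1.0/24 and the rules-file path are assumptions. Setting MODE=kernel emits the in-kernel `ipfw nat` form that the subject line asks about instead of the natd divert rules, which goes beyond what the reply itself shows. Run with no arguments to print everything for review; `apply` loads the rules with ipfw(8).

```shell
#!/bin/sh
# Added example (not from the original mail): ipfw + NAT ruleset for FreeBSD,
# written as functions so it can be printed and reviewed before being loaded.
# EXT_IF / INT_NET are placeholders for the external interface and the LAN
# behind the box; MODE picks userland natd via divert (as in the reply) or the
# in-kernel "ipfw nat" (the kernel-based NAT the original question was about).

EXT_IF="${EXT_IF:-em0}"                 # assumption: external (translated) interface
INT_NET="${INT_NET:-192.168.1.0/24}"    # assumption: internal network
MODE="${MODE:-natd}"                    # natd | kernel

# rc.conf lines that turn the pieces on. natd_interface is what the rc script
# hands natd as its -n/-interface argument, so this is the "correct interface"
# check from the reply. The kernel variant needs no natd and no IPDIVERT, but
# does need IPFIREWALL_NAT and LIBALIAS in the kernel config.
print_rc_conf() {
    mode="${1:-natd}"
    echo 'gateway_enable="YES"'
    echo 'firewall_enable="YES"'
    echo 'firewall_script="/etc/ipfw.rules"'   # assumption: where this script lives
    if [ "$mode" = natd ]; then
        echo 'natd_enable="YES"'
        echo "natd_interface=\"$EXT_IF\""
        echo 'natd_flags="-dynamic -same_ports"'
    fi
}

# Print the rules one per line, as the arguments that follow "ipfw".
build_nat_rules() {
    iface="$1" inside="$2" mode="${3:-natd}"

    echo "add 10 allow ip from any to any via lo0"
    echo "add 20 deny log ip from any to 127.0.0.0/8"
    echo "add 30 deny log ip from 127.0.0.0/8 to any"

    # Inbound: translate first, so the rules after this one see the packet
    # with its internal destination address.
    if [ "$mode" = natd ]; then
        # natd reinjects through the divert socket and the packet re-enters
        # ipfw at the rule following this one.
        echo "add 200 divert natd ip from any to any in via $iface"
    else
        # In-kernel NAT. With net.inet.ip.fw.one_pass=1 (the default) the
        # packet is accepted right after translation and rules 201-499 are
        # never consulted; sysctl net.inet.ip.fw.one_pass=0 keeps filtering.
        echo "nat 1 config if $iface same_ports reset"
        echo "add 200 nat 1 ip from any to any in via $iface"
    fi

    # 201-499: filtering on translated (internal) addresses. Inside sources
    # arriving on the outside interface are spoofed; unsolicited inbound
    # connections are refused except SSH to the box itself. Note that only
    # deny rules and targeted allows go here: an "allow" matching outbound
    # traffic would accept it before rule 500 translates it.
    echo "add 210 deny log ip from $inside to any in via $iface"
    echo "add 220 allow tcp from any to me 22 in via $iface setup"
    echo "add 300 deny log tcp from any to any in via $iface setup"

    # Outbound: translate last, after the filters above have had their say.
    if [ "$mode" = natd ]; then
        echo "add 500 divert natd ip from any to any out via $iface"
    else
        echo "add 500 nat 1 ip from any to any out via $iface"
    fi
    echo "add 65000 allow ip from any to any"
}

case "${1:-print}" in
    apply)
        ipfw -q -f flush
        build_nat_rules "$EXT_IF" "$INT_NET" "$MODE" | while read -r rule; do
            # shellcheck disable=SC2086  # word splitting into ipfw arguments is intended
            ipfw -q $rule
        done
        ;;
    print)
        print_rc_conf "$MODE"
        echo
        build_nat_rules "$EXT_IF" "$INT_NET" "$MODE"
        ;;
esac
```

The ordering is the whole point: the inbound translation rule sits below any rule that would match on the pre-translation external address, the middle section contains no blanket `allow` that outbound packets could hit before reaching rule 500, and the final accept comes after the outbound translation. Check the loaded result with `ipfw -a list` and, for natd, confirm the daemon holds its divert socket with `sockstat | grep natd`.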
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1246244218.8710.237.camel>