From owner-freebsd-ipfw@FreeBSD.ORG Sun Mar 28 05:04:58 2004
From: Edwin Culp <eculp@viviendaatualcance.com.mx>
To: whizkid@ValueDJ.com
cc: freebsd-ipfw@freebsd.org
Date: Sun, 28 Mar 2004 07:04:54 -0600
Subject: Re: FreeBSD Tansparent Proxy with ipfw & natd
Message-ID: <20040328070454.3og08ss4gkgwksco@mail.viviendaatualcance.com.mx>
In-Reply-To: <1088.216.100.130.17.1080447627.squirrel@www.ValueDJ.com>

Quoting whizkid@ValueDJ.com:

> I have seen lots of pages on google on how to setup Squid as a Transparent
> Proxy server on FreeBSD. However most of these refer to 4.9 stable, using
> IPTables. I am currently using natd and ipfw. Here are my Firewall rules
>
> < SHORTEN A BIT >
>
> how would I set it so all incoming packets from xl0 would get redirected
> to port 8080 for the proxy server. I want to setup DansGuardian for
> content filtering and I don't want the people who will be using my network
> to find a way around disabling the Proxy in the browser.

I would try something like the following, which should be around 6001, before nating:

add 6001 fwd 127.0.0.1,8080 tcp from 192.168.1.0/24 to any 80

I have a rule before that which allows port 80 access for "me" to not use squid for our local intranet traffic, and I have a forward rule after the above but before nating to send the squid requests out through an interface that is not the default route, to a second ISP that is just for squid traffic; then I nat.

YMMV, good luck,

ed

> Anyone have any ideas?
>
> Thanks for your help
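The ordering Ed describes (bypass for "me", LAN-only fwd to the proxy, policy route for squid's own traffic, then natd) written out as a dry-run rule generator; this is an added example, not the poster's rule set. Interface names, the admin host, the second uplink's addresses and the rule numbers other than 6001 are assumptions, and the kernel must be built with options IPFIREWALL_FORWARD for fwd to work at all.

```shell
#!/bin/sh
# Transparent-proxy rule order for ipfw + natd on FreeBSD 4.x. Added example;
# interfaces, addresses and rule numbers are assumptions, not the poster's.
# fwd needs a kernel built with "options IPFIREWALL_FORWARD".
set -eu

LAN=192.168.1.0/24       # inside network
LAN_IF=xl0               # interface the LAN arrives on
ADMIN=192.168.1.10       # host allowed straight to port 80 (assumed)
PROXY_PORT=8080          # squid/DansGuardian listener on the gateway
OUT_IF=xl1               # default uplink, where natd runs (assumed)
SQUID_SRC=203.0.113.10   # address squid binds to on the second link (assumed)
SQUID_GW=203.0.113.1     # next hop on that second link (assumed)
IPFW=${IPFW:-echo ipfw}  # dry run by default; IPFW=/sbin/ipfw applies for real

# Rules in evaluation order. fwd and divert terminate matching for the packet,
# so the order is the policy: bypass, then redirect, then route, then NAT.
proxy_rules() {
    # 1. Bypass: the admin host reaches port 80 directly, never via the proxy.
    echo "add 6000 allow tcp from $ADMIN to any 80 in via $LAN_IF"
    # 2. Redirect: only LAN sources arriving on the inside interface go to the
    #    local proxy. Without the source/interface restriction the gateway
    #    would also proxy for anything able to reach it from outside.
    echo "add 6001 fwd 127.0.0.1,$PROXY_PORT tcp from $LAN to any 80 in via $LAN_IF"
    # 3. Policy route: squid's own outbound HTTP, bound to the second link's
    #    address, is handed to that link's gateway instead of the default route.
    echo "add 6002 fwd $SQUID_GW tcp from $SQUID_SRC to any 80 out"
    # 4. NAT last: whatever is still here and leaves the default uplink.
    echo "add 6003 divert natd ip from any to any via $OUT_IF"
}

# Guard run before applying: bypass before redirect, redirect before natd.
# If natd came first the proxy would see already-translated packets and the
# bypass would be swallowed by the redirect; the policy silently inverts.
check_order() {
    rules=$(proxy_rules)
    bypass=$(printf '%s\n' "$rules" | grep -n "allow tcp from $ADMIN" | cut -d: -f1)
    redirect=$(printf '%s\n' "$rules" | grep -n "fwd 127.0.0.1,$PROXY_PORT" | cut -d: -f1)
    nat=$(printf '%s\n' "$rules" | grep -n 'divert natd' | cut -d: -f1)
    [ -n "$bypass" ] && [ -n "$redirect" ] && [ -n "$nat" ] &&
        [ "$bypass" -lt "$redirect" ] && [ "$redirect" -lt "$nat" ]
}

# Hand each rule to ipfw(8), or echo it in the dry run.
apply_rules() {
    check_order || { echo "rule order wrong, refusing to apply" >&2; return 1; }
    proxy_rules | while read -r rule; do
        # shellcheck disable=SC2086  # word splitting is intended here
        $IPFW $rule
    done
}

apply_rules
```

Run it as-is to review the command list; set IPFW=/sbin/ipfw on the gateway to load the rules.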
From owner-freebsd-ipfw@FreeBSD.ORG Sun Mar 28 15:29:21 2004
From: "Dan" <dan@tictactoe.com>
Date: Sun, 28 Mar 2004 15:29:44 -0800
Subject: What am I doing wrong (IPFW Rulesets)
Message-ID: <000301c4151c$92278e70$0200a8c0@surf1.ws>

What am I doing wrong here? Do I need to recompile my kernel with rule set support for IPFW or something? I cannot seem to get any set-related functionality to work on my system.

I grabbed this from the man page for ipfw:

    The format of ipfw rules is the following:

        [rule_number] [set set_number] [prob match_probability] action [log [logamount number]] body

Here is my current rule list, which is working great: it allows me to keep track of who is using how much bandwidth from my LAN, which is kind of fun. Also, it does some basic policing of IP traffic.

# ipfw list
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 allow ip from 192.168.0.7 to any
00500 allow ip from any to 192.168.0.7
00600 allow ip from any to 192.168.0.2
00700 allow ip from 192.168.0.2 to any
00800 allow ip from 192.168.0.84 to any
00900 allow ip from any to 192.168.0.84
01000 allow ip from 192.168.0.8 to any
01100 allow ip from any to 192.168.0.8
65000 allow log logamount 100 ip from 192.168.0.0/24 to any
65100 allow ip from any to 192.168.0.0/24
65200 allow ip from me to any out xmit dc0
65300 allow ip from any to me in recv dc0
65535 deny ip from any to any

# ipfw add 01200 set 1 allow ip from any to any
ipfw: invalid action ``set''

According to my above-pasted quotation from the IPFW man page, this should work. Why not?

# ipfw disable set 1
ipfw: unrecognize enable/disable keyword: set
# ipfw enable set 1
ipfw: unrecognize enable/disable keyword: set
# ipfw set enable 1
ipfw: bad arguments, for usage summary ``ipfw''
# ipfw set disable 1
ipfw: bad arguments, for usage summary ``ipfw''

I have seen different places mention different ways of enabling and disabling rule sets; neither of these seems to work. What am I doing wrong here? BTW, there aren't any rules in rule set 1 right now as far as I know.

I am running FreeBSD 4.9-RELEASE #0: Thu Mar 25 17:51:16 PST 2004 root@:/usr/src/sys/compile/CUSTOM

I am running a custom-built kernel with both IPFW and IPFILTER options on. This machine has dual NICs and I use it for NAT. I have been reading through the IPFW mailing list and searching the open bug reports on freebsd.org and googling for hours now, so thought I'd run this by you guys.

Thanks,
--Dan

From owner-freebsd-ipfw@FreeBSD.ORG Sun Mar 28 16:21:36 2004
From: Nicolas Rachinsky <nicolas@dauerreden.de>
To: Dan
cc: freebsd-ipfw@freebsd.org
Date: Mon, 29 Mar 2004 02:21:32 +0200
Subject: Re: What am I doing wrong (IPFW Rulesets)
Message-ID: <20040329002132.GA63579@pc5.i.0x5.de>
In-Reply-To: <000301c4151c$92278e70$0200a8c0@surf1.ws>

* Dan [2004-03-28 15:29 -0800]:
> What am I doing wrong here? Do I need to recompile my kernel with rule
> set support for IPFW or something? I cannot seem to get any set-related
> functionality to work on my system.
[...]
> I am running FreeBSD 4.9-RELEASE #0: Thu Mar 25 17:51:16 PST 2004
> root@:/usr/src/sys/compile/CUSTOM

From the ipfw manpage:

    USING IPFW2 IN FreeBSD-STABLE
        ipfw2 is standard in FreeBSD CURRENT, whereas FreeBSD STABLE still
        uses ipfw1 unless the kernel is compiled with options IPFW2, and
        /sbin/ipfw and /usr/lib/libalias are recompiled with -DIPFW2 and
        reinstalled (the same effect can be achieved by adding IPFW2=TRUE
        to /etc/make.conf before a buildworld).

HTH,
Nicolas

From owner-freebsd-ipfw@FreeBSD.ORG Mon Mar 29 11:01:58 2004
From: FreeBSD bugmaster <owner-bugmaster@freebsd.org>
To: ipfw@FreeBSD.org
Date: Mon, 29 Mar 2004 11:01:57 -0800 (PST)
Subject: Current problem reports assigned to you
Message-Id: <200403291901.i2TJ1v41084131@freefall.freebsd.org>

Current FreeBSD problem reports

Critical problems
Serious problems

S Submitted    Tracker     Resp. Description
-------------------------------------------------------------------------------
o [2002/12/27] kern/46557  ipfw  ipfw pipe show fails with lots of queues
o [2003/04/22] kern/51274  ipfw  ipfw2 create dynamic rules with parent nu
f [2003/04/24] kern/51341  ipfw  ipfw rule 'deny icmp from any to any icmp
o [2004/03/03] misc/63724  ipfw  IPFW2 Queues dont t work
o [2004/03/13] kern/64240  ipfw  IPFW tee terminates rule processing
o [2004/03/16] kern/64345  ipfw  4.x IPFW2 kernel memory leak (IPFW2+rote

6 problems total.

Non-critical problems

S Submitted    Tracker     Resp. Description
-------------------------------------------------------------------------------
a [2001/04/13] kern/26534  ipfw  Add an option to ipfw to log gid/uid of w
o [2002/12/07] kern/46080  ipfw  [PATCH] logamount in ipfw2 does not defau
o [2002/12/10] kern/46159  ipfw  ipfw dynamic rules lifetime feature
o [2002/12/27] kern/46564  ipfw  IPFilter and IPFW processing order is not
o [2003/02/11] kern/48172  ipfw  ipfw does not log size and flags
o [2003/03/10] kern/49086  ipfw  [patch] Make ipfw2 log to different syslo
o [2003/03/12] bin/49959   ipfw  ipfw tee port rule skips parsing next rul
o [2003/04/09] bin/50749   ipfw  ipfw2 incorrectly parses ports and port r
o [2003/08/25] kern/55984  ipfw  [patch] time based firewalling support fo
o [2003/12/29] kern/60719  ipfw  ipfw: Headerless fragments generate cryp
o [2004/01/12] kern/61259  ipfw  [patch] make "ipfw tee" work as intended
o [2004/02/09] kern/62598  ipfw  no logging on ipfw loadable module
o [2004/03/08] kern/63961  ipfw  ipfw2 uid matching doesn't work correctly

13 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Tue Mar 30 07:57:20 2004
From: "UNAp" <idan@unap.ro>
Date: Tue, 30 Mar 2004 18:57:12 +0300
Subject: NAT for one, or more IP
Message-ID: <001d01c4166f$aa3f1ba0$74e1a4d5@pccore>

Hello

I want to NAT one, or more IP from this "generic" class, using ipfw & natd:

subnet 100.10.10.0/26
100.10.10.50
100.10.10.51

Any tips?
Thx

From owner-freebsd-ipfw@FreeBSD.ORG Tue Mar 30 12:59:09 2004
From: Patrick Tracanelli <eksffa@freebsdbrasil.com.br>
Organization: FreeBSD Brasil LTDA
To: UNAp
cc: ipfw@freebsd.org
Date: Tue, 30 Mar 2004 17:58:54 -0300
Subject: Re: NAT for one, or more IP
Message-ID: <4069DF8E.1000002@freebsdbrasil.com.br>
In-Reply-To: <001d01c4166f$aa3f1ba0$74e1a4d5@pccore>

Divert the incoming packets from your network to the registered IP you want to translate your unregistered network to, and on the other hand, divert the outgoing packets from your network to any destination (or non-public one, say the internet).

01200 69 30884 divert 8668 ip from any to 200.40.30.77 in
01300 81718 15592449 divert 8668 ip from 192.168.2.0/28 to any out

You may create this kind of rule for both networks and hosts, or even a set of hosts/networks (say, with an or-block). You may even FWD packets in such a way that ipfw would act like a "next-hop" router, and set up policy-routing based on source/destination and services (ports). Here, we have some set of rules that

[skip]
00300 6116 7935516 divert 8668 ip from any to 200.30.40.67 in
00400 21832 20430068 divert 8668 ip from any to 200.30.40.68 in
00500 20382 20217368 divert 8668 ip from any to 200.30.40.69 in
[skip]
01300 81718 15592449 divert 8668 ip from 192.168.2.0/28 to any out
01400 3959 258874 fwd 200.30.40.65 ip from 200.30.40.67 to any
01500 20052 6124430 fwd 200.30.40.65 ip from 200.30.40.68 to any
01600 18071 2967705 fwd 200.30.40.65 ip from 200.30.40.69 to any
[skip]
02300 62364 7935516 divert 8669 ip from any to 200.30.40.195 in
02400 97345 20430068 divert 8669 ip from any to 200.30.40.196 in
02500 75345 20217368 divert 8669 ip from any to 200.30.40.197 in
[skip]
03300 817181 15592449 divert 8669 ip from 10.0.2.0/24 to any out
03400 3793 258874 fwd 200.30.40.193 ip from 200.30.40.195 to any
03500 88034 6124430 fwd 200.30.40.193 ip from 200.30.40.196 to any
03600 9635 2967705 fwd 200.30.40.193 ip from 200.30.40.197 to any
[skip]

In this specific case it is a multi-homed scenario where each unregistered network goes out on a different link (gateway) and the default flow goes, obviously, by the default gateway on the system (in this case, they are not unregistered networks, but a third registered network).
Nat in this scenario is STATIC (that is why the rules are translated to many different IPs), say:

# $ natd2.conf $ Patrick Tracanelli
# patrick@freebsdbrasil.com.br
#
interface fxp0
same_ports yes
use_sockets yes
punch_fw 00001:99
log_ipfw_denied yes
redirect_address 192.168.2.2 200.30.40.67
redirect_address 192.168.2.3 200.30.40.68
redirect_address 192.168.2.4 200.30.40.69
... [skip]

There are 2 natd instances, running on port 8669 and the default one (8668); everything else goes via the default route (the third link).

There are other simple examples that may fit your needs better; you might take a look at the following thread:

http://www4.fugspbr.org/lista/html/FUG-BR/2004-03/msg00149.html

Although it's in Portuguese, the rules are there.

--
Regards,
Patrick Tracanelli

FreeBSD Brasil LTDA.
The FreeBSD pt_BR Documentation Project
http://www.freebsdbrasil.com.br
patrick @ freebsdbrasil.com.br
"Long live Hanin Elias, Kim Deal!"
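Patrick's layout above (one natd instance per link, static redirect_address mappings, divert in per public address, divert out per private network, then fwd to that link's gateway) as a generator that derives both the natd configs and the ipfw rules from a single mapping table and checks they agree. This is an added example, not Patrick's configuration: the table reuses the addresses, ports and gateways from his listing as sample data, while fxp1 as the second link's interface, the host 10.0.2.2 and all rule numbers are assumptions.

```shell
#!/bin/sh
# Static NAT across two natd instances, derived from one mapping table.
# Added example modelled on the listing above; interface fxp1, host 10.0.2.2
# and the rule numbers are assumptions.
set -eu

# One row per translated host (constructed sample data):
# natd port, outside interface, next hop on that link, private network,
# private host, public address it is translated to.
MAP='
8668 fxp0 200.30.40.65  192.168.2.0/28 192.168.2.2 200.30.40.67
8668 fxp0 200.30.40.65  192.168.2.0/28 192.168.2.3 200.30.40.68
8669 fxp1 200.30.40.193 10.0.2.0/24    10.0.2.2    200.30.40.195
'
map() { printf '%s\n' "$MAP" | grep -v '^[[:space:]]*$'; }

# natd(8) configuration for one instance, selected by its divert port.
natd_conf() {
    map | awk -v p="$1" '
        $1 == p && !seen { print "interface " $2; print "same_ports yes";
                           print "use_sockets yes"; seen = 1 }
        $1 == p          { print "redirect_address " $5 " " $6 }'
}

# ipfw rules matching that layout, instance by instance. The order inside
# an instance matters: the fwd rules only see the translated (public)
# source if the outbound divert has already run for that packet.
ipfw_rules() {
    map | awk '
        { row[NR] = $0; if (!($1 in seen)) { seen[$1] = 1; inst[++m] = $1 } }
        END {
            n = 300
            for (j = 1; j <= m; j++) {
                p = inst[j]
                # 1. inbound: each public address is diverted to its instance
                for (i = 1; i <= NR; i++) { split(row[i], f, " ")
                    if (f[1] == p) { printf "add %d divert %s ip from any to %s in\n", n, p, f[6]; n += 100 } }
                # 2. outbound: the private network, once per instance
                for (i = 1; i <= NR; i++) { split(row[i], f, " ")
                    k = p " " f[4]
                    if (f[1] == p && !(k in done)) { done[k] = 1
                        printf "add %d divert %s ip from %s to any out\n", n, p, f[4]; n += 100 } }
                # 3. policy route: translated sources leave via that link
                for (i = 1; i <= NR; i++) { split(row[i], f, " ")
                    if (f[1] == p) { printf "add %d fwd %s ip from %s to any\n", n, f[3], f[6]; n += 100 } }
            }
        }'
}

# Consistency check: every redirect_address must have an inbound divert and
# a fwd rule, and that fwd must be numbered after the instance's out divert.
check_layout() {
    rules=$(ipfw_rules)
    map | while read -r port ifc gw net priv pub; do
        natd_conf "$port" | grep -q "^redirect_address $priv $pub$" || exit 1
        printf '%s\n' "$rules" | grep -q "divert $port ip from any to $pub in" || exit 1
        out=$(printf '%s\n' "$rules" | grep "divert $port ip from $net to any out" | awk '{print $2}')
        fwd=$(printf '%s\n' "$rules" | grep "fwd $gw ip from $pub to any" | awk '{print $2}')
        [ -n "$out" ] && [ -n "$fwd" ] && [ "$fwd" -gt "$out" ] || exit 1
    done
}

# Stand-alone run: print each instance's natd config, then the rule set.
for p in 8668 8669; do
    echo "# natd -f /etc/natd$p.conf"
    natd_conf "$p"
done
ipfw_rules
check_layout
```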
From owner-freebsd-ipfw@FreeBSD.ORG Tue Mar 30 21:22:33 2004
From: flux <flux@hotbox.ru>
To: freebsd-ipfw@freebsd.org
Date: Wed, 31 Mar 2004 09:22:11 +0400
Subject: alias_address
Message-ID: <454891624.20040331092211@hotbox.ru>

Hi,

I know there's an option for the natd daemon called alias_address. As far as I know, this is the field of the IP header of the IP package transmitted to the external network. Is there any possible attack by defining this option as 192.168.... etc.? I mean, if I define alias_address as 192.168..., for instance... Will this package go out of the gateway with natd running and with 192.168....?

--
Best regards,
flux                            mailto:flux@hotbox.ru

From owner-freebsd-ipfw@FreeBSD.ORG Thu Apr 1 23:17:14 2004
From: Igor Popov <Igor@Garant.Koenig.RU>
Organization: LVS
To: freebsd-ipfw@freebsd.org
Date: Fri, 2 Apr 2004 10:10:32 +0300
Subject: natd and tun
Message-Id: <200404021010.38113.Igor@Garant.Koenig.RU>

Hi,

I have a question: would natd work with a tun device? I had already asked this question when FreeBSD 5.2 was released. Someone answered me that I should use ppp's builtin nat, because divert sockets don't work with tun. Simple rules like this

divert all from any to any via tun0
allow all from any to any

did not work. Now I use ipfilter, but I prefer to use ipfw; it is more usable on FreeBSD. Also there is OpenBSD's pf, but it is hard to use with dynamically created interfaces.

--
"I wish there was a knob on the TV to turn up the intelligence.
There's a knob called `brightness', but it doesn't work."
                -- Gallagher

From owner-freebsd-ipfw@FreeBSD.ORG Thu Apr 1 23:37:05 2004
From: Попов Игорь Николаевич <igorpopov@newmail.ru>
To: freebsd-ipfw@freebsd.org
Date: Fri, 02 Apr 2004 11:33:37 +0400
Subject: natd and tun
Message-ID: <20040402073338.26179.qmail@flock1.newmail.ru>

Hi,

I have a question: would natd work with a tun device? I had already asked this question when FreeBSD 5.2 was released. Someone answered me that I should use ppp's builtin nat, because divert sockets don't work with tun. Simple rules like this

        divert all from any to any via tun0
        allow all from any to any

did not work. Now I use ipfilter, but I prefer to use ipfw; it is more usable on FreeBSD. Also there is OpenBSD's pf, but it is hard to use with dynamically created interfaces.

--
"I wish there was a knob on the TV to turn up the intelligence.
There's a knob called `brightness', but it doesn't work."
                -- Gallagher

From owner-freebsd-ipfw@FreeBSD.ORG Fri Apr 2 09:51:44 2004
From: Jean-Pierre PARISY <jpparisy@teaser.fr>
cc: freebsd-ipfw@freebsd.org
Date: Fri, 02 Apr 2004 19:51:40 +0200
Subject: Re: natd and tun
Message-Id: <200404021751.i32Hpeud071280@chuck.bsdjpp.ath.cx>
In-Reply-To: <20040402073338.26179.qmail@flock1.newmail.ru>
On Fri, 02 Apr 2004 11:33:37 +0400, Попов Игорь Николаевич wrote:

> Hi,
> I have a question: would natd work with a tun device? I had already asked
> this question when FreeBSD 5.2 was released.
> Someone answered me that I should use ppp's builtin nat, because divert
> sockets don't work with tun. Simple rules like this
> divert all from any to any via tun0
> allow all from any to any
> did not work.

I'm sure that this works:

# Divert all packets through the tunnel interface.
/sbin/ipfw add 100 divert natd all from any to any via tun0

--
There's no Kabal.

From owner-freebsd-ipfw@FreeBSD.ORG Fri Apr 2 11:30:38 2004
From: Max Laier <max@love2party.net>
To: freebsd-ipfw@freebsd.org
cc: igorpopov@newmail.ru
Date: Fri, 2 Apr 2004 21:31:19 +0000
Subject: Re: natd and tun
Message-Id: <200404022131.21654.max@love2party.net>
In-Reply-To: <200404021751.i32Hpeud071280@chuck.bsdjpp.ath.cx>
On Friday 02 April 2004 17:51, Jean-Pierre PARISY wrote:
> On Fri, 02 Apr 2004 11:33:37 +0400, Попов Игорь Николаевич wrote:
> > Hi,
> > I have a question: would natd work with a tun device? I had already
> > asked this question when FreeBSD 5.2 was released.
> > Someone answered me that I should use ppp's builtin nat, because
> > divert sockets don't work with tun. Simple rules like this
> > divert all from any to any via tun0
> > allow all from any to any
> > did not work.
>
> I'm sure that this works:
>
> # Divert all packets through the tunnel interface.
> /sbin/ipfw add 100 divert natd all from any to any via tun0

Note that libalias was broken for a short time. See:

Message-Id: <200404021757.i32Hvv6R058197@repoman.freebsd.org>

or

http://www.freebsd.org/cgi/cvsweb.cgi/src/lib/libalias/alias.c#rev1.42

--
Best regards,                       | mlaier@freebsd.org
Max Laier                           | ICQ #67774661
http://pf4freebsd.love2party.net/   | mlaier@EFnet