From: Richard Smith
To: Jason Prosser
Cc: freebsd-questions@freebsd.org
Date: Wed, 13 Jun 2001 22:21:18 +0100
Subject: Re: natd/ipfw help...
Message-ID: <20010613222118.A1256@gaia.home.rdls.net>

On Wed, Jun 13, 2001 at 02:44:46PM -0600, Jason Prosser wrote:
> I am using 4.3-Release, and I can't seem to get natd and ipfw properly
> configured. (Yes I am a newbie... =) AND PROUD OF IT! )
>
> I am trying to set up just a basic configuration right now for some network
> performance testing in our lab... Both networks are standalone, so above
> getting the Nat & some basic firewall rules so that all traffic is passed. I
> am not concerned about security.
>
> The configuration that I am trying to set up is:
>
> Network A:(Public) <---> NAT/Firewall <---> Network B:(Private)
>
>
> The Nat/Firewall computer has two ethernet cards xl0 & xl1.
>
> I've trimmed down the kernel to just what I need. (Yes I did add in
> ipfirewall, ipfirewall_verbose, & ipdivert.)
>
> In rc.conf I have: (Above basic information)
> natd -n xl1

You can't put statements like this in rc.conf. rc.conf is included into
many scripts, so the above command line might get invoked several times.

> firewall_enable="YES"
> firewall_type="UNKNOWN"

If you include `firewall_type="open"' that will allow rc.firewall to
define the ipfw rules for you. Also add `natd_enable="YES"' and
`natd_interface="xl1"' to get rc.firewall to start natd for you.

> ifconfig_xl1="inet 10.2.0.1 netmask 255.255.255.0"
> ifconfig_xl0="inet 192.168.13.1 netmask 255.255.255.0"
>
> Firewall rules for right now are
> ipfw -f flush
> ipfw add divert natd tcp from any to any via xl1
> ipfw add divert natd udp from any to any via xl1
> ipfw add allow ip from any to any via xl1
> ipfw add allow ip from any to any via xl0
> ipfw add allow icmp from any to any via xl0
> ipfw add allow icmp from any to any via xl1

All this is done in rc.firewall automagically.

> I figure that I am missing something stupid, but I don't know enough yet to
> figure it out... Thank you for the help ahead of time.

It should all just work now. Oh, don't forget that you need
`gateway_enable="YES"' in rc.conf also.

Rich.
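
Added example (not part of the original message and not FreeBSD project code): a small sh lint for the points made in the reply above, namely that rc.conf may hold only variable assignments and that gateway_enable, firewall_enable, firewall_type, natd_enable and natd_interface must be set. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: lint an rc.conf for the issues raised in the reply.

# Constructed sample: the rc.conf fragment as quoted in the question.
sample_before() {
    cat <<'EOF'
natd -n xl1
firewall_enable="YES"
firewall_type="UNKNOWN"
ifconfig_xl1="inet 10.2.0.1 netmask 255.255.255.0"
ifconfig_xl0="inet 192.168.13.1 netmask 255.255.255.0"
EOF
}

# check_rc_conf FILE: print one finding per line; return 0 only if there are none.
check_rc_conf() {
    file=$1
    rc=0

    # rc.conf is sourced by many scripts, so anything other than an
    # assignment, a comment or a blank line would run every time.
    bare=$(grep -nEv '^[[:space:]]*(#.*)?$|^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=' "$file" || true)
    if [ -n "$bare" ]; then
        printf '%s\n' "$bare" | sed 's/^/command in rc.conf, line /'
        rc=1
    fi

    # Settings named in the reply; an empty value after "=" means "any non-empty value".
    for want in gateway_enable=yes firewall_enable=yes firewall_type=open \
                natd_enable=yes natd_interface=; do
        key=${want%%=*}
        val=${want#*=}
        # The last assignment wins when the file is sourced; compare case-insensitively.
        got=$(sed -n "s/^[[:space:]]*${key}=[\"']\{0,1\}\([^\"'[:space:]#]*\).*/\1/p" "$file" |
              tail -n 1 | tr 'A-Z' 'a-z')
        if [ -z "$got" ] || { [ -n "$val" ] && [ "$got" != "$val" ]; }; then
            echo "$key: want \"${val:-<interface>}\", found \"${got:-unset}\""
            rc=1
        fi
    done
    return "$rc"
}

# Demo on the constructed sample.
tmp=$(mktemp)
sample_before > "$tmp"
check_rc_conf "$tmp" || true
rm -f "$tmp"
```

The check expects firewall_type="open" because that is what the reply recommends for the isolated lab described in the question, where all traffic is meant to pass.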