Date:      Sat, 9 Dec 2000 01:02:28 +0100
From:      Rasmus Rønlev <rasmus@ronlev.com>
To:        <freebsd-questions@freebsd.org>
Subject:   How to get ipnat/ipf up and running
Message-ID:  <034c01c06173$52365680$6401a8c0@home.ronlev.com>

Hi,

I've just recently installed FreeBSD 4.2. I've set up and configured ipfw and natd to give me some basic NAT functionality with a little firewalling on top of it. The real issue is that I would like to construct some more advanced NAT filtering. I.e. I would like to address a lot of port requests to be forwarded to various IPs inside of the FreeBSD box. I know there's the -redirect_port command for natd, but it doesn't seem too flexible since I presume after hitting 256 chars, I'll be unable to supply natd with any more rules...

So, I read that there's also ipf and ipnat, which might be the more advanced and configurable path to go. Hence this is what I would like to set up/install. It looks to me as if all the binaries are there (ipf, ipstat, ipnat, etc.), but what I get when running the various programs is this:

On "ipnat": /dev/ipnat: open: Device not configured
On "ipf -E": open device: Device not configured, and on next line: SIOCFRENB: Bad file descriptor

The bottom of this message contains some cut'n'paste from the kernel bootup dmesg as well as the options I added to the MYKERNEL file (following the newbie kernel compile guide, MYKERNEL is the configuration file for it I reckon :).

Does anyone have some insight as to what I should do to make ipf and ipnat work? I reckon I also need to create some devices in /dev. I'd appreciate info on how to do that as well (as I basically suck with /dev entries ;).

I hope you can help me, or if I posted in the wrong mailing list redirect me to the proper one.

Regards,
Rasmus (rasmus@ronlev.com)

[ START: Additional information - might be useful, might not, I dunno ]

From my kernel boot, I have the following info (which I think might be important):

DUMMYNET initialized (000608)
IP packet filtering initialized, divert enabled, rule-based forwarding disabled, default to accept, logging limited to 100 packets/entry by default

I've also set up the following 'extra' info in the file MYKERNEL (default, since I'm a FBSD newbie, for compiling a custom kernel):

# Additional Parameters, Required for this particular kernel ;)
options IPFIREWALL # Enable firewall code
options IPFIREWALL_VERBOSE # Send filtered packets to logger
options IPFIREWALL_VERBOSE_LIMIT=100
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPDIVERT # Enable divert sockets
options DUMMYNET # Possible traffic shaping on IPs
options IPFILTER # Enable IP Filter

[ END: Additional information - might be useful, might not, I dunno ]
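Added example, not part of the original post: an /etc/ipnat.rules of the kind the poster is after, written for the IP Filter 3.4 that ships with FreeBSD 4.2, with the kernel and /dev prerequisites that the "Device not configured" errors point to noted in the comments. The outside interface fxp0, the inside network 192.168.1.0/24 and the target hosts and ports are assumed values, and the rc.conf knobs and MAKEDEV target are quoted from memory of the 4.x base system.

```conf
# /etc/ipnat.rules
# Loaded at boot with ipnat_enable="YES" in /etc/rc.conf (ipfilter_enable="YES"
# for the filter itself), or by hand:  ipnat -CF -f /etc/ipnat.rules
#
# Prerequisites (FreeBSD 4.x, assumed):
#   - the kernel that is actually running was built with
#         options IPFILTER
#         options IPFILTER_LOG
#     and installed/booted afterwards; it then logs
#     "IP Filter: v3.4.x initialized ..." in dmesg, which the excerpt
#     above does not show.
#   - the device nodes exist:   cd /dev && sh MAKEDEV ipl
#     (creates /dev/ipl, /dev/ipnat, /dev/ipstate, /dev/ipauth)
#   "open: Device not configured" (ENXIO) means the node is present but no
#   driver is behind it, i.e. the running kernel has no IP Filter code.
#   A missing node would instead give "No such file or directory".
#
# Rules are tried top to bottom, first match wins.
# fxp0 = outside interface, 192.168.1.0/24 = inside network (assumed).

# Outbound NAT: rewrite inside sources to the address of fxp0 (0/32),
# moving TCP/UDP source ports into 40000-60000 to avoid collisions,
# then a catch-all for protocols without ports (ICMP etc.).
map fxp0 192.168.1.0/24 -> 0/32 portmap tcp/udp 40000:60000
map fxp0 192.168.1.0/24 -> 0/32

# Inbound redirects: one line per forwarded service, as many as needed.
# web server on host .10
rdr fxp0 0.0.0.0/0 port 80  -> 192.168.1.10 port 80  tcp
rdr fxp0 0.0.0.0/0 port 443 -> 192.168.1.10 port 443 tcp
# ssh to host .11, reached on a different outside port
rdr fxp0 0.0.0.0/0 port 2222 -> 192.168.1.11 port 22 tcp
# DNS on host .12, both transports
rdr fxp0 0.0.0.0/0 port 53 -> 192.168.1.12 port 53 tcp/udp

# Verify:  ipnat -l   (lists loaded rules and the live translation table)
```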

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?034c01c06173$52365680$6401a8c0>