Date: Sat, 9 Dec 2000 01:02:28 +0100
From: Rasmus Rønlev <rasmus@ronlev.com>
To: <freebsd-questions@freebsd.org>
Subject: How to get ipnat/ipf up and running
Message-ID: <034c01c06173$52365680$6401a8c0@home.ronlev.com>
Hi,

I've just recently installed FreeBSD 4.2. I've set up and configured ipfw and natd to give me some basic NAT functionality with a little firewalling on top of it. The real issue is that I would like to construct some more advanced NAT filtering, i.e. I would like to address a lot of port requests to be forwarded to various IPs inside of the FreeBSD box. I know there's the -redirect_port command for natd, but it doesn't seem too flexible since I presume after hitting 256 chars, I'll be unable to supply natd with any more rules...

So, I read that there's also ipf and ipnat, which might be the more advanced and configurable path to go. Hence this is what I would like to set up/install. It looks to me as if all the binaries are there (ipf, ipstat, ipnat, etc.), but what I get when running the various programs is this:

On "ipnat": /dev/ipnat: open: Device not configured
On "ipf -E": open device: Device not configured, and on the next line: SIOCFRENB: Bad file descriptor

The bottom of this message contains some cut'n'paste from the kernel bootup dmesg as well as the options I added to the MYKERNEL file (following the newbie kernel compile guide, MYKERNEL is the configuration file for it I reckon :).

Does anyone have some insight as to what I should do to make ipf and ipnat work? I reckon I also need to create some devices in /dev. I'd appreciate info on how to do that as well (as I basically suck with /dev entries ;).

I hope you can help me, or if I posted in the wrong mailing list redirect me to the proper one.

Regards,
Rasmus (rasmus@ronlev.com)

[ START: Additional information - might be useful, might not, I dunno ]

From my kernel boot, I have the following info (which I think might be important):

    DUMMYNET initialized (000608)
    IP packet filtering initialized, divert enabled, rule-based forwarding disabled, default to accept, logging limited to 100 packets/entry by default

I've also set up the following 'extra' info in the file MYKERNEL (default, since I'm a FBSD newbie, for compiling a custom kernel):

    # Additional Parameters, Required for this particular kernel ;)
    options IPFIREWALL                  # Enable firewall code
    options IPFIREWALL_VERBOSE          # Send filtered packets to logger
    options IPFIREWALL_VERBOSE_LIMIT=100
    options IPFIREWALL_DEFAULT_TO_ACCEPT
    options IPDIVERT                    # Enable divert sockets
    options DUMMYNET                    # Possible traffic shaping on IPs
    options IPFILTER                    # Enable IP Filter

[ END: Additional information - might be useful, might not, I dunno ]
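A small diagnostic for the symptoms in the post above, added here as an example and not part of the original mail: it compares the options listed in MYKERNEL against the banners the booted kernel actually printed, then reads the errno text of the failed open() to separate "node exists but no driver" from "node missing". The "IP Filter:" boot banner string and the errno interpretations are assumptions, not something the post shows.

```python
import re

# Constructed sample inputs copied from the post: the dmesg excerpt, the
# MYKERNEL options and the error that "ipnat" printed.
SAMPLE_DMESG = """DUMMYNET initialized (000608)
IP packet filtering initialized, divert enabled, rule-based forwarding disabled, default to accept, logging limited to 100 packets/entry by default
"""
SAMPLE_CONFIG = """options IPFIREWALL # Enable firewall code
options IPDIVERT # Enable divert sockets
options DUMMYNET # Possible traffic shaping on IPs
options IPFILTER # Enable IP Filter
"""
SAMPLE_ERRORS = ["/dev/ipnat: open: Device not configured"]

# Boot banner each option prints. The "IP Filter:" banner is an assumption
# taken from IPFilter's attach code, not something the post shows.
BANNERS = {"IPFIREWALL": "IP packet filtering initialized",
           "DUMMYNET": "DUMMYNET initialized", "IPFILTER": "IP Filter:"}

def configured_options(config_text):
    """Option names enabled in a kernel config file, trailing comments ignored."""
    opts = set()
    for line in config_text.splitlines():
        m = re.match(r"options\s+(\w+)", line.split("#", 1)[0].strip())
        if m:
            opts.add(m.group(1))
    return opts

def booted_features(dmesg_text):
    """Options the running kernel actually announced at boot."""
    found = set()
    for line in dmesg_text.splitlines():
        found.update(opt for opt, banner in BANNERS.items() if line.startswith(banner))
        if line.startswith(BANNERS["IPFIREWALL"]) and "divert enabled" in line:
            found.add("IPDIVERT")
    return found

def diagnose(config_text, dmesg_text, open_errors):
    """Compare the config with what booted, then read the errno text of each open()."""
    wanted = configured_options(config_text) & (set(BANNERS) | {"IPDIVERT"})
    findings = [f"{opt} is in the config but the running kernel never announced it: "
                "rebuild and install the kernel, then reboot"
                for opt in sorted(wanted - booted_features(dmesg_text))]
    for err in open_errors:
        dev, msg = err.split(": open: ", 1)
        if msg == "Device not configured":        # ENXIO: node exists, no driver behind it
            findings.append(f"{dev} exists but has no driver attached (ENXIO): kernel lacks IPFILTER")
        elif msg == "No such file or directory":  # ENOENT: the node itself is missing
            findings.append(f"{dev} is missing (ENOENT): the device node was never created")
    return findings
```

On the post's own data the result is two findings: IPFILTER was configured but never booted, and /dev/ipnat exists without a driver, which points at the kernel rather than at /dev.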
