From: Rasmus Rønlev
To: freebsd-questions@freebsd.org
Subject: How to get ipnat/ipf up and running
Date: Sat, 9 Dec 2000 01:02:28 +0100

Hi,

I've just recently installed FreeBSD 4.2. I've set up and configured ipfw and natd to give me some basic NAT functionality with a little firewalling on top of it. The real issue is that I would like to construct some more advanced NAT filtering, i.e. I would like a lot of port requests to be forwarded to various IPs inside of the FreeBSD box. I know there's the -redirect_port command for natd, but it doesn't seem too flexible, since I presume after hitting 256 chars I'll be unable to supply natd with any more rules...

So, I read that there's also ipf and ipnat, which might be the more advanced and configurable path to go. Hence this is what I would like to set up/install. It looks to me as if all the binaries are there (ipf, ipstat, ipnat, etc.), but what I get when running the various programs is this:

On "ipnat": /dev/ipnat: open: Device not configured
On "ipf -E": open device: Device not configured, and on the next line: SIOCFRENB: Bad file descriptor

The bottom of this message contains some cut'n'paste from the kernel bootup dmesg as well as the options I added to the MYKERNEL file (following the newbie kernel compile guide, MYKERNEL is the configuration file for it, I reckon :).

Does anyone have some insight as to what I should do to make ipf and ipnat work? I reckon I also need to create some devices in /dev. I'd appreciate info on how to do that as well (as I basically suck with /dev entries ;).

I hope you can help me, or if I posted in the wrong mailing list, redirect me to the proper one.

Regards,
Rasmus (rasmus@ronlev.com)

[ START: Additional information - might be useful, might not, I dunno ]

From my kernel boot, I have the following info (which I think might be important):

    DUMMYNET initialized (000608)
    IP packet filtering initialized, divert enabled, rule-based forwarding disabled, default to accept, logging limited to 100 packets/entry by default

I've also set up the following 'extra' info in the file MYKERNEL (default, since I'm a FBSD newbie, for compiling a custom kernel):

    # Additional Parameters, Required for this particular kernel ;)
    options IPFIREWALL                      # Enable firewall code
    options IPFIREWALL_VERBOSE              # Send filtered packets to logger
    options IPFIREWALL_VERBOSE_LIMIT=100
    options IPFIREWALL_DEFAULT_TO_ACCEPT
    options IPDIVERT                        # Enable divert sockets
    options DUMMYNET                        # Possible traffic shaping on IPs
    options IPFILTER                        # Enable IP Filter

[ END: Additional information - might be useful, might not, I dunno ]
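The message above asks how to move a long list of port forwards from natd to ipnat. As an added worked example (not code from the original message, nor from the FreeBSD or IPFilter projects), the script below derives an ipnat.rules redirect list and the matching default-deny ipf.rules from a single table, so that the filter passes exactly the services that are redirected and nothing else. The external interface name ed0, the 192.168.1.0/24 inside network and the host addresses are constructed assumptions. The point the shared table enforces: ipnat's rdr translation is applied to an inbound packet before ipf filters it, so the pass rules must name the inside host and inside port, not the public port.

```python
"""Derive /etc/ipnat.rules and /etc/ipf.rules from one redirect table.

Added example for a FreeBSD 4.x IPFilter gateway; not code from the
original message.  The interface name (ed0), the inside network and the
host addresses are constructed assumptions.
"""
import ipaddress

EXT_IF = "ed0"                                        # assumed external interface
INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")   # assumed inside network

# Constructed sample table: (protocol, public port, inside host, inside port).
REDIRECTS = [
    ("tcp", 80,   "192.168.1.10", 80),
    ("tcp", 443,  "192.168.1.10", 443),
    ("tcp", 2222, "192.168.1.20", 22),
    ("udp", 53,   "192.168.1.30", 53),
]


def check_redirects(redirects, inside_net=INSIDE_NET):
    """Catch table mistakes that ipnat itself loads without complaint:
    two rdr rules on the same protocol/public port (only the first ever
    matches), a target outside the inside network, or a bad port."""
    seen = set()
    for proto, pub_port, host, int_port in redirects:
        if proto not in ("tcp", "udp"):
            raise ValueError(f"unsupported protocol {proto!r}")
        if (proto, pub_port) in seen:
            raise ValueError(f"duplicate redirect for {proto}/{pub_port}")
        seen.add((proto, pub_port))
        if ipaddress.ip_address(host) not in inside_net:
            raise ValueError(f"{host} is not inside {inside_net}")
        if not (0 < pub_port < 65536 and 0 < int_port < 65536):
            raise ValueError(f"bad port in {proto}/{pub_port} -> {host}:{int_port}")
    return True


def ipnat_rules(redirects=REDIRECTS, ext_if=EXT_IF, inside_net=INSIDE_NET):
    """One rdr line per table entry, then outbound map rules.  ipnat reads
    the whole table from a file, so it can hold as many redirects as needed."""
    check_redirects(redirects, inside_net)
    lines = [f"rdr {ext_if} 0.0.0.0/0 port {pub_port} -> {host} port {int_port} {proto}"
             for proto, pub_port, host, int_port in redirects]
    # Translate everything else from the inside network to the interface address.
    lines.append(f"map {ext_if} {inside_net} -> 0/32 portmap tcp/udp 10000:20000")
    lines.append(f"map {ext_if} {inside_net} -> 0/32")
    return lines


def ipf_rules(redirects=REDIRECTS, ext_if=EXT_IF, inside_net=INSIDE_NET):
    """Default-deny inbound on the external interface, passing only the
    redirected services.  rdr rewrites an inbound packet before ipf sees
    it, so the pass rules name the inside host and port, not the public
    port; writing the public port here would silently block the service."""
    check_redirects(redirects, inside_net)
    lines = [
        # Traffic claiming to come from loopback or from our own inside
        # network cannot legitimately arrive on the external interface.
        f"block in log quick on {ext_if} from 127.0.0.0/8 to any",
        f"block in log quick on {ext_if} from {inside_net} to any",
        # Outbound connections from the gateway and the inside network.
        f"pass out quick on {ext_if} proto tcp from any to any flags S keep state",
        f"pass out quick on {ext_if} proto udp from any to any keep state",
        f"pass out quick on {ext_if} proto icmp from any to any keep state",
    ]
    for proto, _pub_port, host, int_port in redirects:
        if proto == "tcp":
            lines.append(f"pass in quick on {ext_if} proto tcp from any to {host} "
                         f"port = {int_port} flags S keep state")
        else:
            lines.append(f"pass in quick on {ext_if} proto udp from any to {host} "
                         f"port = {int_port} keep state")
    # Anything not explicitly passed above is dropped and logged.
    lines.append(f"block in log quick on {ext_if} all")
    return lines


if __name__ == "__main__":
    print("# /etc/ipnat.rules")
    print("\n".join(ipnat_rules()))
    print("\n# /etc/ipf.rules")
    print("\n".join(ipf_rules()))
```

Write the two outputs to /etc/ipnat.rules and /etc/ipf.rules, then load them with `ipf -E`, `ipf -Fa -f /etc/ipf.rules` and `ipnat -CF -f /etc/ipnat.rules` (flush before reload, so stale rdr entries do not linger). Note that the errors quoted in the message, "Device not configured" (ENXIO) on opening /dev/ipnat and /dev/ipl, are what open(2) returns when the device node exists but the running kernel has no IPFILTER driver behind it; none of the rules above load until a kernel built with `options IPFILTER` is actually the one booted.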