From owner-freebsd-questions@FreeBSD.ORG Mon Aug 15 08:47:01 2005
Date: Mon, 15 Aug 2005 04:46:54 -0400
From: Tim Holmes
To: freebsd-questions@freebsd.org
Message-ID: <20050815084654.GA1472@blackguy.unixtechs.org>
Subject: FreeBSD Gateway problems

For years I've used FreeBSD as my gateway. Well, I haven't had a high speed connection for 3 years now, and I've just gotten it back. Since then I've reloaded the machine from 4.3 to 5.3. I thought I had it all set up so when I did get a connection, I could make a quick edit to my rc.conf and I'd be ready to go. Well, turns out I was way off.
The machine has no problems getting an IP from the cable modem, and I can get anywhere I want from that machine directly. (I'm currently ssh'd to the router machine to send email and use w3m to find How-Tos.) But it won't pass traffic from the rest of the network. Here are the settings in my rc.conf:

    gateway_enable="YES"          # Enable as Lan gateway
    # firewall_enable="YES"
    natd_enable="YES"
    natd_interface="xl0"
    natd_flags="-f /etc/natd.conf"
    ipmon_enable="YES"
    ipmon_flags="-Ds"

The firewall_enable is disabled now because when it's turned on, I can't actually get out from directly on the machine. At this point I just want it to do the routing, and then I can work on building a firewall afterwards. Before I did the update and rebuilt the kernel yesterday, I had these options in rc.conf:

    # ipnat_enable="YES"                 # Start ipnat function
    # ipnat_rules="/etc/ipnat.rules"     # rules definition file for ipnat
    # ipfilter_enable="YES"              # Start ipf firewall
    # ipfilter_rules="/etc/ipf.rules"    # loads rules definition text file

Well, all these other How-Tos I found on FreeBSDDiary.org told me all I needed was "gateway_enable=YES" and "firewall_enable=YES", and also to add these two options to the kernel:

    options IPFILTER
    options IPDIVERT

But that wasn't working. Another mentioned I needed defaultrouter="192.168.2.254", but that's not doing it either. It wasn't actually running nat, and I'd get errors if I tried to start it. Here's the message I saw at boot after a new kernel:

    1: unexpected keyword (any) - from
    /sbin/ipf: /etc/ipf.rules: parse error (-1), quitting
    /etc/rc: WARNING: NO IPNAT RULES

After following some other How-Tos I tried running ipfw, but I keep getting an error message that won't return any helpful searches from Google.
    # ipnat -f /etc/ipnat.conf
    ioctl(SIOCGNATS): Operation not permitted
    # ipfw -f flush
    ipfw: setsockopt(IP_FW_FLUSH): Protocol not available
    # ipf -FA -f /etc/ipf.rules
    ioctl(SIOCIPFFL): Operation not permitted
    # ipfw add divert natd all from any to any via xl0
    ipfw: getsockopt(IP_FW_ADD): Protocol not available

None of those error messages will give me anything to go on. So I'm at a loss here. Can anybody point me to a How-To, or share their rc.conf edits to make this work?

I know this was a little long, but thanks in advance for the help.

tdh
-- 
----------------+-------------------------------------------------
      \./       | Tim Holmes -- em@il: tim@unixtechs.org
     (0Y0)      | UIN: 17021091 -- AIM: tdh004
-ooO--(_)--Ooo--+-------------------------------------------------
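A sanity check for the kind of rc.conf quoted in this post, added here as an example (it is not code from the post or from FreeBSD): it evaluates an rc.conf fragment the way the rc scripts would and warns about NAT/firewall knob combinations that cannot forward traffic. It assumes FreeBSD 5.x rc semantics (natd's divert rule is installed by /etc/rc.firewall, so natd needs firewall_enable="YES"; ipnat is only started when ipfilter_enable="YES"), and the sample fragment is constructed from the settings above.

```shell
#!/bin/sh
# Added example, not from the post: lint an rc.conf fragment for NAT/firewall
# combinations that will not forward traffic. Assumes FreeBSD 5.x rc semantics:
# natd's divert rule is installed by /etc/rc.firewall (so natd needs
# firewall_enable="YES"), and ipnat is only started when ipfilter_enable="YES".

# Constructed sample mirroring the rc.conf quoted in the post.
SAMPLE_RCCONF=$(cat <<'EOF'
gateway_enable="YES"          # Enable as Lan gateway
# firewall_enable="YES"
natd_enable="YES"
natd_interface="xl0"
natd_flags="-f /etc/natd.conf"
EOF
)

# Same idea as rc.subr's checkyesno: true for YES/TRUE/ON/1, false otherwise.
checkyesno() {
    case "$1" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# Evaluate the fragment in a subshell (assignments stay local) and print one
# WARNING line per problem found.
check_rcconf() {
    (
        eval "$1"
        if ! checkyesno "${gateway_enable:-NO}"; then
            echo "WARNING: gateway_enable is not YES; the kernel will not forward packets"
        fi
        if checkyesno "${natd_enable:-NO}"; then
            checkyesno "${firewall_enable:-NO}" ||
                echo "WARNING: natd_enable=YES but firewall_enable is not YES: rc.firewall never installs the divert rule"
        fi
        if checkyesno "${ipnat_enable:-NO}" && ! checkyesno "${ipfilter_enable:-NO}"; then
            echo "WARNING: ipnat_enable=YES but ipfilter_enable is not YES: ipnat rules are never loaded"
        fi
    )
}

# Number of WARNING lines for a fragment (0 means the combination is consistent).
count_warnings() {
    check_rcconf "$1" | awk '/^WARNING/ { n++ } END { print n + 0 }'
}

check_rcconf "$SAMPLE_RCCONF"
```

Run it against a real /etc/rc.conf with `check_rcconf "$(cat /etc/rc.conf)"`; a clean run prints nothing.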