Date: Mon, 15 Aug 2005 02:16:39 -0700
From: Glenn Dawson <glenn@antimatter.net>
To: Tim Holmes <tim@unixtechs.org>, freebsd-questions@freebsd.org
Subject: Re: FreeBSD Gateway problems
Message-ID: <6.1.0.6.2.20050815015449.0fb7a4b0@cobalt.antimatter.net>
In-Reply-To: <20050815084654.GA1472@blackguy.unixtechs.org>
References: <20050815084654.GA1472@blackguy.unixtechs.org>
At 01:46 AM 8/15/2005, Tim Holmes wrote:
>For years I've used a FreeBSD as my gateway. Well I haven't had a high
>speed connection for 3 years now, and I've just gotten it back. Since
>then I've reloaded the machine from 4.3 to 5.3. I thought I had it all
>set up so when I did get connection, I could make a quick edit to my
>rc.conf and I'd be ready to go. Well turns out I was way off.
>
>The machine has no problems getting an IP from the cable modem, and I can
>get anywhere I want from that machine directly. (I'm currently ssh'd to
>the router machine to send email, use w3m to find How-Tos) But it won't
>pass traffic from the rest of the network.
>
>Here are the settings in my rc.conf:
>
>gateway_enable="YES" # Enable as Lan gateway
># firewall_enable="YES"
>natd_enable="YES"
>natd_interface="xl0"
>natd_flags="-f /etc/natd.conf"
>ipmon_enable="YES"
>ipmon_flags="-Ds"
>
>The firewall_enable is disabled now because when it's turned on, I can't
>actually get out from directly on the machine. At this point I just want
>it to do the routing and then I can work on building a firewall afterwards.

If you use options IPFIREWALL_DEFAULT_TO_ACCEPT that will allow you to get
the other things working, and you can figure out your firewall rules once
everything else works.

>Before I did the update and rebuilt the kernel yesterday, I had these options
>in rc.conf
>
># ipnat_enable="YES" # Start ipnat function
># ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnat
># ipfilter_enable="YES" # Start ipf firewall
># ipfilter_rules="/etc/ipf.rules" # loads rules definition text file
>
>Well all these other How-Tos I found on FreeBSDDiary.org told me all I needed
>was "gateway_enable=YES" and "firewall_enable=YES". Also to add these two
>options to the kernel:
>
>options IPFILTER
>options IPDIVERT

To use ipfw adding these options to your kernel is a good place to start:

options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_DEFAULT_TO_ACCEPT

If you're using natd, you'll also want:

options IPDIVERT

If you want to use ipnat (ipfilter) you'll want:

options IPFILTER

>But that wasn't working. Another mentioned I needed
>defaultrouter="192.168.2.254",
>but that's not doing it either. It wasn't actually running nat, and I'd
>get errors
>if I tried to start. Here's the message I saw at boot after a new kernel.

The default router for the FreeBSD machine should be supplied by the dhcp
server that gives you your IP address. Also, you will need to use NAT since
the cable modem probably only gives you a single IP.

>1: unexpected keyword (any) - from
>/sbin/ipf: /etc/ipf.rules: parse error (-1), quitting
>/etc/rc: WARNING: NO IPNAT RULES
>
>After following some other How-Tos I tried running ipfw, but I keep
>getting an error
>message that won't return any helpful searches from Google.
>
># ipnat -f /etc/ipnat.conf
>ioctl(SIOCGNATS): Operation not permitted
># ipfw -f flush
>ipfw: setsockopt(IP_FW_FLUSH): Protocol not available
># ipf -FA -f /etc/ipf.rules
>ioctl(SIOCIPFFL): Operation not permitted
># ipfw add divert natd all from any to any via xl0
>ipfw: getsockopt(IP_FW_ADD): Protocol not available

The errors suggest that ipfw isn't in your kernel, and likely is not loaded
from a module. If kldstat doesn't show it loaded, and you don't have
options IPFIREWALL in your kernel, that will cause errors like those.

If you'd like some sample configs, contact me off list and I'll send you
copies of some that I typically use as a starting point.

-Glenn

>None of those error messages will give me anything to go on. So I'm at a
>loss here. Can
>anybody point me to a How-To, or share their rc.conf edits to make this work?
>
>I know this was a little long, but thanks in advance for the help.
>
>tdh
>--
> ----------------+-------------------------------------------------
> \./ | Tim Holmes -- em@il: tim@unixtechs.org
> (0Y0) | UIN: 17021091 -- AIM: tdh004
> -ooO--(_)--Ooo--+-------------------------------------------------
>_______________________________________________
>freebsd-questions@freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
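Editor's worked example (added here; it is not code from either poster). It does two things Glenn describes in prose: it sorts the error lines Tim pasted by which stack produced them, since "Protocol not available" on an IP_FW_* socket option is the signature of a kernel with no ipfw code at all, while the "Operation not permitted" ioctl errors come from the separate ipfilter /dev/ipl and /dev/ipnat interfaces and are not fixed by adding options IPFIREWALL; and it emits the minimal ipfw+natd pieces (rc.conf lines, natd.conf, an ipfw rule file) that replace the commented-out ipnat/ipfilter lines in Tim's rc.conf. Assumptions not stated in the thread: the outside interface is xl0 (from his natd_interface line) and the kernel has IPFIREWALL, IPFIREWALL_DEFAULT_TO_ACCEPT and IPDIVERT as Glenn recommends. The checker functions take the output of kldstat and sysctl as strings so they can be exercised offline; the sample inputs in the comments are constructed.

```shell
#!/bin/sh
# Added example for the "FreeBSD Gateway problems" thread; not from the
# original posters. Assumes outside interface xl0 and an ipfw kernel with
# IPFIREWALL, IPFIREWALL_DEFAULT_TO_ACCEPT and IPDIVERT.

EXT_IF=xl0

# Map one of the pasted error lines to the stack it came from.
# ipfw programs the kernel via setsockopt/getsockopt(IP_FW_*); ENOPROTOOPT
# ("Protocol not available") there means the ipfw code is absent, neither
# compiled in nor loaded as ipfw.ko.  ipf/ipnat use ioctl on /dev/ipl and
# /dev/ipnat; those errors belong to ipfilter and are a separate problem.
classify_error() {
    case "$1" in
        *IP_FW_*'Protocol not available'*) echo ipfw-not-in-kernel ;;
        *SIOC*'Operation not permitted'*)  echo ipfilter-ioctl-refused ;;
        *)                                 echo unknown ;;
    esac
}

# Decide whether ipfw is present from the text of `kldstat` ($1) and of
# `sysctl net.inet.ip.fw.enable` ($2).  On the gateway call it as:
#   ipfw_present "$(kldstat)" "$(sysctl net.inet.ip.fw.enable 2>/dev/null)"
# A compiled-in ipfw shows no module in kldstat but does expose the sysctl.
ipfw_present() {
    case "$1" in *ipfw.ko*) return 0 ;; esac
    case "$2" in net.inet.ip.fw.enable:*) return 0 ;; esac
    return 1
}

# /etc/ipfw.rules: send everything crossing the outside interface through
# natd before any allow rule, or NAT never sees the packets.  rc.firewall
# flushes the list before loading a rule file, so no "flush" line is needed
# (a bare "flush" would prompt for confirmation unless ipfw runs with -q).
# Tighten rule 200 once the gateway passes traffic.
ipfw_rules() {
    cat <<EOF
add 100 divert natd ip from any to any via $EXT_IF
add 200 allow ip from any to any
EOF
}

# rc.conf lines.  firewall_type may name a file of ipfw commands; the
# ipmon/ipnat/ipfilter lines from the original rc.conf are not needed.
rc_conf_lines() {
    cat <<EOF
gateway_enable="YES"
firewall_enable="YES"
firewall_type="/etc/ipfw.rules"
natd_enable="YES"
natd_interface="$EXT_IF"
natd_flags="-f /etc/natd.conf"
EOF
}

# /etc/natd.conf: "dynamic yes" makes natd follow the DHCP-assigned address
# on the cable-modem side when it changes.
natd_conf() {
    cat <<EOF
interface $EXT_IF
dynamic yes
same_ports yes
use_sockets yes
EOF
}

# Run as `sh gateway.sh show` to print the three files.
if [ "${1:-}" = show ]; then
    echo "# /etc/rc.conf";    rc_conf_lines
    echo "# /etc/natd.conf";  natd_conf
    echo "# /etc/ipfw.rules"; ipfw_rules
fi
```

After building the kernel and dropping the three files in place, `kldstat` or `sysctl net.inet.ip.fw.enable` is the first check to run: with the sysctl present, the `ipfw -f flush` and `ipfw add divert` commands from the post stop returning "Protocol not available", and `ipfw show` will list rule 100 with a non-zero packet counter once LAN hosts start using the gateway.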
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?6.1.0.6.2.20050815015449.0fb7a4b0>