Date: Sat, 9 Dec 2000 18:21:42 -0800
From: "Crist J. Clark"
To: Rasmus Rønlev
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: How to get ipnat/ipf up and running
Message-ID: <20001209182142.F96105@149.211.6.64.reflexcom.com>
Reply-To: cjclark@alum.mit.edu
References: <034c01c06173$52365680$6401a8c0@home.ronlev.com>
In-Reply-To: <034c01c06173$52365680$6401a8c0@home.ronlev.com>; from rasmus@ronlev.com on Sat, Dec 09, 2000 at 01:02:28AM +0100

[The broken MUA you are using puts your paragraphs all on one line.
Please wrap your lines at about 72 columns or so.]

On Sat, Dec 09, 2000 at 01:02:28AM +0100, Rasmus Rønlev wrote:
> Hi,
>
> I've just recently installed FreeBSD 4.2. I've set up and configured
> ipfw and natd to give me some basic NAT functionality with a little
> firewalling on top of it. The real issue is that I would like to
> construct some more advanced NAT filtering, i.e. I would like to
> address a lot of port requests to be forwarded to various IPs inside
> of the FreeBSD box.
>
> I know there's the -redirect_port command for natd, but it doesn't
> seem too flexible, since I presume after hitting 256 chars, I'll be
> unable to supply natd with any more rules...

Well, the command line limit is a lot greater than 256 characters, but
before you got to that point I would recommend using a configuration
file for natd. See the -f option of natd(8).

But there could still be reasons one would want to use IPFilter, so...

> So, I read that there's also ipf and ipnat, which might be the more
> advanced and configurable path to go. Hence this is what I would like
> to set up/install. It looks to me as if all the binaries are there
> (ipf, ipstat, ipnat, etc.), but what I get when running the various
> programs is this:
>
> On "ipnat" : /dev/ipnat: open: Device not configured
> On "ipf -E" : open device: Device not configured, and on next line:
>               SIOCFRENB: Bad file descriptor

Do you have a /dev/ipnat? Probably not, which would explain the error.

> The bottom of this message contains some cut'n'paste from the kernel
> bootup dmesg as well as the options I added to the MYKERNEL file
> (following the newbie kernel compile guide, MYKERNEL is the
> configuration file for it I reckon :).
>
> Does anyone have some insight as to what I should do to make ipf and
> ipnat work? I reckon I also need to create some devices in /dev. I'd
> appreciate info on how to do that as well (as I basically suck with
> /dev entries ;).

Let's find out how to make ipnat together,

  % more /dev/MAKEDEV
  .
  .
  # Special purpose devices:
  .
  .
  .
  #       ipl     ipfilter control devices (ipl, ipnat, ipstate, ipauth)

So, all you need to do is,

  # cd /dev
  # ./MAKEDEV ipl

> I hope you can help me, or if I posted in the wrong mailing list
> redirect me to the proper one.
>
> From my kernel boot, I have the following info (which I think might be
> important):
>
> DUMMYNET initialized (000608)
> IP packet filtering initialized, divert enabled, rule-based forwarding
> disabled, default to accept, logging limited to 100 packets/entry by
> default

Well, ipfw is all go, but you wanted to use IPFilter?

> I've also set up the following 'extra' info in the file MYKERNEL
> (default, since I'm a FBSD newbie, for compiling a custom kernel):
>
> # Additional Parameters, Required for this particular kernel ;)
> options IPFIREWALL                # Enable firewall code
> options IPFIREWALL_VERBOSE        # Send filtered packets to logger
> options IPFIREWALL_VERBOSE_LIMIT=100
> options IPFIREWALL_DEFAULT_TO_ACCEPT
> options IPDIVERT                  # Enable divert sockets
> options DUMMYNET                  # Possible traffic shaping on IPs

That's all ipfw stuff.

> options IPFILTER                  # Enable IP Filter

That's all you need if you will just use IPFilter.

-- 
Crist J. Clark                           cjclark@alum.mit.edu
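As an added illustration of the two approaches discussed in this reply (not part of the original message), here is what a natd configuration file with several port redirections looks like next to the equivalent IPFilter ipnat rules. The interface name fxp0, the inside network 192.168.0.0/24 and the forwarded hosts are assumed.

```conf
# /etc/natd.conf  (started with: natd -f /etc/natd.conf; interface fxp0 assumed)
interface fxp0
use_sockets yes
same_ports yes
# one redirect per line: no command-line length to worry about
redirect_port tcp 192.168.0.10:80  80
redirect_port tcp 192.168.0.10:443 443
redirect_port tcp 192.168.0.11:25  25
redirect_port udp 192.168.0.12:53  53
# ipfw still has to hand the packets to natd (kernel built with IPDIVERT):
#   ipfw add 50 divert natd all from any to any via fxp0

# /etc/ipnat.rules  (IPFilter alternative; loaded with: ipnat -CF -f /etc/ipnat.rules)
# outbound NAT for the inside network
map fxp0 192.168.0.0/24 -> 0/32 portmap tcp/udp 10000:60000
map fxp0 192.168.0.0/24 -> 0/32
# inbound redirections, one rdr per forwarded port
rdr fxp0 0/0 port 80  -> 192.168.0.10 port 80  tcp
rdr fxp0 0/0 port 443 -> 192.168.0.10 port 443 tcp
rdr fxp0 0/0 port 25  -> 192.168.0.11 port 25  tcp
rdr fxp0 0/0 port 53  -> 192.168.0.12 port 53  udp
```

Every redirect_port or rdr line exposes an inside host to the outside, so list only the services that really need to be reachable and keep the corresponding ipfw or ipf pass rules just as narrow.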