Date:      Sun, 11 Mar 2012 08:55:53 +1000
From:      Da Rock <freebsd-ipfw@herveybayaustralia.com.au>
To:        freebsd-ipfw@freebsd.org
Subject:   Re: newbie IPFW user
Message-ID:  <4F5BDBF9.4000807@herveybayaustralia.com.au>
In-Reply-To: <20120311020742.G10482@sola.nimnet.asn.au>
References:  <4F5A161C.8060407@herveybayaustralia.com.au> <4F5B2348.2080405@freebsd.org> <4F5B5187.2010303@herveybayaustralia.com.au> <20120311020742.G10482@sola.nimnet.asn.au>

On 03/11/12 02:28, Ian Smith wrote:
> On Sat, 10 Mar 2012 23:05:11 +1000, Da Rock wrote:
>   >  On 03/10/12 19:47, Julian Elischer wrote:
>   >  >  On 3/9/12 6:39 AM, Da Rock wrote:
>   >  >  >  I'm relatively new to IPFW, not FBSD; the last time I used IPFW (I
>   >  >  >  believe) was using 4.3. I'm now attempting to use IPFW for some tests
>   >  >  >  (and hopefully move to production), and I'm trying to determine how I
>   >  >  >  would setup binat using IPFW; or even if it's possible at all.
>   >  >  >
>   >  >  >  I've been hunting some more in depth documentation, but it appears to be
>   >  >  >  scarce/not definitive. I suspect using the modes in libalias such as "use
>   >  >  >  same ports" and "reverse" might be able to do what I'm looking for?
>   >  >  >
>   >  >  >  Any clarity much appreciated.
>   >  >
>   >  >  well of course
>   >  >  man ipfw is the basis..
>
> Apart from libalias(3) I found natd(8) manual still useful to flesh out
> the rather terse NAT descriptions in ipfw(8); functions are mostly 1:1
> apart from more verbose (and better described) keywords than ipfw nat.
Yeah, I noticed that. That's where I picked the terms I thought fit most 
likely. But none of the terms sound exactly like binat, but the mix of a 
couple of them sounded like it might just work.
>   >  >  since you don't give any hints as to what you want to do that is not in
>   >  >  /etc/rc.firewall,
>   >  >  it is hard to know how to help you..
>
>   >  I think that is the fundamental problem: I defined what I was doing but the
>   >  terms are foreign, ergo the man doesn't show it either.
>
> Just googling 'binat freebsd' finds only (quite a few) references to pf,
> and then only pf.conf(5) seems really to describe its usage.
Exactly.
>   >  Binat is defined in pf, so I used the terminology thinking it would just
>   >  click. Apparently not :) Binat is 1:1 natting to and from a client behind a
>   >  firewall (according to pf), so binat nats traffic from the client and from
>   >  the external network. For all intents and purposes it appears the client is
>   >  actually on the external network, with the added benefit that only the ports
>   >  needed can be natted, and others can be diverted elsewhere.
>   >
>   >  I'm using it for voip currently (and vpn on the same client): voip requires
>   >  5060 remote _and_ connection ports, and needs to be forwarded as is
>   >  (excepting ip address) and not appear to be natted so as not to confuse the
>   >  client. VPN uses 500/4500 and requires an untouched packet payload (ipsec).
>
> So this particular box has its own unique external routable IP address,
> distinct from the router's external IP?  Does it also want to do regular
> NAT for other than VoIP/VPN port traffic?  Just trying to follow ..
NP. I have only one external address (considered more, but nothing has 
quite convinced me as yet to part with more moula for them), and the 
binat only works for these services (ipsec/l2tp/vpn/voip), but 
essentially it appears this box is in the open - directly on the 
external address. However, I can still send other services 
(smtp/imap/www/dns) to other boxes.

The firewall is also running the show with ppp as well, the modem is 
running 'dumb'.

From other posts, I'd say static NAT could be what I'm looking for. 
I'll give it a shot anyway...
>   >  Are there any sources for documentation on the advanced uses of ipfw? I
>   >  stumbled on just one that goes into more detail so far
>   >  http://www.freebsd-howto.com/HOWTO/Ipfw-HOWTO.
>
> I vaguely recall that one from years ago.  "www.freebsd-howto.com could
> not be found. Please check the name and try again." tonight anyway.
I said this before: what can I say? It works for me... :) I just used it 
tonight, so I can't say what would be going on (planets aligned, or 
something?).
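The static NAT idea floated above, worked through as an added example that is not part of this thread: an ipfw(8) in-kernel NAT instance using libalias static NAT (redirect_addr) so one LAN host answers for the single external address, while redirect_port still sends mail/www/dns to other boxes. The interface name, addresses and hosts below are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Approximates pf's binat for one LAN
# host with ipfw nat: redirect_addr (libalias "static NAT") makes the host
# look like it sits on the external address, redirect_port carves out the
# services that belong to other boxes. All addresses are assumed placeholders.

ext_if="tun0"                 # ppp link; the firewall box does the dialling
ext_ip="203.0.113.5"          # assumed single external address (documentation range)
voip_vpn_host="192.168.1.10"  # host that should appear to be on $ext_ip
mail_host="192.168.1.20"      # other boxes still receiving specific ports
web_host="192.168.1.30"

# Print the ipfw commands rather than running them so the ruleset can be
# reviewed first; pipe the output into sh to load it.
ipfw_nat_rules() {
    # same_ports: keep the source port where possible (SIP/IKE peers notice
    #             rewritten ports)
    # unreg_only: only translate RFC 1918 sources, leave other traffic alone
    # reset:      drop the alias table when the ppp address changes
    # redirect_port links are matched before the address-wide redirect_addr
    # link, so mail/www/dns reach their own hosts and every other unsolicited
    # packet for $ext_ip goes to the VoIP/VPN host.
    cat <<EOF
ipfw nat 1 config if $ext_if same_ports unreg_only reset \\
    redirect_port tcp $mail_host:25 25 \\
    redirect_port tcp $mail_host:143 143 \\
    redirect_port tcp $web_host:80 80 \\
    redirect_port udp $web_host:53 53 \\
    redirect_addr $voip_vpn_host $ext_ip
ipfw add 100 nat 1 ip from any to any via $ext_if
EOF
}

# Number of ipfw invocations the generator emits (config + the nat rule).
nat_rule_count() {
    ipfw_nat_rules | grep -c '^ipfw'
}
```

Rule 100 has to sit before the allow rules so both directions pass through the NAT instance, and because redirect_addr needs a concrete public address, the generator must be re-run whenever ppp hands out a new one.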
