From: KIRIYAMA Kazuhiko
To: freebsd-stable@freebsd.org
Cc: kiri@pis.elm.toba-cmt.ac.jp
Subject: How about firewall_nat_rules?
Date: Sat, 11 May 2013 09:30:15 +0900
Message-Id: <201305110030.r4B0UFlX084168@pis.elm.toba-cmt.ac.jp>

Hi stable list,

Now ipfw_nat's rules must be written directly in firewall_nat_flags. This is messy when describing many rules. firewall_nat_rules will be treated smartly. To enable firewall_nat_rules, apply the following patch to /etc/rc.firewall:

--- /etc/rc.firewall.org 2013-05-11 08:23:13.000000000 +0900
+++ /etc/rc.firewall 2013-05-11 08:29:11.000000000 +0900
@@ -162,6 +162,9 @@ case ${firewall_nat_enable} in [Yy][Ee][Ss]) if [ -n "${firewall_nat_interface}" ]; then + if [ -r "${firewall_nat_rules}" ]; then + firewall_nat_flags="${firewall_nat_flags} `cat ${firewall_nat_rules}`" + fi if echo "${firewall_nat_interface}" | \ grep -q -E '^[0-9]+(\.[0-9]+){0,3}$'; then firewall_nat_flags="ip ${firewall_nat_interface} ${firewall_nat_flags}"

and then put in /etc/rc.conf:

firewall_enable="YES"
firewall_type="OPEN"
firewall_nat_enable="YES"
firewall_nat_interface="X.X.X.X"
firewall_nat_flags="deny_in reset same_ports unreg_only"
firewall_nat_rules="/etc/ipfw_nat.rules"

where X.X.X.X is the outgoing global address and firewall_nat_rules specifies the file which describes ipfw_nat's rules, actually the ipfw arguments following "${fwcmd} nat 123 config log", for example:

redirect_port tcp 192.168.1.7:2401 2401
redirect_port tcp 192.168.1.5:80 80
redirect_port tcp 192.168.1.1:22 22069
redirect_port tcp 192.168.1.2:22 22053
redirect_port tcp 192.168.1.3:22 22025
redirect_port tcp 192.168.1.4:22 22080
redirect_port tcp 192.168.1.5:22 22021
redirect_port tcp 192.168.1.6:22 22067
redirect_port tcp 192.168.1.7:22 22401
redirect_port tcp 192.168.1.8:22 22081
redirect_port tcp 192.168.1.32:9100 63189
redirect_port tcp 192.168.1.252:9100 23089
redirect_port tcp 192.168.1.254:22 22

Regards
---
kiri@openedu.org
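Review bot: the added block hands the rules file to ipfw unfiltered: the unquoted backtick expansion of cat ${firewall_nat_rules} is word-split straight into firewall_nat_flags and from there onto the "${fwcmd} nat 123 config log" command line, so a comment line or any stray token in the file becomes an ipfw argument and breaks NAT setup at boot, and the only check made is [ -r ... ], which says nothing about who may write the file. Suggest quoting the path, stripping comments before use, e.g. firewall_nat_flags="${firewall_nat_flags} $(sed -e 's/#.*//' "${firewall_nat_rules}")", and adding a firewall_nat_rules="" default to /etc/defaults/rc.conf together with an rc.conf(5) entry so the variable is defined when this test runs and the file format (one rule per line, arguments to "nat config") is documented.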
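As an added example (not code from the original post or from FreeBSD's rc.firewall), the following POSIX sh function shows how the rc.conf values above and a firewall_nat_rules file in the format just described become the argument list for "${fwcmd} nat 123 config log"; it goes a step beyond the patch by skipping comments and blank lines and rejecting lines that do not start with an ipfw nat rule keyword. The address 203.0.113.1 and the hosts in the sample file are made-up values.

```shell
#!/bin/sh
# Added example, not code from the original post or FreeBSD's rc.firewall.
# Builds the argument list for "ipfw nat 123 config log" from rc.conf-style
# values plus a firewall_nat_rules file, as the proposed patch does, but
# ignores comments/blank lines and rejects non-rule lines before ipfw sees them.

# nat_config_args IFACE FLAGS RULESFILE
# Prints the assembled argument list; returns 1 on a malformed rule line.
nat_config_args() {
    iface=$1; flags=$2; rules=$3
    # Same test rc.firewall uses: a dotted number means "ip", anything else "if".
    if echo "${iface}" | grep -q -E '^[0-9]+(\.[0-9]+){0,3}$'; then
        flags="ip ${iface} ${flags}"
    else
        flags="if ${iface} ${flags}"
    fi
    if [ -n "${rules}" ] && [ -r "${rules}" ]; then
        while read -r kw rest; do
            case "${kw}" in
            ''|'#'*) continue ;;                      # blank or comment line
            redirect_port|redirect_addr|redirect_proto) ;;
            *)  echo "nat_config_args: bad rule keyword '${kw}' in ${rules}" >&2
                return 1 ;;
            esac
            rest=${rest%%#*}          # drop a trailing "# comment"
            set -- ${rest}            # normalise whitespace (splitting intended)
            [ $# -gt 0 ] || return 1  # keyword with no arguments
            flags="${flags} ${kw} $*"
        done < "${rules}"
    fi
    echo "${flags}"
}

# write_sample_rules PATH: writes a constructed rules file (made-up hosts).
write_sample_rules() {
    cat > "$1" <<'EOF'
# forward CVS and HTTP to internal hosts
redirect_port tcp 192.168.1.7:2401 2401
redirect_port tcp 192.168.1.5:80 80        # web server

redirect_port tcp 192.168.1.254:22 22
EOF
}

# Demonstration: the rc.conf flags from the post, with a placeholder address.
RULES=$(mktemp /tmp/ipfw_nat.rules.XXXXXX)
write_sample_rules "${RULES}"
nat_config_args 203.0.113.1 "deny_in reset same_ports unreg_only" "${RULES}"
rm -f "${RULES}"
```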