Date: Sat, 13 May 2006 06:25:29 +0300
From: "Kobus de Wit" <kobus@cits.com.na>
To: "Brian Candler" <B.Candler@pobox.com>
Cc: freebsd-isp@freebsd.org
Subject: Re: FreeBSD as Server
Message-ID: <00e901c6763c$e46c5ca0$0b64400a@custompc1>
References: <375DD163B075E34EA3C10A6286E34A54C1D4B5@exhsto1.se.dataphone.com> <43C7A18D.8060904@centtech.com> <43C7B008.8060404@matrixhome.net> <20060114131427.GA5349@uk.tiscali.com> <43C9204A.1020401@matrixhome.net> <20060114203823.GA56577@uk.tiscali.com>
Hi Everyone,

Based on the communication below I went ahead and activated pf.conf, which works (NAT) fine. Before I pose my questions, here is an extract of my server config:

- FreeBSD 6.0 server with 2 network cards (1 Public IP and 1 Internal IP)
- pf.conf setup for 4 internal networks and to NAT (which works fine)
- rc.conf (gateway_enable="YES" inetd_enable="YES" pf_enable="YES" pflog_enable="YES" sshd_enable="YES" usbd_enable="YES" kern_securelevel="3" kern_securelevel_enable="YES") [some of the entries in rc.conf (also some static_routes in there)]

I have an email (EXIM mail) server in one of the internal networks and will have more shortly. The external public IP address of the mail server is on the same subnet as my FreeBSD server. I'm unsuccessfully trying, within pf.conf (rdr), to forward traffic destined for the mail server to the mail server. My rdr entry within pf.conf is as follows:

    rdr on $ext_if proto tcp from any to $external_addr/32 port 25 -> 10.64.101.4 port 25

($external_addr is defined earlier on in pf.conf.)

Am I missing some entries? Should I get my network provider to route traffic for the mail server to my FreeBSD server's IP address? I was hoping that my FreeBSD server would pick up traffic destined for the mail server (seeing that it is defined as such in the pf.conf file and on the same subnet) and forward it.

Regards
Kobus

----- Original Message -----
From: "Brian Candler" <B.Candler@pobox.com>
To: "Alexander" <shulik_freebsd@matrixhome.net>
Cc: <freebsd-isp@freebsd.org>
Sent: Saturday, January 14, 2006 11:38 PM
Subject: Re: FreeBSD as Server

> On Sat, Jan 14, 2006 at 06:01:14PM +0200, Alexander wrote:
>> I think, that ipfw is native for FreeBSD - it works better than other
>> packet filters. Am I right?
>
> Not really. For NAT in particular, ipfw is pretty awful. You need an
> external daemon (natd) and have to route packets to and from it, which
> works fine if you have a very simple configuration (e.g. single external
> interface, basic NAT-everything-going-out or NAT all RFC1918 address
> space). More complex scenarios can be an utter nightmare to configure
> properly.
>
> It also has a long history, which means that the configuration syntax
> isn't always very clean because of backwards compatibility requirements.
>
>> When traffic that not be NATed in ng_nat was sent in hook "in" - it
>> must simply out from it? Or no? Where is trouble?
>
> I can't answer that. All I can say is, if you want NAT there is a very
> simple incantation you can put in /etc/rc.conf:
>
>     pf_enable="YES"
>     pflog_enable="YES"
>
> and in /etc/pf.conf:
>
>     # replace interface name as appropriate
>     ext_if="fxp0"
>     nat on $ext_if from any to any -> ($ext_if)
>
> Start it like this:
>
>     # /etc/rc.d/pf start
>     # /etc/rc.d/pflog start
>
> It should Just Work[TM]. pf is loadable as a module, so you shouldn't
> even have to recompile your kernel.
>
> Regards,
>
> Brian.
> _______________________________________________
> freebsd-isp@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-isp
> To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"
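For readers of the archive, here is the shape a port-25 redirect normally takes in pf.conf on a FreeBSD 6 gateway, written as an added example rather than anything from the thread. The interface name fxp0, the placeholder public addresses, the internal interface name and the pass rules are assumptions; the internal mail host 10.64.101.4 is the one from the question above. Two points matter for the question asked: pf's rdr only rewrites packets that actually arrive at the FreeBSD box, so the public address in the rdr rule must either be configured on the external interface (an alias in rc.conf) or be routed to the box by the provider, otherwise hosts on the shared subnet ARP for it elsewhere and the gateway never sees the traffic; and a translated packet is still subject to the filter rules, so a pass rule matching the post-translation destination is needed (pf 3.7 in FreeBSD 6 does not keep state by default, hence the explicit keep state).

```pf
# Added example: pf.conf fragment for NAT plus an inbound SMTP redirect.
# Interface names and the 203.0.113.0/24 addresses are placeholders.
ext_if       = "fxp0"          # public interface (assumed name)
int_if       = "fxp1"          # internal interface (assumed name)
external_addr = "203.0.113.25" # public address for the mail server (placeholder)
mail_srv      = "10.64.101.4"  # internal mail host from the question
internal_nets = "{ 10.64.100.0/24, 10.64.101.0/24 }"  # assumed internal networks

# Outbound NAT for the internal networks, as in Brian's message.
nat on $ext_if from $internal_nets to any -> ($ext_if)

# Inbound redirect: only packets that reach this host are translated, so
# $external_addr must be an alias on $ext_if or be routed here by the provider.
rdr on $ext_if proto tcp from any to $external_addr port 25 -> $mail_srv port 25

# Filter rules are evaluated against the translated destination.
block in log on $ext_if all
pass in  on $ext_if proto tcp from any to $mail_srv port 25 flags S/SA keep state
pass out on $int_if proto tcp from any to $mail_srv port 25 keep state

# Let the internal networks out (tighten as needed).
pass in  on $int_if from $internal_nets to any keep state
pass out on $ext_if from any to any keep state
```

If the public address is to live on the gateway, the matching rc.conf entry is an alias on the external interface, for example `ifconfig_fxp0_alias0="inet 203.0.113.25 netmask 255.255.255.255"` (placeholder address). Before loading, `pfctl -nf /etc/pf.conf` checks the syntax, `pfctl -s nat` lists the translation rules that are active, and `pfctl -s state` shows whether an SMTP connection is being tracked; the mail host's default route must point back at the gateway so that replies return through the same translation.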