Date: Wed, 26 Feb 2014 23:03:12 +0000 (UTC)
From: Dru Lavigne <dru@FreeBSD.org>
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r44081 - head/en_US.ISO8859-1/books/handbook/firewalls
Message-ID: <201402262303.s1QN3CW6054704@svn.freebsd.org>
Author: dru Date: Wed Feb 26 23:03:12 2014 New Revision: 44081 URL: http://svnweb.freebsd.org/changeset/doc/44081 Log: Initial merge of IPFW NAT content. Tomorrow's commits will review the technical content. Sponsored by: iXsystems Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Wed Feb 26 22:19:04 2014 (r44080) +++ head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Wed Feb 26 23:03:12 2014 (r44081) @@ -1999,6 +1999,18 @@ options IPDIVERT # enables NAT</pro <replaceable>interface-name</replaceable> to specify the interface the packet is traveling over.</para> + <note> + <para>When first creating or testing a firewall ruleset, + consider temporarily setting this tunable:</para> + + <programlisting>net.inet.ip.fw.default_to_accept="1"</programlisting> + + <para>This sets the default policy of &man.ipfw.8; to + be more permissive than the default <literal>deny ip from + any to any</literal>, making it slightly more difficult + to get locked out of the system right after a reboot.</para> + </note> + <para>The firewall script begins by indicating that it is a Bourne shell script and flushes any existing rules. It then creates the <literal>cmd</literal> variable so that 
@@ -2122,31 +2134,86 @@ pif="dc0" # interface name of NIC at </sect2> <sect2 xml:id="network-natd"> + <info> <title>Configuring <acronym>NAT</acronym></title> + <authorgroup> + <author> + <personname> + <firstname>Chern</firstname> + <surname>Lee</surname> + </personname> + <contrib>Contributed by </contrib> + </author> + </authorgroup> + </info> <indexterm> <primary>NAT</primary> <secondary>and <application>IPFW</application></secondary> </indexterm> - <para>There are some additional configuration statements that - need to be enabled to activate the <acronym>NAT</acronym> - function of <application>IPFW</application>. For a - customized kernel, the kernel configuration file needs - <literal>option IPDIVERT</literal> added to the other + <para>&os;'s built-in + <acronym>NAT</acronym> daemon, &man.natd.8;, works in + conjunction with <application>IPFW</application> to provide + network address translation. This can be used to provide an + Internet Connection Sharing solution so that + several internal computers can connect to the Internet using + <acronym>IP</acronym> address.</para> + + <para>To do this, the &os; machine connected to the Internet + must act as a gateway. This gateway machine must have two + <acronym>NIC</acronym>s: one connects to the Internet router + and the other connects to a <acronym>LAN</acronym>. All the + machines on the <acronym>LAN</acronym> are connected through + a hub or switch.</para> + + <para>Each machine and interface behind the + <acronym>LAN</acronym> should be assigned + <acronym>IP</acronym> addresses in the private network space, + as defined by <link + xlink:href="ftp://ftp.isi.edu/in-notes/rfc1918.txt">RFC + 1918</link>, and have a default gateway of the + &man.natd.8; machine's internal <acronym>IP</acronym> + address.</para> + + <para>Some additional configuration is + needed in order to activate the <acronym>NAT</acronym> + function of <application>IPFW</application>. 
If the system + has a custom kernel, the kernel configuration file needs to + include <literal>option IPDIVERT</literal> with the other <literal>IPFIREWALL</literal> options.</para> - <para>In addition to the normal - <application>IPFW</application> options in - <filename>/etc/rc.conf</filename>, the following are - needed:</para> - - <programlisting>natd_enable="YES" # Enable <acronym>NAT</acronym>D function -natd_interface="rl0" # interface name of public Internet NIC + <para>To enable firewall and <acronym>NAT</acronym> support at + boot time, the following must be in + <filename>/etc/rc.conf</filename>:</para> + + <programlisting>gateway_enable="YES" # enables the gateway function +natd_enable="YES" # enables the <acronym>NAT</acronym> function +natd_interface="rl0" # specify interface name of NIC attached to Internet natd_flags="-dynamic -m" # -m = preserve port numbers if possible</programlisting> - <para>Utilizing stateful rules with a <literal>divert + <note> + <para>It is also possible to use a configuration file for + &man.natd.8; when there are too many options to pass. In + this case, the configuration file must be defined by adding + the following line to + <filename>/etc/rc.conf</filename>:</para> + + <programlisting>natd_flags="-f /etc/natd.conf"</programlisting> + + <para>A list of configuration options, one per line, can be + added to <filename>/etc/natd.conf</filename>. For + example:</para> + + <programlisting>redirect_port tcp 192.168.0.2:6667 6667 +redirect_port tcp 192.168.0.3:80 80</programlisting> + + <para>For more information about this configuration file, + consult &man.natd.8;.</para> + </note> + + <para>Utilizing stateful rules with a <literal>divert natd</literal> rule complicates the ruleset logic. The positioning of the <literal>check-state</literal>, and <literal>divert natd</literal> rules in the ruleset is 
@@ -2431,7 +2498,131 @@ pif="rl0" # public interface name of # deny and log all packets that fell through to see what they are $cmd 999 deny log all from any to any ################ End of IPFW rules file ###############################</programlisting> - </sect2> + + <sect3> + <title>Port Redirection</title> + + <para>The drawback with &man.natd.8; is that the + <acronym>LAN</acronym> clients are not accessible from the + Internet. Clients on the <acronym>LAN</acronym> can make + outgoing connections to the world but cannot receive incoming + ones. This presents a problem if trying to run Internet + services on one of the <acronym>LAN</acronym> client machines. + A simple way around this is to redirect selected Internet + ports on the &man.natd.8; machine to a <acronym>LAN</acronym> + client.</para> + + <para>For example, an <acronym>IRC</acronym> server runs on + client <systemitem>A</systemitem> and a web server runs on + client <systemitem>B</systemitem>. For this to work properly, + connections received on ports 6667 (<acronym>IRC</acronym>) + and 80 (<acronym>HTTP</acronym>) must be redirected to the + respective machines.</para> + + <para>The syntax for <option>-redirect_port</option> is as + follows:</para> + + <programlisting> -redirect_port proto targetIP:targetPORT[-targetPORT] + [aliasIP:]aliasPORT[-aliasPORT] + [remoteIP[:remotePORT[-remotePORT]]]</programlisting> + + <para>In the above example, the argument should be:</para> + + <programlisting> -redirect_port tcp 192.168.0.2:6667 6667 + -redirect_port tcp 192.168.0.3:80 80</programlisting> + + <para>This redirects the proper <acronym>TCP</acronym> ports + to the <acronym>LAN</acronym> client machines.</para> + + <para>Port ranges over individual ports can be indicated with + <option>-redirect_port</option>. 
For example, + <replaceable>tcp 192.168.0.2:2000-3000 2000-3000</replaceable> + would redirect all connections received on ports 2000 to 3000 + to ports 2000 to 3000 on client + <systemitem>A</systemitem>.</para> + + <para>These options can be used when directly running + &man.natd.8;, placed within the + <literal>natd_flags=""</literal> option in + <filename>/etc/rc.conf</filename>, or passed via a + configuration file.</para> + + <para>For further configuration options, consult + &man.natd.8;</para> + </sect3> + + <sect3> + <title>Address Redirection</title> + + <indexterm> + <primary>address redirection</primary> + </indexterm> + + <para>Address redirection is useful if more than one + <acronym>IP</acronym> address is available. Each + <acronym>LAN</acronym> client can be assigned its own + external <acronym>IP</acronym> address by &man.natd.8;, + which will then rewrite outgoing packets from the + <acronym>LAN</acronym> clients with the proper external + <acronym>IP</acronym> address and redirects all traffic + incoming on that particular <acronym>IP</acronym> address + back to the specific <acronym>LAN</acronym> client. This is + also known as static <acronym>NAT</acronym>. 
For example, + if <acronym>IP</acronym> addresses <systemitem + class="ipaddress">128.1.1.1</systemitem>, <systemitem + class="ipaddress">128.1.1.2</systemitem>, and <systemitem + class="ipaddress">128.1.1.3</systemitem> are available, + <systemitem class="ipaddress">128.1.1.1</systemitem> can be + used as the &man.natd.8; machine's external + <acronym>IP</acronym> address, while <systemitem + class="ipaddress">128.1.1.2</systemitem> and <systemitem + class="ipaddress">128.1.1.3</systemitem> are forwarded back + to <acronym>LAN</acronym> clients <systemitem>A</systemitem> + and <systemitem>B</systemitem>.</para> + + <para>The <option>-redirect_address</option> syntax is as + follows:</para> + + <programlisting>-redirect_address localIP publicIP</programlisting> + + + <informaltable frame="none" pgwide="1"> + <tgroup cols="2"> + <tbody> + <row> + <entry>localIP</entry> + <entry>The internal <acronym>IP</acronym> address of + the <acronym>LAN</acronym> client.</entry> + </row> + + <row> + <entry>publicIP</entry> + <entry>The external <acronym>IP</acronym> address + corresponding to the <acronym>LAN</acronym> + client.</entry> + </row> + </tbody> + </tgroup> + </informaltable> + + <para>In the example, this argument would read:</para> + + <programlisting>-redirect_address 192.168.0.2 128.1.1.2 +-redirect_address 192.168.0.3 128.1.1.3</programlisting> + + <para>Like <option>-redirect_port</option>, these arguments are + placed within the <literal>natd_flags=""</literal> option + of <filename>/etc/rc.conf</filename>, or passed via a + configuration file. With address redirection, there is no + need for port redirection since all data received on a + particular <acronym>IP</acronym> address is redirected.</para> + + <para>The external <acronym>IP</acronym> addresses on the + &man.natd.8; machine must be active and aliased to the + external interface. 
Refer to &man.rc.conf.5; for + details.</para> + </sect3> +</sect2> <sect2 xml:id="firewalls-ipfw-cmd"> <title>The <application>IPFW</application> Command</title>
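Review bot: the new `<note>` in the first hunk (around line 1999) tells the reader to set `net.inet.ip.fw.default_to_accept="1"` but never says where the tunable lives or that it should be reverted; it is a loader tunable, so the note should name `/boot/loader.conf`, and it should add a closing sentence along the lines of "Once the ruleset has been verified, remove this setting so that the firewall again denies by default", because with it left in place a ruleset that fails to load at boot leaves the host fully open rather than fully closed.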
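Review bot: the second hunk (around line 2134) has a dropped word in the first new paragraph, "several internal computers can connect to the Internet using <acronym>IP</acronym> address", which should read "using a single <acronym>IP</acronym> address"; and the new `<note>` introduces `natd_flags="-f /etc/natd.conf"` right after the listing that sets `natd_flags="-dynamic -m"`, without saying that the second assignment replaces the first, so the note should state that `-dynamic` and `-m` then belong in `/etc/natd.conf` (as `dynamic yes` style lines, without the leading dash) rather than in `rc.conf`. The `ftp://ftp.isi.edu/in-notes/rfc1918.txt` link should also point at the RFC Editor's HTTPS copy of RFC 1918.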
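Review bot: the Address Redirection example in the third hunk (around line 2498) uses `128.1.1.1`, `128.1.1.2` and `128.1.1.3`, which are routable public addresses belonging to someone else; handbook examples should use the RFC 5737 documentation range instead, e.g. `203.0.113.1`, `203.0.113.2` and `203.0.113.3`, so that nobody copying the text aliases live third-party addresses onto an interface. The Port Redirection text should also note that a redirected port exposes the LAN client to unsolicited Internet traffic, so the firewall ruleset must still filter what is let through the `divert natd` rule. Minor: "which will then rewrite ... and redirects" mixes tenses (use "rewrites ... and redirects"), "Port ranges over individual ports can be indicated" reads oddly (suggest "Ranges of ports, rather than individual ports, can also be given to"), "consult &man.natd.8;</para>" is missing its full stop, there is a doubled blank line after `<programlisting>-redirect_address localIP publicIP</programlisting>`, and the added `+</sect2>` is at column 0 while the matching `<sect2 xml:id="network-natd">` is indented.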