From owner-svn-doc-all@FreeBSD.ORG Wed Feb 26 23:03:12 2014 Return-Path: Delivered-To: svn-doc-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id CCD0841F; Wed, 26 Feb 2014 23:03:12 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id AD46116F0; Wed, 26 Feb 2014 23:03:12 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.8/8.14.8) with ESMTP id s1QN3CcG054705; Wed, 26 Feb 2014 23:03:12 GMT (envelope-from dru@svn.freebsd.org) Received: (from dru@localhost) by svn.freebsd.org (8.14.8/8.14.8/Submit) id s1QN3CW6054704; Wed, 26 Feb 2014 23:03:12 GMT (envelope-from dru@svn.freebsd.org) Message-Id: <201402262303.s1QN3CW6054704@svn.freebsd.org> From: Dru Lavigne Date: Wed, 26 Feb 2014 23:03:12 +0000 (UTC) To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r44081 - head/en_US.ISO8859-1/books/handbook/firewalls X-SVN-Group: doc-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-doc-all@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: "SVN commit messages for the entire doc trees \(except for " user" , " projects" , and " translations" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 26 Feb 2014 23:03:12 -0000 Author: dru Date: Wed Feb 26 23:03:12 2014 New Revision: 44081 URL: http://svnweb.freebsd.org/changeset/doc/44081 Log: Initial merge of IPFW NAT content. Tomorrow's commits will review the technical content. Sponsored by: iXsystems Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Wed Feb 26 22:19:04 2014 (r44080) +++ head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Wed Feb 26 23:03:12 2014 (r44081) @@ -1999,6 +1999,18 @@ options IPDIVERT # enables NATinterface-name to specify the interface the packet is traveling over. + + When first creating or testing a firewall ruleset, + consider temporarily setting this tunable: + + net.inet.ip.fw.default_to_accept="1" + + This sets the default policy of &man.ipfw.8; to + be more permissive than the default deny ip from + any to any, making it slightly more difficult + to get locked out of the system right after a reboot. + + The firewall script begins by indicating that it is a Bourne shell script and flushes any existing rules. It then creates the cmd variable so that @@ -2122,31 +2134,86 @@ pif="dc0" # interface name of NIC at + Configuring <acronym>NAT</acronym> + + + + Chern + Lee + + Contributed by + + + NAT and IPFW - There are some additional configuration statements that - need to be enabled to activate the NAT - function of IPFW. For a - customized kernel, the kernel configuration file needs - option IPDIVERT added to the other + &os;'s built-in + NAT daemon, &man.natd.8;, works in + conjunction with IPFW to provide + network address translation. This can be used to provide an + Internet Connection Sharing solution so that + several internal computers can connect to the Internet using + IP address. + + To do this, the &os; machine connected to the Internet + must act as a gateway. This gateway machine must have two + NICs: one connects to the Internet router + and the other connects to a LAN. All the + machines on the LAN are connected through + a hub or switch. + + Each machine and interface behind the + LAN should be assigned + IP addresses in the private network space, + as defined by RFC + 1918, and have a default gateway of the + &man.natd.8; machine's internal IP + address. + + Some additional configuration is + needed in order to activate the NAT + function of IPFW. If the system + has a custom kernel, the kernel configuration file needs to + include option IPDIVERT with the other IPFIREWALL options. - In addition to the normal - IPFW options in - /etc/rc.conf, the following are - needed: - - natd_enable="YES" # Enable NATD function -natd_interface="rl0" # interface name of public Internet NIC + To enable firewall and NAT support at + boot time, the following must be in + /etc/rc.conf: + + gateway_enable="YES" # enables the gateway function +natd_enable="YES" # enables the NAT function +natd_interface="rl0" # specify interface name of NIC attached to Internet natd_flags="-dynamic -m" # -m = preserve port numbers if possible - Utilizing stateful rules with a divert + + It is also possible to use a configuration file for + &man.natd.8; when there are too many options to pass. In + this case, the configuration file must be defined by adding + the following line to + /etc/rc.conf: + + natd_flags="-f /etc/natd.conf" + + A list of configuration options, one per line, can be + added to /etc/natd.conf. For + example: + + redirect_port tcp 192.168.0.2:6667 6667 +redirect_port tcp 192.168.0.3:80 80 + + For more information about this configuration file, + consult &man.natd.8;. + + + Utilizing stateful rules with a divert natd rule complicates the ruleset logic. The positioning of the check-state, and divert natd rules in the ruleset is @@ -2431,7 +2498,131 @@ pif="rl0" # public interface name of # deny and log all packets that fell through to see what they are $cmd 999 deny log all from any to any ################ End of IPFW rules file ############################### - + + + Port Redirection + + The drawback with &man.natd.8; is that the + LAN clients are not accessible from the + Internet. Clients on the LAN can make + outgoing connections to the world but cannot receive incoming + ones. This presents a problem if trying to run Internet + services on one of the LAN client machines. + A simple way around this is to redirect selected Internet + ports on the &man.natd.8; machine to a LAN + client. + + For example, an IRC server runs on + client A and a web server runs on + client B. For this to work properly, + connections received on ports 6667 (IRC) + and 80 (HTTP) must be redirected to the + respective machines. + + The syntax for is as + follows: + + -redirect_port proto targetIP:targetPORT[-targetPORT] + [aliasIP:]aliasPORT[-aliasPORT] + [remoteIP[:remotePORT[-remotePORT]]] + + In the above example, the argument should be: + + -redirect_port tcp 192.168.0.2:6667 6667 + -redirect_port tcp 192.168.0.3:80 80 + + This redirects the proper TCP ports + to the LAN client machines. + + Port ranges over individual ports can be indicated with + . For example, + tcp 192.168.0.2:2000-3000 2000-3000 + would redirect all connections received on ports 2000 to 3000 + to ports 2000 to 3000 on client + A. + + These options can be used when directly running + &man.natd.8;, placed within the + natd_flags="" option in + /etc/rc.conf, or passed via a + configuration file. + + For further configuration options, consult + &man.natd.8; + + + + Address Redirection + + + address redirection + + + Address redirection is useful if more than one + IP address is available. Each + LAN client can be assigned its own + external IP address by &man.natd.8;, + which will then rewrite outgoing packets from the + LAN clients with the proper external + IP address and redirects all traffic + incoming on that particular IP address + back to the specific LAN client. This is + also known as static NAT. For example, + if IP addresses 128.1.1.1, 128.1.1.2, and 128.1.1.3 are available, + 128.1.1.1 can be + used as the &man.natd.8; machine's external + IP address, while 128.1.1.2 and 128.1.1.3 are forwarded back + to LAN clients A + and B. + + The syntax is as + follows: + + -redirect_address localIP publicIP + + + + + + + localIP + The internal IP address of + the LAN client. + + + + publicIP + The external IP address + corresponding to the LAN + client. + + + + + + In the example, this argument would read: + + -redirect_address 192.168.0.2 128.1.1.2 +-redirect_address 192.168.0.3 128.1.1.3 + + Like , these arguments are + placed within the natd_flags="" option + of /etc/rc.conf, or passed via a + configuration file. With address redirection, there is no + need for port redirection since all data received on a + particular IP address is redirected. + + The external IP addresses on the + &man.natd.8; machine must be active and aliased to the + external interface. Refer to &man.rc.conf.5; for + details. + + The <application>IPFW</application> Command