Date: Sat, 6 Jul 2002 18:36:41 -0500
From: Redmond Militante <r-militante@northwestern.edu>
To: Corey Snow <corey@snowpoint.com>
Cc: freebsd-questions@FreeBSD.org
Subject: Re: stuck on ipfw/natd config
Message-ID: <20020706183641.C493@darkpossum>
In-Reply-To: <3D27157D.31618.5A9F2A0@localhost>; from corey@snowpoint.com on Sat, Jul 06, 2002 at 04:06:21PM -0700
References: <20020706173549.A493@darkpossum> <3D27157D.31618.5A9F2A0@localhost>
hi

thanks for responding to everyone. i am going to take the below advice into consideration as i give it another try...

On Sat, Jul 06, 2002 at 04:06:21PM -0700, Corey Snow expatiated with great perspicuity:
> On 6 Jul 2002, at 17:35, Redmond Militante wrote:
>
> > hi all
> >
>
> Hi Redmond!
>
> > i've been trying to get ipfw/natd going, with no luck. i was wondering if anyone could point me to some good, *up-to-date* documentation on how this is done. i'd like to set up one machine with ipfw/natd &/or ipf/ipnat (although the documentation on the internet for ipf i find to be even more obtuse &/or out of date) to serve as a gateway for about 5-10 machines, all with static ips, although i've installed dhcpd to provide for dhcp machines to be hooked up to it in the future. i've bought 'FreeBSD Unleashed' from SAMS press, but the documentation on setting up ipfw/nat is scant and to me it looks like it's missing some really obvious steps - like recompiling your kernel for firewall/nat... so i've been mainly following the directions at http://www.kcgeek.com/content/features/1020842040.blather.howto/feature.html, changing a few things for my setup.
> >
>
> Yeah, I know what you mean. I've spent the last few weeks going from zero to sixty on FreeBSD, natd, and ipfw. I'm probably going to have to take a stab at updating some of the docs or writing tutorials, because the documentation, while available, is either obtuse (as you noted), incomplete, or assumes knowledge that the reader (in my case, anyway) didn't have. It took a lot of reading, rereading and going to different sources to get up to speed on how to get it working properly.
>
> First, to build support for NAT and IPFW into your kernel, you'll have to create a custom kernel, using the following options (some are optional):
>
> options IPFIREWALL                  #provides IPFW support
> options IPDIVERT                    #provides NAT support
> options IPFIREWALL_FORWARD          #transparent proxy support
> options IPFIREWALL_VERBOSE          #turn on firewall logging to syslog
>                                     #(/var/log/security by default)
> options IPFIREWALL_VERBOSE_LIMIT=100 #limit log entries.
>
> Of these, to do ipfw and NAT, you only need IPFIREWALL and IPDIVERT. The others are optional depending on what you want to do. If you want to use the "fwd" command to ipfw, you'll need the IPFIREWALL_FORWARD option. See man ipfw for info on the fwd command- basically it allows you to forward packets unmodified, which lets you work with transparent proxies. Don't bother unless you need it.
>
> I highly recommend using IPFIREWALL_VERBOSE, as it lets your firewall entries be logged (if you set the "log" option to an ipfw rule).
>
> The IPFIREWALL_VERBOSE_LIMIT option limits the number of log entries for a given rule in your ipfw ruleset- it will stop logging after that number of log entries. Unless you think your log is going to get so large it'll overflow your /var partition, I wouldn't bother with this- it makes debugging your rules harder. You can always add it back in later.
>
> > i haven't even gotten to configuring any rules for the firewall, as i can't even seem to get natd to work as of yet. here's my system specs: dell optiplex gx150 1 ghz, 128 meg ram, 2 nics - one integrated 3com 3c905x, one pci 3com 3c905x. freebsd4.6. the pci nic -xl0 - is to be used externally, the integrated nic - xl1 - is to be used for the internal network. so far i've:
> >
> > 1. added the following lines to /etc/rc.conf
> >
> > gateway_enable="YES"
> > natd_enable="YES"
> > natd_interface="xl1"
> > natd_flags="-s -u -m"
> > firewall_enable="YES"
> > firewall_logging_enable="YES"
> > firewall_quiet="NO"
> > firewall_type="open"
> > hostname="[your hostname here]"
> > ifconfig_xl0="inet xxx.xxx.xxx.xxx (my static ip) netmask 255.255.255.0" //external nic
> > ifconfig_xl1="inet 192.168.70.230 netmask 255.255.255.0" //internal nic
> >
>
> Move the hostname and ifconfig lines to the top; I had better success when the interfaces had been configured before the firewall and NAT were started.
>
> You should only need the -s option to natd if you're running IRC or FTP stuff. Me, I just use passive FTP and when I use IRC, I never use DCC anyway, and screw ident probes. ;-)
>
> The -u option to natd is probably redundant, unless you're using non-RFC1918 addresses behind your natd box.
>
> -m isn't necessary unless you have a specific need for it. Generally, this is only used if you need to do RPC or something like that from behind the firewall.
>
> > 2. then i downloaded dhcp-3.0pl1.tar.gz from ISC's ftp site to /usr/src.
> > gzip -cd dhcp-3.0.tar.gz | tar xvf -
> > cd dhcp-3.0pl1
> > ./configure
> > make, make install
> >
>
> Why didn't you use the cvsup method? Just suck down the ports tree, cd /usr/ports/net/isc-dhcpd and make, make install. That worked like a dream for me.
>
> > 3. created /usr/local/etc/rc.d/dhcpd.sh
> >
> > #!/bin/sh
> > /usr/sbin/dhcpd xl1 -q
> >
> > 4. Opened /etc/dhcpd.conf: # vi /etc/dhcpd.conf
> >
> > and inserted the following lines:
> >
> > option domain-name "[my internal network domain name here]";
> > option domain-name-servers [my DNS server IP here];
> > ddns-updates off;
> > ddns-update-style none;
> >
> > default-lease-time 600;
> > max-lease-time 7200;
> >
> > authoritative;
> >
> > subnet 192.168.70.0 netmask 255.255.255.0 {
> >     range 192.168.70.100 192.168.70.150;
> >     option domain-name "[my internal networks domain name here]";
> >     option domain-name-servers [my DNS server IP here];
> >
> >     default-lease-time 600;
> >     max-lease-time 7200;
> >     option routers 192.168.70.230;
> >     option broadcast-address 192.168.70.255;
> >     default-lease-time 600;
> >     max-lease-time 7200;
> > }
> >
> > 5. # touch /var/db/dhcpd.leases
> > # chmod 644 /var/db/dhcpd.leases
> >
> > start the server: # /usr/local/etc/rc.d/dhcpd.conf
> > # shutdown -r now, reboot
> >
>
> In my case, I only use the dhcrelay agent, not the dhcpd itself, so I can't offer any advice on this.
>
> > change default gateway on 2nd machine to external nic's ip
> > i have: ethernet cable from wall (t100 line) to external nic, ethernet cable from internal nic to hublet, ethernet cable from hublet to 2nd machine.
> > reboot both machines, and it doesn't seem to work. the 2nd machine is a webserver, i can't go to a third machine and bring up any pages.
>
> I'm not too clear on this, but it sounds like you want to use NAT to allow connections to come from "outside" into your internal address space, behind your natd box (which should be RFC1918), to your web server. If this is the case, you should be looking into the -redirect_address and -redirect_port options to natd. Normally NAT is used to primarily allow a set of hosts configured with private IP addresses to go outbound sharing a single public IP. Going the other way requires that connections be redirected, either by port or by address.

well, i want to stick the webserver behind the nat, and still be able to serve up pages to the outside world, as well as sit at the machine and surf the internet on it, as usual. i want machines outside the internal network to be able to view webpages that resolve to the webserver's url &/or proper ip address. so yeah, i want the nat to be invisible to the outside world regardless of which direction the traffic's going to flow... sorry i didn't make myself clear.

>
> At any rate, you won't get any traffic through your NAT box unless you have some firewall rules set up. See the FreeBSD handbook, section Advanced Networking for info on setting up NAT and dealing with ipfw.
>

i had firewall_type="open" in my /etc/rc.conf. wouldn't that at least allow me to serve up webpages at this point, albeit while not having any firewall rules in place?

thanks again
redmond

> Good luck,
>
> Corey Snow
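An added check, not part of this thread or of FreeBSD's own rc scripts: a small POSIX sh lint over an rc.conf fragment shaped like the one quoted above. It verifies the three enable knobs and that natd_interface (which becomes natd's -n interface, the NIC whose address traffic is aliased to) names the public-facing NIC and has an ifconfig_ line. The sample file is constructed; the 192.0.2.10 address, the temp file name and the choice of xl0 as the public NIC are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: lint an rc.conf gateway fragment.
# Sample below is constructed; xl0 as the public NIC is an assumption.

# Print the value of key $2 from rc.conf-style file $1 (last assignment
# wins). Text after the closing quote, e.g. "//external nic", is ignored.
rc_get() {
    sed -n "s/^[[:space:]]*$2=\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# Lint file $1 for a natd/ipfw gateway whose public interface is $2.
# Prints one line per finding; the return value is the number of findings.
lint_gateway() {
    file=$1; ext_if=$2; n=0
    for key in gateway_enable natd_enable firewall_enable; do
        if [ "$(rc_get "$file" "$key")" != "YES" ]; then
            echo "$key is not YES: nothing is forwarded, translated or filtered"
            n=$((n + 1))
        fi
    done
    natd_if=$(rc_get "$file" natd_interface)
    # natd_interface is handed to natd as -n, the interface whose address
    # packets are aliased to, so it must be the NIC facing the outside.
    if [ "$natd_if" != "$ext_if" ]; then
        echo "natd_interface=\"$natd_if\" but the public NIC is $ext_if"
        n=$((n + 1))
    fi
    if [ -z "$(rc_get "$file" "ifconfig_$natd_if")" ]; then
        echo "natd_interface $natd_if has no ifconfig_$natd_if line"
        n=$((n + 1))
    fi
    return $n
}

# Constructed sample in the shape of the quoted rc.conf fragment.
sample_rcconf=${TMPDIR:-/tmp}/rc.conf.sample
cat > "$sample_rcconf" <<'EOF'
gateway_enable="YES"
natd_enable="YES"
natd_interface="xl1"
natd_flags="-s -u -m"
firewall_enable="YES"
firewall_logging_enable="YES"
firewall_type="open"
ifconfig_xl0="inet 192.0.2.10 netmask 255.255.255.0" //external nic
ifconfig_xl1="inet 192.168.70.230 netmask 255.255.255.0" //internal nic
EOF

lint_gateway "$sample_rcconf" xl0 || echo "findings: $?"
```

Run against the sample it reports exactly one finding, the natd_interface pointing at the LAN-side NIC; changing that line to the public NIC makes it pass.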
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020706183641.C493>