Date: Sat, 6 Jul 2002 16:06:21 -0700
From: "Corey Snow" <corey@snowpoint.com>
To: Redmond Militante <r-militante@northwestern.edu>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: stuck on ipfw/natd config
Message-ID: <3D27157D.31618.5A9F2A0@localhost>
In-Reply-To: <20020706173549.A493@darkpossum>
On 6 Jul 2002, at 17:35, Redmond Militante wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> hi all

Hi Redmond!

> i've been trying to get ipfw/natd going, with no luck. i was wondering if anyone could point me to some good, *up-to-date* documentation on how this is done. i'd like to set up one machine with ipfw/natd &/or ipf/ipnat (although the documentation on the internet for ipf i find to be even more obtuse &/or out of date) to serve as a gateway for about 5-10 machines, all with static ips, although i've installed dhcpd to provide for dhcp machines to be hooked up to it in the future. i've bought 'FreeBSD Unleashed' from SAMS press, but the documentation on setting up ipfw/nat is scant and to me it looks like it's missing some really obvious steps - like recompiling your kernel for firewall/nat... so i've been mainly following the directions at http://www.kcgeek.com/content/features/1020842040.blather.howto/feature.html, changing a few things for my setup.

Yeah, I know what you mean. I've spent the last few weeks going from zero to sixty on FreeBSD, natd, and ipfw. I'm probably going to have to take a stab at updating some of the docs or writing tutorials, because the documentation, while available, is either obtuse (as you noted), incomplete, or assumes knowledge that the reader (in my case, anyway) didn't have. It took a lot of reading, rereading and going to different sources to get up to speed on how to get it working properly.

First, to build support for NAT and IPFW into your kernel, you'll have to create a custom kernel, using the following options (some are optional):

    options IPFIREWALL                  # provides IPFW support
    options IPDIVERT                    # provides NAT support
    options IPFIREWALL_FORWARD          # transparent proxy support
    options IPFIREWALL_VERBOSE          # turn on firewall logging to syslog
                                        # (/var/log/security by default)
    options IPFIREWALL_VERBOSE_LIMIT=100  # limit log entries

Of these, to do ipfw and NAT, you only need IPFIREWALL and IPDIVERT. The others are optional depending on what you want to do.

If you want to use the "fwd" command to ipfw, you'll need the IPFIREWALL_FORWARD option. See man ipfw for info on the fwd command- basically it allows you to forward packets unmodified, which lets you work with transparent proxies. Don't bother unless you need it.

I highly recommend using IPFIREWALL_VERBOSE, as it lets your firewall entries be logged (if you set the "log" option to an ipfw rule). The IPFIREWALL_VERBOSE_LIMIT option limits the number of log entries for a given rule in your ipfw ruleset- it will stop logging after that number of log entries. Unless you think your log is going to get so large it'll overflow your /var partition, I wouldn't bother with this- it makes debugging your rules harder. You can always add it back in later.

> i haven't even gotten to configuring any rules for the firewall, as i can't even seem to get natd to work as of yet. here's my system specs: dell optiplex gx150 1 ghz, 128 meg ram, 2 nics - one integrated 3com 3c905x, one pci 3com 3c905x. freebsd4.6. the pci nic - xl0 - is to be used externally, the integrated nic - xl1 - is to be used for the internal network. so far i've:
>
> 1. added the following lines to /etc/rc.conf
>
>     gateway_enable="YES"
>     natd_enable="YES"
>     natd_interface="xl1"
>     natd_flags="-s -u -m"
>     firewall_enable="YES"
>     firewall_logging_enable="YES"
>     firewall_quiet="NO"
>     firewall_type="open"
>     hostname="[your hostname here]"
>     ifconfig_xl0="inet xxx.xxx.xxx.xxx netmask 255.255.255.0"   # external nic (my static ip)
>     ifconfig_xl1="inet 192.168.70.230 netmask 255.255.255.0"    # internal nic

Move the hostname and ifconfig lines to the top; I had better success when the interfaces had been configured before the firewall and NAT were started. You should only need the -s option to natd if you're running IRC or FTP stuff. Me, I just use passive FTP and when I use IRC, I never use DCC anyway, and screw ident probes. ;-)

The -u option to natd is probably redundant, unless you're using non-RFC1918 addresses behind your natd box. -m isn't necessary unless you have a specific need for it. Generally, this is only used if you need to do RPC or something like that from behind the firewall.

> 2. then i downloaded dhcp-3.0pl1.tar.gz from ISC's ftp site to /usr/src.
>
>     gzip -cd dhcp-3.0pl1.tar.gz | tar xvf -
>     cd dhcp-3.0pl1
>     ./configure
>     make
>     make install

Why didn't you use the cvsup method? Just suck down the ports tree, cd /usr/ports/net/isc-dhcpd and make, make install. That worked like a dream for me.

> 3. created /usr/local/etc/rc.d/dhcpd.sh
>
>     #!/bin/sh
>     /usr/sbin/dhcpd -q xl1
>
> 4. opened /etc/dhcpd.conf:
>
>     # vi /etc/dhcpd.conf
>
> and inserted the following lines:
>
>     option domain-name "[my internal network domain name here]";
>     option domain-name-servers [my DNS server IP here];
>     ddns-updates off;
>     ddns-update-style none;
>
>     default-lease-time 600;
>     max-lease-time 7200;
>
>     authoritative;
>
>     subnet 192.168.70.0 netmask 255.255.255.0 {
>         range 192.168.70.100 192.168.70.150;
>         option routers 192.168.70.230;
>         option broadcast-address 192.168.70.255;
>     }
>
> 5. created the leases file and started the server:
>
>     # touch /var/db/dhcpd.leases
>     # chmod 644 /var/db/dhcpd.leases
>     # /usr/local/etc/rc.d/dhcpd.sh
>     # shutdown -r now    (reboot)

In my case, I only use the dhcrelay agent, not the dhcpd itself, so I can't offer any advice on this.

> change default gateway on 2nd machine to external nic's ip
>
> i have: ethernet cable from wall (t100 line) to external nic, ethernet cable from internal nic to hublet, ethernet cable from hublet to 2nd machine.
>
> reboot both machines, and it doesn't seem to work. the 2nd machine is a webserver, i can't go to a third machine and bring up any pages.

I'm not too clear on this, but it sounds like you want to use NAT to allow connections to come from "outside" into your internal address space, behind your natd box (which should be RFC1918), to your web server. If this is the case, you should be looking into the -redirect_address and -redirect_port options to natd. Normally NAT is used primarily to allow a set of hosts configured with private IP addresses to go outbound sharing a single public IP. Going the other way requires that connections be redirected, either by port or by address.

At any rate, you won't get any traffic through your NAT box unless you have some firewall rules set up. See the FreeBSD handbook, section Advanced Networking, for info on setting up NAT and dealing with ipfw.

Good luck,

Corey Snow

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3D27157D.31618.5A9F2A0>
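The thread stops where most people get stuck: Corey points out that nothing passes the NAT box without firewall rules and that reaching the web server needs a natd redirect, but neither post shows the ruleset. The script below is an added example by the editor, not code from either poster, and fills that gap for the layout Redmond describes (xl0 outside, xl1 = 192.168.70.230 inside, FreeBSD 4.x): an rc.firewall-style ruleset with the divert rule natd depends on, anti-spoofing placed correctly relative to that divert, and the /etc/natd.conf that redirects port 80 to the internal web server. The public address 203.0.113.10, the web server at 192.168.70.231 and the file names are assumptions, not taken from the thread. Two things in the posted configuration that a practitioner would fix before anything else, and which the example reflects: natd_interface must name the outside NIC (xl0 here, not xl1), and the LAN hosts' default route must be the gateway's inside address, 192.168.70.230, not the external IP.

```shell
#!/bin/sh
# /etc/ipfw.sh: ipfw ruleset plus natd settings for a FreeBSD 4.x gateway
# laid out like the one in the thread (xl0 public, xl1 = 192.168.70.230 on
# the LAN). Added example by the editor, not code from either poster.
# Assumed, not taken from the thread: the public address 203.0.113.10
# (RFC 5737 test range), the web server at 192.168.70.231, the file names.
#
# rc.conf lines that go with this file. natd_interface must name the
# OUTSIDE interface; the posted rc.conf pointed it at xl1, the inside NIC.
#   gateway_enable="YES"
#   firewall_enable="YES"
#   firewall_script="/etc/ipfw.sh"
#   natd_enable="YES"
#   natd_interface="xl0"
#   natd_flags="-f /etc/natd.conf"

oif="xl0"                 # external interface: natd and the divert rule live here
oip="203.0.113.10"        # assumed public address on ${oif}
iif="xl1"                 # internal interface
inet="192.168.70.0/24"    # RFC1918 network behind the gateway
websrv="192.168.70.231"   # assumed internal web server reached via redirect_port

# Firewall command; set fwcmd="echo ipfw" in the environment for a dry run
# that prints the rules instead of loading them.
fwcmd="${fwcmd:-/sbin/ipfw}"

load_ruleset() {
    ${fwcmd} -f flush

    # Loopback, and nothing else claiming to be loopback.
    ${fwcmd} add 100 pass all from any to any via lo0
    ${fwcmd} add 200 deny all from any to 127.0.0.0/8
    ${fwcmd} add 300 deny all from 127.0.0.0/8 to any

    # Anti-spoofing on the outside interface. These sit BEFORE the divert
    # rule on purpose: once natd has rewritten an inbound packet its
    # destination is a 192.168.70.x address, and ipfw resumes matching at
    # the rule after the divert, not from the top.
    ${fwcmd} add 400 deny log all from ${inet} to any in via ${oif}
    ${fwcmd} add 410 deny log all from any to ${inet} in via ${oif}
    ${fwcmd} add 420 deny log all from ${oip} to any in via ${oif}

    # Everything crossing the outside interface is handed to natd (divert
    # port "natd", 8668 in /etc/services). Without this rule natd never
    # sees a packet, whatever rc.conf says.
    ${fwcmd} add 1000 divert natd ip from any to any via ${oif}

    # The LAN side is trusted.
    ${fwcmd} add 2000 pass all from ${inet} to any via ${iif}
    ${fwcmd} add 2010 pass all from any to ${inet} via ${iif}

    # Established TCP in either direction, and fragments.
    ${fwcmd} add 3000 pass tcp from any to any established
    ${fwcmd} add 3010 pass all from any to any frag

    # Inbound web: natd has already rewritten ${oip}:80 to ${websrv}:80
    # (see natd_conf), so the rule matches the INSIDE address.
    ${fwcmd} add 3100 pass tcp from any to ${websrv} 80 in via ${oif} setup

    # Log and drop every other connection attempt from outside (logging
    # needs IPFIREWALL_VERBOSE), then let inside-initiated TCP out.
    ${fwcmd} add 3200 deny log tcp from any to any in via ${oif} setup
    ${fwcmd} add 3300 pass tcp from any to any setup

    # Stateless DNS. keep-state is avoided: the dynamic rule would be keyed
    # on the translated addresses, and the reply is translated back by the
    # divert rule before any check-state below it could see it.
    ${fwcmd} add 4000 pass udp from any to any 53 out via ${oif}
    ${fwcmd} add 4010 pass udp from any 53 to any in via ${oif}

    # ICMP a working network needs: echo reply, unreachable, echo, TTL exceeded.
    ${fwcmd} add 5000 pass icmp from any to any icmptypes 0,3,8,11

    # Explicit logged deny; the kernel's rule 65535 denies silently unless
    # built with IPFIREWALL_DEFAULT_TO_ACCEPT.
    ${fwcmd} add 65000 deny log all from any to any
}

# Contents of /etc/natd.conf: one option per line, no leading dash (natd -f).
# The interface comes from natd_interface in rc.conf. redirect_port is what
# lets outside clients reach the internal web server through the one
# public address.
natd_conf() {
    cat <<EOF
use_sockets yes
same_ports yes
redirect_port tcp ${websrv}:80 80
EOF
}

# "sh /etc/ipfw.sh natd > /etc/natd.conf" writes the natd file; otherwise
# load the rules when the firewall command exists (on the gateway, or in
# a dry run with fwcmd="echo ipfw").
if [ "${1:-}" = "natd" ]; then
    natd_conf
elif command -v "${fwcmd%% *}" >/dev/null 2>&1; then
    load_ruleset
fi
```

Check the ordering with a dry run before loading anything: `fwcmd="echo ipfw" sh /etc/ipfw.sh` prints the rules so you can confirm the anti-spoof denies come before the divert and the divert comes before every pass rule. Load the real ruleset from the console rather than over an ssh session to the gateway, since a rule that denies your own connection ends the session and you cannot undo it remotely. The first connection you should test from a LAN host is an outbound one; only once that works does the redirect to the web server tell you anything.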