Questions on "Hide NAT" and 1:1 NAT Scenarios Using IPFW2 instead of natd

Holger Rauch holger.rauch at empic.de
Sun Jun 14 15:27:07 UTC 2009


Hi to everybody,

up to now, I've only seen a working example for "hide NAT" (hiding several IP
addresses belonging to an internal private subnet "behind" an official, externally
accessible IP) based on user space natd from one of my former colleagues.

That means I'm new to kernel (IPFW) based NAT and thus asking for help on this mailing
list since the NAT fragments mentioned below don't work for me as expected (i.e.
I see no IPFW log message and no NAT takes place).

I'm referring to a FreeBSD 7.1-STABLE amd64 system with the following kernel options
compiled in (default policy is deny). The machine acts as a gateway (IP forwarding enabled;
no sysctls for layer2 enabled) and has six network interfaces in total 
(bge0, bge1, em0-3). Two different forms of NAT should take place depending on whether
the packets flow between network interfaces bge0<->bge1 (hide NAT) and bge0<->em1
(1:1 NAT for a certain set of hosts). For the remaining interface combinations
bge0<->em0,em2,em3 no NAT should be performed since they are used to gain access to
other internal subnets represented by private IP addresses. The combinations
bge1<->em[0-3] are not permitted (blocked/logged by corresponding IPFW rules):

=========================================

options         IPFIREWALL              #firewall
options         IPFIREWALL_VERBOSE      #enable logging to syslogd(8)
options         IPFIREWALL_VERBOSE_LIMIT=100    #limit verbosity
options         IPFIREWALL_FORWARD      #packet destination changes
options         IPFIREWALL_NAT          #ipfw kernel nat support
options         IPDIVERT                #divert sockets
options         DUMMYNET
options         IPSTEALTH               #support for stealth forwarding
options         LIBALIAS

=========================================

So, at least I shouldn't be missing any relevant kernel options, right? 

The following NAT rule fragments were taken from a larger firewall
#! /bin/sh script, which is structured in the following manner:

a) General logging/filtering rules for bogus packets (unsupported private
   IP addresses, broadcasts, illegal inner<->outer network interface
   combinations, etc.)
   number range logging rules: 1000-1499
   number range filtering rules: 1500-1999

b) filtering/logging rules with no NAT (bge0<->em0,em2,em3)
   number range logging rules: 2000-2499
   number range filtering rules: 2500-2999

c) 1:1 NAT fragment (see below)
   fixed rule number: 3000

d) filtering/logging rules to individual hosts for which 1:1 NAT is
   supposed to be performed
   number range logging rules: 3001-3499
   number range filtering rules: 3500-3999

e) hide NAT fragment (see below)
   fixed rule number: 4000

f) filtering/logging rules to individual hosts for which hide NAT is
   supposed to be performed
   number range logging rules: 4001-4499
   number range filtering rules: 4500-4999

OK, here are the NAT fragments (inferred from the ipfw man page since I
couldn't find a better resource; unfortunately, neither the IPFW
HOWTO nor the IPFW advanced supplement HOWTO is of help here):

=========================================

# 1:1 NAT (intaddr1...intaddr5 <-> extaddr1...extaddr5)
${fwcmd} add 3000 nat 1 all from any to any via em1
${fwcmd} nat 1 config redirect_addr intaddr1 extaddr1 \
redirect_addr intaddr2 extaddr2 \
redirect_addr intaddr3 extaddr3 \
redirect_addr intaddr4 extaddr4 \
redirect_addr intaddr5 extaddr5

==========================================

Would the following alternative approach achieve the same (seems slightly
more elegant to me)?

==========================================

int_nat_hosts="\{ intaddr1,intaddr2,intaddr3,intaddr4,intaddr5 \}"
ext_nat_hosts="\{ extaddr1,extaddr2,extaddr3,extaddr4,extaddr5 \}"
${fwcmd} nat 1 config redirect_addr ${int_nat_hosts} ${ext_nat_hosts}

# hide NAT (10.51.0.0/16 -> one externally accessible IP address aa.bb.cc.dd)
${fwcmd} nat 2 config ip aa.bb.cc.dd log deny_in reset same_ports
${fwcmd} add 4000 nat 2 all from any to any via bge1

==========================================

General questions on both NAT scenarios:

- How to debug IPFW-based NAT in general?
- Is it OK to use "from any to any" in the ...add nat... rules above or would you
  recommend specifying the address ranges explicitly?
- Would using "skipto" rules be a good alternative here?

In case you need additional info, please don't hesitate to ask.

Thanks in advance for any help!

Kind regards,

	Holger
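The two NAT instances from the message above, as an added example that is not part of the original post: a POSIX sh dry-run generator that configures each nat instance before the rule that references it, restricts the `add nat` rules to the addresses that should actually be translated instead of any-to-any, keeps the post's rule numbers (ipfw allows several rules under one number, evaluated in insertion order), and ends with the commands used to check the result. The interface names bge1 and em1 are the post's; the addresses 198.51.100.x (documentation range standing in for aa.bb.cc.dd and extaddrN), 10.51.1.x, the RUN variable and the function names are assumptions made for this example. With RUN unset the script only prints the ipfw(8)/sysctl(8) commands; RUN='' (set but empty) executes them, which needs root on the gateway.

```shell
#!/bin/sh
# Added example, not code from the original post. Dry-run by default:
# RUN unset -> commands are echoed; RUN='' -> commands are executed.
RUN=${RUN-echo}

# gen_nat_rules EXT_IF EXT_IP INT_NET MAP_IF INT1:EXT1 [INT2:EXT2 ...]
#   EXT_IF  interface holding the public address used for hide NAT (bge1)
#   EXT_IP  that public address (aa.bb.cc.dd in the post)
#   INT_NET internal subnet hidden behind EXT_IP (10.51.0.0/16)
#   MAP_IF  interface facing the public side of the 1:1 mapped hosts (em1)
#   pairs   internal:external addresses for the 1:1 (static) mappings
gen_nat_rules() {
    ext_if=$1; ext_ip=$2; int_net=$3; map_if=$4
    shift 4
    [ $# -gt 0 ] || { echo "need at least one int:ext pair" >&2; return 1; }

    # With one_pass=1 (the default) a packet leaving a nat rule is accepted
    # at once and the per-host filter rules numbered after it never run.
    $RUN sysctl net.inet.ip.fw.one_pass=0

    # Instances first, rules second: ipfw resolves the instance when a packet
    # hits the rule, and a rule pointing at a still-unconfigured instance
    # denies the packet without any log line.
    $RUN ipfw nat 2 config ip "$ext_ip" log deny_in reset same_ports

    maps=; int_list=; ext_list=
    for pair in "$@"; do
        case $pair in *:*) ;; *) echo "bad pair: $pair" >&2; return 1 ;; esac
        maps="$maps redirect_addr ${pair%:*} ${pair#*:}"
        int_list="$int_list${int_list:+,}${pair%:*}"
        ext_list="$ext_list${ext_list:+,}${pair#*:}"
    done
    # One redirect_addr per mapping; libalias does not take two lists.
    $RUN ipfw nat 1 config log $maps

    # Direction matters: packets going out via MAP_IF get their source
    # rewritten (LibAliasOut), packets coming in get their destination
    # rewritten (LibAliasIn). Both rules share number 3000, so the numbering
    # scheme of the post (3001-3999 for the per-host filters) is unchanged.
    $RUN ipfw add 3000 nat 1 ip from "$int_list" to any out via "$map_if"
    $RUN ipfw add 3000 nat 1 ip from any to "$ext_list" in via "$map_if"

    # Hide NAT: only the internal subnet leaving, only replies to the public
    # address returning, both on the interface that holds EXT_IP.
    $RUN ipfw add 4000 nat 2 ip from "$int_net" to any out via "$ext_if"
    $RUN ipfw add 4000 nat 2 ip from any to "$ext_ip" in via "$ext_if"
}

# What to look at when "no NAT takes place": the one_pass setting, the
# instances the kernel actually has, and per-rule counters (a nat rule whose
# packet counter stays at 0 is never reached: wrong interface, wrong
# direction, or an earlier rule consumed the traffic).
show_nat_state() {
    $RUN sysctl net.inet.ip.fw.one_pass
    $RUN ipfw nat show config
    $RUN ipfw -a list
}

# Constructed sample invocation with placeholder addresses.
gen_nat_rules bge1 198.51.100.1 10.51.0.0/16 em1 \
    10.51.1.10:198.51.100.10 10.51.1.11:198.51.100.11
show_nat_state
```

Run it once with RUN unset and read the printed rule set before applying it: the order (sysctl, two `nat config` lines, then the `add` rules) is the point. Keep the `deny_in` option on instance 2 only if nothing inbound to the public address should be passed untranslated; with it set, unsolicited inbound packets are dropped by the nat instance rather than reaching the filter rules.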