Any *Working* Examples of kernel-based (IPFW2-based) NAT on FreeBSD 7.1-STABLE?
Systems Engineering Group
mailinglistmember at mgwigglesworth.net
Mon Jun 29 03:39:40 UTC 2009
The natd command should use the -interface switch, or -n; however, the
best way to become informed about natd is to simply run man natd and
read the part about "Running natd," because you will get more out of it.
man ipfw is also very informative.
On Sun, 2009-06-28 at 22:56 -0400, Systems Engineering Group wrote:
> I don't know why you are attempting to be so "elegant" (which is a
> smart-guy way of saying making something more complex by leaving out
> certain things that are still relevant, but "messy," as an experienced
> person would see it) if you are new to the methods.
>
> First, you need to make sure that natd is doing its job, by making sure
> that you have natd turned on, and that it is using the correct
> interface.
>
> Second, when you have verified that the natd configuration is accurate
> and usable, the kernel needs to be verified to have the correct options,
> and the ipfw rules need to be set up.
>
> You only need divert and ipfirewall, with ipfirewall_verbose if you
> want logging.
>
> With these kernel options in place, you need to compile and install the
> kernel built with these kernel options for the firewalling
> functionality, with diversion, to work.
>
> Given these aspects of the system are installed, then you only need to
> place a natd divert rule into the script for your ipfw-centric firewall.
>
> An example would be to start natd with the following included either in
> the command-line options or in a config file referenced in the
> command-line call to natd (natd -f /path/to/natd/config)
>
> at the command line, or requisite init script: natd -i $divert_iface -d
>
> This should start natd with the -i switch, indicating to natd which
> device is to be translated (from/to).
>
> After verification of initialization of the natd daemon via `sockstat |
> grep natd` you should then test divert rules within your ipfw script, or
> via dynamic rules that you send at the command line.
>
> The simplest way to test the operation of the divert rules is to do the
> following.
>
> ipfw add 100 pass log tcp from any to any in via $divert_iface
>
> # The traffic coming into the external IP address will be "diverted" to
> # the internal network IP range.
> ipfw add 200 divert natd ip from any to any in via $divert_iface
>
> ##
> # Rules 201-499 will be used to filter on the internal addresses after
> # being mangled by the kernel.
> # They will now look like they are going to the internal address, not
> # the external IP address, so internal-IP-based rules will be effective
> # at this time.
> ##
>
> # This rule will divert traffic going from the internal network to the
> # external network
> ipfw add 500 divert natd ip from any to any out via $divert_iface
>
> This is a very brief view of an example that works with FreeBSD.
> I would stay away from the complex "elegant" solutions that you
> referenced in your original post, on or about June 14th, until you
> verify that your solution is working properly.
>
> Check out the FreeBSD handbook, and the information on firewalling on
> onlamp.org.
>
> I am just doing a datadump of my own experience right now, so if you
> have any further questions, then just post them and we can take a look.
>
> The setup is not very difficult, once you have the basics down.
>
> I have about thirty rules in my script, but about 20 of them have to do
> with filtering different stuff, which is merely skipto to a deletion
> rule with logging.
>
> ipfw and natd are not very difficult to use; however, that simplicity is
> also what makes them such a powerful network appliance solution. I have
> heard that ipnat + netfilter is supposedly a more powerful solution,
> because ipnat does certain things better than natd; however, that is
> something for further exploration, and I have not had a need to do so,
> as of yet.
>
> I hope this assists you in your setup endeavor.
>
> Respectfully,
>
> Martes
>
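The procedure described in the quoted message (kernel options, natd started on the outside interface, an inbound divert rule, filtering on the translated addresses, an outbound divert rule), written out as one complete firewall script. This is an added example, not code from either message in the thread: the interface names em0/re0, the LAN range 192.168.1.0/24, the script path /etc/ipfw.rules and the rule numbers are assumptions. It starts natd with -n, as the reply at the top of the page says, rather than -i (which in natd is -in_port). Two design choices go beyond the quoted rules: the tracing rule is count log rather than pass log, because pass terminates rule processing and the packet would never reach the divert rule; and stateful rules are placed so that keep-state is created on the internal address before the outbound divert and check-state runs after the inbound divert, which is the only ordering in which the two agree with each other. The script prints the ruleset by default and loads it only when called with "apply".

```sh
#!/bin/sh
# Added example (not from the original post): a natd + ipfw divert gateway
# for FreeBSD 7.x, written as the firewall_script that rc.conf points at.
#
# Kernel options the gateway kernel needs (FreeBSD 7.x):
#   options IPFIREWALL
#   options IPFIREWALL_VERBOSE     # only if you want the 'log' keyword
#   options IPDIVERT
# and in /etc/rc.conf:
#   gateway_enable="YES"
#   firewall_enable="YES"
#   firewall_script="/etc/ipfw.rules"   # this file (assumed path)
#   natd_enable="YES"
#   natd_interface="em0"                # rc.d/natd passes this as -n em0
#   natd_flags="-dynamic -m"
#
# The interface names, LAN range and rule numbers are assumptions.

ext_if="${ext_if:-em0}"                # assumed external (translated) interface
lan_if="${lan_if:-re0}"                # assumed internal interface
lan_net="${lan_net:-192.168.1.0/24}"   # assumed internal network

# Print the ruleset as 'ipfw add' arguments so it can be reviewed before it
# is loaded. Ordering is the whole point:
#   - inbound:  divert first, then check-state, so replies are matched
#               against the internal address natd has just restored;
#   - outbound: keep-state first (on the internal address), then skipto the
#               outbound divert, so the state and the inbound check agree.
# 'count log' does not terminate rule processing, so a traced packet still
# reaches the divert rule (a 'pass log' rule in front of it would not).
gen_rules() {
    ext="$1"; lan="$2"; net="$3"
    cat <<EOF
add 100 allow ip from any to any via lo0
add 110 deny ip from any to 127.0.0.0/8
add 120 deny ip from 127.0.0.0/8 to any
add 130 allow ip from any to any via $lan
add 150 count log ip from any to any in via $ext
add 200 divert natd ip from any to any in via $ext
add 210 check-state
add 220 deny log ip from $net to any in via $ext
add 300 allow tcp from any to me 22 in via $ext setup keep-state
add 400 deny log ip from any to any in via $ext
add 500 skipto 800 tcp from any to any out via $ext setup keep-state
add 510 skipto 800 udp from any to any out via $ext keep-state
add 520 skipto 800 icmp from any to any out via $ext keep-state
add 600 deny log ip from any to any out via $ext
add 800 divert natd ip from any to any out via $ext
add 810 allow ip from any to any out via $ext
add 65000 deny log ip from any to any
EOF
}

# Number of the first rule whose text matches an awk regex; used to check
# the ordering invariants above before anything is loaded.
rule_num() {
    printf '%s\n' "$2" | awk -v pat="$1" '$0 ~ pat { print $2; exit }'
}

# Inbound divert must precede check-state; keep-state must precede the
# outbound divert. Returns non-zero if either invariant is broken.
check_order() {
    rules="$1"
    [ "$(rule_num 'divert natd .* in via' "$rules")" -lt \
      "$(rule_num 'check-state' "$rules")" ] || return 1
    [ "$(rule_num 'keep-state' "$rules")" -lt \
      "$(rule_num 'divert natd .* out via' "$rules")" ] || return 1
    return 0
}

# Load the ruleset and confirm natd holds the divert socket first. Only
# reached when invoked as 'sh /etc/ipfw.rules apply' on the gateway.
apply_rules() {
    rules="$(gen_rules "$ext_if" "$lan_if" "$lan_net")"
    check_order "$rules" || { echo "rule ordering invariant violated" >&2; return 1; }
    # Without natd bound to the divert port, diverted packets are dropped.
    sockstat -4 | grep -q 'natd.*div' || { echo "natd is not running" >&2; return 1; }
    ipfw -q flush
    printf '%s\n' "$rules" | while read -r line; do
        ipfw -q $line
    done
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     gen_rules "$ext_if" "$lan_if" "$lan_net" ;;
esac
```

Run it without arguments on any machine to read the generated ruleset; run it with apply on the gateway after natd is up (sockstat -4 should show natd on a div4 socket). Rules 210 through 400 are where host-specific inbound filtering goes, and they see the post-NAT internal addresses exactly as the quoted message describes for rules 201-499.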