FreeBSD as Server

Kobus de Wit kobus at cits.com.na
Sat May 13 05:24:56 UTC 2006


Hi Everyone,

    Based on the communication below I went ahead and activated pf.conf, 
which works (NAT) fine.

    Before I pose my questions, here is an extract of my server config:-
    -    FreeBSD 6.0 server with 2 network cards (1 Public IP and 1 Internal IP)
    -    pf.conf setup for 4 internal networks and to NAT (which works fine)
    -    rc.conf (some of the entries; also some static_routes in there):
             gateway_enable="YES"
             inetd_enable="YES"
             pf_enable="YES"
             pflog_enable="YES"
             sshd_enable="YES"
             usbd_enable="YES"
             kern_securelevel="3"
             kern_securelevel_enable="YES"

    I have an email (EXIM mail) server in one of the internal networks 
and will have more shortly. The external public IP address of the mail 
server is on the same subnet as my FreeBSD server. I'm unsuccessfully 
trying, within pf.conf (rdr), to forward traffic destined for the mail 
server to the mail server. My rdr entry within pf.conf is as follows:-
    rdr on $ext_if proto tcp from any to $external_addr/32 port 25 -> 10.64.101.4 port 25
    ($external_addr is defined earlier on in pf.conf.)

    Am I missing some entries?

    Should I get my network provider to route traffic for the mail server 
to my FreeBSD server's IP address?

    I was hoping that my FreeBSD server would pick up traffic destined 
for the mail server (seeing that it is defined as such in the pf.conf 
file and on the same subnet) and forward it.

    Regards

    Kobus
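
An added pf.conf example (not from the original post or the FreeBSD project) showing the two pieces a port-25 rdr usually needs besides the rdr line itself: the gateway must actually own the public mail address, and the pass rule must match the post-translation internal address. Assumes fxp0/fxp1 as the external/internal interfaces and a constructed placeholder public address 203.0.113.25; the mail host 10.64.101.4 is from the post.

```pf
# Added example, not the poster's or the project's configuration.
# Assumed names: fxp0 (external), fxp1 (internal), 203.0.113.25 (constructed
# placeholder for the mail server's public address, same subnet as the gateway).
ext_if="fxp0"
int_if="fxp1"
external_addr="203.0.113.25"
mail_srv="10.64.101.4"

# rdr only rewrites the destination of packets the kernel already receives.
# It does not make this host answer ARP for $external_addr, so a second
# address on the shared subnet must either be configured here as an alias
# (rc.conf: ifconfig_fxp0_alias0="inet 203.0.113.25 netmask 255.255.255.255")
# or be routed by the provider to the gateway's primary address.

# Outbound: let the mail server's own traffic leave from its public address
# (so reverse DNS/SPF checks see the expected source), everything else from
# the interface address. First matching translation rule wins.
nat on $ext_if from $mail_srv to any -> $external_addr
nat on $ext_if from any to any -> ($ext_if)

# Inbound: translate SMTP for the public address to the internal mail host.
rdr on $ext_if proto tcp from any to $external_addr/32 port smtp -> $mail_srv port smtp

# Filter rules are evaluated after translation, so the pass rule must match
# the INTERNAL address; a rule for $external_addr port 25 would never match.
block in log on $ext_if
pass in on $ext_if proto tcp from any to $mail_srv port smtp flags S/SA keep state

# Caveat for the poster's kern_securelevel="3": at that level pf rules cannot
# be altered, so "pfctl -f /etc/pf.conf" will not reload changes on a running
# system; test the ruleset before the securelevel is raised.
```

Check the live translation and filter state with "pfctl -sn", "pfctl -sr" and "pfctl -ss" while a connection to port 25 on the public address is open.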



----- Original Message ----- 
From: "Brian Candler" <B.Candler at pobox.com>
To: "Alexander" <shulik_freebsd at matrixhome.net>
Cc: <freebsd-isp at freebsd.org>
Sent: Saturday, January 14, 2006 11:38 PM
Subject: Re: FreeBSD as Server


> On Sat, Jan 14, 2006 at 06:01:14PM +0200, Alexander wrote:
>> I think, that ipfw is native for FreeBSD - it works better than other
>> packet filters. Am I right?
>
> Not really. For NAT in particular, ipfw is pretty awful. You need an
> external daemon (natd) and have to route packets to and from it, which
> works fine if you have a very simple configuration (e.g. single external
> interface, basic NAT-everything-going-out or NAT all RFC1918 address
> space). More complex scenarios can be an utter nightmare to configure
> properly.
>
> It also has a long history, which means that the configuration syntax
> isn't always very clean because of backwards compatibility requirements.
>
>> When traffic that is not to be NATed in ng_nat is sent into the "in"
>> hook, must it simply come out of it? Or not? Where is the trouble?
>
> I can't answer that. All I can say is, if you want NAT there is a very
> simple incantation you can put in /etc/rc.conf:
>
>    pf_enable="YES"
>    pflog_enable="YES"
>
> and in /etc/pf.conf:
>
>    # replace interface name as appropriate
>    ext_if="fxp0"
>    nat on $ext_if from any to any -> ($ext_if)
>
> Start it like this:
>
>    # /etc/rc.d/pf start
>    # /etc/rc.d/pflog start
>
> It should Just Work[TM]. pf is loadable as a module, so you shouldn't
> even have to recompile your kernel.
>
> Regards,
>
> Brian.