FreeBSD Gateway problems
Glenn Dawson
glenn at antimatter.net
Mon Aug 15 09:15:57 GMT 2005
At 01:46 AM 8/15/2005, Tim Holmes wrote:
>For years I've used a FreeBSD as my gateway. Well I haven't had a high
>speed connection for 3 years now, and I've just gotten it back. Since
>then I've reloaded the machine from 4.3 to 5.3. I thought I had it all
>set up so when I did get connection, I could make a quick edit to my
>rc.conf and I'd be ready to go. Well turns out I was way off.
>
>The machine has no problems getting an IP from the cable modem, and I can
>get anywhere I want from that machine directly. (I'm currently ssh'd to
>the router machine to send email, use w3m to find How-Tos) But it won't
>pass traffic from the rest of the network.
>
>Here are the settings in my rc.conf:
>
>gateway_enable="YES" # Enable as Lan gateway
># firewall_enable="YES"
>natd_enable="YES"
>natd_interface="xl0"
>natd_flags="-f /etc/natd.conf"
>ipmon_enable="YES"
>ipmon_flags="-Ds"
>
>The firewall_enable is disable now because when it's turned on, I can't
>actually get out from directly on the machine. At this point I just want
>it to do the routing and then I can work on building a firewall afterwards.
If you use options IPFIREWALL_DEFAULT_TO_ACCEPT that will allow you to get
the other things working, and you can figure out your firewall rules once
everything else works.
>Before I did the update and rebuilt the kernel yesterday, I had these options
>in rc.conf
>
># ipnat_enable="YES" # Start ipnat function
># ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnat
># ipfilter_enable="YES" # Start ipf firewall
># ipfilter_rules="/etc/ipf.rules" # loads rules definition text file
>
>Well all these other How-Tos I found on FreeBSDDiary.org told me all I needed
>was "gateway_enable=YES" and "firewall_enable=YES". Also to add these two
>options to the kernel:
>
>options IPFILTER
>options IPDIVERT
To use ipfw adding these options to your kernel is a good place to start:
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_DEFAULT_TO_ACCEPT
If you're using natd, you'll also want:
options IPDIVERT
If you want to use ipnat (ipfilter) you'll want:
options IPFILTER
>But that wasn't working. Another mentioned I needed
>defaultrouter="192.168.2.254",
>but that's not doing it either. It wasn't actually running nat, and I'd
>get errors
>if I tried to start. Here's the message I saw at boot after a new kernel.
The default router for the FreeBSD machine should be supplied by the dhcp
server that gives you your IP address.
Also, you will need to use NAT since the cable modem probably only gives
you a single IP.
>1: unexpected keyword (any) - from
>/sbin/ipf: /etc/ipf.rules: parse error (-1), quitting
>/etc/rc: WARNING: NO IPNAT RULES
>
>After following some other How-Tos I tried running ipfw, but I keep
>getting an error
>message that won't return any helpful searches from Google.
>
># ipnat -f /etc/ipnat.conf
>ioctl(SIOCGNATS): Operation not permitted
># ipfw -f flush
>ipfw: setsockopt(IP_FW_FLUSH): Protocol not available
># ipf -FA -f /etc/ipf.rules
>ioctl(SIOCIPFFL): Operation not permitted
># ipfw add divert natd all from any to any via xl0
>ipfw: getsockopt(IP_FW_ADD): Protocol not available
The errors suggest that ipfw isn't in your kernel, and likely is not loaded
from a module. If kldstat doesn't show it loaded, and you don't have
OPTIONS IPFIREWALL in your kernel, that will cause errors like those.
If you'd like some sample configs, contact me off list and I'll send you
copies of some that I typically use as a starting point.
-Glenn
>None of those error messages will give me anything to go. So I'm at a
>loss here. Can
>anybody point me to How-To, or share their rc.conf edits to make this work?
>
>I know this was a little long, but thanks in advance for the help.
>
>tdh
>--
> ----------------+-------------------------------------------------
> \./ | Tim Holmes -- em at il: tim at unixtechs.org
> (0Y0) | UIN: 17021091 -- AIM: tdh004
> -ooO--(_)--Ooo--+-------------------------------------------------
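A consistency check for the rc.conf knobs and kernel options discussed in this thread, added here as an example and not part of either poster's mail. The knob-to-option mapping follows Glenn's reply; the default-rule check assumes FreeBSD 5.x's deny-by-default ipfw behaviour without IPFIREWALL_DEFAULT_TO_ACCEPT; the sample inputs are Tim's posted rc.conf and a kernel config constructed from the two options his How-To suggested.

```python
import re

# rc.conf knobs and the kernel options each one needs (per the reply above)
REQUIRES = {
    "firewall_enable": {"IPFIREWALL"},
    "natd_enable": {"IPFIREWALL", "IPDIVERT"},
    "ipfilter_enable": {"IPFILTER"},
    "ipnat_enable": {"IPFILTER"},
    "ipmon_enable": {"IPFILTER"},
}

def parse_rc_conf(text):
    """Return {knob: value} for uncommented knobs, quotes and trailing comments stripped."""
    knobs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # assumes no '#' inside quoted values
        m = re.match(r'^(\w+)\s*=\s*"?(.*?)"?$', line)
        if m:
            knobs[m.group(1)] = m.group(2)
    return knobs

def parse_kernel_options(text):
    """Return the set of names from uncommented 'options NAME' lines of a kernel config."""
    return {m.group(1) for m in re.finditer(r"(?m)^\s*options\s+(\w+)", text)}

def check(rc_text, kernel_text):
    """Return a list of rc.conf/kernel mismatches; an empty list means consistent."""
    knobs, opts = parse_rc_conf(rc_text), parse_kernel_options(kernel_text)
    on = lambda k: knobs.get(k, "NO").upper() == "YES"
    findings = []
    for knob, needed in REQUIRES.items():
        for opt in sorted(needed - opts) if on(knob) else []:
            findings.append(f"{knob}=YES but the kernel lacks 'options {opt}'")
    if on("natd_enable") and not on("firewall_enable"):
        findings.append("natd_enable=YES but firewall_enable is not YES: no divert rule gets installed")
    if on("firewall_enable") and "firewall_type" not in knobs and "IPFIREWALL_DEFAULT_TO_ACCEPT" not in opts:
        findings.append("firewall_enable=YES with no firewall_type and no IPFIREWALL_DEFAULT_TO_ACCEPT: "
                        "the kernel default rule denies all traffic, the gateway's own included")
    return findings

# Constructed inputs: the rc.conf exactly as posted, plus the two How-To kernel options
RC_AS_POSTED = ('gateway_enable="YES" # Enable as Lan gateway\n# firewall_enable="YES"\n'
                'natd_enable="YES"\nnatd_interface="xl0"\nnatd_flags="-f /etc/natd.conf"\n'
                'ipmon_enable="YES"\nipmon_flags="-Ds"\n')
KERNEL_AS_POSTED = "options IPFILTER\noptions IPDIVERT\n"
# The same files after applying the reply: firewall switched on, ipfw options added
RC_FIXED = RC_AS_POSTED.replace('# firewall_enable="YES"', 'firewall_enable="YES"')
KERNEL_FIXED = KERNEL_AS_POSTED + ("options IPFIREWALL\noptions IPFIREWALL_VERBOSE\n"
                                   "options IPFIREWALL_DEFAULT_TO_ACCEPT\n")
```

Running `check(RC_AS_POSTED, KERNEL_AS_POSTED)` reports the missing IPFIREWALL option and the disabled firewall, which is exactly the pair behind the "Protocol not available" errors quoted above; the fixed pair reports nothing.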