Kernel Config for NAT
Ian Smith
smithi at nimnet.asn.au
Fri Apr 9 09:51:44 UTC 2010
In freebsd-questions Digest, Vol 305, Issue 9, Message: 1
On Thu, 8 Apr 2010 08:10:34 -0400 Robert Huff <roberthuff at rcn.com> wrote:
> Adam Vande More writes:
>
> > > If compiled into the kernel, there's a set of optional settings
> > > (VERBOSE, LOG_LINIT, DEFAULT_TO_ACCEPT, etc) that can be set there.
> > > If using the module, how does one set these?
> > >
> > Logging is compiled into the modules and there are a few sysctls. AFAIK,
> > everything else is the same.
There are _lots_ of sysctls, even more recently with SCTP support.
> > http://www.freebsd.org/doc/handbook/firewalls-ipfw.html
<rant>
This is absolutely the worst section of an otherwise great handbook.
Apart from being way out of date it contains gratuitous deprecation,
inaccuracies and a large number of plain untruths, was largely written
by someone who doesn't use (or like) ipfw, and has examples styled to
duplicate an IPFILTER setup.
Nothing short of a rewrite from scratch could fix it, despite efforts by
several people to clarify aspects; only quite recently the invalid 'ipfw
block' command was removed from it. ipfw(8) is a complete (albeit very
terse) ipfw reference and I thoroughly recommend studying that instead.
Despite what the handbook section says, the sample rules eg the 'simple'
ruleset in rc.firewall ARE these days suitable for immediate use using
rc.conf variables, DO include NAT functionality (either with natd or
ipfw nat) in the _correct_ place in the ruleset, and DO include some
stateful rules; that and ipfw(8) are certainly a better place to start
than the dreadful examples afflicting the handbook since some years.
</rant>
> So ... double-checking I'm doing this right:
>
> 1) in /boot/loader.conf:
>
> ipfw_load="YES"
> ipdivert_load="YES"
I thought from your earlier mail that you wanted to use in-kernel NAT?
If so, rather than divert sockets (using ipfw's divert action) you want:
ipfw_nat_load=YES
libalias_load=YES
> 2) in the kernel config:
>
> #options IPFIREWALL #firewall
> #options IPFIREWALL_VERBOSE #enable logging to syslogd(8)
> #options IPFIREWALL_VERBOSE_LIMIT=100 #limit verbosity
> #options IPFIREWALL_DEFAULT_TO_ACCEPT #allow everything by default
> #options IPDIVERT
> #options IPFIREWALL_NAT #ipfw kernel nat support
> options LIBALIAS # required for NAT
I believe all these can be accomplished with modules on GENERIC kernel,
at least on 8.x, with the exception of FIREWALL_FORWARD functionality
which does require a custom kernel as it messes with lots of ip paths.
If you want to use natd(8) then you'll need ipdivert.ko (as you have
above), but if you want to use in-kernel NAT (not yet mentioned in the
handbook sections for ipfw or natd, though there since 7.0) then you'll
want IPFIREWALL_NAT and LIBALIAS in kernel, or loaded as modules:
ipfw.ko
ipfw_nat.ko # in-kernel ipfw nat
libalias.ko # for in-kernel ipfw nat
dummynet.ko # if wanted
ipdivert.ko # (or) for natd
Basically, natd uses userland libalias and ipdivert but in-kernel NAT
needs in-kernel libalias. The syntax of nat commands is virtually
identical for natd.conf and ipfw nat commands, see ipfw(8) & natd(8).
> 3) in /etc/sysctl.conf:
>
> net.inet.ip.fw.default_to_accept="1"
Interestingly, that one hasn't yet made it into ipfw(8) .. your choice,
or you can use firewall_type="open" for rc.firewall without that, until
you've got your ruleset in action (when default to deny is advisable)
> net.inet.ip.fw.verbose="1"
> net.inet.ip.fw.verbose_limit="100"
>
>
> That cover it?
Should do .. with the abovementioned exception, take ipfw(8) as being
definitive, ignore the misleading and often just plain wrong handbook
section, and prosper ..
cheers, Ian
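As an added example (not from this thread or the FreeBSD project), a POSIX sh script that, for the two NAT modes discussed above, compares kldstat(8) output against the modules each mode needs and prints the matching /boot/loader.conf lines and the rule skeleton (nat instance vs. divert to natd). The kldstat text is constructed, and the interface name em0 and rule number 100 are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: for a chosen NAT mode, report which
# ipfw modules are still missing from kldstat(8) output and emit the
# matching /boot/loader.conf lines and NAT rule skeleton.
# Module, variable and rule names are those discussed in the thread;
# the interface name and rule number are assumptions.

# Modules each mode needs (dummynet.ko is optional and left out).
modules_for() {
    case "$1" in
        kernel) echo "ipfw.ko ipfw_nat.ko libalias.ko" ;;  # in-kernel ipfw nat
        natd)   echo "ipfw.ko ipdivert.ko" ;;              # natd(8) over divert
        *)      echo "unknown mode: $1" >&2; return 1 ;;
    esac
}

# One line per required module whose name is absent from the kldstat text $2.
missing_modules() {
    for m in $(modules_for "$1"); do
        printf '%s\n' "$2" | awk -v n="$m" '$NF == n { f = 1 } END { exit !f }' \
            || printf '%s\n' "$m"
    done
}

# loader.conf form: foo.ko -> foo_load="YES"
loader_conf_for() {
    for m in $(modules_for "$1"); do
        printf '%s_load="YES"\n' "${m%.ko}"
    done
}

# Rule skeleton for interface $2: in-kernel nat instance vs. divert to natd.
nat_rules_for() {
    case "$1" in
        kernel) printf 'ipfw nat 1 config if %s\n' "$2"
                printf 'ipfw add 100 nat 1 ip from any to any via %s\n' "$2" ;;
        natd)   printf 'ipfw add 100 divert natd ip from any to any via %s\n' "$2" ;;
    esac
}

# Constructed kldstat output: GENERIC kernel with only ipfw.ko loaded.
SAMPLE_KLDSTAT='Id Refs Address            Size     Name
 1   12 0xffffffff80200000 d0a8d0   kernel
 2    1 0xffffffff81012000 1f3f0    ipfw.ko'

main() {
    mode="${1:-kernel}"; ifn="${2:-em0}"
    echo "# missing for $mode NAT:"; missing_modules "$mode" "$SAMPLE_KLDSTAT"
    echo "# loader.conf:"; loader_conf_for "$mode"
    echo "# rules:"; nat_rules_for "$mode" "$ifn"
}
main "$@"
```

Run as `sh script.sh natd em0` to see the natd variant; on a real box replace SAMPLE_KLDSTAT with the output of `kldstat`.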