Kernel Config for NAT

Ian Smith smithi at nimnet.asn.au
Fri Apr 9 09:51:44 UTC 2010


In freebsd-questions Digest, Vol 305, Issue 9, Message: 1
On Thu, 8 Apr 2010 08:10:34 -0400 Robert Huff <roberthuff at rcn.com> wrote:
 > Adam Vande More writes:
 > 
 > >  >        If compiled into the kernel, there's a set of optional settings
 > >  > (VERBOSE, LOG_LINIT, DEFAULT_TO_ACCEPT, etc) that can be set there.
 > >  >        If using the module, how does one set these?
 > >  >
 > >  Logging is compiled into the modules and there are a few sysctl's.  AFAIK,
 > >  everything else is the same.

There are _lots_ of sysctls, even more recently with SCTP support.

 > >  http://www.freebsd.org/doc/handbook/firewalls-ipfw.html

<rant>

This is absolutely the worst section of an otherwise great handbook.  
Apart from being way out of date it contains gratuitous deprecation, 
inaccuracies and a large number of plain untruths, was largely written 
by someone who doesn't use (or like) ipfw, and has examples styled to 
duplicate an IPFILTER setup.

Nothing short of a rewrite from scratch could fix it, despite efforts by 
several people to clarify aspects; only quite recently the invalid 'ipfw 
block' command was removed from it.  ipfw(8) is a complete (albeit very
terse) ipfw reference and I thoroughly recommend studying that instead.

Despite what the handbook section says, the sample rules, e.g. the 'simple' 
ruleset in rc.firewall ARE these days suitable for immediate use using 
rc.conf variables, DO include NAT functionality (either with natd or 
ipfw nat) in the _correct_ place in the ruleset, and DO include some 
stateful rules; that and ipfw(8) are certainly a better place to start 
than the dreadful examples afflicting the handbook since some years.
</rant>

 > 	So ... double-checking I'm doing this right:
 > 
 > 1) in /boot/loader.conf:
 > 
 > ipfw_load="YES"
 > ipdivert_load="YES"

I thought from your earlier mail that you wanted to use in-kernel NAT?

If so, rather than divert sockets (using ipfw's divert action) you want:
ipfw_nat_load=YES
libalias_load=YES

 > 2) in the kernel config:
 > 
 > #options  IPFIREWALL              #firewall
 > #options  IPFIREWALL_VERBOSE      #enable logging to syslogd(8)
 > #options  IPFIREWALL_VERBOSE_LIMIT=100    #limit verbosity
 > #options  IPFIREWALL_DEFAULT_TO_ACCEPT    #allow everything by default
 > #options  IPDIVERT
 > #options  IPFIREWALL_NAT          #ipfw kernel nat support
 > options  LIBALIAS				# required for NAT

I believe all these can be accomplished with modules on GENERIC kernel, 
at least on 8.x, with the exception of FIREWALL_FORWARD functionality
which does require a custom kernel as it messes with lots of ip paths.

If you want to use natd(8) then you'll need ipdivert.ko (as you have 
above), but if you want to use in-kernel NAT (not yet mentioned in the 
handbook sections for ipfw or natd, though there since 7.0) then you'll 
want IPFIREWALL_NAT and LIBALIAS in kernel, or loaded as modules:

ipfw.ko
ipfw_nat.ko	# in-kernel ipfw nat
libalias.ko	# for in-kernel ipfw nat
dummynet.ko	# if wanted
ipdivert.ko	# (or) for natd

Basically, natd uses userland libalias and ipdivert but in-kernel NAT 
needs in-kernel libalias.  The syntax of nat commands is virtually 
identical for natd.conf and ipfw nat commands, see ipfw(8) & natd(8).

 > 3) in /etc/sysctl.conf:
 > 
 > net.inet.ip.fw.default_to_accept="1"

Interestingly, that one hasn't yet made it into ipfw(8) .. your choice, 
or you can use firewall_type="open" for rc.firewall without that, until 
you've got your ruleset in action (when default to deny is advisable)

 > net.inet.ip.fw.verbose="1"
 > net.inet.ip.fw.verbose_limit="100"
 > 
 > 
 > 	That cover it?

Should do .. with the abovementioned exception, take ipfw(8) as being 
definitive, ignore the misleading and often just plain wrong handbook 
section, and prosper ..

cheers, Ian
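An added check, not part of Ian's mail, that encodes the two module sets he lists: it audits a /boot/loader.conf fragment for in-kernel NAT (ipfw_nat plus libalias) versus natd (ipdivert). The sample fragments, the function names and the mode labels are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original mail: audit a /boot/loader.conf
# fragment against the module sets described in the reply.
#   kernelnat: ipfw nat needs ipfw.ko, ipfw_nat.ko and in-kernel libalias.ko
#   natd:      natd(8) needs ipfw.ko and ipdivert.ko (userland libalias)
# Prints one line per finding and returns 1 if anything required is missing.

# has_load CONF NAME: true when a NAME_load=YES (quoted or not) line is present
has_load() {
    printf '%s\n' "$1" | grep -Eq "^[[:space:]]*${2}_load=\"?YES\"?[[:space:]]*$"
}

audit_loader_conf() {
    conf=$1 mode=$2 rc=0
    has_load "$conf" ipfw || { echo "missing: ipfw_load=\"YES\""; rc=1; }
    case $mode in
    kernelnat)
        has_load "$conf" ipfw_nat || { echo "missing: ipfw_nat_load=\"YES\""; rc=1; }
        has_load "$conf" libalias || { echo "missing: libalias_load=\"YES\""; rc=1; }
        # divert sockets belong to the natd setup, not to in-kernel NAT
        has_load "$conf" ipdivert && echo "note: ipdivert_load is only needed for natd"
        ;;
    natd)
        has_load "$conf" ipdivert || { echo "missing: ipdivert_load=\"YES\""; rc=1; }
        ;;
    *)
        echo "unknown mode: $mode"; rc=1
        ;;
    esac
    return $rc
}

# Constructed sample: the loader.conf quoted in the thread (a natd-style module set)
SAMPLE_ORIGINAL='ipfw_load="YES"
ipdivert_load="YES"'

# Constructed sample: the module set the reply suggests for in-kernel NAT
SAMPLE_KERNELNAT='ipfw_load="YES"
ipfw_nat_load=YES
libalias_load=YES'

audit_loader_conf "$SAMPLE_ORIGINAL" kernelnat || echo "-> not enough for ipfw nat"
audit_loader_conf "$SAMPLE_ORIGINAL" natd && echo "-> fine for natd"
audit_loader_conf "$SAMPLE_KERNELNAT" kernelnat && echo "-> fine for ipfw nat"
```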

