Kernel Config for NAT
Ian Smith
smithi at nimnet.asn.au
Fri Apr 9 15:07:36 UTC 2010
On Fri, 9 Apr 2010, Robert Huff wrote:
> Ian Smith writes:
>
> > > So ... double-checking I'm doing this right:
> > >
> > > 1) in /boot/loader.conf:
> > >
> > > ipfw_load="YES"
> > > ipdivert_load="YES"
> >
> > I thought from your earlier mail that you wanted to use in-kernel
> > NAT?
>
> I want whatever works. :-)
natd works, as ever. ipfw nat is reputed to work faster.
> Beyond that ... all other things being more-or-less equal I'll
> do this with modules.
> Let's build that. So in /etc/sysctl.conf:
>
> net.inet.ip.fw.default_to_accept="1"
> net.inet.ip.fw.verbose="1"
> net.inet.ip.fw.verbose_limit="100"
>
> check.
>
> > I believe all these can be accomplished with modules on GENERIC
> > kernel, at least on 8.x, with the exception of FIREWALL_FORWARD
> > functionality which does require a custom kernel as it messes
> > with lots of ip paths.
>
> This machine has a custom kernel, so that's not an issue.
> And in /boot/loader.conf:
>
> ipfw_load="YES"
> ipfw_nat="YES" # in-kernel ipfw nat
> libalias="YES" # for in-kernel ipfw nat
ipfw_nat_load="YES"
libalias_load="YES"
> check.
> and in the kernel config:
>
> #options IPFIREWALL #firewall
> #options IPFIREWALL_VERBOSE #enable logging to syslogd(8)
>
> options IPFIREWALL_FORWARD
Planning on using any 'fwd' rules?
> #options IPFIREWALL_VERBOSE_LIMIT=100 #limit verbosity
> #options IPFIREWALL_DEFAULT_TO_ACCEPT #allow everything by default
> #options IPDIVERT
> #options IPFIREWALL_NAT #ipfw kernel nat support
> #options LIBALIAS # required for NAT
>
> check.
> This combination will get me a) ipfw, using the standard
> rc.conf "firewall_" variables, and b) NAT ... do I still need to
> have a "nat" setting in the firewall rules?
The 'client' ruleset now has rules for either natd or ipfw nat. The
'simple' ruleset works with natd (from natd_enable and natd_interface in
rc.conf), but still lacks the patch for ipfw nat - my remiss for seeking
comment in ipfw@ rather than sending it with a PR, as one should.
Time I redid it, you can be guinea pig :) What FreeBSD version?
cheers, Ian
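As an added example, not from this thread nor from the FreeBSD rc scripts: a small script that emits the sysctl settings and the ipfw(8) commands a gateway needs for in-kernel NAT, showing the nat instance and the "nat" rule the ruleset still has to contain. The interface names em0/em1, the LAN prefix and the NAT instance number are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): print the sysctl settings and the
# ipfw(8) commands for a FreeBSD gateway doing in-kernel NAT. Assumed,
# constructed values: external interface em0, LAN interface em1, LAN network
# 192.168.1.0/24, NAT instance 1. Commands are printed, not run, so the
# result can be reviewed before being fed to sh as root on the gateway.
EXT_IF="${EXT_IF:-em0}"
LAN_IF="${LAN_IF:-em1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
NAT_ID=1

# one_pass=0 is the setting that matters for in-kernel NAT: with the
# default of 1 a packet leaves the ruleset right after the nat action,
# so filtering rules placed after it would never be evaluated.
nat_sysctls() {
    printf '%s\n' \
        "sysctl net.inet.ip.fw.one_pass=0" \
        "sysctl net.inet.ip.fw.verbose=1" \
        "sysctl net.inet.ip.fw.verbose_limit=100"
}

# "nat N config" creates the translation instance; "add ... nat N" sends
# traffic through it. In-kernel NAT needs both, just as natd needed a divert
# rule. Rules after the nat rule see the translated packet (outbound source
# is now the external address, inbound destination is the LAN host).
nat_ruleset() {
    printf '%s\n' \
        "ipfw -q flush" \
        "ipfw nat $NAT_ID config if $EXT_IF same_ports unreg_only reset" \
        "ipfw add 100 allow ip from any to any via lo0" \
        "ipfw add 200 deny ip from any to 127.0.0.0/8" \
        "ipfw add 300 deny ip from 127.0.0.0/8 to any" \
        "ipfw add 1000 nat $NAT_ID ip from any to any via $EXT_IF" \
        "ipfw add 2000 allow ip from any to any out via $EXT_IF" \
        "ipfw add 2100 allow ip from any to $LAN_NET in via $EXT_IF" \
        "ipfw add 2200 allow tcp from any to me 22 in via $EXT_IF" \
        "ipfw add 2300 allow tcp from any to me established in via $EXT_IF" \
        "ipfw add 2400 allow ip from any to any via $LAN_IF" \
        "ipfw add 65000 deny log ip from any to any"
}

# Number of filter rules emitted, for a sanity check before loading.
nat_rule_count() {
    nat_ruleset | grep -c '^ipfw add'
}

nat_sysctls
nat_ruleset
```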