Kernel Config for NAT

Ian Smith smithi at nimnet.asn.au
Fri Apr 9 15:07:36 UTC 2010


On Fri, 9 Apr 2010, Robert Huff wrote:
 > Ian Smith writes:
 > 
 > >   > 	So ... double-checking I'm doing this right:
 > >   > 
 > >   > 1) in /boot/loader.conf:
 > >   > 
 > >   > ipfw_load="YES"
 > >   > ipdivert_load="YES"
 > >  
 > >  I thought from your earlier mail that you wanted to use in-kernel
 > >  NAT?
 > 
 > 	I want whatever works.  :-)

natd works, as ever.  ipfw nat is reputed to work faster.

 > 	Beyond that ... all other things being more-or-less equal I'll
 > do this with modules.
 > 	Let's build that.  So in /etc/sysctl.conf:
 > 
 > net.inet.ip.fw.default_to_accept="1"
 > net.inet.ip.fw.verbose="1"
 > net.inet.ip.fw.verbose_limit="100"
 > 
 > 	check.
 > 
 > >  I believe all these can be accomplished with modules on GENERIC
 > >  kernel, at least on 8.x, with the exception of FIREWALL_FORWARD
 > >  functionality which does require a custom kernel as it messes
 > >  with lots of ip paths.
 > 
 > 	This machine has a custom kernel, so that's not an issue.
 > 	And in /boot/loader.conf:
 > 
 > ipfw_load="YES"
 > ipfw_nat="YES"	# in-kernel ipfw nat
 > libalias="YES"	# for in-kernel ipfw nat

ipfw_nat_load="YES"
libalias_load="YES"

 > 	check.
 > 	and in the kernel config:
 > 
 > #options  IPFIREWALL              #firewall
 > #options  IPFIREWALL_VERBOSE      #enable logging to syslogd(8)
 > 
 > options  IPFIREWALL_FORWARD

Planning on using any 'fwd' rules?

 > #options  IPFIREWALL_VERBOSE_LIMIT=100    #limit verbosity
 > #options  IPFIREWALL_DEFAULT_TO_ACCEPT    #allow everything by default
 > #options  IPDIVERT
 > #options  IPFIREWALL_NAT          #ipfw kernel nat support
 > #options  LIBALIAS				# required for NAT
 > 
 > 	check.
 > 	This combination will get me a) ipfw, using the standard
 > rc.conf "firewall_" variables, and b) NAT ... do I still need to
 > have a "nat" setting in the firewall rules?

The 'client' ruleset now has rules for either natd or ipfw nat.  The 
'simple' ruleset works with natd (from natd_enable and natd_interface in 
rc.conf), but still lacks the patch for ipfw nat - my remiss for seeking 
comment in ipfw@ rather than sending it with a PR, as one should.

Time I redid it, you can be guinea pig :)  What freebsd version?

cheers, Ian
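The one concrete correction in the reply above is the loader.conf knob names: a module is only loaded by loader(8) when the variable is `<module>_load="YES"`, so `ipfw_nat="YES"` and `libalias="YES"` just set harmless loader variables and no NAT module ever appears. The following is an added example, not part of the thread or of FreeBSD's rc scripts: a small POSIX sh lint that checks a loader.conf fragment for the three knobs discussed (`ipfw_load`, `ipfw_nat_load`, `libalias_load`) and flags the bare, suffix-less spellings. The sample fragments it writes are constructed here to mirror the wrong and corrected versions in the mail; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): lint a loader.conf fragment for the
# in-kernel ipfw nat module knobs. The thread's correction is that the
# knobs are ipfw_nat_load / libalias_load, not ipfw_nat / libalias.

# Loader knobs needed for in-kernel ipfw nat with modules (per the reply).
REQUIRED_KNOBS="ipfw_load ipfw_nat_load libalias_load"

# check_loader_conf FILE
# Prints one line per problem found. Returns 0 when every required knob is
# set to YES and no bare module name (without _load) is present, else 1.
check_loader_conf() {
    file=$1
    status=0
    for knob in $REQUIRED_KNOBS; do
        # Accept knob=YES or knob="YES", optionally indented.
        if ! grep -Eq "^[[:space:]]*${knob}=\"?YES\"?" "$file"; then
            echo "missing: ${knob}=\"YES\""
            status=1
        fi
    done
    # A variable without the _load suffix is just a loader variable; it does
    # not load anything, so the typo is silent at boot. Flag it explicitly.
    for bare in ipfw_nat libalias; do
        if grep -Eq "^[[:space:]]*${bare}=" "$file"; then
            echo "suspicious: ${bare}= lacks _load (did you mean ${bare}_load=\"YES\"?)"
            status=1
        fi
    done
    return $status
}

# make_sample FILE bad|good
# Writes a constructed loader.conf fragment: "bad" reproduces the fragment
# quoted in the mail, "good" the corrected knob names from the reply.
make_sample() {
    if [ "$2" = bad ]; then
        printf '%s\n' 'ipfw_load="YES"' \
                      'ipfw_nat="YES"  # in-kernel ipfw nat' \
                      'libalias="YES"  # for in-kernel ipfw nat' > "$1"
    else
        printf '%s\n' 'ipfw_load="YES"' \
                      'ipfw_nat_load="YES"' \
                      'libalias_load="YES"' > "$1"
    fi
}

# Stand-alone usage: lint a real file, or demo with the constructed samples.
if [ -n "$1" ]; then
    check_loader_conf "$1"
else
    f=$(mktemp)
    make_sample "$f" bad
    echo "--- constructed fragment from the mail:"
    check_loader_conf "$f" || true
    make_sample "$f" good
    echo "--- corrected fragment:"
    check_loader_conf "$f" && echo "ok"
    rm -f "$f"
fi
```

Run it as `sh lint-loader.sh /boot/loader.conf` to check a live file; with no argument it lints the two constructed fragments and reports two missing knobs plus two suspicious lines for the first, and `ok` for the second. The check deliberately looks only at the knob names, since whether `ipfw nat` actually works then depends on the kernel (custom `IPFIREWALL_NAT`/`LIBALIAS` options versus modules) and on the rc.conf `firewall_` settings discussed in the thread.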

