[6.x patchset] Ipfw nat and libalias modules

Patrick Tracanelli eksffa at freebsdbrasil.com.br
Sat May 6 19:17:18 UTC 2006


> Now, I think that we have to make some ipfw example code for NAT 
> in-kernel with and without keep-state/check-state.
> I start on Monday with stateful ipfw.
> 
> Thanks for helping me!!!
> (Now I have FreeBSD 6.1)
> 

I haven't tried with keep-state yet (don't even know if keep-state is 
ready to maintain "nat" state; I think it is not). The box which is 
taking me to the internet right now at my building is ipfw nat, for wired 
and wireless networks. Here are the running rules:

(eksffa at hs)~# ipfw show | grep nat
20000   19812654    104938057 nat 20 ip from { 10.69.69.0/24 or 172.16.69.0/24 } to any out via sis0
20100   27128929  37927915720 nat 20 ip from any to any in via sis0

(eksffa at hs)~# ipfw nat 20 show config
ipfw nat 20 config if sis0 log unreg_only redir_port tcp 10.69.69.13:4662 4662 redir_port tcp 10.69.69.39:80 3980 redir_port tcp 10.69.69.39:6969 3969

(eksffa at hs)~# grep nat /etc/rc.firewall
         $fwcmd nat 20 config if sis0 log unreg_only redir_port tcp 10.69.69.13:4662 4662 redir_port tcp 10.69.69.39:80 3980 redir_port tcp 10.69.69.39:6969 3969

         $fwcmd add 20000 set 20 nat 20 all from $redes to any out via $ife

         $fwcmd add 20100 set 20 nat 20 all from any to any in via $ife

I have some more environments running NAT on different IPs with 
"prob", for testing purposes. I can print the configs next week, since I 
can't access those boxes on weekends.

I hope it helps as an example; I have just rewritten the selective "divert" 
rules which I used before into "nat" rules.

BTW (side note): Next week I will add a TinyBSD image with ipfw nat 
(FreeBSD 6.1) on www.tinybsd.org, so if anyone wants to try ipfw nat on 
their soekris/wrap/whatever boards, hang on until Wednesday.

-- 
Patrick Tracanelli
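An added example, not from the post above or from the FreeBSD project: a small audit script that parses the `ipfw show` and `ipfw nat N show config` output quoted in the message, checks that the nat instance has both an "out" and an "in" rule on the same interface (a one-directional rule is the usual mistake when converting divert rules), and lists which internal host:port each redir_port exposes to the outside. The sample strings are constructed from the output in the post; the function and class names are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample: the two nat rules from "ipfw show | grep nat" in the post,
# with the wrapped line joined back into one.
IPFW_SHOW = """\
20000   19812654    104938057 nat 20 ip from { 10.69.69.0/24 or 172.16.69.0/24 } to any out via sis0
20100   27128929  37927915720 nat 20 ip from any to any in via sis0
"""

# Constructed sample: the "ipfw nat 20 show config" line from the post.
NAT_CONFIG = ("ipfw nat 20 config if sis0 log unreg_only "
              "redir_port tcp 10.69.69.13:4662 4662 "
              "redir_port tcp 10.69.69.39:80 3980 "
              "redir_port tcp 10.69.69.39:6969 3969")


@dataclass
class NatRule:
    number: int       # rule number (20000 / 20100)
    packets: int      # packet counter from ipfw show
    byte_count: int   # byte counter from ipfw show
    instance: int     # nat instance the rule hands packets to
    direction: str    # "in" or "out"
    iface: str        # interface named after "via"


@dataclass
class Redirect:
    proto: str
    internal_host: str
    internal_port: int
    external_port: int


# counters, "nat <instance>", the match body, then "<in|out> via <iface>"
RULE_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+nat\s+(\d+)\s+(.*?)\s+(in|out)\s+via\s+(\S+)\s*$")
# redir_port <proto> <internal_host>:<internal_port> <external_port>
REDIR_RE = re.compile(r"redir_port\s+(tcp|udp)\s+(\S+):(\d+)\s+(\d+)")
# libalias flags that ipfw nat accepts as bare words in "config"
KNOWN_FLAGS = ("log", "deny_in", "same_ports", "unreg_only", "reset", "reverse", "proxy_only")


def parse_show(text):
    """Parse 'ipfw show' lines that carry a nat action into NatRule objects."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            num, pkts, byts, inst, _body, direction, iface = m.groups()
            rules.append(NatRule(int(num), int(pkts), int(byts), int(inst), direction, iface))
    return rules


def parse_nat_config(text):
    """Return (instance, iface, flags, redirects) from an 'ipfw nat N show config' line."""
    m = re.match(r"ipfw nat (\d+) config if (\S+)", text)
    if not m:
        raise ValueError("not an ipfw nat config line")
    words = text.split()
    flags = [w for w in KNOWN_FLAGS if w in words]
    redirects = [Redirect(p, host, int(ip), int(ep)) for p, host, ip, ep in REDIR_RE.findall(text)]
    return int(m.group(1)), m.group(2), flags, redirects


def check_instance(rules, instance, iface):
    """NAT only works with a rule in each direction on the external interface;
    return a list of human-readable problems (empty when the instance is complete)."""
    seen = {r.direction for r in rules if r.instance == instance and r.iface == iface}
    return [f"no '{d}' rule for nat {instance} via {iface}" for d in ("out", "in") if d not in seen]


def exposed_services(redirects):
    """Map (proto, external port) -> internal host:port, i.e. what an outside scanner reaches."""
    return {(r.proto, r.external_port): f"{r.internal_host}:{r.internal_port}" for r in redirects}


if __name__ == "__main__":
    rules = parse_show(IPFW_SHOW)
    inst, iface, flags, redirs = parse_nat_config(NAT_CONFIG)
    print(f"nat {inst} on {iface}, flags {flags}")
    for problem in check_instance(rules, inst, iface) or ["rule pair complete"]:
        print(" ", problem)
    for (proto, ext), target in sorted(exposed_services(redirs).items()):
        print(f"  {proto}/{ext} -> {target}")
```

The `unreg_only` flag in the config means only RFC 1918 source addresses are translated, which matches the two private subnets in rule 20000; the redirect table is the part worth reviewing whenever a rule set like this is reused, since every redir_port is a service reachable from the outside.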



More information about the freebsd-ipfw mailing list