svn commit: r44081 - head/en_US.ISO8859-1/books/handbook/firewalls

Dru Lavigne dru at FreeBSD.org
Wed Feb 26 23:03:12 UTC 2014


Author: dru
Date: Wed Feb 26 23:03:12 2014
New Revision: 44081
URL: http://svnweb.freebsd.org/changeset/doc/44081

Log:
  Initial merge of IPFW NAT content.
  Tomorrow's commits will review the technical content.
  
  Sponsored by: iXsystems

Modified:
  head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml

Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml	Wed Feb 26 22:19:04 2014	(r44080)
+++ head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml	Wed Feb 26 23:03:12 2014	(r44081)
@@ -1999,6 +1999,18 @@ options    IPDIVERT			# enables NAT</pro
 	  <replaceable>interface-name</replaceable> to specify
 	  the interface the packet is traveling over.</para>
 
+	<note>	  
+      <para>When first creating or testing a firewall ruleset,
+	consider temporarily setting this tunable:</para>
+
+      <programlisting>net.inet.ip.fw.default_to_accept="1"</programlisting>
+
+	<para>This sets the default policy of &man.ipfw.8; to
+	  be more permissive than the default <literal>deny ip from
+	    any to any</literal>, making it slightly more difficult
+	  to get locked out of the system right after a reboot.</para>
+      </note>
+
 	<para>The firewall script begins by indicating that it is a
 	  Bourne shell script and flushes any existing rules.  It then
 	  creates the <literal>cmd</literal> variable so that
@@ -2122,31 +2134,86 @@ pif="dc0"     # interface name of NIC at
       </sect2>
 
       <sect2 xml:id="network-natd">
+	<info>
 	<title>Configuring <acronym>NAT</acronym></title>
 
+	<authorgroup>
+	<author>
+	  <personname>
+	    <firstname>Chern</firstname>
+	    <surname>Lee</surname>
+	  </personname>
+	  <contrib>Contributed by </contrib>
+	</author>
+      </authorgroup>
+    </info>
 	<indexterm>
 	  <primary>NAT</primary>
 
 	  <secondary>and <application>IPFW</application></secondary>
 	</indexterm>
 
-	<para>There are some additional configuration statements that
-	  need to be enabled to activate the <acronym>NAT</acronym>
-	  function of <application>IPFW</application>.  For a
-	  customized kernel, the kernel configuration file needs
-	  <literal>option IPDIVERT</literal> added to the other
+	<para>&os;'s built-in
+	<acronym>NAT</acronym> daemon, &man.natd.8;, works in
+	conjunction with <application>IPFW</application> to provide
+	network address translation.  This can be used to provide an
+	Internet Connection Sharing solution so that
+	several internal computers can connect to the Internet using
+	<acronym>IP</acronym> address.</para>
+
+	<para>To do this, the &os; machine connected to the Internet
+	must act as a gateway.  This gateway machine must have two
+	<acronym>NIC</acronym>s: one connects to the Internet router
+	and the other connects to a <acronym>LAN</acronym>.  All the
+	machines on the <acronym>LAN</acronym> are connected through
+	a hub or switch.</para>
+
+	<para>Each machine and interface behind the
+	<acronym>LAN</acronym> should be assigned
+	<acronym>IP</acronym> addresses in the private network space,
+	as defined by <link
+	  xlink:href="ftp://ftp.isi.edu/in-notes/rfc1918.txt">RFC
+	  1918</link>, and have a default gateway of the
+	&man.natd.8; machine's internal <acronym>IP</acronym>
+	address.</para>
+
+	<para>Some additional configuration is
+	  needed in order to activate the <acronym>NAT</acronym>
+	  function of <application>IPFW</application>.  If the system
+	  has a custom kernel, the kernel configuration file needs to
+	  include <literal>option IPDIVERT</literal> with the other
 	  <literal>IPFIREWALL</literal> options.</para>
 
-	<para>In addition to the normal
-	  <application>IPFW</application> options in
-	  <filename>/etc/rc.conf</filename>, the following are
-	  needed:</para>
-
-	<programlisting>natd_enable="YES"                   # Enable <acronym>NAT</acronym>D function
-natd_interface="rl0"                # interface name of public Internet NIC
+	<para>To enable firewall and <acronym>NAT</acronym> support at
+	  boot time, the following must be in
+	  <filename>/etc/rc.conf</filename>:</para>
+
+	<programlisting>gateway_enable="YES"	# enables the gateway function
+natd_enable="YES"                   # enables the <acronym>NAT</acronym> function
+natd_interface="rl0"                # specify interface name of NIC attached to Internet
 natd_flags="-dynamic -m"            # -m = preserve port numbers if possible</programlisting>
 
-	<para>Utilizing stateful rules with a <literal>divert
+      <note>
+	<para>It is also possible to use a configuration file for
+	  &man.natd.8; when there are too many options to pass.  In
+	  this case, the configuration file must be defined by adding
+	  the following line to
+	  <filename>/etc/rc.conf</filename>:</para>
+
+	<programlisting>natd_flags="-f /etc/natd.conf"</programlisting>
+
+	<para>A list of configuration options, one per line, can be
+	  added to <filename>/etc/natd.conf</filename>.  For
+	  example:</para>
+
+	<programlisting>redirect_port tcp 192.168.0.2:6667 6667
+redirect_port tcp 192.168.0.3:80 80</programlisting>
+
+	<para>For more information about this configuration file,
+	  consult &man.natd.8;.</para>
+      </note>
+
+        <para>Utilizing stateful rules with a <literal>divert
 	    natd</literal> rule complicates the ruleset logic.  The
 	  positioning of the <literal>check-state</literal>, and
 	  <literal>divert natd</literal> rules in the ruleset is
@@ -2431,7 +2498,131 @@ pif="rl0"     # public interface name of
 # deny and log all packets that fell through to see what they are
 $cmd 999 deny log all from any to any
 ################ End of IPFW rules file ###############################</programlisting>
-      </sect2>     
+
+    <sect3>
+      <title>Port Redirection</title>
+
+      <para>The drawback with &man.natd.8; is that the
+	<acronym>LAN</acronym> clients are not accessible from the
+	Internet.  Clients on the <acronym>LAN</acronym> can make
+	outgoing connections to the world but cannot receive incoming
+	ones.  This presents a problem if trying to run Internet
+	services on one of the <acronym>LAN</acronym> client machines.
+	A simple way around this is to redirect selected Internet
+	ports on the &man.natd.8; machine to a <acronym>LAN</acronym>
+	client.</para>
+
+      <para>For example, an <acronym>IRC</acronym> server runs on
+	client <systemitem>A</systemitem> and a web server runs on
+	client <systemitem>B</systemitem>.  For this to work properly,
+	connections received on ports 6667 (<acronym>IRC</acronym>)
+	and 80 (<acronym>HTTP</acronym>) must be redirected to the
+	respective machines.</para>
+
+      <para>The syntax for <option>-redirect_port</option> is as
+	follows:</para>
+
+      <programlisting>     -redirect_port proto targetIP:targetPORT[-targetPORT]
+                 [aliasIP:]aliasPORT[-aliasPORT]
+                 [remoteIP[:remotePORT[-remotePORT]]]</programlisting>
+
+      <para>In the above example, the argument should be:</para>
+
+      <programlisting>    -redirect_port tcp 192.168.0.2:6667 6667
+    -redirect_port tcp 192.168.0.3:80 80</programlisting>
+
+      <para>This redirects the proper <acronym>TCP</acronym> ports
+	to the <acronym>LAN</acronym> client machines.</para>
+
+      <para>Port ranges over individual ports can be indicated with
+	<option>-redirect_port</option>.  For example,
+	<replaceable>tcp 192.168.0.2:2000-3000 2000-3000</replaceable>
+	would redirect all connections received on ports 2000 to 3000
+	to ports 2000 to 3000 on client
+	<systemitem>A</systemitem>.</para>
+
+      <para>These options can be used when directly running
+	&man.natd.8;, placed within the
+	<literal>natd_flags=""</literal> option in
+	<filename>/etc/rc.conf</filename>, or passed via a
+	configuration file.</para>
+
+      <para>For further configuration options, consult
+	&man.natd.8;</para>
+    </sect3>
+
+    <sect3>
+      <title>Address Redirection</title>
+
+      <indexterm>
+	<primary>address redirection</primary>
+      </indexterm>
+
+      <para>Address redirection is useful if more than one
+	<acronym>IP</acronym> address is available.  Each
+	<acronym>LAN</acronym> client can be assigned its own
+	external <acronym>IP</acronym> address by &man.natd.8;,
+	which will then rewrite outgoing packets from the
+	<acronym>LAN</acronym> clients with the proper external
+	<acronym>IP</acronym> address and redirects all traffic
+	incoming on that particular <acronym>IP</acronym> address
+	back to the specific <acronym>LAN</acronym> client.  This is
+	also known as static <acronym>NAT</acronym>.  For example,
+	if <acronym>IP</acronym> addresses <systemitem
+	  class="ipaddress">128.1.1.1</systemitem>, <systemitem
+	  class="ipaddress">128.1.1.2</systemitem>, and <systemitem
+	  class="ipaddress">128.1.1.3</systemitem> are available,
+	<systemitem class="ipaddress">128.1.1.1</systemitem> can be
+	used as the &man.natd.8; machine's external
+	<acronym>IP</acronym> address, while <systemitem
+	  class="ipaddress">128.1.1.2</systemitem> and <systemitem
+	  class="ipaddress">128.1.1.3</systemitem> are forwarded back
+	to <acronym>LAN</acronym> clients <systemitem>A</systemitem>
+	and <systemitem>B</systemitem>.</para>
+
+      <para>The <option>-redirect_address</option> syntax is as
+	follows:</para>
+
+      <programlisting>-redirect_address localIP publicIP</programlisting>
+
+
+      <informaltable frame="none" pgwide="1">
+	<tgroup cols="2">
+	  <tbody>
+	    <row>
+	      <entry>localIP</entry>
+	      <entry>The internal <acronym>IP</acronym> address of
+		the <acronym>LAN</acronym> client.</entry>
+	    </row>
+
+	    <row>
+	      <entry>publicIP</entry>
+	      <entry>The external <acronym>IP</acronym> address
+		corresponding to the <acronym>LAN</acronym>
+		client.</entry>
+	    </row>
+	  </tbody>
+	</tgroup>
+      </informaltable>
+
+      <para>In the example, this argument would read:</para>
+
+      <programlisting>-redirect_address 192.168.0.2 128.1.1.2
+-redirect_address 192.168.0.3 128.1.1.3</programlisting>
+
+      <para>Like <option>-redirect_port</option>, these arguments are
+	placed within the <literal>natd_flags=""</literal> option
+	of <filename>/etc/rc.conf</filename>, or passed via a
+	configuration file.  With address redirection, there is no
+	need for port redirection since all data received on a
+	particular <acronym>IP</acronym> address is redirected.</para>
+
+      <para>The external <acronym>IP</acronym> addresses on the
+	&man.natd.8; machine must be active and aliased to the
+	external interface.  Refer to &man.rc.conf.5; for
+	details.</para>
+    </sect3>
+</sect2>     
 
     <sect2 xml:id="firewalls-ipfw-cmd">
       <title>The <application>IPFW</application> Command</title>
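Review bot: the Port Redirection section explains how natd forwards ports 6667 and 80 to the LAN clients but not that the IPFW ruleset must also let that inbound traffic through; the sample ruleset just above ends with `$cmd 999 deny log all from any to any`, so a redirect on its own still drops the connections unless an inbound allow rule for those ports comes before the final deny. Suggest one sentence making this explicit, and for Address Redirection a reminder that forwarding a whole public address exposes every port on that client, so the per-port allow rules matter even more there. Style: the 128.1.1.x example addresses are live public space, and the RFC 5737 documentation ranges (for example 203.0.113.0/24) would be the safer choice for a handbook; also "consult &man.natd.8;</para>" at the end of the Port Redirection sect3 is missing its period.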

