From owner-freebsd-questions@FreeBSD.ORG Fri Apr 9 09:51:44 2010
Date: Fri, 9 Apr 2010 19:51:41 +1000 (EST)
From: Ian Smith
To: Robert Huff
Cc: Adam Vande More, freebsd-questions@freebsd.org
Subject: Re: Kernel Config for NAT
Message-ID: <20100409160704.K52200@sola.nimnet.asn.au>
In-Reply-To: <20100408234803.7519B1065770@hub.freebsd.org>
References: <20100408234803.7519B1065770@hub.freebsd.org>

In freebsd-questions Digest, Vol 305, Issue 9, Message: 1
On Thu, 8 Apr 2010 08:10:34 -0400 Robert Huff wrote:

 > Adam Vande More writes:
 >
 > > > If compiled into the kernel, there's a set of optional settings
 > > > (VERBOSE, LOG_LINIT, DEFAULT_TO_ACCEPT, etc) that can be set there.
 > > > If using the module, how does one set these?
 > >
 > > Logging is compiled into the modules and there are a few sysctl's.
 > > AFAIK, everything else is the same.

There are _lots_ of sysctls, even more recently with SCTP support.

 > > http://www.freebsd.org/doc/handbook/firewalls-ipfw.html

This is absolutely the worst section of an otherwise great handbook.
Apart from being way out of date it contains gratuitous deprecation,
inaccuracies and a large number of plain untruths, was largely written by
someone who doesn't use (or like) ipfw, and has examples styled to
duplicate an IPFILTER setup. Nothing short of a rewrite from scratch
could fix it, despite efforts by several people to clarify aspects; only
quite recently the invalid 'ipfw block' command was removed from it.

ipfw(8) is a complete (albeit very terse) ipfw reference and I thoroughly
recommend studying that instead.

Despite what the handbook section says, the sample rules, e.g. the
'simple' ruleset in rc.firewall, ARE these days suitable for immediate
use using rc.conf variables, DO include NAT functionality (either with
natd or ipfw nat) in the _correct_ place in the ruleset, and DO include
some stateful rules; that and ipfw(8) are certainly a better place to
start than the dreadful examples afflicting the handbook since some years.

 > So ... double-checking I'm doing this right:
 >
 > 1) in /boot/loader.conf:
 >
 > ipfw_load="YES"
 > ipdivert_load="YES"

I thought from your earlier mail that you wanted to use in-kernel NAT?
If so, rather than divert sockets (using ipfw's divert action) you want:

ipfw_nat_load=YES
libalias_load=YES

 > 2) in the kernel config:
 >
 > #options IPFIREWALL #firewall
 > #options IPFIREWALL_VERBOSE #enable logging to syslogd(8)
 > #options IPFIREWALL_VERBOSE_LIMIT=100 #limit verbosity
 > #options IPFIREWALL_DEFAULT_TO_ACCEPT #allow everything by default
 > #options IPDIVERT
 > #options IPFIREWALL_NAT #ipfw kernel nat support
 > options LIBALIAS # required for NAT

I believe all these can be accomplished with modules on GENERIC kernel,
at least on 8.x, with the exception of FIREWALL_FORWARD functionality
which does require a custom kernel as it messes with lots of ip paths.

If you want to use natd(8) then you'll need ipdivert.ko (as you have
above), but if you want to use in-kernel NAT (not yet mentioned in the
handbook sections for ipfw or natd, though there since 7.0) then you'll
want IPFIREWALL_NAT and LIBALIAS in kernel, or loaded as modules:

ipfw.ko
ipfw_nat.ko	# in-kernel ipfw nat
libalias.ko	# for in-kernel ipfw nat
dummynet.ko	# if wanted
ipdivert.ko	# (or) for natd

Basically, natd uses userland libalias and ipdivert but in-kernel NAT
needs in-kernel libalias. The syntax of nat commands is virtually
identical for natd.conf and ipfw nat commands, see ipfw(8) & natd(8).

 > 3) in /etc/sysctl.conf:
 >
 > net.inet.ip.fw.default_to_accept="1"

Interestingly, that one hasn't yet made it into ipfw(8) .. your choice,
or you can use firewall_type="open" for rc.firewall without that, until
you've got your ruleset in action (when default to deny is advisable)

 > net.inet.ip.fw.verbose="1"
 > net.inet.ip.fw.verbose_limit="100"
 >
 >
 > That cover it?

Should do .. with the abovementioned exception, take ipfw(8) as being
definitive, ignore the misleading and often just plain wrong handbook
section, and prosper ..

cheers, Ian
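As an added example, not part of Ian's mail or anything else in the thread: a small POSIX sh check that reads a /boot/loader.conf and reports which NAT path its modules actually select, so the mismatch Ian points out (ipdivert_load, which serves natd(8), when in-kernel ipfw nat was intended) shows up before a reboot, plus a check for the permissive net.inet.ip.fw.default_to_accept setting from the sysctl.conf discussion. The variable names (ipfw_load, ipfw_nat_load, libalias_load, ipdivert_load, dummynet_load) are the ones used in the thread; the sample configuration files are constructed here for offline use and do not come from any real host.

```shell
#!/bin/sh
# Added example (not from the thread): classify the NAT path selected by a
# FreeBSD loader.conf and flag a default-to-accept sysctl.conf.  The sample
# files below are constructed for this example.

# Succeed when VARIABLE=YES (quoted or unquoted, any case) is set in FILE,
# ignoring anything after a '#'.  Usage: lc_enabled FILE VARIABLE
lc_enabled() {
    sed -e 's/#.*//' "$1" |
        grep -Eiq "^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"?yes\"?[[:space:]]*$"
}

# Print the NAT path implied by the modules enabled in a loader.conf:
#   kernel-nat  ipfw_nat_load and libalias_load (ipfw nat, no natd)
#   natd        ipdivert_load only (divert sockets for natd(8))
#   both        in-kernel NAT modules and ipdivert both enabled
#   incomplete  only one of ipfw_nat_load / libalias_load, which the
#               thread always pairs together
#   none        neither path enabled
ipfw_nat_mode() {
    f="$1"
    nat=0; alias=0; divert=0
    lc_enabled "$f" ipfw_nat_load && nat=1
    lc_enabled "$f" libalias_load && alias=1
    lc_enabled "$f" ipdivert_load && divert=1
    if [ "$nat" -eq 1 ] && [ "$alias" -eq 1 ]; then
        if [ "$divert" -eq 1 ]; then echo both; else echo kernel-nat; fi
    elif [ "$nat" -eq 1 ] || [ "$alias" -eq 1 ]; then
        echo incomplete
    elif [ "$divert" -eq 1 ]; then
        echo natd
    else
        echo none
    fi
}

# Succeed when sysctl.conf sets net.inet.ip.fw.default_to_accept to 1,
# i.e. the firewall passes everything until a ruleset denies it.  Handy
# while building a ruleset; default to deny once it is in action.
fw_default_to_accept() {
    sed -e 's/#.*//' "$1" |
        grep -Eq '^[[:space:]]*net\.inet\.ip\.fw\.default_to_accept[[:space:]]*=[[:space:]]*"?1"?[[:space:]]*$'
}

# Constructed sample configurations, written to a scratch directory.
SAMPLE_DIR=$(mktemp -d)

# The loader.conf as posted in the question: divert sockets for natd(8).
cat > "$SAMPLE_DIR/loader-natd.conf" <<'EOF'
ipfw_load="YES"
ipdivert_load="YES"
EOF

# The in-kernel NAT alternative suggested in the reply.
cat > "$SAMPLE_DIR/loader-kernel-nat.conf" <<'EOF'
ipfw_load="YES"
ipfw_nat_load=YES      # in-kernel ipfw nat
libalias_load=YES      # for in-kernel ipfw nat
dummynet_load="YES"    # if wanted
EOF

# ipfw_nat_load on its own, without the libalias_load it is paired with.
cat > "$SAMPLE_DIR/loader-incomplete.conf" <<'EOF'
ipfw_load="YES"
ipfw_nat_load="YES"
EOF

# sysctl.conf with the permissive default from the question.
cat > "$SAMPLE_DIR/sysctl-open.conf" <<'EOF'
net.inet.ip.fw.default_to_accept="1"
net.inet.ip.fw.verbose="1"
net.inet.ip.fw.verbose_limit="100"
EOF

# Report on the constructed samples.
for f in "$SAMPLE_DIR"/loader-*.conf; do
    printf '%s: %s\n' "$(basename "$f")" "$(ipfw_nat_mode "$f")"
done
if fw_default_to_accept "$SAMPLE_DIR/sysctl-open.conf"; then
    echo "sysctl-open.conf: default_to_accept=1 (switch to default deny once the ruleset works)"
fi
```

Point the two functions at the real /boot/loader.conf and /etc/sysctl.conf to check a host; the `incomplete` result is only a prompt to make the ipfw_nat_load / libalias_load pairing explicit, exactly as the reply lists it.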