Date:      Fri, 9 Apr 2010 08:34:45 -0400
From:      Robert Huff <roberthuff@rcn.com>
To:        Ian Smith <smithi@nimnet.asn.au>
Cc:        Adam Vande More <amvandemore@gmail.com>, Robert Huff <roberthuff@rcn.com>, freebsd-questions@freebsd.org
Subject:   Re: Kernel Config for NAT
Message-ID:  <19391.7909.888110.689450@jerusalem.litteratus.org>
In-Reply-To: <20100409160704.K52200@sola.nimnet.asn.au>
References:  <20100408234803.7519B1065770@hub.freebsd.org> <20100409160704.K52200@sola.nimnet.asn.au>


Ian Smith writes:

>   > 	So ... double-checking I'm doing this right:
>   > 
>   > 1) in /boot/loader.conf:
>   > 
>   > ipfw_load="YES"
>   > ipdivert_load="YES"
>  
>  I thought from your earlier mail that you wanted to use in-kernel
>  NAT?

	I want whatever works.  :-)
	Beyond that ... all other things being more-or-less equal I'll
do this with modules.
	Let's build that.  So in /etc/sysctl.conf:

net.inet.ip.fw.default_to_accept="1"
net.inet.ip.fw.verbose="1"
net.inet.ip.fw.verbose_limit="100"

	check.

>  I believe all these can be accomplished with modules on GENERIC
>  kernel, at least on 8.x, with the exception of FIREWALL_FORWARD
>  functionality which does require a custom kernel as it messes
>  with lots of ip paths.

	This machine has a custom kernel, so that's not an issue.
	And in /boot/loader.conf:

ipfw_load="YES"
ipfw_nat="YES"	# in-kernel ipfw nat
libalias="YES"	# for in-kernel ipfw nat

	check.
	and in the kernel config:

#options  IPFIREWALL              #firewall
#options  IPFIREWALL_VERBOSE      #enable logging to syslogd(8)

options  IPFIREWALL_FORWARD

#options  IPFIREWALL_VERBOSE_LIMIT=100    #limit verbosity
#options  IPFIREWALL_DEFAULT_TO_ACCEPT    #allow everything by default
#options  IPDIVERT
#options  IPFIREWALL_NAT          #ipfw kernel nat support
#options  LIBALIAS				# required for NAT

	check.
	This combination will get me a) ipfw, using the standard
rc.conf "firewall_" variables, and b) NAT ... do I still need to
have a "nat" setting in the firewall rules?

	Less confused than last time,


				Robert Huff
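Added example (editor's code, not part of Robert Huff's or Ian Smith's messages): a POSIX sh script that checks a /boot/loader.conf text for the knobs module-based ipfw with in-kernel NAT needs, and emits a minimal ruleset file that actually uses the NAT instance. Two points from the message are worth demonstrating. First, loader.conf loads a module through a knob named <module>_load, so the knobs for ipfw_nat.ko and libalias.ko are ipfw_nat_load and libalias_load; and net.inet.ip.fw.default_to_accept is a loader tunable (read-only through sysctl), so it belongs in loader.conf rather than /etc/sysctl.conf. Second, loading the NAT module translates nothing by itself: the ruleset must contain an "ipfw nat N config ..." instance and a rule that sends traffic through it. The interface name em0, the LAN prefix 192.168.1.0/24 and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): loader.conf knobs and the
# minimal ipfw ruleset that in-kernel NAT needs on FreeBSD 8.x with modules.
# em0, 192.168.1.0/24 and the function names below are illustrative assumptions.

# Knobs that must be present in /boot/loader.conf.  A module is loaded by
# <module>_load="YES", so ipfw_nat.ko and libalias.ko need ipfw_nat_load and
# libalias_load (ipfw_nat="YES" and libalias="YES" are silently ignored).
# default_to_accept is a loader tunable, not a runtime sysctl, so it goes here.
REQUIRED_LOADER_KNOBS="ipfw_load ipfw_nat_load libalias_load net.inet.ip.fw.default_to_accept"

# Print the required knobs that are missing from the given loader.conf text,
# space separated.  Usage: missing_loader_knobs "$(cat /boot/loader.conf)"
missing_loader_knobs() {
    conf=$1
    missing=""
    for knob in $REQUIRED_LOADER_KNOBS; do
        # escape the dots in sysctl-style names so they match literally
        esc=$(printf '%s' "$knob" | sed 's/\./\\./g')
        # a knob counts as set only as knob="value" at the start of a line
        if ! printf '%s\n' "$conf" | grep -Eq "^[[:space:]]*${esc}=\"[^\"]+\""; then
            missing="$missing $knob"
        fi
    done
    printf '%s\n' "${missing# }"
}

# Emit an ipfw ruleset file (point firewall_type in rc.conf at it; rc.firewall
# flushes the old rules before loading the file, so no flush is needed here).
# The "add ... nat 1" rule is what sends packets through the NAT instance;
# without it the loaded ipfw_nat module does nothing.
# Usage: gen_ipfw_nat_rules em0 192.168.1.0/24 > /etc/ipfw.rules
gen_ipfw_nat_rules() {
    ext_if=$1
    lan_net=$2
    cat <<EOF
# generated by gen_ipfw_nat_rules: in-kernel ipfw NAT on ${ext_if}
# NAT instance 1 uses the address of ${ext_if}; same_ports keeps source ports
# where possible, unreg_only translates only private (RFC 1918) sources, and
# reset re-reads the interface address when it changes (e.g. a new DHCP lease).
nat 1 config if ${ext_if} same_ports unreg_only reset
# With net.inet.ip.fw.one_pass=1 (the default) a packet matched by this rule is
# translated and accepted; the rules below are not consulted for it.
add 100 nat 1 ip4 from any to any via ${ext_if}
# loopback and LAN-side traffic
add 200 allow ip from any to any via lo0
add 300 allow ip from ${lan_net} to any
add 400 allow ip from any to ${lan_net}
add 65000 allow ip from any to any
EOF
}

# Stand-alone demo on a constructed loader.conf resembling the one in the thread.
sample_conf='ipfw_load="YES"
ipfw_nat="YES"
libalias="YES"'
echo "missing loader.conf knobs: $(missing_loader_knobs "$sample_conf")"
gen_ipfw_nat_rules em0 192.168.1.0/24
```

Run against the real file with missing_loader_knobs "$(cat /boot/loader.conf)"; an empty result means the three modules and the default_to_accept tunable are all set. The generated ruleset is deliberately permissive (its last rule allows everything) so that the NAT plumbing can be verified first; tighten rules 300 and 400 once translation is confirmed with "ipfw nat 1 show".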