Date: Fri, 9 Apr 2010 08:34:45 -0400 From: Robert Huff <roberthuff@rcn.com> To: Ian Smith <smithi@nimnet.asn.au> Cc: Adam Vande More <amvandemore@gmail.com>, Robert Huff <roberthuff@rcn.com>, freebsd-questions@freebsd.org Subject: Re: Kernel Config for NAT Message-ID: <19391.7909.888110.689450@jerusalem.litteratus.org> In-Reply-To: <20100409160704.K52200@sola.nimnet.asn.au> References: <20100408234803.7519B1065770@hub.freebsd.org> <20100409160704.K52200@sola.nimnet.asn.au>
next in thread | previous in thread | raw e-mail | index | archive | help
Ian Smith writes: > > So ... double-checking I'm doing this right: > > > > 1) in /boot/loader.conf: > > > > ipfw_load="YES" > > ipdivert_load="YES" > > I thought from your earlier mail that you wanted to use in-kernel > NAT? I want whatever works. :-) Beyond that ... all other things being more-or-less equal I'll do this with modules. Let's build that. So in /etc/sysctl.conf: net.inet.ip.fw.default_to_accept="1" net.inet.ip.fw.verbose="1" net.inet.ip.fw.verbose_limit="100" check. > I believe all these can be accomplished with modules on GENERIC > kernel, at least on 8.x, with the exception of FIREWALL_FORWARD > functionality which does require a custom kernel as it messes > with lots of ip paths. This machine has a custom kernel, so that's not a an issue. And in /boot/loader.conf: ipfw_load="YES" ipfw_nat="YES" # in-kernel ipfw nat libalias="YES" # for in-kernel ipfw nat check. and in the kernel config: #options IPFIREWALL #firewall #options IPFIREWALL_VERBOSE #enable logging to syslogd(8) options IPFIREWALL_FORWARD #options IPFIREWALL_VERBOSE_LIMIT=100 #limit verbosity #options IPFIREWALL_DEFAULT_TO_ACCEPT #allow everything by default #options IPDIVERT #options IPFIREWALL_NAT #ipfw kernel nat support #options LIBALIAS # required for NAT check. This combination will get me a) ipfw, using the standard rc.conf "firewall_" variables, and b) NAT ... do I still need to have a "nat" setting in the firewall rules? Less confused than last time, Robert Huff
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19391.7909.888110.689450>