Date: Sun, 14 Jun 2009 17:16:30 +0200
From: Holger Rauch <holger.rauch@empic.de>
To: freebsd-ipfw@freebsd.org
Subject: Questions on "Hide NAT" and 1:1 NAT Scenarios Using IPFW2 instead of natd
Message-ID: <20090614151630.GA27009@heitec.de>
Hi to everybody,

up to now, I've only seen a working example for "hide NAT" (hiding several IP addresses belonging to an internal private subnet "behind" an official, externally accessible IP) based on user space natd from one of my former colleagues. That means I'm new to kernel (IPFW) based NAT and thus asking for help on this mailing list since the NAT fragments mentioned below don't work for me as expected (i.e. I see no IPFW log message and no NAT takes place).

I'm referring to a FreeBSD 7.1-STABLE amd64 system with the following kernel options compiled in (default policy is deny). The machine acts as a gateway (IP forwarding enabled; no sysctls for layer2 enabled) and has six network interfaces in total (bge0, bge1, em0-3). Two different forms of NAT should take place depending on whether the packets flow between network interfaces bge0<->bge1 (hide NAT) and bge0<->em1 (1:1 NAT for a certain set of hosts). For the remaining interface combinations bge0<->em0,em2,em3 no NAT should be performed since they are used to gain access to other internal subnets represented by private IP addresses. The combinations bge1<->em[0-3] are not permitted (blocked/logged by corresponding IPFW rules):

============================================================
options IPFIREWALL              #firewall
options IPFIREWALL_VERBOSE      #enable logging to syslogd(8)
options IPFIREWALL_VERBOSE_LIMIT=100    #limit verbosity
options IPFIREWALL_FORWARD      #packet destination changes
options IPFIREWALL_NAT          #ipfw kernel nat support
options IPDIVERT                #divert sockets
options DUMMYNET
options IPSTEALTH               #support for stealth forwarding
options LIBALIAS
============================================================

So, at least I shouldn't be missing any relevant kernel options, right?

The following NAT rule fragments were taken from a larger firewall #! /bin/sh script, which is structured in the following manner:

a) General logging/filtering rules for bogus packets (unsupported private IP addresses, broadcasts, illegal inner<->outer network interface combinations, etc.)
   number range logging rules: 1000-1499
   number range filtering rules: 1500-1999
b) filtering/logging rules with no NAT (bge0<->em0,em2,em3)
   number range logging rules: 2000-2499
   number range filtering rules: 2500-2999
c) 1:1 NAT fragment (see below)
   fixed rule number: 3000
d) filtering/logging rules to individual hosts for which 1:1 NAT is supposed to be performed
   number range logging rules: 3001-3499
   number range filtering rules: 3500-3999
e) hide NAT fragment (see below)
   fixed rule number: 4000
f) filtering/logging rules to individual hosts for which hide NAT is supposed to be performed
   number range logging rules: 4001-4499
   number range filtering rules: 4500-4999

OK, here the NAT fragments (inferred from the ipfw man page since I couldn't find a better resource; unfortunately, neither the IPFW HOWTO nor the IPFW advanced supplement HOWTO is of help here):

============================================================
# 1:1 NAT (intaddr1...intaddr5 <-> extaddr1...extaddr5)
${fwcmd} add 3000 nat 1 all from any to any via em1
${fwcmd} nat 1 config redirect_addr intaddr1 extaddr1 \
                      redirect_addr intaddr2 extaddr2 \
                      redirect_addr intaddr3 extaddr3 \
                      redirect_addr intaddr4 extaddr4 \
                      redirect_addr intaddr5 extaddr5
============================================================

Would the following alternative approach achieve the same (seems slightly more elegant to me)?

============================================================
int_nat_hosts="\{ intaddr1,intaddr2,intaddr3,intaddr4,intaddr5 \}"
ext_nat_hosts="\{ extaddr1,extaddr2,extaddr3,extaddr4,extaddr5 \}"
${fwcmd} nat 1 config redirect_addr ${int_nat_hosts} ${ext_nat_hosts}

# hide NAT (10.51.0.0/16 -> one externally accessible IP address aa.bb.cc.dd)
${fwcmd} nat 2 config ip aa.bb.cc.dd log deny_in reset same_ports
${fwcmd} add 4000 nat 2 all from any to any via bge1
============================================================

General questions on both NAT scenarios:

- How to debug IPFW-based NAT in general?
- Is it OK to use "from any to any" in the ...add nat... rules above or would you recommend specifying the address ranges explicitly?
- Would using "skipto" rules be a good alternative here?

In case you need additional info, please don't hesitate to ask.

Thanks in advance for any help!

Kind regards,

	Holger
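Added example, not from the original mail or its author: a small POSIX sh generator for the two NAT instances described in the post (1:1 NAT on em1, hide NAT on bge1) that emits one explicit redirect_addr pair per host instead of brace lists, and matches explicit address ranges with separate in/out rules instead of "from any to any". All IP addresses are constructed placeholders; fwcmd defaults to a dry run ("echo ipfw") so the generated commands can be reviewed before loading them.

```shell
#!/bin/sh
# Added example (not the mail's own script). Generates the ipfw NAT
# configuration for the scenario above. Addresses are constructed
# placeholders; fwcmd="echo ipfw" prints the commands instead of running them.
fwcmd="${fwcmd:-echo ipfw}"

int_nat_hosts="10.51.1.10 10.51.1.11 10.51.1.12"   # constructed internal hosts
ext_nat_hosts="192.0.2.10 192.0.2.11 192.0.2.12"   # constructed public addresses
hide_net="10.51.0.0/16"                            # internal subnet from the mail
hide_ip="192.0.2.1"                                # stands in for aa.bb.cc.dd

# csv WORD... : join words with commas for an ipfw address list.
csv() { echo "$*" | tr ' ' ','; }

# pair_redirects INT_LIST EXT_LIST : print "redirect_addr int ext" for each
# position. A length mismatch is an error rather than a silently unmapped
# host, which is what a brace list would risk hiding.
pair_redirects() {
    ints=$1; out=""
    set -- $2
    for i in $ints; do
        [ $# -gt 0 ] || { echo "pair_redirects: no public address for $i" >&2; return 1; }
        out="$out redirect_addr $i $1"
        shift
    done
    [ $# -eq 0 ] || { echo "pair_redirects: unused public addresses: $*" >&2; return 1; }
    echo $out
}

# nat_rules : emit the NAT configuration. Each nat instance is configured
# before the rule that references it; rule numbers follow the mail's layout
# (3000 for 1:1 NAT, 4000 for hide NAT). Outbound rules match only the
# internal hosts to be translated, inbound rules only their public addresses.
nat_rules() {
    pairs=$(pair_redirects "$int_nat_hosts" "$ext_nat_hosts") || return 1
    $fwcmd nat 1 config $pairs
    $fwcmd add 3000 nat 1 ip from "$(csv $int_nat_hosts)" to any out via em1
    $fwcmd add 3000 nat 1 ip from any to "$(csv $ext_nat_hosts)" in via em1
    $fwcmd nat 2 config ip "$hide_ip" log deny_in reset same_ports
    $fwcmd add 4000 nat 2 ip from "$hide_net" to any out via bge1
    $fwcmd add 4000 nat 2 ip from any to "$hide_ip" in via bge1
}

nat_rules
```

Run with fwcmd=ipfw to apply the rules instead of printing them. Whether a packet continues through the ruleset after the nat action depends on the net.inet.ip.fw.one_pass sysctl, which is worth checking when a NAT rule matches but later filtering rules behave unexpectedly.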