Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 28 Jun 2009 22:56:58 -0400
From:      "Systems Engineering Group" <mailinglistmember@mgwigglesworth.net>
To:        freebsd-ipfw@freebsd.org
Subject:   Re: Any *Working* Examples of kernel-based (IPFW2-based) NAT onFreeBSD 7.1-STABLE?
Message-ID:  <1246244218.8710.237.camel@localhost>
References:  <20090626085530.GA2623@heitec.de>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
I don't know why you are attempting to be so "eligant" which is a
smart-guy way of saying making something more complex by leaving out
certain things that are still relivant, but "messy" as an experienced
person would see it) if you are new to the methods.  

First, you need to make sure that natd is doing its job, by making sure
that you have natd turned on, and that it is using the correct
interface.

Second, when you have verified that the natd configuration is accurate,
and usable, the kernel needs to be verified to have the correct options,
and that the ipfw rules, setup.

You only need divert, and ipfirewall, with ipfirewall_verbose if you
want logging.

With these kernel options in place, you need to compile and install the
kernel correlative to these installed kernel options for the firewalling
functionality, with divertion to work.

Given these aspects of the system are installed, then you only need to
place a natd divert rule into the script for your ipfw-centric firewall.

An example would be to start natd with the following included in either
commandline options, or config file referenced at commandline call to
natd (natd -f /path/to/natd/config) 

at the commandline, or requisite init script: natd -i $divert_iface -d

This should start natd with the -i switch giving indication to natd what
device is used to be translated (from/to).

After verfication of initialization of the natd daemon via `sockstat |
grep natd` you should then test divert rules within your ipfw script, or
via dynamic rules that you sent at commandline.

The simplest way to test the operation of the divert rules is to do the
following.

ipfw add 100 pass log tcp from any to any in via $divert_iface

#The traffic coming into the external ip addresss will be "diverted" to
the internal network ip range.
ipfw add 200 divert natd ip from any to any in via $divert_iface

## 
#Rules 201-499 will be used to filter on the internal addresses after
being mangled by the kernel. 
#They will now look like they are going to #the internal address, not
the external ip address, so internal-ip-based 
#rules will be affective at this time.
##

#This rule will divert traffic going from the internal network to the
external network
ipfw add 500 divert natd ip from any to any out via $divert_iface

This is a very brief view of an example that works with freebsd.
I would stay away from the complex "elegant" solutions that you
referenced in your original post, on or about June 14th, until you
verify that your solution is working properly.

Check out the handbook, and the information on firewalling on onlamp.org
and the freebsd handbook.

I am just doing a datadump of my own experience right now, so if you
have any further questions, then just post them and we can take a look.

The setup is not very difficult, once you have the basics down.

I have about thirty rules in my script, but about 20 of them have to do
with filtering different stuff, which is merely skipto to a deletion
rule with logging.  

ipfw and natd are not very difficult to use, however, that simplicity is
also what makes it such a powerful network appliance solution.  I have
heard the ipnat + netfilter is supposedly more powerful solution,
because ipnat does certain things better than natd, however, that is
something for further exploration, and I have not had a need to do so,
as of yet.

I hope this assists your in your setup endeavor.

Respectfully,

Martes

-- 
Systems Engineering Group <mailinglistmember@mgwigglesworth.net>
M. G. Wigglesworth Holdings, LLC



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?1246244218.8710.237.camel>