From owner-freebsd-questions Wed May 22 16:12:47 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from mail.mango-bay.com (mail.mango-bay.com [208.206.15.12]) by hub.freebsd.org (Postfix) with ESMTP id 7ED2937B40D for ; Wed, 22 May 2002 16:12:40 -0700 (PDT)
Received: from barbish ([63.70.155.79]) by mail.mango-bay.com (Post.Office MTA v3.5.3 release 223 ID# 0-52377U2500L250S0V35) with SMTP id com for ; Wed, 22 May 2002 19:12:38 -0400
Reply-To:
From: "Joe & Fhe Barbish"
To: "FBSDQ"
Subject: IPNAT frontend to IPFW
Date: Wed, 22 May 2002 19:12:37 -0400
Message-ID:
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
Sender: owner-freebsd-questions@FreeBSD.ORG
List-ID:

I am converting from dialup ISP access to cable ISP access. I have been using the IPFW firewall with all advanced stateful keep-state rules for over a year now, with user ppp -nat, so my ipfw firewall is not in question. Natd does not function correctly with keep-state rules, so user ppp -nat is the work-around for dialup configurations. Now, in moving to cable ISP access, I wanted to keep my IPFW advanced stateful keep-state rules firewall. The work-around suggested is to use IPNAT.

My first try was to add ipnat_enable="yes" to rc.conf and create the ipnat.rules file. Testing this configuration, I was always out of sync because I had IPFW compiled into my kernel and rc.conf was loading the IPNAT module at boot time, resulting in IPFW getting control before IPNAT, but I was still able to ping the internet from the gateway/firewall server.
I then compiled IPFILTER into the kernel and added the appropriate rc.conf and ipf.rules statements to enable ipfilter/ipnat. Now I can no longer ping the internet. The FAQ on ipfilter says that ipfilter and ipfw can be used at the same time. All I really want is ipnat as the front end to my original ipfw firewall.

Questions:

Is there any stand-alone NAT solution I am unaware of besides ipfilter/ipnat and natd/divert?

Is there some way to configure natd to run as a stand-alone front end, divorced from the ipfw 'divert natd' launch command?

Below are my conf files; please review. Any help is appreciated.

Kernel firewall options:

options IPFILTER
options IPFILTER_LOG
options IPFILTER_DEFAULT_BLOCK
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=2

rc.conf file:

gateway_enable="YES"
hostname="gateway.user.com"
ifconfig_xl0="inet 10.0.10.2 media 100baseTX mediaopt full-duplex"
ifconfig_rl0="DHCP"
# Activate IPFILTER IPNAT function
ipfilter_enable="YES"
ipnat_enable="YES"
ipmon_enable="YES"
ipmon_flags="-Dsvn"
# IPFW kernel firewall support
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
firewall_logging="YES"

ipnat.rules file:

# Translate the whole 10.0.10.0/24 LAN behind rl0's current (DHCP-assigned)
# address; 0.0.0.0/32 on the right-hand side means "use the interface's address".
# The source must be the LAN prefix (/24): a /32 would match only 10.0.10.0 itself.
map rl0 10.0.10.0/24 -> 0.0.0.0/32

ipf.rules:

pass in all
pass out all

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
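The ipnat "map" rule is the piece of this setup that is easiest to get subtly wrong, so here is an added example (not from the original post or from the FreeBSD project) that derives the rule from a LAN address and netmask and checks the source prefix. The interface names and addresses are assumptions that mirror the post's layout (xl0 on 10.0.10.2 with a /24 netmask, rl0 as the DHCP-addressed cable uplink); the script is plain POSIX sh and only prints the rule, it does not touch the running system.

```shell
#!/bin/sh
# Added example, not code from the original post: build the ipnat(5) "map"
# rule for a LAN behind a DHCP-addressed uplink and sanity-check its source
# prefix. Interface names and addresses are assumptions mirroring the post
# (xl0 = LAN 10.0.10.2/24, rl0 = cable uplink with a DHCP address).

# Dotted quad -> 32-bit integer.
ip2int() {
  _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int2ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Netmask -> prefix length (255.255.255.0 -> 24). Fails on a non-contiguous mask.
mask2prefix() {
  m=$(ip2int "$1"); p=0
  while [ $p -lt 32 ] && [ $(( (m >> (31 - p)) & 1 )) -eq 1 ]; do
    p=$((p + 1))
  done
  # every bit below the run of ones must be zero
  [ $(( m & ((1 << (32 - p)) - 1) )) -eq 0 ] || return 1
  echo $p
}

# Emit "map <ext_if> <lan_net>/<prefix> -> 0.0.0.0/32".
# In ipnat, 0.0.0.0/32 on the right-hand side means "whatever address the
# external interface currently has", which is what a DHCP uplink needs.
ipnat_map_rule() {
  ext_if=$1; lan_addr=$2; lan_mask=$3
  prefix=$(mask2prefix "$lan_mask") || return 1
  net=$(int2ip $(( $(ip2int "$lan_addr") & $(ip2int "$lan_mask") )))
  echo "map $ext_if $net/$prefix -> 0.0.0.0/32"
}

# A LAN source written as a /32 matches exactly one address (for 10.0.10.0/32,
# the network address itself), so no client behind the gateway gets translated.
check_map_source() {
  case $1 in
    */32) return 1 ;;
    *) return 0 ;;
  esac
}

# Constructed input matching the post's network; prints the line for ipnat.rules.
rule=$(ipnat_map_rule rl0 10.0.10.2 255.255.255.0)
echo "$rule"
set -- $rule          # map rl0 10.0.10.0/24 -> 0.0.0.0/32 ; $3 is the source spec
check_map_source "$3" || echo "warning: map source $3 is a single host, not a LAN" >&2
```

Run it as `sh ipnat-rule.sh` and paste the printed line into ipnat.rules, then load it with `ipnat -CF -f /etc/ipnat.rules`; the warning branch is what the original /32 rule would have triggered.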