Date: Wed, 22 May 2002 19:12:37 -0400
From: "Joe & Fhe Barbish" <barbish@a1poweruser.com>
To: "FBSDQ" <questions@FreeBSD.ORG>
Subject: IPNAT frontend to IPFW
Message-ID: <MIEPLLIBMLEEABPDBIEGMEPCCAAA.barbish@a1poweruser.com>
I am converting from dialup ISP access to cable ISP access. I have been using an IPFW firewall with all advanced stateful keep-state rules for over a year now, with user ppp -nat, so my ipfw firewall is not in question. Natd does not function correctly with keep-state rules, so user ppp -nat is the work-around for dialup configurations. Now, in moving to cable ISP access, I wanted to keep my IPFW advanced stateful keep-state rules firewall. The work-around suggested is to use IPNAT.

My first try was to add ipnat_enable="yes" to rc.conf and create the ipnat.rules file. Testing this configuration, I was always out of sync because I had IPFW compiled into my kernel and rc.conf was loading the IPNAT module at boot time, resulting in IPFW getting control before IPNAT, but I was still able to ping the internet from the gateway/firewall server. I then compiled IPFILTER into the kernel and added the appropriate rc.conf and ipf.rules statements to enable ipfilter/ipnat. Now I can no longer ping the internet. The FAQ on ipfilter says that ipfilter and ipfw can be used at the same time. All I really want is ipnat as the front end to my original ipfw firewall.

Questions:
Is there any stand-alone NAT solution I am unaware of besides ipfilter/ipnat and natd/divert?
Is there some way to configure natd to run as a stand-alone front end, divorced from the ipfw 'divert natd' launch command?

Below are my conf files, please review. Any help is appreciated.
Kernel firewall options (the kernel config keyword is "options", not "option"):

    options IPFILTER
    options IPFILTER_LOG
    options IPFILTER_DEFAULT_BLOCK
    options IPFIREWALL
    options IPFIREWALL_VERBOSE
    options IPFIREWALL_VERBOSE_LIMIT=2

rc.conf file:

    gateway_enable="YES"
    hostname="gateway.user.com"
    ifconfig_xl0="inet 10.0.10.2 media 100baseTX mediaopt full-duplex"
    ifconfig_rl0="DHCP"
    # Activate IPFILTER IPNAT function
    ipfilter_enable="YES"
    ipnat_enable="YES"
    ipmon_enable="YES"
    ipmon_flags="-Dsvn"
    # IPFW kernel firewall support
    firewall_enable="YES"
    firewall_script="/etc/ipfw.rules"
    # Was misspelt "filewall_logging"; rc.conf is sourced as a shell script,
    # so an unknown variable name is silently ignored rather than rejected.
    firewall_logging="YES"

ipnat.rules file:

    # The posted rule used 10.0.10.0/32, which matches only the single address
    # 10.0.10.0, so no LAN host (e.g. the gateway's own 10.0.10.2) was translated.
    # A /24 inside prefix is assumed here. 0.0.0.0/32 on the right-hand side is
    # the ipnat special case meaning "use whatever address rl0 currently has",
    # which is what a DHCP-assigned outside interface needs.
    map rl0 10.0.10.0/24 -> 0.0.0.0/32

ipf.rules file:

    pass in all
    pass out all
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?MIEPLLIBMLEEABPDBIEGMEPCCAAA.barbish>
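An added example, not part of the original message or of FreeBSD: a small offline lint for the two configuration mistakes a reviewer would flag in the files posted above. rc.conf is sourced as a shell fragment, so a misspelt knob such as "filewall_logging" is never rejected, and an ipnat "map" rule whose source network does not actually contain the LAN side silently translates nothing. The list of recognised knobs, the constructed copies of the posted fragments, and the helper names are this example's own assumptions.

```python
"""Offline sanity checks for an rc.conf / ipnat.rules pair (added example)."""
import ipaddress
import re

# Constructed copies of the fragments posted in the message above.
RC_CONF = """\
gateway_enable="YES"
hostname="gateway.user.com"
ifconfig_xl0="inet 10.0.10.2 media 100baseTX mediaopt full-duplex"
ifconfig_rl0="DHCP"
ipfilter_enable="YES"
ipnat_enable="YES"
ipmon_enable="YES"
ipmon_flags="-Dsvn"
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
filewall_logging="YES"
"""

IPNAT_RULES = "map rl0 10.0.10.0/32 -> 0.0.0.0/32\n"

# Assumption: the knobs this lint knows about. The real rc.conf accepts any
# shell variable, which is exactly why a typo goes unnoticed.
KNOWN_KNOBS = {
    "gateway_enable", "hostname", "ipfilter_enable", "ipnat_enable",
    "ipmon_enable", "ipmon_flags", "firewall_enable", "firewall_script",
    "firewall_logging",
}


def parse_rc_conf(text):
    """Return {knob: value} for simple name="value" assignments."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r'^\s*([A-Za-z_][A-Za-z0-9_]*)="?([^"]*)"?\s*$', line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf


def unknown_knobs(conf):
    """Knobs that are neither recognised nor a per-interface ifconfig_ entry."""
    return sorted(k for k in conf
                  if k not in KNOWN_KNOBS and not k.startswith("ifconfig_"))


def inside_address(conf, iface):
    """Static IPv4 address from an ifconfig_<iface> line, or None (e.g. DHCP)."""
    m = re.search(r'\binet\s+(\d+\.\d+\.\d+\.\d+)', conf.get("ifconfig_" + iface, ""))
    return ipaddress.IPv4Address(m.group(1)) if m else None


def parse_map_rule(line):
    """Split 'map <outside_if> <inside_net> -> <target>' into its three parts."""
    m = re.match(r'^\s*map\s+(\S+)\s+(\S+)\s*->\s*(\S+)', line)
    if not m:
        raise ValueError("not a map rule: %r" % line)
    return m.group(1), ipaddress.IPv4Network(m.group(2), strict=False), m.group(3)


def check_nat_covers_lan(conf, ipnat_text, inside_iface):
    """Does some map rule's source network contain the gateway's LAN address?

    Returns (covered, problems). The gateway's own inside address is used as a
    stand-in for the LAN: a source network that excludes it excludes the LAN.
    """
    lan = inside_address(conf, inside_iface)
    if lan is None:
        return False, ["no static inet address found for " + inside_iface]
    covered, problems = False, []
    for line in ipnat_text.splitlines():
        if not line.strip().startswith("map"):
            continue
        out_if, net, _target = parse_map_rule(line)
        if "ifconfig_" + out_if not in conf:
            problems.append("%s: outside interface %s has no ifconfig_ entry"
                            % (line.strip(), out_if))
        if lan in net:
            covered = True
        else:
            problems.append("%s: source network %s does not contain LAN side %s"
                            % (line.strip(), net, lan))
    return covered, problems


if __name__ == "__main__":
    conf = parse_rc_conf(RC_CONF)
    for knob in unknown_knobs(conf):
        print("rc.conf: unrecognised knob %r (typo? it is silently ignored)" % knob)
    covered, problems = check_nat_covers_lan(conf, IPNAT_RULES, "xl0")
    for p in problems:
        print("ipnat.rules:", p)
    print("LAN covered by a map rule:", covered)
```

Running it against the posted fragments reports the "filewall_logging" knob and that 10.0.10.0/32 does not contain 10.0.10.2; replacing the rule's prefix with one that covers the LAN (for example /24) clears the second finding.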