Date:      Sat, 10 Apr 2010 01:07:32 +1000 (EST)
From:      Ian Smith <smithi@nimnet.asn.au>
To:        Robert Huff <roberthuff@rcn.com>
Cc:        Adam Vande More <amvandemore@gmail.com>, freebsd-questions@freebsd.org
Subject:   Re: Kernel Config for NAT
Message-ID:  <20100409233244.F52200@sola.nimnet.asn.au>
In-Reply-To: <19391.7909.888110.689450@jerusalem.litteratus.org>
References:  <20100408234803.7519B1065770@hub.freebsd.org> <20100409160704.K52200@sola.nimnet.asn.au> <19391.7909.888110.689450@jerusalem.litteratus.org>

On Fri, 9 Apr 2010, Robert Huff wrote:
 > Ian Smith writes:
 > 
 > >   > 	So ... double-checking I'm doing this right:
 > >   > 
 > >   > 1) in /boot/loader.conf:
 > >   > 
 > >   > ipfw_load="YES"
 > >   > ipdivert_load="YES"
 > >  
 > >  I thought from your earlier mail that you wanted to use in-kernel
 > >  NAT?
 > 
 > 	I want whatever works.  :-)

natd works, as ever.  ipfw nat is reputed to work faster.

 > 	Beyond that ... all other things being more-or-less equal I'll
 > do this with modules.
 > 	Let's build that.  So in /etc/sysctl.conf:
 > 
 > net.inet.ip.fw.default_to_accept="1"
 > net.inet.ip.fw.verbose="1"
 > net.inet.ip.fw.verbose_limit="100"
 > 
 > 	check.
 > 
 > >  I believe all these can be accomplished with modules on GENERIC
 > >  kernel, at least on 8.x, with the exception of FIREWALL_FORWARD
 > >  functionality which does require a custom kernel as it messes
 > >  with lots of ip paths.
 > 
 > 	This machine has a custom kernel, so that's not an issue.
 > 	And in /boot/loader.conf:
 > 
 > ipfw_load="YES"
 > ipfw_nat="YES"	# in-kernel ipfw nat
 > libalias="YES"	# for in-kernel ipfw nat

ipfw_nat_load="YES"
libalias_load="YES"

 > 	check.
 > 	and in the kernel config:
 > 
 > #options  IPFIREWALL              #firewall
 > #options  IPFIREWALL_VERBOSE      #enable logging to syslogd(8)
 > 
 > options  IPFIREWALL_FORWARD

Planning on using any 'fwd' rules?

 > #options  IPFIREWALL_VERBOSE_LIMIT=100    #limit verbosity
 > #options  IPFIREWALL_DEFAULT_TO_ACCEPT    #allow everything by default
 > #options  IPDIVERT
 > #options  IPFIREWALL_NAT          #ipfw kernel nat support
 > #options  LIBALIAS				# required for NAT
 > 
 > 	check.
 > 	This combination will get me a) ipfw, using the standard
 > rc.conf "firewall_" variables, and b) NAT ... do I still need to
 > have a "nat" setting in the firewall rules?

The 'client' ruleset now has rules for either natd or ipfw nat.  The 
'simple' ruleset works with natd (from natd_enable and natd_interface in 
rc.conf), but still lacks the patch for ipfw nat - my remiss for seeking 
comment in ipfw@ rather than sending it with a PR, as one should.

Time I redid it, you can be guinea pig :)  What freebsd version?

cheers, Ian
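An added worked example, not part of this thread or of FreeBSD's own rc scripts: a small POSIX sh script that checks a /boot/loader.conf for exactly the mistake corrected above (module entries written as `ipfw_nat="YES"` or `libalias="YES"` instead of `ipfw_nat_load="YES"` and `libalias_load="YES"`, which the loader silently ignores), and then emits the two ipfw commands a minimal in-kernel NAT setup still needs on top of the loader settings. The interface name `em0` and the file path passed on the command line are placeholders; the `nat 1 config` options shown follow ipfw(8) syntax but are one reasonable choice, not the thread's ruleset.

```sh
#!/bin/sh
# Constructed example: lint a loader.conf fragment for the modules that
# in-kernel ipfw nat needs, then print the ipfw rules that turn it on.

# Loader variables that must be present. Note the _load suffix: the loader
# only acts on <module>_load="YES"; a bare <module>="YES" line does nothing.
REQUIRED_LOADER="ipfw_load ipfw_nat_load libalias_load"

# check_loader_conf FILE
# Prints one line per problem found; returns 0 only if every required
# entry is present and no suffix-less module line is lurking.
check_loader_conf() {
    file="$1"
    rc=0
    for var in $REQUIRED_LOADER; do
        if ! grep -Eq "^[[:space:]]*${var}=\"?YES\"?" "$file"; then
            echo "missing: ${var}=\"YES\""
            rc=1
        fi
    done
    # Lines that name the module without _load (as in the quoted config)
    # are accepted by the loader but never load anything.
    bad=$(grep -E '^[[:space:]]*(ipfw_nat|libalias)="?YES"?' "$file" || true)
    if [ -n "$bad" ]; then
        echo "$bad" | sed 's/^/no effect (needs _load suffix): /'
        rc=1
    fi
    return $rc
}

# nat_rules EXT_IF
# Emit the ipfw commands for in-kernel NAT on the external interface:
# an instance definition plus one rule that passes traffic through it.
# EXT_IF is a placeholder; substitute the real outside interface.
nat_rules() {
    ext_if="$1"
    cat <<EOF
ipfw nat 1 config if ${ext_if} same_ports unreg_only reset
ipfw add 100 nat 1 ip from any to any via ${ext_if}
EOF
}

# Usage when run directly: ./check_ipfw_nat.sh /boot/loader.conf em0
if [ "$#" -ge 1 ]; then
    check_loader_conf "$1"
    nat_rules "${2:-em0}"
fi
```

Run against the loader.conf quoted in the thread, the checker reports `ipfw_nat` and `libalias` as having no effect and `ipfw_nat_load`/`libalias_load` as missing; against the corrected lines it stays quiet and exits 0. The emitted `nat 1` rule is what the "nat setting in the firewall rules" question refers to: loading the modules alone does not translate anything until a rule hands packets to a configured nat instance.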
