Date:      Sat, 30 Nov 2002 13:38:13 +0100
From:      "Jonathan Clarke" <jonathan@phillipoux.net>
To:        <freebsd-questions@FreeBSD.ORG>
Subject:   Re: NAT and Firewall Configuration ?
Message-ID:  <002f01c2986d$595253a0$0601a8c0@bluesheeps>
References:  <5.1.0.14.2.20021130121540.013dbae8@192.96.48.11>

> I am in the process of configuring NAT and a firewall on FreeBSD 4.7
> Stable. I have configured the external interface with 2 class C addresses
> 192.x.x.1 and 192.x.x.2. and the internal interface with  192.168.x.1 (
> gateway )
> I have also configured natd_flags="-redirect_address 192.168.x.3 192.x.x.2"
> which if I'm correct will redirect all traffic destined for 192.x.x.2 to
> 192.168.x.3 ?

That's right in the idea. To be finicky, I'd say that natd doesn't
*redirect* traffic, it just *rewrites* packet headers, so they can be
redirected.

> My question is have I done everything correct so far and what rule would I
> use for my firewall so that natd will work the way I want it ?

You need to add the following rule as the first rule in your firewall (or
pretty much so):
    add 00100 divert natd ip from any to any via rl0
(considering rl0 is the interface connected to the exterior)

This passes all packets coming in or going out through rl0 to natd, who will
decide whether they need aliasing or not, and do so. It then passes them
back into the firewall list, and the following rule number. See man ipfw.


> <SNIP firewall rules>
>
> My rc.conf is as follows:
> <SNIP>
> ifconfig_rl0="inet 192.x.x.1 netmask 255.255.255.0"
> ifconfig_rl0_alias0="inet 192.x.x.2 netmask 255.255.255.255"
> ifconfig_rl1="inet 192.168.x.1 netmask 255.255.255.0"
> <SNIP>
> natd_enable="YES"
> natd_interface="rl0"
> natd_flags="-redirect_address 192.168.x.3 192.x.x.x2"
> <SNIP>

The line 'natd_interface="rl0"' tells natd to do its aliasing to and from
the IP address used by rl0. This may or may not be what you want, since you
have two IPs on this interface.

I expect that natd gets the primary IP for the interface rather than the
alias. In this case your setup would send all traffic for 192.x.x.2 to
192.168.x.3 and "share" the connection to all other hosts on the 192.168.x.x
network via 192.x.x.1.

> ## Required for ipfw support
> firewall_enable="YES"
> #firewall_script="/etc/rc.firewall"
> #firewall_type="OPEN"
> firewall_type="/etc/ipfw.rules"
> firewall_quiet="YES"
> firewall_logging_enable="YES"

Er, I know this isn't your question, but shouldn't
'firewall_type="/etc/ipfw.rules"' be 'firewall_script="/etc/ipfw.rules"'?

> <SNIP kernel options>

Looks good to me.

Hope this helps,
Jonathan
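As an added example (not code from the thread): an sh script that writes the rule set for the setup discussed above in ipfw's rule-file format (one command per line, the form the divert line above uses) and checks that the divert-to-natd rule is ordered before any allow/deny rule, which is the point that makes natd work or silently not work. It assumes rl0/rl1 as in the thread, constructed 192.168.1.x placeholders for the masked addresses, and that the redirected host serves HTTP; ipfw itself is never executed.

```sh
#!/bin/sh
# Added example, not the thread's own code. Generates an ipfw rule file for
# the NAT setup in the thread and verifies the divert rule comes first.
# ipfw is not run here; the output is what the file named in rc.conf holds.
EXT_IF=rl0              # interface toward the exterior (as in the thread)
INT_IF=rl1              # interface toward the LAN
INT_NET=192.168.1.0/24  # constructed placeholder for 192.168.x.0/24
INT_HOST=192.168.1.3    # constructed placeholder for 192.168.x.3 (redirect target)

# Print the rule set with the divert rule at number $1. Every rule after the
# divert sees translated headers: a packet that arrived for the 192.x.x.2
# alias is, by rule 300, already addressed to INT_HOST. UDP replies for LAN
# clients (e.g. DNS) would need rules of their own and are omitted here.
gen_rules() {
    divert_num=$(printf '%05d' "$1")
    cat <<EOF
flush
add ${divert_num} divert natd ip from any to any via ${EXT_IF}
add 00200 allow ip from any to any via lo0
add 00300 allow tcp from any to ${INT_HOST} 80 in via ${EXT_IF}
add 00400 allow tcp from any to any established
add 00500 allow ip from ${INT_NET} to any in via ${INT_IF}
add 00600 allow ip from any to any out via ${EXT_IF}
add 00700 allow ip from any to ${INT_NET} out via ${INT_IF}
add 65000 deny log ip from any to any
EOF
}

# Exit 0 when the lowest-numbered "add" rule is the divert to natd, 1 when an
# allow/deny rule would be evaluated before natd ever sees the packet.
divert_is_first() {
    gen_rules "$1" | awk '
        $1 == "add" && (first == "" || $2 + 0 < first) { first = $2 + 0; cmd = $3 }
        END { exit ((cmd == "divert") ? 0 : 1) }'
}

# Refuse to write a rule file whose divert rule is not first. Point the
# firewall file setting in rc.conf at the written path, together with the
# natd_enable / natd_interface / natd_flags lines quoted above.
write_rules() {
    divert_is_first "$1" || return 1
    gen_rules "$1" > "$2"
}
```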

