From owner-freebsd-ipfw@FreeBSD.ORG Mon Mar 5 11:07:10 2012
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Date: Mon, 5 Mar 2012 11:07:09 GMT
Message-Id: <201203051107.q25B791h034893@freefall.freebsd.org>
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/165190  ipfw       [ipfw] [lo] [patch] loopback interface is not marking
o kern/164690  ipfw       [ipfw] Request for ipv6 support in ipfw tables
f kern/163873  ipfw       [ipfw] ipfw fwd does not work with 'via interface' in
o kern/158066  ipfw       [ipfw] ipfw + netgraph + multicast = multicast packets
o kern/157796  ipfw       [ipfw] IPFW in-kernel NAT nat loopback / Default Route
o kern/157689  ipfw       [ipfw] ipfw nat config does not accept nonexistent int
o kern/156770  ipfw       [ipfw] [dummynet] [patch]: performance improvement and
f kern/155927  ipfw       [ipfw] ipfw stops to check packets for compliance with
o bin/153252   ipfw       [ipfw][patch] ipfw lockdown system in subsequent call
o kern/153161  ipfw       [ipfw] does not support specifying rules with ICMP cod
o kern/152113  ipfw       [ipfw] page fault on 8.1-RELEASE caused by certain amo
o kern/148827  ipfw       [ipfw] divert broken with in-kernel ipfw
o kern/148689  ipfw       [ipfw] antispoof wrongly triggers on link local IPv6 a
o kern/148430  ipfw       [ipfw] IPFW schedule delete broken.
o kern/148091  ipfw       [ipfw] ipfw ipv6 handling broken.
o kern/143973  ipfw       [ipfw] [panic] ipfw forward option causes kernel reboo
o kern/143621  ipfw       [ipfw] [dummynet] [patch] dummynet and vnet use result
o kern/137346  ipfw       [ipfw] ipfw nat redirect_proto is broken
o kern/137232  ipfw       [ipfw] parser troubles
o kern/135476  ipfw       [ipfw] IPFW table breaks after adding a large number o
o kern/129036  ipfw       [ipfw] 'ipfw fwd' does not change outgoing interface n
p kern/128260  ipfw       [ipfw] [patch] ipfw_divert damages IPv6 packets
o kern/127230  ipfw       [ipfw] [patch] Feature request to add UID and/or GID l
f kern/122963  ipfw       [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807  ipfw       [request] TCP and UDP port_table in ipfw
o kern/121122  ipfw       [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/116009  ipfw       [ipfw] [patch] Ignore errors when loading ruleset from
o bin/104921   ipfw       [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw       [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw       [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw       [ipfw] [request] sugestions about ipfw table
o kern/102471  ipfw       [ipfw] [patch] add tos and dscp support
o kern/97951   ipfw       [ipfw] [patch] ipfw does not tie interface details to
o kern/95084   ipfw       [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/86957   ipfw       [ipfw] [patch] ipfw mac logging
o bin/83046    ipfw       [ipfw] ipfw2 error: "setup" is allowed for icmp, but s
o kern/82724   ipfw       [ipfw] [patch] [request] Add setnexthop and defaultrou
o bin/78785    ipfw       [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o kern/60719   ipfw       [ipfw] Headerless fragments generate cryptic error mes
s kern/55984   ipfw       [ipfw] [patch] time based firewalling support for ipfw
o kern/48172   ipfw       [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw       [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw       [ipfw] Add an option to ipfw to log gid/uid of who cau

43 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Fri Mar 9 15:02:34 2012
From: Da Rock
To: freebsd-ipfw@freebsd.org
Date: Sat, 10 Mar 2012 00:39:24 +1000
Message-ID: <4F5A161C.8060407@herveybayaustralia.com.au>
Subject: newbie IPFW user

I'm relatively new to IPFW, not FBSD; the last time I used IPFW (I
believe) was using 4.3. I'm now attempting to use IPFW for some tests
(and hopefully move to production), and I'm trying to determine how I
would set up binat using IPFW; or even if it's possible at all.

I've been hunting some more in depth documentation, but it appears to be
scarce/not definitive. I suspect using the modes in libalias such as "use
same ports" and "reverse" might be able to do what I'm looking for?

Any clarity much appreciated.

From owner-freebsd-ipfw@FreeBSD.ORG Sat Mar 10 10:20:45 2012
From: Julian Elischer
To: freebsd-ipfw@freebsd.org
Cc: Da Rock
Date: Sat, 10 Mar 2012 01:47:52 -0800
Message-ID: <4F5B2348.2080405@freebsd.org>
In-Reply-To: <4F5A161C.8060407@herveybayaustralia.com.au>
Subject: Re: newbie IPFW user

On 3/9/12 6:39 AM, Da Rock wrote:
> I'm relatively new to IPFW, not FBSD; the last time I used IPFW (I
> believe) was using 4.3. I'm now attempting to use IPFW for some
> tests (and hopefully move to production), and I'm trying to
> determine how I would set up binat using IPFW; or even if it's
> possible at all.
>
> I've been hunting some more in depth documentation, but it appears
> to be scarce/not definitive. I suspect using the modes in libalias
> such as "use same ports" and "reverse" might be able to do what I'm
> looking for?
>
> Any clarity much appreciated.

well of course
man ipfw is the basis..

since you don't give any hints as to what you want to do that is not
in /etc/rc.firewall,
it is hard to know how to help you..

From owner-freebsd-ipfw@FreeBSD.ORG Sat Mar 10 13:28:23 2012
From: Da Rock
To: freebsd-ipfw@freebsd.org
Date: Sat, 10 Mar 2012 23:05:11 +1000
Message-ID: <4F5B5187.2010303@herveybayaustralia.com.au>
In-Reply-To: <4F5B2348.2080405@freebsd.org>
Subject: Re: newbie IPFW user

On 03/10/12 19:47, Julian Elischer wrote:
> On 3/9/12 6:39 AM, Da Rock wrote:
>> I'm relatively new to IPFW, not FBSD; the last time I used IPFW (I
>> believe) was using 4.3. I'm now attempting to use IPFW for some tests
>> (and hopefully move to production), and I'm trying to determine how I
>> would set up binat using IPFW; or even if it's possible at all.
>>
>> I've been hunting some more in depth documentation, but it appears to
>> be scarce/not definitive. I suspect using the modes in libalias such
>> as "use same ports" and "reverse" might be able to do what I'm
>> looking for?
>>
>> Any clarity much appreciated.
>
> well of course
> man ipfw is the basis..
>
> since you don't give any hints as to what you want to do that is not
> in /etc/rc.firewall,
> it is hard to know how to help you..

I think that is the fundamental problem: I defined what I was doing but
the terms are foreign, ergo the man doesn't show it either.

Binat is defined in pf, so I used the terminology thinking it would just
click. Apparently not :) Binat is 1:1 natting to and from a client
behind a firewall (according to pf), so binat nats traffic from the
client and from the external network. For all intents and purposes it
appears the client is actually on the external network, with the added
benefit that only the ports needed can be natted, and others can be
diverted elsewhere.

I'm using it for voip currently (and vpn on the same client): voip
requires 5060 remote _and_ connection ports, and needs to be forwarded
as is (excepting ip address) and not appear to be natted so as not to
confuse the client. VPN uses 500/4500 and requires an untouched packet
payload (ipsec).

Are there any sources for documentation on the advanced uses of ipfw? I
stumbled on just one that goes into more detail so far
http://www.freebsd-howto.com/HOWTO/Ipfw-HOWTO.

From owner-freebsd-ipfw@FreeBSD.ORG Sat Mar 10 15:02:16 2012
From: "Terrence Koeman"
To: "freebsd-ipfw@freebsd.org"
Cc: "freebsd-ipfw@herveybayaustralia.com.au"
Date: Sat, 10 Mar 2012 16:02:13 +0100
Organization: MediaMonks B.V.
In-Reply-To: <4F5B5187.2010303@herveybayaustralia.com.au>
Subject: RE: newbie IPFW user

On Sat, 10 Mar 2012 at 14:05:11, Da Rock wrote:
> On 03/10/12 19:47, Julian Elischer wrote:
>> On 3/9/12 6:39 AM, Da Rock wrote:
>>> I'm relatively new to IPFW, not FBSD; the last time I used IPFW (I
>>> believe) was using 4.3. I'm now attempting to use IPFW for some tests
>>> (and hopefully move to production), and I'm trying to determine how I
>>> would set up binat using IPFW; or even if it's possible at all.
>>>
>>> I've been hunting some more in depth documentation, but it appears to
>>> be scarce/not definitive. I suspect using the modes in libalias such
>>> as "use same ports" and "reverse" might be able to do what I'm looking
>>> for?
>>>
>>> Any clarity much appreciated.
>>
>> well of course
>> man ipfw is the basis..
>>
>> since you don't give any hints as to what you want to do that is not
>> in /etc/rc.firewall,
>> it is hard to know how to help you..
>
> I think that is the fundamental problem: I defined what I was doing but
> the terms are foreign, ergo the man doesn't show it either.
>
> Binat is defined in pf, so I used the terminology thinking it would just
> click. Apparently not :) Binat is 1:1 natting to and from a client
> behind a firewall (according to pf), so binat nats traffic from the
> client and from the external network. For all intents and purposes it
> appears the client is actually on the external network, with the added
> benefit that only the ports needed can be natted, and others can be
> diverted elsewhere.
>
> I'm using it for voip currently (and vpn on the same client): voip
> requires 5060 remote _and_ connection ports, and needs to be forwarded
> as is (excepting ip address) and not appear to be natted so as not to
> confuse the client. VPN uses 500/4500 and requires an untouched packet
> payload (ipsec).
>
> Are there any sources for documentation on the advanced uses of ipfw? I
> stumbled on just one that goes into more detail so far
> http://www.freebsd-howto.com/HOWTO/Ipfw-HOWTO.

You are describing static NAT I believe. I use:

$cmd nat 10 config ip same_ports \
    redirect_addr 172.16.10.101 \
    redirect_addr 172.16.0.75

Also look at redirect_port.

--
Regards,
T. Koeman, MTh/BSc/BPsy; Technical Monk
MediaMonks B.V. (www.mediamonks.com)

Please quote relevant replies in correspondence.
From owner-freebsd-ipfw@FreeBSD.ORG Sat Mar 10 16:29:21 2012
From: Ian Smith
To: Da Rock
Cc: freebsd-ipfw@freebsd.org, Julian Elischer
Date: Sun, 11 Mar 2012 03:28:13 +1100 (EST)
Message-ID: <20120311020742.G10482@sola.nimnet.asn.au>
In-Reply-To: <4F5B5187.2010303@herveybayaustralia.com.au>
Subject: Re: newbie IPFW user

On Sat, 10 Mar 2012 23:05:11 +1000, Da Rock wrote:
> On 03/10/12 19:47, Julian Elischer wrote:
> > On 3/9/12 6:39 AM, Da Rock wrote:
> > > I'm relatively new to IPFW, not FBSD; the last time I used IPFW (I
> > > believe) was using 4.3. I'm now attempting to use IPFW for some tests
> > > (and hopefully move to production), and I'm trying to determine how I
> > > would set up binat using IPFW; or even if it's possible at all.
> > >
> > > I've been hunting some more in depth documentation, but it appears to be
> > > scarce/not definitive. I suspect using the modes in libalias such as "use
> > > same ports" and "reverse" might be able to do what I'm looking for?
> > >
> > > Any clarity much appreciated.
> >
> > well of course
> > man ipfw is the basis..

Apart from libalias(3) I found the natd(8) manual still useful to flesh out
the rather terse NAT descriptions in ipfw(8); functions are mostly 1:1
apart from more verbose (and better described) keywords than ipfw nat.

> > since you don't give any hints as to what you want to do that is not in
> > /etc/rc.firewall,
> > it is hard to know how to help you..

> I think that is the fundamental problem: I defined what I was doing but the
> terms are foreign, ergo the man doesn't show it either.

Just googling 'binat freebsd' finds only (quite a few) references to pf,
and then only pf.conf(5) seems really to describe its usage.

> Binat is defined in pf, so I used the terminology thinking it would just
> click. Apparently not :) Binat is 1:1 natting to and from a client behind a
> firewall (according to pf), so binat nats traffic from the client and from
> the external network. For all intents and purposes it appears the client is
> actually on the external network, with the added benefit that only the ports
> needed can be natted, and others can be diverted elsewhere.
>
> I'm using it for voip currently (and vpn on the same client): voip requires
> 5060 remote _and_ connection ports, and needs to be forwarded as is
> (excepting ip address) and not appear to be natted so as not to confuse the
> client. VPN uses 500/4500 and requires an untouched packet payload (ipsec).

So this particular box has its own unique external routable IP address,
distinct from the router's external IP? Does it also want to do regular
NAT for other than VoIP/VPN port traffic? Just trying to follow ..

> Are there any sources for documentation on the advanced uses of ipfw? I
> stumbled on just one that goes into more detail so far
> http://www.freebsd-howto.com/HOWTO/Ipfw-HOWTO.

I vaguely recall that one from years ago. "www.freebsd-howto.com could
not be found. Please check the name and try again." tonight anyway.

cheers, Ian

From owner-freebsd-ipfw@FreeBSD.ORG Sat Mar 10 23:09:27 2012
From: Da Rock
To: freebsd-ipfw@freebsd.org
Date: Sun, 11 Mar 2012 08:55:53 +1000
Message-ID: <4F5BDBF9.4000807@herveybayaustralia.com.au>
In-Reply-To: <20120311020742.G10482@sola.nimnet.asn.au>
Subject: Re: newbie IPFW user

On 03/11/12 02:28, Ian Smith wrote:
> On Sat, 10 Mar 2012 23:05:11 +1000, Da Rock wrote:
> > On 03/10/12 19:47, Julian Elischer wrote:
> > > On 3/9/12 6:39 AM, Da Rock wrote:
> > > > I'm relatively new to IPFW, not FBSD; the last time I used IPFW (I
> > > > believe) was using 4.3. I'm now attempting to use IPFW for some tests
> > > > (and hopefully move to production), and I'm trying to determine how I
> > > > would set up binat using IPFW; or even if it's possible at all.
> > > >
> > > > I've been hunting some more in depth documentation, but it appears to be
> > > > scarce/not definitive. I suspect using the modes in libalias such as "use
> > > > same ports" and "reverse" might be able to do what I'm looking for?
> > > >
> > > > Any clarity much appreciated.
> > >
> > > well of course
> > > man ipfw is the basis..
>
> Apart from libalias(3) I found the natd(8) manual still useful to flesh out
> the rather terse NAT descriptions in ipfw(8); functions are mostly 1:1
> apart from more verbose (and better described) keywords than ipfw nat.

Yeah, I noticed that. That's where I picked the terms I thought fit most
likely. But none of the terms sound exactly like binat, but the mix of a
couple of them sounded like it might just work.

> > > since you don't give any hints as to what you want to do that is not in
> > > /etc/rc.firewall,
> > > it is hard to know how to help you..
>
> > I think that is the fundamental problem: I defined what I was doing but the
> > terms are foreign, ergo the man doesn't show it either.
>
> Just googling 'binat freebsd' finds only (quite a few) references to pf,
> and then only pf.conf(5) seems really to describe its usage.

Exactly.

> > Binat is defined in pf, so I used the terminology thinking it would just
> > click. Apparently not :) Binat is 1:1 natting to and from a client behind a
> > firewall (according to pf), so binat nats traffic from the client and from
> > the external network. For all intents and purposes it appears the client is
> > actually on the external network, with the added benefit that only the ports
> > needed can be natted, and others can be diverted elsewhere.
> >
> > I'm using it for voip currently (and vpn on the same client): voip requires
> > 5060 remote _and_ connection ports, and needs to be forwarded as is
> > (excepting ip address) and not appear to be natted so as not to confuse the
> > client. VPN uses 500/4500 and requires an untouched packet payload (ipsec).
>
> So this particular box has its own unique external routable IP address,
> distinct from the router's external IP? Does it also want to do regular
> NAT for other than VoIP/VPN port traffic? Just trying to follow ..

NP. I have only one external address (considered more, but nothing has
quite convinced me as yet to part with more moula for them), and the
binat only works for these services (ipsec/l2tp/vpn/voip), but
essentially it appears this box is in the open - directly on the
external address. However, I can still send other services
(smtp/imap/www/dns) to other boxes. The firewall is also running the
show with ppp as well, the modem is running 'dumb'.

From other posts, I'd say static NAT could be what I'm looking for. I'll
give it a shot anyway...

> > Are there any sources for documentation on the advanced uses of ipfw? I
> > stumbled on just one that goes into more detail so far
> > http://www.freebsd-howto.com/HOWTO/Ipfw-HOWTO.
>
> I vaguely recall that one from years ago. "www.freebsd-howto.com could
> not be found. Please check the name and try again." tonight anyway.

I said this before: what can I say? It works for me... :) I just used it
tonight, so I can't say what would be going on (planets aligned, or
something?).
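The static NAT approach that Terrence and Ian point the OP towards, worked through as an added example rather than code from the thread: one ipfw nat instance with a redirect_port per service the OP listed (SIP 5060 and its RTP range, IKE 500, NAT-T 4500) plus same_ports and deny_in, which gives the inside host the 1:1 behaviour pf calls binat while other public ports stay free for other boxes. Interface names, addresses and the RTP range are assumed values; the $fwcmd convention is borrowed from rc.firewall.

```shell
#!/bin/sh
# Added example, not from the thread: a pf-style "binat" for one inside
# host built from ipfw nat + redirect_port (FreeBSD 8.x/9.x ipfw(8) syntax).
# Assumed values: external ppp interface tun0, LAN interface em0, VoIP/VPN
# host 192.168.0.50 with RTP on 10000-20000, mail host 192.168.0.20, web
# host 192.168.0.30.  Like rc.firewall, every rule is issued through $fwcmd,
# so fwcmd="echo ipfw" previews the ruleset without touching the firewall.
fwcmd="${fwcmd:-/sbin/ipfw -q}"
ext_if="tun0"
int_if="em0"
lan="192.168.0.0/24"
voip_host="192.168.0.50"
rtp_range="10000-20000"
mail_host="192.168.0.20"
web_host="192.168.0.30"

binat_rules() {
    # Start from an empty ruleset so the script can be re-run safely.
    $fwcmd -f flush

    # One nat instance bound to the ppp interface:
    #   if tun0     public address is read from the interface, so it
    #               follows a ppp renumbering
    #   reset       flush the alias table when that address changes
    #   same_ports  keep the source port whenever it is free, so a SIP
    #               client sees its packets "forwarded as is"
    #   deny_in     drop unsolicited inbound packets that match no
    #               redirect and no existing translation (this covers
    #               the router's own ports too; omit it if the firewall
    #               itself must be reachable from outside)
    # redirect_port proto inside:port public_port is the static 1:1
    # mapping for exactly the ports the OP listed; any other public port
    # is still free to go to another box, here SMTP and HTTP.  Plain ESP
    # (IP proto 50) is not port based, so the VPN is assumed to run NAT-T
    # over udp 4500.
    $fwcmd nat 10 config if "$ext_if" reset same_ports deny_in \
        redirect_port udp "$voip_host:5060" 5060 \
        redirect_port tcp "$voip_host:5060" 5060 \
        redirect_port udp "$voip_host:$rtp_range" "$rtp_range" \
        redirect_port udp "$voip_host:500" 500 \
        redirect_port udp "$voip_host:4500" 4500 \
        redirect_port tcp "$mail_host:25" 25 \
        redirect_port tcp "$web_host:80" 80

    $fwcmd add 100 allow ip from any to any via lo0
    # Anti-spoofing: nothing with a LAN source may arrive on the ppp link.
    $fwcmd add 110 deny log ip4 from "$lan" to any in via "$ext_if"

    # Every IPv4 packet crossing tun0 goes through the nat instance (ipfw
    # nat does not translate IPv6, so ip4 keeps v6 away from it).  With
    # the default net.inet.ip.fw.one_pass=1 a successfully translated
    # packet is accepted here and a deny_in hit is dropped here; set
    # one_pass=0 if later rules should filter the translated packets.
    $fwcmd add 200 nat 10 ip4 from any to any via "$ext_if"

    # Traffic on the LAN side is not translated; let it through.
    $fwcmd add 300 allow ip from any to any via "$int_if"
    $fwcmd add 65000 deny log ip from any to any
}

# With no argument the ruleset is only printed; "apply" loads it.
case "${1:-preview}" in
    preview) fwcmd="echo ipfw"; binat_rules ;;
    apply)   binat_rules ;;
    *)       echo "usage: $0 [preview|apply]" >&2; exit 2 ;;
esac
```

Run it with no argument first and read the printed rules; `ipfw nat show config` after `apply` should list the same redirect_port entries.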