Date:      Fri, 20 Apr 2012 22:46:50 -0700
From:      "Rudy (bulk)" <crapsh@monkeybrains.net>
To:        freebsd-ipfw@freebsd.org
Subject:   [ipfw_nat] How do I view active NAT sessions?
Message-ID:  <4F9249CA.8030208@monkeybrains.net>


[1] How do I see active sessions?

The summary is great for graphing sessions over time:

   # ipfw nat 123 show
   nat 123: icmp=0, udp=173, tcp=876, sctp=0, pptp=0, proto=0, frag_id=0 frag_ptr=0 / tot=1049

But I am interested in seeing a list of all the active sessions -- in 
ipnat, you would run 'ipnat -l' to see a list of the current NAT table.  
Is there an equivalent for ipfw?

[2] Why are my local (from router box) requests incrementing the nat 
counters (shouldn't my local IP be skipped, as it is not unreg_only)?

   # ipfw nat 123 config ip 1.1.1.123 same_ports reset log unreg_only
   # ipfw add nat 123 all from any to any
   # fping -g 1.1.1.1 1.1.4.255
   # ipfw nat 123 show
   nat 123: icmp=302, udp=179, tcp=825, sctp=0, pptp=0, proto=0, frag_id=0 frag_ptr=0 / tot=1447

What the heck is being shown by 'ipfw nat show'?  ;)

[3] Man page recommendations for ipfw(8)

Shouldn't the external interface be recommended in the EXAMPLES 
section?  I didn't even try to set it up without a 'via'...

     - ipfw add nat 123 all from any to any
     + Assuming em0 is your external interface:
     + ipfw add nat 123 all from any to any via em0

For people stumbling from ipnat to ipfw, how will they know about 
'redirect_address' unless they have used natd?  There is no reference to 
redirect_address in the man page -- which is internal, which external?  
All the options from natd(8) need to be dumped into ipfw(8).  Yes, there 
is the curt reference to natd(8) many lines earlier than the EXAMPLES 
section, but a reference to natd(8) next to the example or explicit 
documentation within the man page for ipfw would make for better 
documentation.



Put together a 'working' nat example... illustrate that with 
"net.inet.ip.fw.one_pass: 1" you need to specify IPs on the nat lines or 
ipfw will stop at that nat rule.

            1.1.1.5,1.1.1.123 <-- em0 + em1 --> 10.0.0.1
            (external)                          (internal)

    # basic example that allows SSH access, a one-to-one mapping and a many-to-one mapping
    ipfw add 10 allow ip from any to me 22 in    // allow SSH here as nat will stop the packet later (one_pass:1)
    ipfw add 20 allow ip from me 22 to any out
    ipfw add 1000 allow ip from any to any via em1    // we trust the internal network
    ipfw add nat 101 all from 10.0.0.5 to any out via em0    // map Luigi's desktop
    ipfw add nat 101 all from any to 1.1.1.5 in via em0    // map Luigi's desktop
    ipfw add nat 123 all from any to any out via em0    // map for Archie, Alex, Ugen, and Poul-Henning
    ipfw add nat 123 all from any to any in via em0    // map for Archie, Alex, Ugen, and Poul-Henning
    ipfw add allow ip from any to any via em0    // this rule will never be reached while one_pass: 1
    # define your nat mappings
    ipfw nat 101 config redirect_addr 10.0.0.5 1.1.1.5
    ipfw nat 123 config ip 1.1.1.123 same_ports reset deny_in log unreg_only


Some questions and 2 cents based on usability,
Rudy




I just moved from ipnat to ipfw_nat as ipnat was making my box 'Fatal 
12'.  The man page for ipfw could use some work on the NAT section, IMHO.




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4F9249CA.8030208>
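As an added example, not part of Rudy's message or of the ipfw(8) man page: a POSIX sh snippet that turns the one-line summary printed by `ipfw nat 123 show` (the format quoted in [1] above) into "key value" pairs that a cron job or graphing tool can ingest, which is the "graphing sessions over time" use the post mentions. The function names, the `nat.<instance>.<counter>` output naming and the `SAMPLE` line are my own assumptions; the sample is constructed from the format shown in the post so the script runs offline, and it only calls `ipfw` if the instance actually exists on the box.

```shell
#!/bin/sh
# Added example: parse the one-line counter summary of `ipfw nat <N> show`.
# Assumed input format (as quoted in the post):
#   nat 123: icmp=0, udp=173, tcp=876, sctp=0, pptp=0, proto=0, frag_id=0 frag_ptr=0 / tot=1049
# Note that "frag_id=0 frag_ptr=0" is not comma-separated and "/ tot=" has a
# separator of its own, so the parser strips ',' and '/' and splits on whitespace.

# Constructed sample line (same shape as the post's output), used when ipfw is absent.
SAMPLE='nat 123: icmp=0, udp=173, tcp=876, sctp=0, pptp=0, proto=0, frag_id=0 frag_ptr=0 / tot=1049'

# parse_nat_counters: read summary lines on stdin, print one
# "nat.<instance>.<counter> <value>" line per counter (assumed naming).
parse_nat_counters() {
    tr -d ',/' | awk '
    $1 == "nat" {
        inst = $2
        sub(/:$/, "", inst)
        for (i = 3; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n == 2) printf "nat.%s.%s %s\n", inst, kv[1], kv[2]
        }
    }'
}

# nat_counter LINE KEY: print the value of one counter from a summary line.
nat_counter() {
    printf '%s\n' "$1" | parse_nat_counters \
        | awk -v k="$2" '$1 ~ ("\\." k "$") { print $2 }'
}

# Live use on FreeBSD: feed the real output; elsewhere fall back to the sample.
if command -v ipfw >/dev/null 2>&1 && ipfw nat 123 show >/dev/null 2>&1; then
    ipfw nat 123 show | parse_nat_counters
else
    printf '%s\n' "$SAMPLE" | parse_nat_counters
fi
```

Only the counters libalias keeps per instance are available this way; the per-session table itself is not exposed by `ipfw nat show`, which is exactly the gap the question in [1] raises.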