Date: Tue, 26 Mar 2013 08:58:12 -0700
From: Michael Sierchio <kudzu@tenebras.com>
To: Jukka Ukkonen <jau@oxit.fi>
Cc: ipfw@freebsd.org
Subject: Re: kernel NAT with ipfw failing
Message-ID: <CAHu1Y71HQ+NVz8jpY6Hp0QeJM1vBk6+1kpdjn1cVFd=t1zoZ4g@mail.gmail.com>
In-Reply-To: <5151BEA9.2080907@oxit.fi>
References: <5151BEA9.2080907@oxit.fi>
On Tue, Mar 26, 2013 at 8:28 AM, Jukka Ukkonen <jau@oxit.fi> wrote:
>
> Does anyone have a confirmed working example (one that is
> in daily active use) of the ipfw NAT inside the kernel?
>
> I have been trying to create a 1-to-1 static NAT between
> a small intranet and the corresponding external addresses.

It would be helpful if you showed the ipfw commands you use to configure the nat instance and the rules you use.

If I understand you, you're trying to map a network to a network of the same size via NAT? Or are you using a single address on the outside interface of the firewall? Does the firewall "own" all the external addresses, or are they statically routed to it from upstream (your ISP)?

Have you grokked the redirect_addr and redirect_port examples in the manpage? Have you made sure that sysctl -q net.inet.ip.fw.one_pass=0 ? etc.

At this point I can only speculate, but given the complexities that sometimes appear in firewall rulesets, I would not assume that it is broken. It works for me. Show us what you're trying to do - make it easier for us to help. ;-)

- M

PS it's helpful to separate inbound and outbound traffic. Remember that a firewall will see packets several times, inbound and outbound, etc. E.g.,

    $FW nat 200 config if $if_wan unreg_only reset
    $FW add 03000 set 0 nat 200 ip from any to any in recv $if_wan

    [rules that send traffic here and there...]

    $FW add 15001 set 0 nat 200 ip from any to any out xmit $if_wan
    $FW add 15005 set 0 allow ip from any to any out xmit $if_wan
    $FW add 15010 set 0 deny log logamount 0 ip from any to any
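The reply above sketches the in-recv / out-xmit split and points at redirect_addr and one_pass=0 without showing the 1-to-1 part. The script below is an added example, not code from the mail or from the FreeBSD project: it builds one ipfw nat instance with a redirect_addr mapping per internal host (the manpage's static NAT form) and places the NAT rules on both directions of the WAN interface. The interface names, the 10.0.0.0/24 network and the 203.0.113.x addresses are constructed placeholders, and the allow/deny policy around the NAT rules is a constructed, deliberately narrow one, not the original poster's. By default it only prints the commands; on a real firewall run it with FW=ipfw SYSCTL=sysctl.

```shell
#!/bin/sh
# Added example (not from the original mail): 1-to-1 static NAT with ipfw
# kernel NAT, using the in-recv / out-xmit split from the reply above.
# Interface names, networks and addresses are constructed placeholders.
# Dry run by default: the commands are printed, not executed.

FW="${FW:-echo ipfw}"
SYSCTL="${SYSCTL:-echo sysctl}"
IF_WAN="${IF_WAN:-em0}"
IF_LAN="${IF_LAN:-em1}"
LAN_NET="${LAN_NET:-10.0.0.0/24}"

# Constructed 1-to-1 mappings: "<internal address> <external address>" per line.
MAPPINGS="10.0.0.10 203.0.113.10
10.0.0.11 203.0.113.11"

# Build the argument list for 'ipfw nat <n> config': one redirect_addr per
# mapping. libalias applies a redirect_addr in both directions: outbound
# traffic from the internal address leaves as the external one, and inbound
# traffic for the external address is rewritten to the internal one.
nat_config_args() {
    printf 'if %s unreg_only reset' "$IF_WAN"
    echo "$MAPPINGS" | while read -r lan pub; do
        [ -n "$lan" ] && printf ' redirect_addr %s %s' "$lan" "$pub"
    done
    echo
}

load_rules() {
    # With one_pass=1 a packet stops at the nat rule and never reaches the
    # allow/deny rules after it, so the policy below would be silently skipped.
    $SYSCTL net.inet.ip.fw.one_pass=0
    $FW -q flush
    # The command substitution is intentionally unquoted so that it splits
    # into separate ipfw arguments.
    $FW nat 200 config $(nat_config_args)

    # WAN, inbound: drop packets claiming an internal source (spoofing), then
    # de-NAT so the rules that follow see the real internal destination.
    $FW add 02000 set 0 deny log ip from "$LAN_NET" to any in recv "$IF_WAN"
    $FW add 03000 set 0 nat 200 ip from any to any in recv "$IF_WAN"
    # Constructed inbound policy: replies to internal TCP sessions, plus
    # HTTPS to one mapped host; everything else arriving on the WAN is logged
    # and dropped (extend for UDP/ICMP as your network needs).
    $FW add 03010 set 0 allow tcp from any to "$LAN_NET" in recv "$IF_WAN" established
    $FW add 03020 set 0 allow tcp from any to 10.0.0.10 443 in recv "$IF_WAN"
    $FW add 03030 set 0 deny log ip from any to any in recv "$IF_WAN"

    # LAN side: the firewall sees each forwarded packet a second time on the
    # inside interface, so both directions need a rule here too.
    $FW add 05000 set 0 allow ip from "$LAN_NET" to any in recv "$IF_LAN"
    $FW add 05010 set 0 allow ip from any to "$LAN_NET" out xmit "$IF_LAN"

    # WAN, outbound: translate first, then let the translated packet go.
    $FW add 15001 set 0 nat 200 ip from any to any out xmit "$IF_WAN"
    $FW add 15005 set 0 allow ip from any to any out xmit "$IF_WAN"
    $FW add 15010 set 0 deny log logamount 0 ip from any to any
}

load_rules
```

A quick check before loading this on a real box is to run it in the default dry-run mode and read the printed `nat 200 config` line: every internal host that should be reachable from outside must appear in a redirect_addr pair, and the external addresses must either be configured on the WAN interface or be routed to the firewall by the upstream, which is exactly the question the reply asks about ownership of the external addresses.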