Re: IPFW Firewall NAT inbound port-redirect
> From: Michael Sierchio ku...@tenebras.com
> To: Dan Nelson dnel...@allantgroup.com
> Cc: Bill Tillman btillma...@yahoo.com; freebsd-questions@freebsd.org
> Sent: Tue, July 12, 2011 6:35:19 PM
> Subject: Re: IPFW Firewall NAT inbound port-redirect
>
> We're not talking about natd. The question was about the use of ipfirewall nat.
>
> On Tue, Jul 12, 2011 at 9:03 AM, Dan Nelson dnel...@allantgroup.com wrote:
>> In the last episode (Jul 12), Michael Sierchio said:
>>> Is there a way of specifying a particular public address if there is more than one bound to the external interface? A la
>>>
>>>   nat 123 config if re0.2 log same_ports redirect_port tcp 10.0.0.3:22 102.10.22.1:
>>
>> Yes; the redirect_port syntax is described in the natd manpage:
>>
>>   redirect_port proto targetIP:targetPORT[-targetPORT] [aliasIP:]aliasPORT[-aliasPORT] [remoteIP[:remotePORT[-remotePORT]]]
>>
>> --
>> Dan Nelson
>> dnel...@allantgroup.com

NATD and IPFW work together. It's a little hard to explain in this format, so as Dan suggests, you should read the manpage on each. Also, do some google searches and you will find many helpful articles. But take my word for this, you can do exactly what you want with IPFW+NATD. There are those who will probably promote PF as the firewall of choice as well. It all depends on what you become familiar with.

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: IPFW Firewall NAT inbound port-redirect
I'm familiar with natd since its appearance. I was unclear on the ipfirewall nat syntax, since there is no syntax definition in the man page. It's true the man page is already too large, but some examples (somewhere) would be nice.

Marshaling packets into userland and back into the kernel makes natd much slower than kernel nat.

The statement "follow closely the syntax used in natd" is not particularly reassuring, since it doesn't declare that the syntax is identical, and (I am repeating myself, sorry), there is no syntax def in the man page.

Thanks, Dan, for explaining.

- M

On Tue, Jul 12, 2011 at 11:05 PM, Bill Tillman btillma...@yahoo.com wrote:
> [snip]
>
> NATD and IPFW work together. It's a little hard to explain in this format, so as Dan suggests, you should read the manpage on each. Also, do some google searches and you will find many helpful articles. But take my word for this, you can do exactly what you want with IPFW+NATD. There are those who will probably promote PF as the firewall of choice as well. It all depends on what you become familiar with.
Re: IPFW Firewall NAT inbound port-redirect
Michael Sierchio wrote:
> I'm familiar with natd since its appearance. I was unclear on the ipfirewall nat syntax, since there is no syntax definition in the man page. It's true the man page is already too large, but some examples (somewhere) would be nice.
>
> Marshaling packets into userland and back into the kernel makes natd much slower than kernel nat.

This is no longer true as some while ago IPFW's NATD switched over to being kernel-based. A long time ago when NATD was still userland I switched to Darren Reed's IPFILTER for just this reason. The first thing this entailed was learning the IPFILTER syntax as it was somewhat different from IPFW. I made the adjustment and later I found when I moved to PF the syntax from IPFILTER was closer to PF which made it easier to migrate.

> The statement "follow closely the syntax used in natd" is not particularly reassuring, since it doesn't declare that the syntax is identical, and (I am repeating myself, sorry), there is no syntax def in the man page.
>
> [snip]
>
>> NATD and IPFW work together. It's a little hard to explain in this format, so as Dan suggests, you should read the manpage on each. Also, do some google searches and you will find many helpful articles. But take my word for this, you can do exactly what you want with IPFW+NATD. There are those who will probably promote PF as the firewall of choice as well. It all depends on what you become familiar with.

All trueness here. I have used all three: IPFW, IPFILTER, and PF. I use PF today, but any of the three will work just fine for essentially the same purpose (mostly). For example, IPFW had dummynet for traffic-shaping while PF uses ALTQ for essentially the same purpose. Mostly it is just grokking the syntax for whichever of the three you choose. The Handbook contains some content examples for getting started for IPFW and the PF docs can be found on the OpenBSD web site. Understand the syntax and you can shape the firewall however you choose.

The various ruleset examples should probably not just be dropped in cut-and-paste style, but rather dissected line by line for understanding and then make tweaks which conform to exactly your local requirements. And it _is_ some arcane stuff to be sure, but stare at it long enough and it'll make sense eventually. :-)

-Mike
Re: IPFW Firewall NAT inbound port-redirect
Mike -

You're confused. natd is still a userland process that works via divert sockets. ipfirewall nat is an extension to ipfirewall (ipfw is the userland control program to modify the rulesets, nat config, tables, etc.).

- Michael

On Tue, Jul 12, 2011 at 11:51 PM, Michael Powell nightre...@hotmail.com wrote:
> Michael Sierchio wrote:
>> Marshaling packets into userland and back into the kernel makes natd much slower than kernel nat.
>
> This is no longer true as some while ago IPFW's NATD switched over to being kernel-based. A long time ago when NATD was still userland I switched to Darren Reed's IPFILTER for just this reason. The first thing this entailed was learning the IPFILTER syntax as it was somewhat different from IPFW. I made the adjustment and later I found when I moved to PF the syntax from IPFILTER was closer to PF which made it easier to migrate.
>
> [snip]
>
> -Mike
Re: IPFW Firewall NAT inbound port-redirect
OK - I'm confused. Could be all the top posting. ;-)

testbed# man ipfw
Formatting page, please wait...Done.
IPFW(8)                 FreeBSD System Manager's Manual                IPFW(8)

NAME
     ipfw -- User interface for firewall, traffic shaper, packet scheduler,
     in-kernel NAT.

[...]

kernel config options:

options IPFIREWALL_NAT          #ipfw kernel nat support

With this option you do not need userland natd and NAT stays in the kernel and keywords are in the IPFW ruleset. I did indeed mis-speak wrt to natd as the above was conceived in IPFW2 to supersede userland natd. Been about maybe 7 or 8 years since I used IPFW, so the memory is rusty.

Michael Sierchio wrote:
> Mike -
>
> You're confused. natd is still a userland process that works via divert sockets. ipfirewall nat is an extension to ipfirewall (ipfw is the userland control program to modify the rulesets, nat config, tables, etc.).
>
> - Michael
>
> On Tue, Jul 12, 2011 at 11:51 PM, Michael Powell nightre...@hotmail.com wrote:
>> [snip]
Re: IPFW Firewall NAT inbound port-redirect
> From: Dan Nelson dnel...@allantgroup.com
> To: Michael Sierchio ku...@tenebras.com
> Cc: freebsd-questions@freebsd.org
> Sent: Mon, July 11, 2011 1:07:31 PM
> Subject: Re: IPFW Firewall NAT inbound port-redirect
>
> In the last episode (Jul 11), Michael Sierchio said:
>> Sorry for the naive question, but most of my old rulesets still use natd, and I've only used built-in nat for outbound traffic. I'd like to redirect certain ports on certain addresses to the same ports on internal (RFC1918) addresses. The examples in the man page aren't helpful, and the handbook still seems very natd-centric in its examples. Thanks in advance.
>
> I use this at the top of my /etc/ipfw.conf file (re0.2 is the interface corresponding to my internet connection):
>
>   nat 123 config if re0.2 log same_ports redirect_port tcp 10.0.0.3:22 22
>   add nat 123 ip from any to any via re0.2
>
> , which redirects incoming port 22 connections to 10.0.0.3. If you want to redirect more ports, add more "redirect_port tcp host:port port" expressions to the end of your nat line. I believe you can run the nat config command manually with a new list (as in "ipfw nat 123 ...") to add/remove entries dynamically. I'm not at home to try it, and don't want to risk losing my remote connection if I mess up :)
>
> --
> Dan Nelson
> dnel...@allantgroup.com

I have used IPFW for many years now. As for forwarding traffic from your gateway to internal machines I've always used the following in my /etc/natd.conf file:

dynamic
redirect_port tcp 10.0.0.254:80 80      # Apache Webserver inside my LAN
redirect_port udp 10.0.0.214:1194 1194  # OpenVPN Port
redirect_port tcp 10.0.0.213:443 443    # OpenVPN Port

Of course you will need a line like this in your /etc/rc.conf to get natd to read this file:

natd_flags="-f /etc/natd.conf"
Re: IPFW Firewall NAT inbound port-redirect
Is there a way of specifying a particular public address if there is more than one bound to the external interface? A la

  nat 123 config if re0.2 log same_ports redirect_port tcp 10.0.0.3:22 102.10.22.1:

?

On Tue, Jul 12, 2011 at 5:19 AM, Bill Tillman btillma...@yahoo.com wrote:
> [snip]
>
> I have used IPFW for many years now. As for forwarding traffic from your gateway to internal machines I've always used the following in my /etc/natd.conf file:
>
>   dynamic
>   redirect_port tcp 10.0.0.254:80 80      # Apache Webserver inside my LAN
>   redirect_port udp 10.0.0.214:1194 1194  # OpenVPN Port
>   redirect_port tcp 10.0.0.213:443 443    # OpenVPN Port
>
> Of course you will need a line like this in your /etc/rc.conf to get natd to read this file:
>
>   natd_flags="-f /etc/natd.conf"
Re: IPFW Firewall NAT inbound port-redirect
In the last episode (Jul 12), Michael Sierchio said:
> Is there a way of specifying a particular public address if there is more than one bound to the external interface? A la
>
>   nat 123 config if re0.2 log same_ports redirect_port tcp 10.0.0.3:22 102.10.22.1:

Yes; the redirect_port syntax is described in the natd manpage:

  redirect_port proto targetIP:targetPORT[-targetPORT] [aliasIP:]aliasPORT[-aliasPORT] [remoteIP[:remotePORT[-remotePORT]]]

--
Dan Nelson
dnel...@allantgroup.com
Re: IPFW Firewall NAT inbound port-redirect
We're not talking about natd. The question was about the use of ipfirewall nat.

On Tue, Jul 12, 2011 at 9:03 AM, Dan Nelson dnel...@allantgroup.com wrote:
> In the last episode (Jul 12), Michael Sierchio said:
>> Is there a way of specifying a particular public address if there is more than one bound to the external interface? A la
>>
>>   nat 123 config if re0.2 log same_ports redirect_port tcp 10.0.0.3:22 102.10.22.1:
>
> Yes; the redirect_port syntax is described in the natd manpage:
>
>   redirect_port proto targetIP:targetPORT[-targetPORT] [aliasIP:]aliasPORT[-aliasPORT] [remoteIP[:remotePORT[-remotePORT]]]
>
> --
> Dan Nelson
> dnel...@allantgroup.com
Re: IPFW Firewall NAT inbound port-redirect
In the last episode (Jul 12), Michael Sierchio said:
> On Tue, Jul 12, 2011 at 9:03 AM, Dan Nelson dnel...@allantgroup.com wrote:
>> In the last episode (Jul 12), Michael Sierchio said:
>>> Is there a way of specifying a particular public address if there is more than one bound to the external interface? A la
>>>
>>>   nat 123 config if re0.2 log same_ports redirect_port tcp 10.0.0.3:22 102.10.22.1:
>>
>> Yes; the redirect_port syntax is described in the natd manpage:
>>
>>   redirect_port proto targetIP:targetPORT[-targetPORT] [aliasIP:]aliasPORT[-aliasPORT] [remoteIP[:remotePORT[-remotePORT]]]
>
> We're not talking about natd. The question was about the use of ipfirewall nat.

Right, but ipfw nat is basically the userland libalias library loaded as a kernel module, so the config parameters are the same.

  $ grep MODULE_DEPEND /sys/netinet/ipfw/ip_fw_nat.c
  MODULE_DEPEND(ipfw_nat, libalias, 1, 1, 1);
  MODULE_DEPEND(ipfw_nat, ipfw, 2, 2, 2);

also, man ipfw:

  NETWORK ADDRESS TRANSLATION (NAT)
       ipfw support in-kernel NAT using the kernel version of libalias(3).
  [..]
  REDIRECT AND LSNAT SUPPORT IN IPFW
       Redirect and LSNAT support follow closely the syntax used in natd(8).
       See Section EXAMPLES for some examples on how to do redirect and lsnat.

--
Dan Nelson
dnel...@allantgroup.com
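A worked ruleset for the case Michael asked about (one public alias among several on the outside interface, inbound TCP/22 handed to an internal host), added here as an example; it is not code from the thread or from FreeBSD. It uses the thread's placeholders (re0.2, 10.0.0.3, 102.10.22.1) and assumes one administrative peer, 198.51.100.7 from the RFC 5737 documentation range, as the remoteIP. The redirect_port clause has the shape Dan quoted from natd(8): the aliasIP prefix on the alias port is what pins the redirect to one public address, and the optional remoteIP is what limits who can use it. Two things the thread does not spell out: every address and port is checked before the clause is emitted, so a typo fails instead of widening the redirect, and the nat instance is created with deny_in so inbound packets that match neither an existing translation nor a redirect are dropped. Note also that with the default net.inet.ip.fw.one_pass=1 ipfw accepts the packet right after the nat rule; the allow/deny rules below it only run when that sysctl is 0.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeBSD: build an ipfw(8)
# in-kernel NAT ruleset that redirects inbound TCP/22 on one chosen public
# alias to an internal host. Interface and addresses are the thread's
# placeholders; the admin peer 198.51.100.7 (RFC 5737 range) is assumed.

# Decimal port, 1-65535.
is_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    if [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; then return 0; fi
    return 1
}

# Dotted-quad IPv4 address, each octet 0-255. Runs in a subshell so the
# IFS change used for splitting does not leak out.
is_ipv4() (
    set -f; IFS=.; set -- $1
    [ $# -eq 4 ] || exit 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) exit 1 ;; esac
        [ "$o" -le 255 ] || exit 1
    done
    exit 0
)

# One redirect_port clause in the shape natd(8) documents and ipfw(8) follows:
#   redirect_port proto targetIP:targetPORT [aliasIP:]aliasPORT [remoteIP[:remotePORT]]
# Every field is validated first, so a typo fails instead of silently
# widening the redirect. Port ranges are not handled, to keep the check small.
redirect_port_clause() {
    proto=$1; target=$2; alias=$3; remote=${4:-}
    case "$proto" in tcp|udp) ;; *) return 1 ;; esac
    case "$target" in *:*) ;; *) return 1 ;; esac   # targetIP:targetPORT is mandatory
    if ! is_ipv4 "${target%:*}" || ! is_port "${target#*:}"; then return 1; fi
    # An aliasIP prefix on the alias port pins the redirect to one public address.
    case "$alias" in
        *:*) if ! is_ipv4 "${alias%:*}" || ! is_port "${alias#*:}"; then return 1; fi ;;
        *)   if ! is_port "$alias"; then return 1; fi ;;
    esac
    # remoteIP[:remotePORT] restricts which peer may use the redirect at all.
    if [ -n "$remote" ]; then
        case "$remote" in
            *:*) if ! is_ipv4 "${remote%:*}" || ! is_port "${remote#*:}"; then return 1; fi ;;
            *)   if ! is_ipv4 "$remote"; then return 1; fi ;;
        esac
    fi
    printf 'redirect_port %s %s %s%s\n' "$proto" "$target" "$alias" "${remote:+ $remote}"
}

# The ruleset, in the file syntax ipfw(8) reads (command line minus "ipfw").
# Only the outside interface is covered; LAN-side rules are left out.
gen_ruleset() {
    ext_if=$1; pub_ip=$2; int_host=$3; admin_host=$4
    clause=$(redirect_port_clause tcp "$int_host:22" "$pub_ip:22" "$admin_host") || return 1
    cat <<EOF
# NAT instance 123 on $ext_if. deny_in drops inbound packets that match neither
# an existing translation nor a redirect. Rules after the nat rule are only
# evaluated with net.inet.ip.fw.one_pass=0 (set it in /etc/sysctl.conf first).
nat 123 config if $ext_if log same_ports deny_in $clause
add 100 nat 123 ip from any to any via $ext_if
# After translation the redirect's destination is the internal address.
add 200 allow tcp from $admin_host to $int_host 22 in via $ext_if
add 210 allow tcp from any to any in via $ext_if established
add 220 allow ip from any to any out via $ext_if
add 65000 deny log ip from any to any
EOF
}

# Usage: sh gen-ipfw-nat.sh re0.2 102.10.22.1 10.0.0.3 198.51.100.7 > /etc/ipfw.rules
if [ $# -eq 4 ]; then gen_ruleset "$@"; fi
```

Write the output to a file and run `ipfw -n /etc/ipfw.rules` to syntax-check it before loading it with `ipfw -q /etc/ipfw.rules`. As Dan's remark about losing his remote connection suggests, load a new ruleset from the console or with a timed fallback to the previous file, never over the session the rules are about to filter.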
IPFW Firewall NAT inbound port-redirect
Sorry for the naive question, but most of my old rulesets still use natd, and I've only used built-in nat for outbound traffic. I'd like to redirect certain ports on certain addresses to the same ports on internal (RFC1918) addresses. The examples in the man page aren't helpful, and the handbook still seems very natd-centric in its examples.

Thanks in advance.

- Michael