Re: Kernel Config for NAT
On Fri, 9 Apr 2010, per...@pluto.rain.com wrote:
> Ian Smith smi...@nimnet.asn.au wrote:
>> http://www.freebsd.org/doc/handbook/firewalls-ipfw.html
>>
>> <rant>
>> This is absolutely the worst section of an otherwise great handbook ...
>> Nothing short of a rewrite from scratch could fix it ...
>
> As always, I'm sure a patch -- to provide that rewrite -- would be welcome.

You're quite right, of course. It's a huge job, and I'm not sure I can do it; just picked up the latest chapter.sgml for another look. I know I should STFU or fix it, but I can't help at least warning people who, unless they're at least familiar with ipfw(8), are going to be either put off or - in my view - misled or confused. I'll see if I can't come up with at least some updates and corrections.

Thanks for the kick :)

cheers, Ian

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Kernel Config for NAT
In freebsd-questions Digest, Vol 305, Issue 9, Message: 1
On Thu, 8 Apr 2010 08:10:34 -0400 Robert Huff roberth...@rcn.com wrote:
> Adam Vande More writes:
>>> If compiled into the kernel, there's a set of optional settings (VERBOSE, LOG_LINIT, DEFAULT_TO_ACCEPT, etc) that can be set there. If using the module, how does one set these?
>>
>> Logging is compiled into the modules and there are a few sysctl's. AFAIK, everything else is the same.

There are _lots_ of sysctls, even more recently with SCTP support.

>> http://www.freebsd.org/doc/handbook/firewalls-ipfw.html

<rant>
This is absolutely the worst section of an otherwise great handbook. Apart from being way out of date it contains gratuitous deprecation, inaccuracies and a large number of plain untruths, was largely written by someone who doesn't use (or like) ipfw, and has examples styled to duplicate an IPFILTER setup. Nothing short of a rewrite from scratch could fix it, despite efforts by several people to clarify aspects; only quite recently the invalid 'ipfw block' command was removed from it.

ipfw(8) is a complete (albeit very terse) ipfw reference and I thoroughly recommend studying that instead. Despite what the handbook section says, the sample rules eg the 'simple' ruleset in rc.firewall ARE these days suitable for immediate use using rc.conf variables, DO include NAT functionality (either with natd or ipfw nat) in the _correct_ place in the ruleset, and DO include some stateful rules; that and ipfw(8) are certainly a better place to start than the dreadful examples afflicting the handbook since some years.
</rant>

> So ... double-checking I'm doing this right:
>
> 1) in /boot/loader.conf:
> ipfw_load=YES
> ipdivert_load=YES

I thought from your earlier mail that you wanted to use in-kernel NAT? If so, rather than divert sockets (using ipfw's divert action) you want:

ipfw_nat_load=YES
libalias_load=YES

> 2) in the kernel config:
> #options IPFIREWALL                    #firewall
> #options IPFIREWALL_VERBOSE            #enable logging to syslogd(8)
> #options IPFIREWALL_VERBOSE_LIMIT=100  #limit verbosity
> #options IPFIREWALL_DEFAULT_TO_ACCEPT  #allow everything by default
> #options IPDIVERT
> #options IPFIREWALL_NAT                #ipfw kernel nat support
> options LIBALIAS                       # required for NAT

I believe all these can be accomplished with modules on GENERIC kernel, at least on 8.x, with the exception of FIREWALL_FORWARD functionality which does require a custom kernel as it messes with lots of ip paths.

If you want to use natd(8) then you'll need ipdivert.ko (as you have above), but if you want to use in-kernel NAT (not yet mentioned in the handbook sections for ipfw or natd, though there since 7.0) then you'll want IPFIREWALL_NAT and LIBALIAS in kernel, or loaded as modules:

ipfw.ko
ipfw_nat.ko     # in-kernel ipfw nat
libalias.ko     # for in-kernel ipfw nat
dummynet.ko     # if wanted
ipdivert.ko     # (or) for natd

Basically, natd uses userland libalias and ipdivert but in-kernel NAT needs in-kernel libalias. The syntax of nat commands is virtually identical for natd.conf and ipfw nat commands, see ipfw(8) natd(8)

> 3) in /etc/sysctl.conf:
> net.inet.ip.fw.default_to_accept=1

Interestingly, that one hasn't yet made it into ipfw(8) .. your choice, or you can use firewall_type=open for rc.firewall without that, until you've got your ruleset in action (when default to deny is advisable)

> net.inet.ip.fw.verbose=1
> net.inet.ip.fw.verbose_limit=100
>
> That cover it?

Should do .. with the abovementioned exception, take ipfw(8) as being definitive, ignore the misleading and often just plain wrong handbook section, and prosper ..

cheers, Ian
Re: Kernel Config for NAT
Ian Smith writes:
>> So ... double-checking I'm doing this right:
>>
>> 1) in /boot/loader.conf:
>> ipfw_load=YES
>> ipdivert_load=YES
>
> I thought from your earlier mail that you wanted to use in-kernel NAT?

I want whatever works. :-)
Beyond that ... all other things being more-or-less equal I'll do this with modules. Let's build that.

So in /etc/sysctl.conf:
net.inet.ip.fw.default_to_accept=1
net.inet.ip.fw.verbose=1
net.inet.ip.fw.verbose_limit=100

check.

> I believe all these can be accomplished with modules on GENERIC kernel, at least on 8.x, with the exception of FIREWALL_FORWARD functionality which does require a custom kernel as it messes with lots of ip paths.

This machine has a custom kernel, so that's not an issue.

And in /boot/loader.conf:
ipfw_load=YES
ipfw_nat=YES    # in-kernel ipfw nat
libalias=YES    # for in-kernel ipfw nat

check.

and in the kernel config:
#options IPFIREWALL                    #firewall
#options IPFIREWALL_VERBOSE            #enable logging to syslogd(8)
options IPFIREWALL_FORWARD
#options IPFIREWALL_VERBOSE_LIMIT=100  #limit verbosity
#options IPFIREWALL_DEFAULT_TO_ACCEPT  #allow everything by default
#options IPDIVERT
#options IPFIREWALL_NAT                #ipfw kernel nat support
#options LIBALIAS                      # required for NAT

check.

This combination will get me a) ipfw, using the standard rc.conf firewall_ variables, and b) NAT ... do I still need to have a nat setting in the firewall rules?

Less confused than last time,

Robert Huff
Re: Kernel Config for NAT
On Fri, 9 Apr 2010, Robert Huff wrote:
> Ian Smith writes:
>>> So ... double-checking I'm doing this right:
>>>
>>> 1) in /boot/loader.conf:
>>> ipfw_load=YES
>>> ipdivert_load=YES
>>
>> I thought from your earlier mail that you wanted to use in-kernel NAT?
>
> I want whatever works. :-)

natd works, as ever. ipfw nat is reputed to work faster.

> Beyond that ... all other things being more-or-less equal I'll do this with modules. Let's build that.
>
> So in /etc/sysctl.conf:
> net.inet.ip.fw.default_to_accept=1
> net.inet.ip.fw.verbose=1
> net.inet.ip.fw.verbose_limit=100
>
> check.
>
>> I believe all these can be accomplished with modules on GENERIC kernel, at least on 8.x, with the exception of FIREWALL_FORWARD functionality which does require a custom kernel as it messes with lots of ip paths.
>
> This machine has a custom kernel, so that's not an issue.
>
> And in /boot/loader.conf:
> ipfw_load=YES
> ipfw_nat=YES    # in-kernel ipfw nat
> libalias=YES    # for in-kernel ipfw nat

ipfw_nat_load=YES
libalias_load=YES

> check.
>
> and in the kernel config:
> #options IPFIREWALL                    #firewall
> #options IPFIREWALL_VERBOSE            #enable logging to syslogd(8)
> options IPFIREWALL_FORWARD

Planning on using any 'fwd' rules?

> #options IPFIREWALL_VERBOSE_LIMIT=100  #limit verbosity
> #options IPFIREWALL_DEFAULT_TO_ACCEPT  #allow everything by default
> #options IPDIVERT
> #options IPFIREWALL_NAT                #ipfw kernel nat support
> #options LIBALIAS                      # required for NAT
>
> check.
>
> This combination will get me a) ipfw, using the standard rc.conf firewall_ variables, and b) NAT ... do I still need to have a nat setting in the firewall rules?

The 'client' ruleset now has rules for either natd or ipfw nat. The 'simple' ruleset works with natd (from natd_enable and natd_interface in rc.conf), but still lacks the patch for ipfw nat - my remiss for seeking comment in ipfw@ rather than sending it with a PR, as one should. Time I redid it, you can be guinea pig :)

What freebsd version?

cheers, Ian
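The loader.conf mix-up in the exchange above (ipfw_nat=YES / libalias=YES where the module-load knobs are ipfw_nat_load / libalias_load) is easy to catch mechanically. The POSIX sh linter below is an added example, not code from the thread or from FreeBSD; it classifies which NAT path a loader.conf enables (in-kernel ipfw nat via ipfw_nat_load + libalias_load, or natd via ipdivert_load) and counts bare keys that load nothing. Both sample files are constructed here.

```shell
#!/bin/sh
# Added example, not from the thread: lint /boot/loader.conf for the ipfw NAT
# module knobs discussed above. Sample files are constructed inline.

# True if "<key>=YES" (quotes optional) appears uncommented in file $2.
conf_yes() {
    grep -Eq "^[[:space:]]*$1=\"?YES\"?" "$2"
}

# Print the NAT path a loader.conf enables: ipfw-nat (ipfw_nat_load +
# libalias_load), natd (ipdivert_load, for natd(8)), both, none, missing-ipfw.
nat_path() {
    f=$1
    conf_yes ipfw_load "$f" || { echo missing-ipfw; return 1; }
    inkernel=0; divert=0
    conf_yes ipfw_nat_load "$f" && conf_yes libalias_load "$f" && inkernel=1
    conf_yes ipdivert_load "$f" && divert=1
    case "$inkernel$divert" in
        11) echo both ;;  10) echo ipfw-nat ;;  01) echo natd ;;  *) echo none ;;
    esac
}

# Count bare keys (ipfw_nat=YES, libalias=YES, ...): loader(8) only loads a
# module for <module>_load=YES, so these set a loader variable and load nothing.
bad_keys() {
    grep -Ec '^[[:space:]]*(ipfw|ipfw_nat|libalias|ipdivert)="?YES"?' "$1" || true
}

SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT

# Constructed sample: the draft with bare keys, so no NAT module is loaded.
cat > "$SAMPLES/draft.conf" <<'EOF'
ipfw_load=YES
ipfw_nat=YES        # in-kernel ipfw nat
libalias=YES        # for in-kernel ipfw nat
EOF

# Constructed sample: the corrected *_load knobs for in-kernel ipfw nat.
cat > "$SAMPLES/fixed.conf" <<'EOF'
ipfw_load="YES"
ipfw_nat_load="YES"
libalias_load="YES"
EOF

for c in draft fixed; do
    printf '%s: nat=%s bad_keys=%s\n' "$c" \
        "$(nat_path "$SAMPLES/$c.conf")" "$(bad_keys "$SAMPLES/$c.conf")"
done
```

Run it against a real /boot/loader.conf by pointing nat_path and bad_keys at that file; "none" with a non-zero bad_keys count is the draft mistake above.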
Re: Kernel Config for NAT
Ian Smith smi...@nimnet.asn.au wrote:
> http://www.freebsd.org/doc/handbook/firewalls-ipfw.html
>
> <rant>
> This is absolutely the worst section of an otherwise great handbook ...
> Nothing short of a rewrite from scratch could fix it ...

As always, I'm sure a patch -- to provide that rewrite -- would be welcome.
Re: Kernel Config for NAT
Adam Vande More writes:
>> If compiled into the kernel, there's a set of optional settings (VERBOSE, LOG_LINIT, DEFAULT_TO_ACCEPT, etc) that can be set there. If using the module, how does one set these?
>
> Logging is compiled into the modules and there are a few sysctl's. AFAIK, everything else is the same.
>
> http://www.freebsd.org/doc/handbook/firewalls-ipfw.html

It would be nice if this were made explicit in that handbook. And the other two sections harmonized as well.

Robert Huff
Re: Kernel Config for NAT
Adam Vande More writes:
>> If compiled into the kernel, there's a set of optional settings (VERBOSE, LOG_LINIT, DEFAULT_TO_ACCEPT, etc) that can be set there. If using the module, how does one set these?
>
> Logging is compiled into the modules and there are a few sysctl's. AFAIK, everything else is the same.
>
> http://www.freebsd.org/doc/handbook/firewalls-ipfw.html

So ... double-checking I'm doing this right:

1) in /boot/loader.conf:
ipfw_load=YES
ipdivert_load=YES

2) in the kernel config:
#options IPFIREWALL                    #firewall
#options IPFIREWALL_VERBOSE            #enable logging to syslogd(8)
#options IPFIREWALL_VERBOSE_LIMIT=100  #limit verbosity
#options IPFIREWALL_DEFAULT_TO_ACCEPT  #allow everything by default
#options IPDIVERT
#options IPFIREWALL_NAT                #ipfw kernel nat support
options LIBALIAS                       # required for NAT

3) in /etc/sysctl.conf:
net.inet.ip.fw.default_to_accept=1
net.inet.ip.fw.verbose=1
net.inet.ip.fw.verbose_limit=100

That cover it?

Robert Huff
Re: Kernel Config for NAT
On Thu, Apr 8, 2010 at 7:10 AM, Robert Huff roberth...@rcn.com wrote:
> 1) in /boot/loader.conf:
> ipfw_load=YES
> ipdivert_load=YES
>
> 2) in the kernel config:
> #options IPFIREWALL                    #firewall
> #options IPFIREWALL_VERBOSE            #enable logging to syslogd(8)
> #options IPFIREWALL_VERBOSE_LIMIT=100  #limit verbosity
> #options IPFIREWALL_DEFAULT_TO_ACCEPT  #allow everything by default
> #options IPDIVERT
> #options IPFIREWALL_NAT                #ipfw kernel nat support
> options LIBALIAS                       # required for NAT
>
> 3) in /etc/sysctl.conf:
> net.inet.ip.fw.default_to_accept=1
> net.inet.ip.fw.verbose=1
> net.inet.ip.fw.verbose_limit=100

That's actually a good question considering the lack of documentation. If that works then great, but one wonders what the ipfw_nat module is for? ... looks like it's tied into libalias, apparently a replacement for natd.

http://wiki.freebsd.org/Libalias

That seems to be a major problem with those GsoC projects, even if they get something good working there is frequently no documentation with it. Then it sits there mostly unused waiting for bitrot to set in. I don't know the structure of GsoC, but if it's possible for the mentor to *strongly* encourage documentation checkpoints (manpages, not wiki) I think these projects would be better utilized.

--
Adam Vande More
Re: Kernel Config for NAT
On Thu, 8 Apr 2010 08:10:34 -0400 Robert Huff roberth...@rcn.com wrote:
> So ... double-checking I'm doing this right:
>
> 1) in /boot/loader.conf:
> ipfw_load=YES
> ipdivert_load=YES

yes; see NAT HB 31.9.3

> 2) in the kernel config:

IMHO, and according to Adam Vande More, kernel options are no longer required.

> 3) in /etc/sysctl.conf:
> net.inet.ip.fw.default_to_accept=1

see NAT HB 31.9.3

> net.inet.ip.fw.verbose=1
> net.inet.ip.fw.verbose_limit=100

see IPFW HB 30.6.1
I would use a smaller limit such as 5.

> That cover it?

Still need entries in /etc/rc.conf. See HB 30.9.5, 30.6.3, 30.6.5.7

I also have DHCP serving the downstream (private) network. Upstream gets configured by dhclient.

--
Gary Dunn, Honolulu
o...@aloha.com
http://openslate.net/
http://e9erust.blogspot.com/
Sent from a Newton 2100 via Mail V
Re: Kernel Config for NAT
> IMHO, and according to Adam Vande More, kernel options are no longer required.

The original reason I asked was:

30.6.2 Kernel Options
It is not a mandatory requirement to enable IPFW by compiling the following options into the FreeBSD kernel, unless NAT functionality is required.

I do want NAT, and there is no unambiguous path in the Handbook.

> Still need entries in /etc/rc.conf. See HB 30.9.5, 30.6.3, 30.6.5.7

Once ipfw is running, I should have the rulesets covered.

Robert Huff
Re: Kernel Config for NAT
On Wed, Apr 7, 2010 at 9:51 PM, Gary Dunn o...@aloha.com wrote:
> I am setting up a router to share one Wi-Fi link between a few computers that only support CAT-5. Like a wireless access point except wired and wireless sides are reversed. My question is about the ipfw packet filter. From the handbook section on NAT, 31.9.3, I can achieve what I need with boot loader options. Section 31.9.4 describes alternatives for building a custom kernel. In contrast, the chapter on ipfw states several times that NAT requires a custom kernel - 30.6.1, 30.6.2, 30.6.5.7. I want to use freebsd-update and building a custom kernel eliminates that option. Which is correct? Do I need to build a custom kernel to use NAT?

You don't need to build a custom kernel anymore, that's a relatively recent change. Another option is to use pf instead of ipfw since it has built-in NAT. I'm not saying you should change as your current path has worked great for me for many years.

--
Adam Vande More
Re: Kernel Config for NAT
Adam Vande More writes:
>> I am setting up a router to share one Wi-Fi link between a few computers that only support CAT-5. Like a wireless access point except wired and wireless sides are reversed. My question is about the ipfw packet filter. From the handbook section on NAT, 31.9.3, I can achieve what I need with boot loader options. Section 31.9.4 describes alternatives for building a custom kernel. In contrast, the chapter on ipfw states several times that NAT requires a custom kernel - 30.6.1, 30.6.2, 30.6.5.7. I want to use freebsd-update and building a custom kernel eliminates that option. Which is correct? Do I need to build a custom kernel to use NAT?
>
> You don't need to build a custom kernel anymore, that's a relatively recent change. Another option is to use pf instead of ipfw since it has built-in NAT. I'm not saying you should change as your current path has worked great for me for many years.

If compiled into the kernel, there's a set of optional settings (VERBOSE, LOG_LINIT, DEFAULT_TO_ACCEPT, etc) that can be set there. If using the module, how does one set these?

Robert Huff
Re: Kernel Config for NAT
On Wed, Apr 7, 2010 at 11:28 PM, Robert Huff roberth...@rcn.com wrote:
> If compiled into the kernel, there's a set of optional settings (VERBOSE, LOG_LINIT, DEFAULT_TO_ACCEPT, etc) that can be set there. If using the module, how does one set these?

Logging is compiled into the modules and there are a few sysctl's. AFAIK, everything else is the same.

http://www.freebsd.org/doc/handbook/firewalls-ipfw.html

--
Adam Vande More