Re: nat and firewall
On Fri, Oct 3, 2008 at 5:24 AM, fire jotawski [EMAIL PROTECTED] wrote:
> On Thu, Oct 2, 2008 at 7:39 PM, Dominique Goncalves [EMAIL PROTECTED] wrote:
>> Hi,
>>
>> On Thu, Oct 2, 2008 at 6:09 AM, fire jotawski [EMAIL PROTECTED] wrote:
>>> On Thu, Sep 25, 2008 at 12:10 AM, Kevin Kinsey [EMAIL PROTECTED] wrote:
>>>> FBSD1 wrote:
>>>>> natd_enable=YES
>>>>> This statement in rc.conf enables ipfw nated function.
>>>>>
>>>>> firewall_nat_enable=YES
>>>>> This is an invalid statement. No such thing as you have here.
>>>>
>>>> This is no longer true; he did indeed find firewall_nat_enable in
>>>> /etc/defaults/rc.conf. The knob seems to have first appeared in February
>>>> in HEAD and I'm guessing it cues the system to use a new kernel-based nat
>>>> rather than natd(8), but I've not read anything further about this, as my
>>>> system isn't as up to date as the OP's. I don't know when this change was
>>>> MFC'ed, but apparently fairly recently?
>>>>
>>>> I suppose we need someone a tad more in the know to straighten that out
>>>> for us.
>>>
>>> up to this moment, i do not know if natd and firewall_nat function the
>>> same or differently. and is there a firewall_nat_flags thing too ?
>>
>> I'll try to explain.
>>
>> natd_* knobs are for natd(8), a daemon.
>> firewall_nat_* knobs are for ipfw(8); NAT is processed by the kernel.
>>
>> firewall_nat_* was added at the beginning of the year in RELENG_7:
>> http://www.freebsd.org/cgi/cvsweb.cgi/src/etc/rc.firewall?r1=1.52.2.2#rev1.52.2.2
>>
>> The NAT configuration is done by /etc/rc.firewall; you can read this file
>> to know how the configuration is done.
>>
>> These are two different ways to do NAT. I can't speak about performance,
>> kernel vs daemon.
>
> many thanks indeed for your clear explanations.
>
> so we simply use just one of them but not both, do we not ?

Yes.

> once again, i appreciate all of your kind assistance in my case.
>
> with best regards,
> psr

Regards.

-- 
There's this old saying: Give a man a fish, feed him for a day. Teach a man to fish, feed him for life.
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: nat and firewall
Hi,

On Thu, Oct 2, 2008 at 6:09 AM, fire jotawski [EMAIL PROTECTED] wrote:
> On Thu, Sep 25, 2008 at 12:10 AM, Kevin Kinsey [EMAIL PROTECTED] wrote:
>> FBSD1 wrote:
>>> natd_enable=YES
>>> This statement in rc.conf enables ipfw nated function.
>>>
>>> firewall_nat_enable=YES
>>> This is an invalid statement. No such thing as you have here.
>>
>> This is no longer true; he did indeed find firewall_nat_enable in
>> /etc/defaults/rc.conf. The knob seems to have first appeared in February
>> in HEAD and I'm guessing it cues the system to use a new kernel-based nat
>> rather than natd(8), but I've not read anything further about this, as my
>> system isn't as up to date as the OP's. I don't know when this change was
>> MFC'ed, but apparently fairly recently?
>>
>> I suppose we need someone a tad more in the know to straighten that out
>> for us.
>
> up to this moment, i do not know if natd and firewall_nat function the
> same or differently. and is there a firewall_nat_flags thing too ?

I'll try to explain.

natd_* knobs are for natd(8), a daemon.
firewall_nat_* knobs are for ipfw(8); NAT is processed by the kernel.

firewall_nat_* was added at the beginning of the year in RELENG_7:
http://www.freebsd.org/cgi/cvsweb.cgi/src/etc/rc.firewall?r1=1.52.2.2#rev1.52.2.2

The NAT configuration is done by /etc/rc.firewall; you can read this file
to know how the configuration is done.

These are two different ways to do NAT. I can't speak about performance,
kernel vs daemon.

Hope this helps.

> thanks in advance for any help and hints.
>
> regards,
> psr

Regards.

-- 
There's this old saying: Give a man a fish, feed him for a day. Teach a man to fish, feed him for life.
Re: nat and firewall
>> This is no longer true; he did indeed find firewall_nat_enable in
>> /etc/defaults/rc.conf. The knob seems to have first appeared in February
>> in HEAD and I'm guessing it cues the system to use a new kernel-based nat
>> rather than natd(8), but I've not read anything further about this, as my
>> system isn't as up to date as the OP's. I don't know when this change was
>> MFC'ed, but apparently fairly recently?
>
> firewall_nat_* was added at the beginning of the year in RELENG_7:
> http://www.freebsd.org/cgi/cvsweb.cgi/src/etc/rc.firewall?r1=1.52.2.2#rev1.52.2.2
>
> These are two different ways to do NAT. I can't speak about performance,
> kernel vs daemon.

Apologies for jumping in another thread commenting on my own question, but I
think the questions are very similar (see "Recompile kernel or module for
ipfw+nat?",
http://lists.freebsd.org/pipermail/freebsd-questions/2008-September/183418.html).

It would seem that doing NAT with ipfw (in-kernel, as opposed to using
userland natd) is not possible in 7.0-RELEASE-p4 without recompiling the
kernel to include IPDIVERT, even though IPDIVERT was converted to a loadable
module way back. And I have doubts that even recompiling the kernel would
help doing

    ipfw add nat 123 all from any to any

However, I found the reason for that might be the following CVS commit
message:

    # $FreeBSD: src/sys/modules/ipfw_nat/Makefile,v 1.1 2008/02/29 22:27:18 piso Exp $
    Move ipfw's nat code into its own kld: ipfw_nat.

which got committed to RELENG_7 and HEAD only (explains why it doesn't work
on my 7.0-RELEASE-p4). My guess is that this functionality is already
available in 7.1-BETA, since the code freeze began in September and the ipfw
nat code got committed in February.

I can only guess if what I wrote above is correct, but I'll upgrade one
machine to 7.1-BETA as soon as I get some spare time.

Regards,
-- 
Nino
Re: nat and firewall
On Thu, Oct 2, 2008 at 7:39 PM, Dominique Goncalves [EMAIL PROTECTED] wrote:
> Hi,
>
> On Thu, Oct 2, 2008 at 6:09 AM, fire jotawski [EMAIL PROTECTED] wrote:
>> On Thu, Sep 25, 2008 at 12:10 AM, Kevin Kinsey [EMAIL PROTECTED] wrote:
>>> FBSD1 wrote:
>>>> natd_enable=YES
>>>> This statement in rc.conf enables ipfw nated function.
>>>>
>>>> firewall_nat_enable=YES
>>>> This is an invalid statement. No such thing as you have here.
>>>
>>> This is no longer true; he did indeed find firewall_nat_enable in
>>> /etc/defaults/rc.conf. The knob seems to have first appeared in February
>>> in HEAD and I'm guessing it cues the system to use a new kernel-based nat
>>> rather than natd(8), but I've not read anything further about this, as my
>>> system isn't as up to date as the OP's. I don't know when this change was
>>> MFC'ed, but apparently fairly recently?
>>>
>>> I suppose we need someone a tad more in the know to straighten that out
>>> for us.
>>
>> up to this moment, i do not know if natd and firewall_nat function the
>> same or differently. and is there a firewall_nat_flags thing too ?
>
> I'll try to explain.
>
> natd_* knobs are for natd(8), a daemon.
> firewall_nat_* knobs are for ipfw(8); NAT is processed by the kernel.
>
> firewall_nat_* was added at the beginning of the year in RELENG_7:
> http://www.freebsd.org/cgi/cvsweb.cgi/src/etc/rc.firewall?r1=1.52.2.2#rev1.52.2.2
>
> The NAT configuration is done by /etc/rc.firewall; you can read this file
> to know how the configuration is done.
>
> These are two different ways to do NAT. I can't speak about performance,
> kernel vs daemon.

many thanks indeed for your clear explanations.

so we simply use just one of them but not both, do we not ?

once again, i appreciate all of your kind assistance in my case.

with best regards,
psr
Re: nat and firewall
On Thu, Sep 25, 2008 at 12:10 AM, Kevin Kinsey [EMAIL PROTECTED] wrote:
> FBSD1 wrote:
>> natd_enable=YES
>> This statement in rc.conf enables ipfw nated function.
>>
>> firewall_nat_enable=YES
>> This is an invalid statement. No such thing as you have here.
>
> This is no longer true; he did indeed find firewall_nat_enable in
> /etc/defaults/rc.conf. The knob seems to have first appeared in February
> in HEAD and I'm guessing it cues the system to use a new kernel-based nat
> rather than natd(8), but I've not read anything further about this, as my
> system isn't as up to date as the OP's. I don't know when this change was
> MFC'ed, but apparently fairly recently?
>
> I suppose we need someone a tad more in the know to straighten that out
> for us.

up to this moment, i do not know if natd and firewall_nat function the same
or differently. and is there a firewall_nat_flags thing too ?

thanks in advance for any help and hints.

regards,
psr
RE: nat and firewall
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of fire jotawski
Sent: Wednesday, September 24, 2008 12:13 PM
To: freebsd-questions@freebsd.org
Subject: nat and firewall

hi sirs,

i am confused now that what is the difference between nat and firewall_nat in
/etc/rc file

natd_enable=YES
firewall_nat_enable=YES

just one question per asking. there will be more questions about this, but
for this moment only this one first.

thanks in advance for any help and hints

regards,
psr


natd_enable=YES
This statement in rc.conf enables ipfw nated function.

firewall_nat_enable=YES
This is an invalid statement. No such thing as you have here.

FreeBSD has 3 different built-in firewalls for you to choose from: IPFW,
IPFilter, and PF. Review /etc/defaults/rc.conf for their statements. It would
do you good to read the firewall section of the FreeBSD Handbook for a
complete explanation of the 3 firewalls and the differences between them.

In my opinion the PF firewall has the easiest to use rule set and built-in
table functions for automated blacklisting of attacking IP addresses. Its
major weakness is it has a very poorly designed logging function that results
in very cumbersome usage.

IPFilter comes next. It has easy logging and rules usage. It lacks the auto
blacklisting table building of PF.

These two firewalls were ported to FreeBSD from other Unix flavored operating
systems. Both have teams supporting and maintaining them.

The final firewall is IPFW, which is the first firewall included in FreeBSD
many years ago and was developed by the FreeBSD team. IPFW also lacks the
auto blacklisting table building of PF, and its nated rules are much harder
to get working using all stateful rules.

IPFW had a major coding overhaul a few years back but the inherent design
flaw of how nated rules are handled was not touched. Grapevine says IPFW
nated code is a messed up can of worms and no one wants to touch it.

I have used all 3 firewalls at one time or another to learn about them. I
found IPFilter to be the easiest to use and get logging output in standard
format like all the other FreeBSD logs are. But you should read the handbook
and decide for yourself what best satisfies your firewall needs.
Re: nat and firewall
On Wed, Sep 24, 2008 at 2:52 PM, FBSD1 [EMAIL PROTECTED] wrote:
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of fire jotawski
> Sent: Wednesday, September 24, 2008 12:13 PM
> To: freebsd-questions@freebsd.org
> Subject: nat and firewall
>
> hi sirs,
>
> i am confused now that what is the difference between nat and firewall_nat
> in /etc/rc file
>
> natd_enable=YES
> firewall_nat_enable=YES
>
> just one question per asking. there will be more questions about this, but
> for this moment only this one first.
>
> thanks in advance for any help and hints
>
> regards,
> psr

sorry for top posting

first of all thanks indeed for your answers

> natd_enable=YES
> This statement in rc.conf enables ipfw nated function.
>
> firewall_nat_enable=YES
> This is an invalid statement. No such thing as you have here.

i found firewall_nat_enable in /etc/rc.firewall

my machine is

    %uname -a
    FreeBSD makham.serveblog.net 7.0-RELEASE FreeBSD 7.0-RELEASE #5: Thu Sep 4 09:48:32 ICT 2008 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/SITING i386
    %

> FreeBSD has 3 different built-in firewalls for you to choose from: IPFW,
> IPFilter, and PF. Review /etc/defaults/rc.conf for their statements. It
> would do you good to read the firewall section of the FreeBSD Handbook for
> a complete explanation of the 3 firewalls and the differences between them.
>
> In my opinion the PF firewall has the easiest to use rule set and built-in
> table functions for automated blacklisting of attacking IP addresses. Its
> major weakness is it has a very poorly designed logging function that
> results in very cumbersome usage.
>
> IPFilter comes next. It has easy logging and rules usage. It lacks the auto
> blacklisting table building of PF.
>
> These two firewalls were ported to FreeBSD from other Unix flavored
> operating systems. Both have teams supporting and maintaining them.
>
> The final firewall is IPFW, which is the first firewall included in FreeBSD
> many years ago and was developed by the FreeBSD team. IPFW also lacks the
> auto blacklisting table building of PF, and its nated rules are much harder
> to get working using all stateful rules.
>
> IPFW had a major coding overhaul a few years back but the inherent design
> flaw of how nated rules are handled was not touched. Grapevine says IPFW
> nated code is a messed up can of worms and no one wants to touch it.
>
> I have used all 3 firewalls at one time or another to learn about them. I
> found IPFilter to be the easiest to use and get logging output in standard
> format like all the other FreeBSD logs are. But you should read the
> handbook and decide for yourself what best satisfies your firewall needs.

thanks indeed for your answers. i will ask more questions regarding natd and
firewall again after reading the handbook.

regards,
psr
Re: nat and firewall
FBSD1 wrote:
> natd_enable=YES
> This statement in rc.conf enables ipfw nated function.
>
> firewall_nat_enable=YES
> This is an invalid statement. No such thing as you have here.

This is no longer true; he did indeed find firewall_nat_enable in
/etc/defaults/rc.conf. The knob seems to have first appeared in February in
HEAD and I'm guessing it cues the system to use a new kernel-based nat rather
than natd(8), but I've not read anything further about this, as my system
isn't as up to date as the OP's. I don't know when this change was MFC'ed,
but apparently fairly recently?

I suppose we need someone a tad more in the know to straighten that out for
us.

Kevin Kinsey

-- 
A wise man can see more from a mountain top than a fool can from the bottom of a well.
Re: NAT and Firewall Configuration ?
> I am in the process of configuring NAT and a firewall on FreeBSD 4.7
> Stable. I have configured the external interface with 2 class C addresses
> 192.x.x.1 and 192.x.x.2, and the internal interface with 192.168.x.1
> (gateway). I have also configured
>
>     natd_flags="-redirect_address 192.168.x.3 192.x.x.2"
>
> which, if I'm correct, will redirect all traffic destined for 192.x.x.2 to
> 192.168.x.3 ?

That's right in the idea. To be finicky, I'd say that natd doesn't
*redirect* traffic, it just *rewrites* packet headers, so they can be
redirected.

> My question is have I done everything correct so far and what rule would I
> use for my firewall so that natd will work the way I want it ?

You need to add the following rule as the first rule in your firewall (or
pretty much so):

    add 00100 divert natd ip from any to any via rl0

(considering rl0 is the interface connected to the exterior)

This passes all packets coming in or going out through rl0 to natd, who will
decide whether they need aliasing or not, and do so. It then passes them back
into the firewall list, at the following rule number. See man ipfw.

> [SNIP firewall rules]
>
> My rc.conf is as follows:
>
> [SNIP]
> ifconfig_rl0="inet 192.x.x.1 netmask 255.255.255.0"
> ifconfig_rl0_alias0="inet 192.x.x.2 netmask 255.255.255.255"
> ifconfig_rl1="inet 192.168.x.1 netmask 255.255.255.0"
> [SNIP]
> natd_enable="YES"
> natd_interface="rl0"
> natd_flags="-redirect_address 192.168.x.3 192.x.x.x2"
> [SNIP]

The line 'natd_interface=rl0' tells natd to do its aliasing to and from the
IP address used by rl0. This may or may not be what you want, since you have
two IPs on this interface. I expect that natd gets the primary IP for the
interface rather than the alias. In this case your setup would send all
traffic for 192.x.x.2 to 192.168.x.3 and share the connection to all other
hosts on the 192.168.x.x network via 192.x.x.1.

> ## Required for ipfw support
> firewall_enable="YES"
> #firewall_script="/etc/rc.firewall"
> #firewall_type="OPEN"
> firewall_type="/etc/ipfw.rules"
> firewall_quiet="YES"
> firewall_logging_enable="YES"

Er, I know this isn't your question, but shouldn't
'firewall_type=/etc/ipfw.rules' be 'firewall_script=/etc/ipfw.rules'?

> [SNIP kernel options]

Looks good to me.

Hope this helps,
Jonathan

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-questions" in the body of the message
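Two pieces of advice recur in this thread: Dominique Goncalves's point that natd_enable (userland natd(8)) and firewall_nat_enable (in-kernel ipfw NAT) are alternatives, so a host should set one and not both, and Jonathan's point that a natd setup needs its "divert natd" rule at the head of the ipfw rule list, because any earlier terminating rule lets packets through without being aliased. The POSIX sh audit below is an added example that is not from the thread, from natd(8) or from FreeBSD's rc scripts; it assumes rc.conf knobs sit at the start of a line as knob=value or knob="value", a rules file in the "add NNNNN action ..." format quoted above, and constructs its own sample files.

```shell
#!/bin/sh
# Added example; not code from the thread, from natd(8) or from FreeBSD's rc
# scripts. It audits two points made in the thread:
#   1. rc.conf should enable natd(8) OR in-kernel ipfw NAT, not both
#      (natd_enable vs firewall_nat_enable);
#   2. a natd setup should place its "divert natd" rule first in the ipfw
#      rule file, so no earlier terminating rule lets packets bypass NAT.
# Assumptions: knobs sit at the start of a line as knob=value or
# knob="value"; the rules file uses "add NNNNN action ..." lines like the
# quoted /etc/ipfw.rules. All sample files below are constructed.

# rc_value <file> <knob>: print the knob's value as sh would see it after
# sourcing the file (last assignment wins; quotes and comments stripped).
rc_value() {
    _val=""
    while IFS= read -r _line || [ -n "$_line" ]; do
        case "$_line" in
            "$2="*) _val=${_line#"$2="} ;;
        esac
    done < "$1"
    _val=${_val%%#*}                                       # drop trailing comment
    _val=$(printf '%s' "$_val" | sed 's/[[:space:]]*$//')  # trim trailing blanks
    _val=${_val#\"}; _val=${_val%\"}                       # strip quotes
    printf '%s\n' "$_val"
}

# is_yes <value>: rc.conf treats YES case-insensitively.
is_yes() {
    case "$1" in
        [Yy][Ee][Ss]) return 0 ;;
        *)            return 1 ;;
    esac
}

# nat_mode <rc.conf>: print natd, kernel, both or none. Exit status 1 on
# "both", the combination the thread says not to use.
nat_mode() {
    _natd=$(rc_value "$1" natd_enable)
    _knat=$(rc_value "$1" firewall_nat_enable)
    if is_yes "$_natd" && is_yes "$_knat"; then
        echo both; return 1
    elif is_yes "$_natd"; then echo natd
    elif is_yes "$_knat"; then echo kernel
    else echo none
    fi
}

# divert_rule_position <rules-file>: 1-based position of the first
# "divert natd" rule once rules are ordered by rule number; 0 if none.
divert_rule_position() {
    awk '$1 == "add" && $2 ~ /^[0-9]+$/ {
             printf "%d %s\n", $2, (($3 == "divert" && $4 == "natd") ? "natd" : "other")
         }' "$1" \
    | sort -n \
    | awk 'BEGIN { pos = 0 } { n++ } $2 == "natd" && pos == 0 { pos = n } END { print pos }'
}

# audit <rc.conf> <rules-file>: print findings; exit status 1 on any problem.
audit() {
    _rc=0
    _mode=$(nat_mode "$1") || true
    if [ "$_mode" = both ]; then
        echo "PROBLEM: natd_enable and firewall_nat_enable are both YES; use one"
        _rc=1
    else
        echo "NAT mode: $_mode"
    fi
    if [ "$_mode" = natd ]; then
        _pos=$(divert_rule_position "$2")
        case "$_pos" in
            0) echo "PROBLEM: natd enabled but no 'divert natd' rule in $2"; _rc=1 ;;
            1) echo "divert natd rule is first: ok" ;;
            *) echo "WARNING: divert natd is rule #$_pos; earlier terminating rules bypass NAT"; _rc=1 ;;
        esac
    fi
    return $_rc
}

# Stand-alone demo on constructed files (no real host configuration).
demo() {
    _tmp=$(mktemp -d)
    printf 'firewall_enable="YES"\nnatd_enable="YES"\nnatd_interface="rl0"\n' > "$_tmp/rc.conf"
    printf 'add 00100 divert natd ip from any to any via rl0\nadd 00200 allow ip from any to any\n' > "$_tmp/ipfw.rules"
    audit "$_tmp/rc.conf" "$_tmp/ipfw.rules" || echo "audit found problems"
    rm -rf "$_tmp"
}
demo
```

Run it as `audit /etc/rc.conf /etc/ipfw.rules` on a host that loads its rules from a file; the rule-order check is only meaningful for the natd path, since in-kernel NAT uses "nat" rules rather than a divert socket, which is why the script skips it when nat_mode reports kernel.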