Re: nat and firewall
On Fri, Oct 3, 2008 at 5:24 AM, fire jotawski <[EMAIL PROTECTED]> wrote:
>
> On Thu, Oct 2, 2008 at 7:39 PM, Dominique Goncalves
> <[EMAIL PROTECTED]> wrote:
>>
>> Hi,
>>
>> On Thu, Oct 2, 2008 at 6:09 AM, fire jotawski <[EMAIL PROTECTED]> wrote:
>> > On Thu, Sep 25, 2008 at 12:10 AM, Kevin Kinsey <[EMAIL PROTECTED]> wrote:
>> >
>> >> FBSD1 wrote:
>> >>
>> >>> natd_enable="YES" This statement in rc.conf enables ipfw nated function.
>> >>> firewall_nat_enable="YES" This is an invalid statement. No such thing as
>> >>> you have here.
>> >>
>> >> This is no longer true; he did indeed find "firewall_nat_enable"
>> >> in /etc/defaults/rc.conf. The knob seems to have first appeared
>> >> in February in HEAD and I'm guessing it cues the system to use a
>> >> new kernel-based nat rather than natd(8), but I've not read anything
>> >> further about this, as my system isn't as up to date as the OP's.
>> >> I don't know when this change was MFC'ed, but apparently fairly
>> >> recently?
>> >>
>> >> I suppose we need someone a tad more "in the know" to straighten
>> >> that out for us.
>> >
>> > up to this moment, i do not know if natd and firewall_nat function the
>> > same or differently.
>> > and is there a firewall_nat_flags thing too ?
>>
>> I'll try to explain,
>>
>> natd_* knobs are for natd(8), a daemon
>> firewall_nat_* knobs are for ipfw(8), NAT is processed by the kernel
>>
>> firewall_nat_* was added in the beginning of the year in RELENG_7
>>
>> http://www.freebsd.org/cgi/cvsweb.cgi/src/etc/rc.firewall?r1=1.52.2.2#rev1.52.2.2
>>
>> The NAT configuration is done by /etc/rc.firewall, you can read this
>> file to know how the configuration is done.
>>
>> This is two different ways to do NAT. I can't speak about performance,
>> kernel vs daemon.
>
> many thanks indeed for your clear explanations.
> so we simply use just one of them but not both, do we not?

Yes.

> once again, i appreciate all of your kind assistance in my case.
> with best regards,
> psr

Regards.
-- 
There's this old saying: "Give a man a fish, feed him for a day. Teach a man to fish, feed him for life."

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: nat and firewall
On Thu, Oct 2, 2008 at 7:39 PM, Dominique Goncalves <[EMAIL PROTECTED]> wrote:
> Hi,
>
> On Thu, Oct 2, 2008 at 6:09 AM, fire jotawski <[EMAIL PROTECTED]> wrote:
> > On Thu, Sep 25, 2008 at 12:10 AM, Kevin Kinsey <[EMAIL PROTECTED]> wrote:
> >
> >> FBSD1 wrote:
> >>
> >>> natd_enable="YES" This statement in rc.conf enables ipfw nated function.
> >>> firewall_nat_enable="YES" This is an invalid statement. No such thing as
> >>> you have here.
> >>
> >> This is no longer true; he did indeed find "firewall_nat_enable"
> >> in /etc/defaults/rc.conf. The knob seems to have first appeared
> >> in February in HEAD and I'm guessing it cues the system to use a
> >> new kernel-based nat rather than natd(8), but I've not read anything
> >> further about this, as my system isn't as up to date as the OP's.
> >> I don't know when this change was MFC'ed, but apparently fairly
> >> recently?
> >>
> >> I suppose we need someone a tad more "in the know" to straighten
> >> that out for us.
> >
> > up to this moment, i do not know if natd and firewall_nat function the
> > same or differently.
> > and is there a firewall_nat_flags thing too ?
>
> I'll try to explain,
>
> natd_* knobs are for natd(8), a daemon
> firewall_nat_* knobs are for ipfw(8), NAT is processed by the kernel
>
> firewall_nat_* was added in the beginning of the year in RELENG_7
>
> http://www.freebsd.org/cgi/cvsweb.cgi/src/etc/rc.firewall?r1=1.52.2.2#rev1.52.2.2
>
> The NAT configuration is done by /etc/rc.firewall, you can read this
> file to know how the configuration is done.
>
> This is two different ways to do NAT. I can't speak about performance,
> kernel vs daemon.

many thanks indeed for your clear explanations.
so we simply use just one of them but not both, do we not?
once again, i appreciate all of your kind assistance in my case.
with best regards,
psr
Re: nat and firewall
>> This is no longer true; he did indeed find "firewall_nat_enable"
>> in /etc/defaults/rc.conf. The knob seems to have first appeared
>> in February in HEAD and I'm guessing it cues the system to use a
>> new kernel-based nat rather than natd(8), but I've not read anything
>> further about this, as my system isn't as up to date as the OP's.
>> I don't know when this change was MFC'ed, but apparently fairly
>> recently?

> firewall_nat_* was added in the beginning of the year in RELENG_7
> http://www.freebsd.org/cgi/cvsweb.cgi/src/etc/rc.firewall?r1=1.52.2.2#rev1.52.2.2
>
> This is two different ways to do NAT. I can't speak about performance,
> kernel vs daemon.

Apologies for jumping in another thread commenting on my own question, but I
think the questions are very similar (see "Recompile kernel or module for
ipfw+nat?",
http://lists.freebsd.org/pipermail/freebsd-questions/2008-September/183418.html).

It would seem that doing NAT with ipfw (in-kernel as opposed to using
userland natd) is not possible in 7.0-RELEASE-p4 without recompiling the
kernel to include IPDIVERT even though IPDIVERT was converted to a loadable
module way back. And I have doubts that even recompiling the kernel would
help doing "ipfw add nat 123 all from any to any".

However, I found the reason for that might be the following CVS commit
message:

# $FreeBSD: src/sys/modules/ipfw_nat/Makefile,v 1.1 2008/02/29 22:27:18 piso Exp $
"Move ipfw's nat code into its own kld: ipfw_nat."

which got committed to RELENG_7 and HEAD only (explains why it doesn't work
on my 7.0-RELEASE-p4). My guess is that this functionality is already
available in 7.1-BETA since the code freeze began in September and ipfw nat
code got committed in February.

I can only guess if what I wrote above is correct, but I'll upgrade one
machine to 7.1-BETA as soon as I get some spare time.
Regards,
-- 
Nino
Re: nat and firewall
Hi,

On Thu, Oct 2, 2008 at 6:09 AM, fire jotawski <[EMAIL PROTECTED]> wrote:
> On Thu, Sep 25, 2008 at 12:10 AM, Kevin Kinsey <[EMAIL PROTECTED]> wrote:
>
>> FBSD1 wrote:
>>
>>> natd_enable="YES" This statement in rc.conf enables ipfw nated function.
>>> firewall_nat_enable="YES" This is an invalid statement. No such thing as
>>> you have here.
>>
>> This is no longer true; he did indeed find "firewall_nat_enable"
>> in /etc/defaults/rc.conf. The knob seems to have first appeared
>> in February in HEAD and I'm guessing it cues the system to use a
>> new kernel-based nat rather than natd(8), but I've not read anything
>> further about this, as my system isn't as up to date as the OP's.
>> I don't know when this change was MFC'ed, but apparently fairly
>> recently?
>>
>> I suppose we need someone a tad more "in the know" to straighten
>> that out for us.
>
> up to this moment, i do not know if natd and firewall_nat function the
> same or differently.
> and is there a firewall_nat_flags thing too ?

I'll try to explain,

natd_* knobs are for natd(8), a daemon
firewall_nat_* knobs are for ipfw(8), NAT is processed by the kernel

firewall_nat_* was added in the beginning of the year in RELENG_7

http://www.freebsd.org/cgi/cvsweb.cgi/src/etc/rc.firewall?r1=1.52.2.2#rev1.52.2.2

The NAT configuration is done by /etc/rc.firewall, you can read this
file to know how the configuration is done.

This is two different ways to do NAT. I can't speak about performance,
kernel vs daemon.

Hope this helps.

> thanks in advance for any helps and hints.
> regards,
> psr
>
>> Kevin Kinsey
>> --
>> A wise man can see more from a mountain top
>> than a fool can from the bottom of a well.

Regards.
-- 
There's this old saying: "Give a man a fish, feed him for a day. Teach a man to fish, feed him for life."
Re: nat and firewall
On Thu, Sep 25, 2008 at 12:10 AM, Kevin Kinsey <[EMAIL PROTECTED]> wrote:
> FBSD1 wrote:
>
>> natd_enable="YES" This statement in rc.conf enables ipfw nated function.
>> firewall_nat_enable="YES" This is an invalid statement. No such thing as
>> you have here.
>
> This is no longer true; he did indeed find "firewall_nat_enable"
> in /etc/defaults/rc.conf. The knob seems to have first appeared
> in February in HEAD and I'm guessing it cues the system to use a
> new kernel-based nat rather than natd(8), but I've not read anything
> further about this, as my system isn't as up to date as the OP's.
> I don't know when this change was MFC'ed, but apparently fairly
> recently?
>
> I suppose we need someone a tad more "in the know" to straighten
> that out for us.

up to this moment, i do not know if natd and firewall_nat function the same or differently.
and is there a firewall_nat_flags thing too ?

thanks in advance for any helps and hints.

regards,
psr

> Kevin Kinsey
> --
> A wise man can see more from a mountain top
> than a fool can from the bottom of a well.
Re: nat and firewall
FBSD1 wrote:

> natd_enable="YES" This statement in rc.conf enables ipfw nated function.
> firewall_nat_enable="YES" This is an invalid statement. No such thing as
> you have here.

This is no longer true; he did indeed find "firewall_nat_enable"
in /etc/defaults/rc.conf. The knob seems to have first appeared
in February in HEAD and I'm guessing it cues the system to use a
new kernel-based nat rather than natd(8), but I've not read anything
further about this, as my system isn't as up to date as the OP's.
I don't know when this change was MFC'ed, but apparently fairly
recently?

I suppose we need someone a tad more "in the know" to straighten
that out for us.

Kevin Kinsey
-- 
A wise man can see more from a mountain top
than a fool can from the bottom of a well.
Re: nat and firewall
On Wed, Sep 24, 2008 at 2:52 PM, FBSD1 <[EMAIL PROTECTED]> wrote:
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of fire jotawski
> Sent: Wednesday, September 24, 2008 12:13 PM
> To: freebsd-questions@freebsd.org
> Subject: nat and firewall
>
> hi sirs,
>
> i am confused now that what is the difference between nat and firewall_nat
> in /etc/rc file
>
> natd_enable="YES"
> firewall_nat_enable="YES"
>
> just one question per asking. there will be more questions about
> this but for this moment only this one first.
>
> thanks in advance for any helps and hints
>
> regards,
> psr

sorry for top posting. first of all thanks indeed for your answers

> natd_enable="YES" This statement in rc.conf enables ipfw nated function.
> firewall_nat_enable="YES" This is an invalid statement. No such thing as
> you have here.

i found firewall_nat_enable in /etc/rc.firewall

my machine is

%uname -a
FreeBSD makham.serveblog.net 7.0-RELEASE FreeBSD 7.0-RELEASE #5: Thu Sep 4 09:48:32 ICT 2008 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/SITING i386
%

> FreeBSD has 3 different built in firewalls for you to choose from: IPFW,
> IPFilter, and PF.
> Review /etc/defaults/rc.conf for their statements.
> It would do you good to read the firewall section of the FreeBSD Handbook
> for a complete explanation of the 3 firewalls and the differences between
> them.
> In my opinion the PF firewall has the easiest to use rule set and built in
> table functions for automated black listing of attacking IP addresses. Its
> major weakness is it has a very poorly designed logging function that
> results in very cumbersome usage.
> IPFilter comes next. It has easy logging and rules usage. It lacks the auto
> black listing table building of PF. These two firewalls were ported to
> FreeBSD from other Unix flavored operating systems. Both have teams
> supporting and maintaining them.
> The final firewall is IPFW, which was the first firewall included in FreeBSD
> many years ago and was developed by the FreeBSD team. IPFW also lacks the
> auto black listing table building of PF, and its nated rules are much harder
> to get working using all stateful rules. IPFW had a major coding overhaul a
> few years back but the inherent design flaw of how nated rules are handled
> was not touched. Grapevine says IPFW nated code is a messed up can of worms
> and no one wants to touch it.
> I have used all 3 firewalls at one time or another to learn about them. I
> found IPFilter to be the easiest to use and get logging output in standard
> format like all the other FreeBSD logs are. But you should read the
> handbook and decide for yourself what best satisfies your firewall needs.

thanks indeed for your answers.
i will ask more questions regarding natd and firewall again after reading the handbook.

regards,
psr
RE: nat and firewall
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of fire jotawski
Sent: Wednesday, September 24, 2008 12:13 PM
To: freebsd-questions@freebsd.org
Subject: nat and firewall

hi sirs,

i am confused now that what is the difference between nat and firewall_nat in /etc/rc file

natd_enable="YES"
firewall_nat_enable="YES"

just one question per asking. there will be more questions about this but for this moment only this one first.

thanks in advance for any helps and hints

regards,
psr


natd_enable="YES" This statement in rc.conf enables ipfw nated function.
firewall_nat_enable="YES" This is an invalid statement. No such thing as you have here.

FreeBSD has 3 different built in firewalls for you to choose from: IPFW, IPFilter, and PF.
Review /etc/defaults/rc.conf for their statements.
It would do you good to read the firewall section of the FreeBSD Handbook for a complete explanation of the 3 firewalls and the differences between them.

In my opinion the PF firewall has the easiest to use rule set and built in table functions for automated black listing of attacking IP addresses. Its major weakness is it has a very poorly designed logging function that results in very cumbersome usage.

IPFilter comes next. It has easy logging and rules usage. It lacks the auto black listing table building of PF. These two firewalls were ported to FreeBSD from other Unix flavored operating systems. Both have teams supporting and maintaining them.

The final firewall is IPFW, which was the first firewall included in FreeBSD many years ago and was developed by the FreeBSD team. IPFW also lacks the auto black listing table building of PF, and its nated rules are much harder to get working using all stateful rules. IPFW had a major coding overhaul a few years back but the inherent design flaw of how nated rules are handled was not touched. Grapevine says IPFW nated code is a messed up can of worms and no one wants to touch it.

I have used all 3 firewalls at one time or another to learn about them. I found IPFilter to be the easiest to use and get logging output in standard format like all the other FreeBSD logs are. But you should read the handbook and decide for yourself what best satisfies your firewall needs.
nat and firewall
hi sirs,

i am confused now that what is the difference between nat and firewall_nat in /etc/rc file

natd_enable="YES"
firewall_nat_enable="YES"

just one question per asking. there will be more questions about this but for this moment only this one first.

thanks in advance for any helps and hints

regards,
psr
Re: NAT and Firewall Configuration ?
> I am in the process of configuring NAT and a firewall on FreeBSD 4.7
> Stable. I have configured the external interface with 2 class C addresses
> 192.x.x.1 and 192.x.x.2. and the internal interface with 192.168.x.1 (
> gateway )
> I have also configured natd_flags="-redirect_address 192.168.x.3 192.x.x.2"
> which if I'm correct will redirect all traffic destined for 192.x.x.2 to
> 192.168.x.3 ?

That's right in the idea. To be finicky, I'd say that natd doesn't
*redirect* traffic, it just *rewrites* packet headers, so they can be
redirected.

> My question is have I done everything correct so far and what rule would I
> use for my firewall so that natd will work the way I want it ?

You need to add the following rule as the first rule in your firewall (or
pretty much so):

add 00100 divert natd ip from any to any via rl0

(considering rl0 is the interface connected to the exterior)

This passes all packets coming in or going out through rl0 to natd, who
will decide whether they need aliasing or not, and do so. It then passes
them back into the firewall list, and the following rule number. See man
ipfw.

> My rc.conf is as follows:
>
> ifconfig_rl0="inet 192.x.x.1 netmask 255.255.255.0"
> ifconfig_rl0_alias0="inet 192.x.x.2 netmask 255.255.255.255"
> ifconfig_rl1="inet 192.168.x.1 netmask 255.255.255.0"
>
> natd_enable="YES"
> natd_interface="rl0"
> natd_flags="-redirect_address 192.168.x.3 192.x.x.x2"

The line 'natd_interface="rl0"' tells natd to do its aliasing to and from
the IP address used by rl0. This may or may not be what you want, since you
have two IPs on this interface. I expect that natd gets the primary IP for
the interface rather than the alias. In this case your setup would send all
traffic for 192.x.x.2 to 192.168.x.3 and "share" the connection to all other
hosts on the 192.168.x.x network via 192.x.x.1.

> ## Required for ipfw support
> firewall_enable="YES"
> #firewall_script="/etc/rc.firewall"
> #firewall_type="OPEN"
> firewall_type="/etc/ipfw.rules"
> firewall_quiet="YES"
> firewall_logging_enable="YES"

Er, I know this isn't your question, but shouldn't
'firewall_type="/etc/ipfw.rules"' be 'firewall_script="/etc/ipfw.rules"'?

>

Looks good to me.

Hope this helps,
Jonathan

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-questions" in the body of the message
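Both threads on this page end up at the same few configuration mistakes: enabling natd(8) and the in-kernel ipfw nat at the same time (Dominique's "use one of them, not both"), enabling natd without naming an interface, and a hand-written ruleset like Nelis's that has no "divert natd" rule at all (Jonathan's answer), or one placed after rules that already pass traffic, so untranslated packets slip through before natd ever sees them. The script below is an added example and not code from this thread or from FreeBSD; it lints an rc.conf and an ipfw(8) command file for exactly those cases and runs on any system with a POSIX shell and awk. It assumes one knob="value" per rc.conf line and a rules file of "add NNN action ..." lines, which is the format rc.firewall hands straight to ipfw(8) when firewall_type is a path rather than one of the named rule sets (so firewall_type="/etc/ipfw.rules" is valid as posted, whereas firewall_script must point at a shell script). firewall_nat_interface and firewall_nat_flags exist alongside firewall_nat_enable in /etc/defaults/rc.conf; the wording of the findings and the choice to treat check-state, allow, pass and accept as "passing" rules are the script's own conventions.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeBSD): lint an rc.conf and
# the ipfw(8) command file it uses for the NAT mistakes discussed above.
# One finding per line on stdout; the return value is the number of findings.

# rc_get FILE VAR: value of the last uncommented VAR=... line in FILE with
# the surrounding quotes removed; prints nothing if VAR is not set.
rc_get() {
    grep "^[[:space:]]*$2=" "$1" 2>/dev/null | tail -n 1 |
        cut -d= -f2- | sed 's/[[:space:]]*#.*$//' | tr -d "\"'"
}

# rule_min FILE PATTERN: lowest rule number whose body (the text after
# "add NNN") matches the extended regex PATTERN; prints nothing on no match.
rule_min() {
    awk -v pat="$2" '
        $1 == "add" && $2 ~ /^[0-9]+$/ {
            body = $0
            sub(/^[ \t]*add[ \t]+[0-9]+[ \t]*/, "", body)
            if (body ~ pat && (min == "" || $2 + 0 < min)) min = $2 + 0
        }
        END { if (min != "") print min }' "$1"
}

# check_nat_config RCCONF [RULES]: RULES defaults to the firewall_type path.
check_nat_config() {
    rcconf=$1
    rules=${2:-$(rc_get "$rcconf" firewall_type)}
    count=0

    natd=$(rc_get "$rcconf" natd_enable)          # userland natd(8)
    knat=$(rc_get "$rcconf" firewall_nat_enable)  # in-kernel ipfw nat

    if [ "$natd" = YES ] && [ "$knat" = YES ]; then
        echo "natd_enable and firewall_nat_enable are both YES: use one NAT engine, not both"
        count=$((count + 1))
    fi
    if [ "$natd" = YES ] && [ -z "$(rc_get "$rcconf" natd_interface)" ]; then
        echo "natd_enable=YES but natd_interface is not set"
        count=$((count + 1))
    fi
    if [ "$knat" = YES ] && [ -z "$(rc_get "$rcconf" firewall_nat_interface)" ]; then
        echo "firewall_nat_enable=YES but firewall_nat_interface is not set"
        count=$((count + 1))
    fi

    # Ruleset checks only make sense when the command file is readable.
    if [ -n "$rules" ] && [ -r "$rules" ]; then
        divert=$(rule_min "$rules" '^divert[ \t]+natd([ \t]|$)')
        first_pass=$(rule_min "$rules" '^(check-state|allow|pass|accept)([ \t]|$)')
        if [ "$natd" = YES ] && [ -z "$divert" ]; then
            echo "natd_enable=YES but $rules has no 'divert natd' rule: nothing reaches natd"
            count=$((count + 1))
        elif [ "$natd" = YES ] && [ -n "$first_pass" ] && [ "$divert" -gt "$first_pass" ]; then
            echo "divert natd is rule $divert but rule $first_pass already passes traffic: untranslated packets escape"
            count=$((count + 1))
        fi
        if [ "$knat" = YES ] && [ -n "$divert" ]; then
            echo "firewall_nat_enable=YES (in-kernel NAT) but $rules still diverts to natd"
            count=$((count + 1))
        fi
    fi

    return "$count"
}

# Command-line use: natcheck.sh /etc/rc.conf [/etc/ipfw.rules]
if [ "$#" -ge 1 ]; then
    check_nat_config "$@"
fi
```

Run it as `sh natcheck.sh /etc/rc.conf /etc/ipfw.rules` before reloading the firewall; a non-zero exit status is the number of findings, which makes it easy to wire into a pre-deploy check. It only looks at the named files, so a divert rule that rc.firewall adds on its own for the built-in "open", "client" or "simple" types is outside its view.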
NAT and Firewall Configuration ?
Hi List

I am in the process of configuring NAT and a firewall on FreeBSD 4.7 Stable. I have configured the external interface with 2 class C addresses 192.x.x.1 and 192.x.x.2. and the internal interface with 192.168.x.1 ( gateway )

I have also configured natd_flags="-redirect_address 192.168.x.3 192.x.x.2" which if I'm correct will redirect all traffic destined for 192.x.x.2 to 192.168.x.3 ?

My question is have I done everything correct so far and what rule would I use for my firewall so that natd will work the way I want it ?

At the moment traffic is not being redirected to 192.168.x.3 and I can't connect to anything external via 192.168.x.3 and not expected to either till I get your help ( proxy excluded )

I hope this information is enough for you to help me. ( see below for configurations )

Your time, help and suggestions would be much appreciated. Real ip's have been omitted for obvious reasons.

Many thanks and regards,
Nelis

My firewall rules are as follows:

#ipfw ruleset
#allow all outbound and only inbound TCP connections I've created
add 00301 check-state
#add 00302 deny log tcp from any to any established
add 00302 allow tcp from any to any established
add 00303 allow tcp from any to any out setup keep-state
add 00304 allow tcp from any to 192.x.x.0/24 22,25,53,80,443 setup
add 00305 allow tcp from 192.x.x.125 to 192.x.x.0/24 161,162 setup
add 00306 allow tcp from any to 192.168.x.0/27 in recv rl1
#allow all outbound and only inbound UDP connections I've created
add 00400 allow udp from 192.x.x.0/24 to any 53,123 keep-state out via rl0
add 00401 allow udp from any to 192.x.x.0/24 53,123 keep-state in via rl0
add 00402 allow udp from 192.x.x.0/24 to 192.x.x.125 161,162 keep-state out via rl0
add 00403 allow udp from 192.x.x.125 to 192.x.x.0/24 161,162 keep-state in via rl0
add 00404 allow udp from any to 192.168.x.0/27 in recv rl1
add 00405 allow udp from any to any out
#allow some icmp types (codes not supported)
##allow path-mtu in both directions
add 00600 allow icmp from any to any icmptypes 3
##allow source quench in and out
add 00601 allow icmp from any to any icmptypes 4
##allow me to ping out and receive response back
add 00602 allow icmp from any to any icmptypes 8 out
add 00603 allow icmp from any to any icmptypes 0 in
##allow people to ping me
add 00604 allow icmp from any to any icmptypes 8 in
add 00605 allow icmp from any to any icmptypes 0 out
##allow me to run traceroute
add 00606 allow icmp from any to any icmptypes 11 in
#allow ident requests
add 00700 allow tcp from any to any 113 keep-state setup
#deny syn and fin bits used for OS finger printing using nmap
add 00701 deny log tcp from any to any in tcpflags syn,fin
#log anything that falls through
add 09000 deny log ip from any to any

My rc.conf is as follows:

defaultrouter="192.x.x.125"
hostname="x.x.x"
ifconfig_rl0="inet 192.x.x.1 netmask 255.255.255.0"
ifconfig_rl0_alias0="inet 192.x.x.2 netmask 255.255.255.255"
ifconfig_rl1="inet 192.168.x.1 netmask 255.255.255.0"
kern_securelevel_enable="NO"
gateway_enable="YES"
natd_enable="YES"
natd_interface="rl0"
natd_flags="-redirect_address 192.168.x.3 192.x.x.x2"
inetd_enable="NO"
linux_enable="YES"
moused_enable="NO"
moused_type="NO"
nfs_reserved_port_only="YES"
## Setup NFS
# portmap_enable="YES"
# nfs_server_enable="YES"
# mountd_flags="-r"
# ntpdate_enable="YES"
xntpd_enable="YES"
sshd_enable="YES"
sshd_program="/usr/local/sbin/sshd"
usbd_enable="NO"
sendmail_enable="NONE"
named_enable="YES"
named_program="/usr/local/sbin/named"
fsck_y_enable="YES"
# enable_quotas=``YES''
# check_quotas=``NO''
## Required for ipfw support
firewall_enable="YES"
#firewall_script="/etc/rc.firewall"
#firewall_type="OPEN"
firewall_type="/etc/ipfw.rules"
firewall_quiet="YES"
firewall_logging_enable="YES"

Kernel Options:

machine i386
cpu I586_CPU
ident
maxusers 20
options INET
options FFS
options SOFTUPDATES
options MFS
options MD_ROOT
options NFS
options NFS_ROOT
options MSDOSFS
options CD9660
options CD9660_ROOT
options PROCFS
options COMPAT_43
options UCONSOLE
options USERCONFIG
options VISUAL_USERCONFIG
options KTRACE
options SYSVSHM
options SYSVMSG
options SYSVSEM
options P1003_1B
options _KPOSIX_PRIORITY_SCHEDULING
options ICMP_BANDLIM
options KBD_INSTALL_CDEV
options USER_LDT
options SC_DISABLE_REBOOT
options QUOTA
options IPDIVERT
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_FORWARD
options IPFIREWALL_VERBOSE_LIMIT=10
options ACCEPT_FILTER_HTTP
options ACCEPT_FILTER_DATA
options IPSTEALTH

Other configurations shouldn't be needed?