confusion configuring NAT

2008-03-19 Thread Robert Huff

I'm trying to get NAT going, and apparently failing to
understand large parts of the concept,
1) Per the handbook I have added

options IPFIREWALL
options IPDIVERT

to the kernel.
2) The firewall is active, and configured so it works for the
machine itself.  (Settings appended.)
3) I need to do translation for all machines on 10.0.0.0/8.
4) Working from the ipfw man page:

ipfw add nat 10 all from any to any

then

ipfw nat 10 config log ip 10.0.0.0/8

Uh-oh:

ipfw: bad ip address ``10.0.0.0/8''

OK, choose one machine.

ipfw nat 10 config log ip 10.0.0.3

Accepted.
5) Now, start natd. (natd.conf appended)

/sbin/natd -l -f /etc/natd.conf

Nope:

natd: instance default: aliasing address not given


Huh?  This has gotten a lot more complicated since the last
time.  :-P



Robert Huff

#! /bin/sh 

IF=em0
OF=em1

ipfw add 100 pass all from any to any via lo0
ipfw add 200 deny all from any to 127.0.0.0/8
ipfw add 300 deny ip from 127.0.0.0/8 to any

/bin/sleep 3

#for DHCP

ipfw add 350 allow udp from any 67-68 to any 67-68

#   close NetBios to outside contact

/etc/ipfw.netbios.set

#   close RPC to outside contact

/etc/ipfw.rpc.set

#no outside SNMP

/etc/ipfw.snmp.set

#
# no IRC
#

/etc/ipfw.irc.set

#   established connections are okay.

ipfw add 1 allow tcp from any to any established

#   let all stuff out

ipfw add 10100 allow all from any to any out via $IF

#   internal connections are okay (assuming that 10.0.0.0/8 is your IP
#   ipfw address range internally)

ipfw add 10200 allow tcp from 10.0.0.0/8 to any 80

#not starting natd here, in case it's already running

# allow anything not previously forbidden

ipfw add 65000 allow ip from any to any

natd.conf:
instance 10
interface   em0
same_ports  yes
log_ipfw_denied yes
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: confusion configuring NAT

2008-03-19 Thread Josh Paetzel
On Wednesday 19 March 2008 03:02:59 pm Robert Huff wrote:
   I'm trying to get NAT going, and apparently failing to
 understand large parts of the concept,
   1) Per the handbook I have added

 options IPFIREWALL
 options IPDIVERT

   to the kernel.
   2) The firewall is active, and configured so it works for the
 machine itself.  (Settings appended.)
   3) I need to do translation for all machines on 10.0.0.0/8.
   4) Working from the ipfw man page:

 ipfw add nat 10 all from any to any

   then

 ipfw nat 10 config log ip 10.0.0.0/8

   Uh-oh:

 ipfw: bad ip address ``10.0.0.0/8''

   OK, choose one machine.

 ipfw nat 10 config log ip 10.0.0.3

   Accepted.
   5) Now, start natd. (natd.conf appended)

 /sbin/natd -l -f /etc/natd.conf

   Nope:

 natd: instance default: aliasing address not given


   Huh?  This has gotten a lot more complicated since the last
 time.  :-P



   Robert Huff

I don't see much in the man page for ipfw concerning nat, certainly not the 
rules you are specifying.   Try man natd  

-- 
Thanks,

Josh Paetzel

PGP: 8A48 EF36 5E9F 4EDA 5A8C 11B4 26F9 01F1 27AF AECB




Re: confusion configuring NAT

2008-03-19 Thread Christopher Cowart
Josh Paetzel wrote:
 I don't see much in the man page for ipfw concerning nat, certainly not the 
 rules you are specifying.   Try man natd  

NAT support was added to ipfw with the 7.0 release. You don't need to
run natd if you're using ipfw nat.

Robert Huff wrote:
 ipfw nat 10 config log ip 10.0.0.0/8

You should disable natd. Try the following command to configure the nat
rule:

# ipfw nat 10 config if $OIF log reset

-- 
Chris Cowart
Network Technical Lead
Network  Infrastructure Services, RSSP-IT
UC Berkeley




confusion configuring NAT

2008-03-19 Thread Robert Huff

   I'm trying to get NAT going, and apparently failing to
  understand large parts of the concept,

If natd is no longer needed as of 7.*, then this page of the
Handbook

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-natd.html

needs revision.


Robert Huff


(more) confusion configuring NAT

2008-03-19 Thread Robert Huff

1) when I add the nat instance, it assigns it rule # 65100.  Is
this a problem?  Is there a way to assign my own rule #?  (ipfw
seems not to like two adds in the same line.)

2) NAT still doesn't work.  Still connected, but can't surf to
www.google.com using Firefox.


Robert Huff


Re: confusion configuring NAT

2008-03-19 Thread David Alanis
Being I am a newcomer to FreeBSD, on my first install Google turned up
a how-to for getting my box on the Internet as a firewall/DHCP/DNS
server. Since then, I've been learning the packet filtering program (pf).
Every time I read a question on ipfw I quickly get confused.


What are the major advantages one over the other? I hope not to sound  
biased but pf seems more user friendly, easier to implement, and less  
verbose?


David




Re: (more) confusion configuring NAT

2008-03-19 Thread Christopher Cowart
Robert Huff wrote:
 
   1) when I add the nat instance, it assigns it rule # 65100.  Is
 this a problem?  Is there a way to assign my own rule #?  (ipfw
 seems not to like two adds in the same line.)
 
   2) NAT still doesn't work.  Still connected, but can't surf to
 www.google.com using Firefox.

My kernel conf:
| options IPFIREWALL
| options IPFIREWALL_VERBOSE
| options IPFIREWALL_VERBOSE_LIMIT=100
| options IPFIREWALL_FORWARD
| options IPFIREWALL_NAT
| options LIBALIAS

My (abbreviated) ipfw.rules script:
| /sbin/ipfw -q nat 1 config if vlan98 log reset unreg_only same_ports
| $CMD allow all from any to any via lo0
| $CMD nat 1 ip4 from any to any
| $CMD allow icmp from any to any
| $CMD deny log ip from any to me
| $CMD allow ip4 from any to any

-- 
Chris Cowart
Network Technical Lead
Network  Infrastructure Services, RSSP-IT
UC Berkeley




Re: (more) confusion configuring NAT

2008-03-19 Thread Robert Huff

Christopher Cowart writes:

  2) NAT still doesn't work.  Still connected, but can't surf to
   www.google.com using Firefox.
  
  My kernel conf:
  | options IPFIREWALL
  | options IPFIREWALL_VERBOSE
  | options IPFIREWALL_VERBOSE_LIMIT=100
  | options IPFIREWALL_FORWARD
  | options IPFIREWALL_NAT
  | options LIBALIAS

I do not have options IPFIREWALL_FORWARD (it's commented out)
because the attached comment says:

enable xparent proxy support

Since that machine doesn't do proxy ... is this necessary?


  My (abbreviated) ipfw.rules script:
  | /sbin/ipfw -q nat 1 config if vlan98 log reset unreg_only same_ports
  | $CMD allow all from any to any via lo0
  | $CMD nat 1 ip4 from any to any
  | $CMD allow icmp from any to any
  | $CMD deny log ip from any to me
  | $CMD allow ip4 from any to any

Not an ipfw guru, but don't see anything that contradicts what
I have.


Robert Huff


Re: confusion configuring NAT

2008-03-19 Thread Rudy

Christopher Cowart wrote:

Josh Paetzel wrote:
  
I don't see much in the man page for ipfw concerning nat, certainly not the 
rules you are specifying.   Try man natd  



NAT support was added to ipfw with the 7.0 release. You don't need to
run natd if you're using ipfw nat.


I need to read the new 7.x man pages!  Ignore my previous email saying 
natd was userland  :p


Rudy


Re: confusion configuring NAT

2008-03-19 Thread Rudy

David Alanis wrote:
Being I am a newcomer to FreeBSD, on my first install Google turned up 
a how-to for getting my box on the Internet as a firewall/DHCP/DNS 
server. Since then, I've been learning the packet filtering program (pf). 
Every time I read a question on ipfw I quickly get confused.


What are the major advantages one over the other? I hope not to sound 
biased but pf seems more user friendly, easier to implement, and less 
verbose?
ipnat can handle 80+ Mbps on a 2 GHz single-core CPU.  ipfw w/ natd will 
crumple around 10 Mbps on the same box.  There is one difference.  :)


It has to do with the fact that ipnat is kernel based while DIVERT uses 
the userland natd program.


(I use ipnat as a synonym for pf)

More info:
http://lists.freebsd.org/pipermail/freebsd-ipfw/2004-December/001583.html

Rudy


Re: (more) confusion configuring NAT

2008-03-19 Thread Christopher Cowart
Robert Huff wrote:
 Christopher Cowart writes:
 
 2) NAT still doesn't work.  Still connected, but can't surf to
   www.google.com using Firefox.
  
 My kernel conf:
 | options IPFIREWALL
 | options IPFIREWALL_VERBOSE
 | options IPFIREWALL_VERBOSE_LIMIT=100
 | options IPFIREWALL_FORWARD
 | options IPFIREWALL_NAT
 | options LIBALIAS
 
   I do not have options IPFIREWALL_FORWARD (it's commented out)
 because the attached comment says:
 
   enable xparent proxy support

   Since that machine doesn't do proxy ... is this necessary?

Should be fine.

 My (abbreviated) ipfw.rules script:
 | /sbin/ipfw -q nat 1 config if vlan98 log reset unreg_only same_ports
 | $CMD allow all from any to any via lo0
 | $CMD nat 1 ip4 from any to any
 | $CMD allow icmp from any to any
 | $CMD deny log ip from any to me
 | $CMD allow ip4 from any to any
 
   Not an ipfw guru, but don't see anything that contradicts what
 I have.

Do you have gateway_enable=YES in your /etc/rc.conf?

$ sysctl -a net.inet.ip.forwarding 
net.inet.ip.forwarding: 1

Is the interface mentioned in the nat config the interface with the
public IP?

Try putting `$CMD count log ip from any to any' rules to see if traffic
is matching where you expect it to; I have found this incredibly useful
in the past, because interface and direction tags are not always
intuitive (especially once you get fwd rules, which luckily you don't
have).

-- 
Chris Cowart
Network Technical Lead
Network  Infrastructure Services, RSSP-IT
UC Berkeley




Re: (more) confusion configuring NAT

2008-03-19 Thread Robert Huff

Christopher Cowart writes:

  Do you have gateway_enable=YES in your /etc/rc.conf?

huff@ grep gate /etc/rc.conf
gateway_enable=YES

  $ sysctl -a net.inet.ip.forwarding 
  net.inet.ip.forwarding: 1

huff@ sysctl -a net.inet.ip.forwarding
net.inet.ip.forwarding: 1


  Is the interface mentioned in the nat config the interface with the
  public IP?

em0 connects to the cable modem.

  Try putting `$CMD count log ip from any to any' rules to see if traffic
  is matching where you expect it to;

Where do I find the results of this?


Robert Huff


Re: confusion configuring NAT

2008-03-19 Thread Erik Trulsson
On Wed, Mar 19, 2008 at 03:51:12PM -0500, David Alanis wrote:
 Being I am a newcomer to FreeBSD, on my first install Google turned up a 
 how-to for getting my box on the Internet as a firewall/DHCP/DNS server. 
 Since then, I've been learning the packet filtering program (pf). Every time I 
 read a question on ipfw I quickly get confused.
 
 What are the major advantages one over the other? I hope not to sound 
 biased but pf seems more user friendly, easier to implement, and less 
 verbose?

Ipfw is much older than pf, so for many years the big advantage of ipfw
was that it existed, while pf did not. :-)
Today many people already know how to use ipfw and for them the advantage
of ipfw over pf is that there is no need to learn a new system.


If you are new to both ipfw and pf, there is not much reason not to use pf.

-- 
Insert your favourite quote here.
Erik Trulsson
[EMAIL PROTECTED]


Re: (more) confusion configuring NAT

2008-03-19 Thread Christopher Cowart
Robert Huff wrote:
 Christopher Cowart writes:
  Do you have gateway_enable=YES in your /etc/rc.conf?
 
 huff@ grep gate /etc/rc.conf
 gateway_enable=YES
 
  $ sysctl -a net.inet.ip.forwarding 
  net.inet.ip.forwarding: 1
 
 huff@ sysctl -a net.inet.ip.forwarding
 net.inet.ip.forwarding: 1
 
 
  Is the interface mentioned in the nat config the interface with the
  public IP?
 
   em0 connects to the cable modem.
 
  Try putting `$CMD count log ip from any to any' rules to see if traffic
  is matching where you expect it to;
 
   Where do I find the results of this?

Typically /var/log/security. Assuming you have IPFIREWALL_VERBOSE in
your kernel config.

-- 
Chris Cowart
Network Technical Lead
Network  Infrastructure Services, RSSP-IT
UC Berkeley
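Two of the replies above suggest `count log ip from any to any` rules and point at /var/log/security (with IPFIREWALL_VERBOSE) for the results. The following is an added example, not code from the thread or from FreeBSD: a small Python reader for the kernel's ipfw log line format, run over constructed sample lines, that tallies hits per rule, direction and interface and flags packets that leave the public interface still carrying a 10/8 source, which is what a NAT rule that never matched looks like. It assumes the poster's layout (em0 toward the cable modem, em1 on the 10.0.0.0/8 LAN) and a count rule numbered 5.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample (not a real capture) of what "count log" and "deny log"
# rules write to /var/log/security. Assumed: em0 is public, em1 is the LAN.
SAMPLE_LOG = """\
Mar 19 16:02:11 gw kernel: ipfw: 5 Count TCP 10.0.0.3:49152 74.125.19.99:80 in via em1
Mar 19 16:02:11 gw kernel: ipfw: 5 Count TCP 10.0.0.3:49152 74.125.19.99:80 out via em0
Mar 19 16:02:12 gw kernel: ipfw: 5 Count TCP 74.125.19.99:80 203.0.113.7:49152 in via em0
Mar 19 16:02:13 gw kernel: ipfw: 5 Count ICMP:8.0 10.0.0.3 74.125.19.99 in via em1
Mar 19 16:02:14 gw kernel: ipfw: 300 Deny TCP 10.0.0.3:49153 74.125.19.99:80 out via em0
Mar 19 16:02:15 gw kernel: em0: link state changed to UP
"""

# Kernel format: "ipfw: <rule> <Action> <proto> <src> <dst> <in|out> via <ifname>".
# TCP/UDP endpoints carry ":port"; ICMP carries "ICMP:type.code" in the proto field.
LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\S+) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<dir>in|out) via (?P<iface>\S+)"
)

def parse_line(line):
    """Return a dict for an ipfw log line, or None for any other kernel line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    rec["src_ip"] = rec["src"].rsplit(":", 1)[0]   # drop ":port" when present
    rec["dst_ip"] = rec["dst"].rsplit(":", 1)[0]
    return rec

def summarize(text):
    """Hits per (rule, action, direction, interface): shows where traffic matches."""
    counts = Counter()
    for rec in filter(None, map(parse_line, text.splitlines())):
        counts[(rec["rule"], rec["action"], rec["dir"], rec["iface"])] += 1
    return counts

def untranslated_leaks(text, public_if, lan="10.0.0.0/8"):
    """Packets going out the public interface with a LAN source address: the nat
    rule did not rewrite them (wrong interface in the nat config, or the rule
    that passes them out sits before the nat rule)."""
    net = ipaddress.ip_network(lan)
    leaks = []
    for rec in filter(None, map(parse_line, text.splitlines())):
        if rec["dir"] == "out" and rec["iface"] == public_if \
                and ipaddress.ip_address(rec["src_ip"]) in net:
            leaks.append((rec["rule"], rec["action"], rec["src_ip"], rec["dst_ip"]))
    return leaks

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print(key, n)
    for leak in untranslated_leaks(SAMPLE_LOG, "em0"):
        print("left em0 untranslated:", leak)
```

On a real box, feed it `open("/var/log/security").read()` instead of the sample; an empty leak list with non-zero "out via em0" counts means translation is happening.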

