Re: nat and ipfw, port forwarding
Hi Richard,

On Sun, Dec 28, 2008 at 2:30 AM, Richard Yang wrote:
> thank you, usleep (nice name) i somehow made it work by
> 1. add "redirect_port udp 10.0.0.200:5 5" in natd.conf
> 2. allow all traffic and diversion in ipfw.rules
>
> i tried to limit the traffic by modifying the rules in ipfw.rules,
> but unsuccessfully. so i just leave it be at this moment.
> i am very confused by the roles of natd and ipfw, and how they should work
> together.

As far as i understand it ( anyone please correct me if i am wrong ):

There are two types of NAT in FreeBSD to choose from:

1. Natd, which is a userspace daemon. You need to include a divert rule in
   your ipfw-config which looks like this:

   #ipfw add 100 divert natd all from any to any via $oif

   ( $oif stands for outside-interface )

   After your packet has been diverted to natd, the NATed packet is inserted
   once again into the firewall to be checked again. Port redirection etc is
   configured in natd.conf.

2. Kernel NAT, which is part of IPFW. This is what i was referring to in my
   last message. You set it up through rc.conf ( see man page ). There is no
   need for a divert-rule. Port redirection etc is configured with ipnat
   ( store your config in /etc/ipnat.conf ).

And please, do not top-post.

regards,
usleep

> rich
>
> On Sat, Dec 27, 2008 at 8:40 AM, wrote:
>> Hi Ricard,
>>
>> On Fri, Dec 26, 2008 at 9:27 PM, Richard Yang wrote:
>>> hi,
>>> i have a ssh machine behind a freebsd firewall with nat and ipfw.
>>> how do i make port forwarding so internet can access the ssh machine?
>>> thanx
>>
>> i think you need to configure /etc/ipnat.conf ( read 'man ipnat' ). this
>> is an example definition:
>> rdr em1 0.0.0.0/0 port 2223 -> 192.168.1.96 port 22
>>
>> ( this redirects incoming traffic on outside-interface em1 port 2223 to an
>> internal machine on port 22 )
>>
>> also, include "firewall_nat_enable" in your rc.conf ( read 'man rc.conf' )
>>
>> to configure the settings from ipnat.conf, run "ipnat -C -f
>> /etc/ipnat.conf"
>>
>> regards,
>>
>> usleep

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: nat and ipfw, port forwarding
thank you, usleep (nice name) i somehow made it work by

1. add "redirect_port udp 10.0.0.200:5 5" in natd.conf
2. allow all traffic and diversion in ipfw.rules

i tried to limit the traffic by modifying the rules in ipfw.rules, but
unsuccessfully. so i just leave it be at this moment.

i am very confused by the roles of natd and ipfw, and how they should work
together.

rich

On Sat, Dec 27, 2008 at 8:40 AM, wrote:
> Hi Ricard,
>
> On Fri, Dec 26, 2008 at 9:27 PM, Richard Yang wrote:
>> hi,
>> i have a ssh machine behind a freebsd firewall with nat and ipfw.
>> how do i make port forwarding so internet can access the ssh machine?
>> thanx
>
> i think you need to configure /etc/ipnat.conf ( read 'man ipnat' ). this is
> an example definition:
> rdr em1 0.0.0.0/0 port 2223 -> 192.168.1.96 port 22
>
> ( this redirects incoming traffic on outside-interface em1 port 2223 to an
> internal machine on port 22 )
>
> also, include "firewall_nat_enable" in your rc.conf ( read 'man rc.conf' )
>
> to configure the settings from ipnat.conf, run "ipnat -C -f
> /etc/ipnat.conf"
>
> regards,
>
> usleep
Re: nat and ipfw, port forwarding
Hi Ricard,

On Fri, Dec 26, 2008 at 9:27 PM, Richard Yang wrote:
> hi,
> i have a ssh machine behind a freebsd firewall with nat and ipfw.
> how do i make port forwarding so internet can access the ssh machine?
> thanx

i think you need to configure /etc/ipnat.conf ( read 'man ipnat' ). this is
an example definition:

rdr em1 0.0.0.0/0 port 2223 -> 192.168.1.96 port 22

( this redirects incoming traffic on outside-interface em1 port 2223 to an
internal machine on port 22 )

also, include "firewall_nat_enable" in your rc.conf ( read 'man rc.conf' )

to configure the settings from ipnat.conf, run "ipnat -C -f /etc/ipnat.conf"

regards,
usleep

> --
>
> Best Regards
>
> Richard Yang
> richardy...@richardyang.net
> kusanagiy...@gmail.com
Re: nat and ipfw, port forwarding
"Richard Yang" writes: > i have a ssh machine behind a freebsd firewall with nat and ipfw. > how do i make port forwarding so internet can access the ssh machine? Use 'redirect_port' with natd(8). This is extensively documented in the Handbook: http://www.freebsd.org/doc/en/books/handbook/network-natd.html -- Lowell Gilbert, embedded/networking software engineer, Boston area http://be-well.ilk.org/~lowell/ ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
nat and ipfw, port forwarding
hi,
i have a ssh machine behind a freebsd firewall with nat and ipfw.
how do i make port forwarding so internet can access the ssh machine?
thanx

--
Best Regards
Richard Yang
richardy...@richardyang.net
kusanagiy...@gmail.com
RE: NAT and IPFW rules
Hello Friend

First I agree with you the FBSD handbook documentation on firewall software
sucks big time. It leads the reader into believing that ipfw is the only
solution when it is not. FBSD is delivered with ipfw and IPFILTER which are
both firewall software applications.

The second thing that the sparse ipfw documentation fails to say, is a
firewall that does not use stateful rules is not very secure. The real show
stopper is ipfw with stateful rules using the 'keep state' option does not
work when used with the divert/natd legacy sub-routine. What this means is
ipfw with stateful rules can only be used if 'user ppp -nat' is how you
connect to the public internet.

IPFILTER's stateful rules work fine, and it has its own external ipnat
function. I strongly recommend you drop ipfw and instead use IPFILTER as it's
the superior firewall software solution from the ease of use of stateful
rules.

If you use 'user ppp' to connect to the public internet and want to continue
to use ipfw, I have an ipfw stateful rule set I can send you. If you want to
use IPFILTER, I can send you a rule set for it also along with links to doc
sites.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Eugene Panchenko
Sent: Sunday, February 01, 2004 11:15 AM
To: [EMAIL PROTECTED]
Subject: NAT and IPFW rules

Hallo!

Out from reading the manpage for natd, I have a question about how to
restrict IPFW access for NAT for the case when I have one computer connected
directly to another one (having two NICs installed into it)? That means that
I don't have to care about big private network, but rather want to narrow
down the access to single private IP address.

For NAT to work, two rules need to be added:

ipfw add divert natd all from any to any via xl0

Can this rule be restricted (is it possible to divert not every packet)?
Right now, every packet that enters/leaves the system is diverted, sometimes
natd process eats quite a lot of processor resources. Can this be avoided?
How?

ipfw add pass all from any to any

How can this be restricted? I basically need only outgoing stuff working,
that's all, and silently passing any packets from whatever location to any
destination is insecure to me.

Can someone post live examples of such setup?

Waiting to hear from some gurus ;)

--
Eugene
-
Mailbox size increased to 25 megabytes! NGS MAIL - http://ngs.ru/
NAT and IPFW rules
Hallo!

Out from reading the manpage for natd, I have a question about how to
restrict IPFW access for NAT for the case when I have one computer connected
directly to another one (having two NICs installed into it)? That means that
I don't have to care about big private network, but rather want to narrow
down the access to single private IP address.

For NAT to work, two rules need to be added:

ipfw add divert natd all from any to any via xl0

Can this rule be restricted (is it possible to divert not every packet)?
Right now, every packet that enters/leaves the system is diverted, sometimes
natd process eats quite a lot of processor resources. Can this be avoided?
How?

ipfw add pass all from any to any

How can this be restricted? I basically need only outgoing stuff working,
that's all, and silently passing any packets from whatever location to any
destination is insecure to me.

Can someone post live examples of such setup?

Waiting to hear from some gurus ;)

--
Eugene
Re: nat and ipfw
On Friday, October 24, 2003, at 02:35 AM, Alhagie Puye wrote:

> Do you have a natd.conf file? What does your rc.conf file look like? You
> have to turn on nat for the packets to be translated. Telling the firewall
> to send the packets to natd is one thing, what then happens to them after
> that is another. You ARE missing the setup for natd.
>
> Check this out: http://www.freebsddiary.org/ipfw.php
>
> Please read this link. I sent you something similar in my previous reply.
> And you are still asking the same question. It is very self-explanatory.

yes, I have read that link. i have followed the instructions very carefully.
i do have the setup for natd. i have checked and re-checked all my
configurations. i have been working with a security engineer who set up our
ipfw rules and he has also checked and rechecked the natd and ipfw
configuration and rules. i have included both my /etc/natd.conf and
/etc/rc.conf files below. i have also added option IPDIVERT to the kernel and
rebuilt the kernel.

i'm sorry if my last e-mail was not clear, but this is not the same question
because i am now asking why i am able to get out from a client on the subnet
with ip 192.168.53.200 when i open up the ipfw rules to allow everything, but
am not able to get out when i specify in the ip rules to allow all traffic in
and out only for ip 192.168.53.200. if natd was not working properly, how
could i get to the outside world from the client using 192.168.53.200 since
192 addresses are not routable outside of our network?

with the below rules i can get to websites, ssh, and telnet from a client on
the subnet to the outside world:

ipfw add 100 divert natd all from any to any via fxp0
ipfw add 200 allow from any to any

but when i flush the rules and add the following giving access specifically
to 192.168.53.200, i can no longer access websites, ssh, or telnet to the
outside world:

ipfw add 100 divert natd all from any to any via fxp0
ipfw add 200 allow all from 192.168.53.200 to any
ipfw add 300 allow all from any to 192.168.53.200

if the first set of ipfw rules is not a way to check that natd is working,
please let me know a better way. if there is any other information i need to
provide, please let me know.

here are the natd.conf and rc.conf files:

/etc/natd.conf:

interface fxp0
use_sockets yes
same_ports yes

/etc/rc.conf file:

defaultrouter="64.x.x.x"
hostname="domain.com"
ifconfig_fxp0="inet 64.x.x.x netmask 255.255.255.248"
ifconfig_xl0="inet 192.168.53.1 netmask 255.255.255.0"
inetd_enable="NO"
kern_securelevel_enable="NO"
linux_enable="YES"
moused_enable="YES"
nfs_client_enable="NO"
nfs_reserved_port_only="YES"
sendmail_enable="NO"
sshd_enable="YES"
sshd_program="/usr/local/sbin/sshd"
usbd_enable="YES"
start_vinum="YES"
portmap_enable="NO"
nfs_server_enable="NO"
nfs_client_enable="NO"
# syslog stuff
syslogd_enable="YES"
syslogd_flags="-ss"
# process accounting (lastcomm)
accounting_enable="YES"
# nuke /tmp/* on boot
clear_tmp_enable="YES"
# don't clobber /etc/motd with default message
update_motd="NO"
#NATD Stuff
natd_enable="YES"
natd_interface="fxp0"
natd_flags="-f /etc/natd.conf"
gateway_enable="YES"
# firewall stuff
firewall_enable="YES"
firewall_script="/etc/ipfw.conf"
firewall_logging="YES"
icmp_drop_redirect="YES"
#ntp stuff
xntpd_enable="YES"
xntpd_flags="-g -p /var/run/ntpd.pid"
#bind stuff
named_enable="YES"
named_flags="-u bind -g bind -t /etc/namedb/sandbox"
#DHCP stuff
ifconfig_xl0="DHCP"

> Cheers,
> Alhagie.
>
> --- Michelle <[EMAIL PROTECTED]> wrote:
>> i have a freebsd server running 4.6.2 with 2 nic cards installed one for
>> our lan (fxp0) that provides connection to the outside world via dsl and
>> the other for an internal subnet (xl0). i have both natd and ipfw
>> configured and running. when on the subnet, i can not connect to the
>> outside. i tried flushing the firewall rules and adding only:
>>
>> ipfw add 100 divert natd all from any to any via fxp0
>> ipfw add 200 allow all from any to any
>>
>> i am then able to connect from a client on the subnet to an outside ip
>> address.
>>
>> then i tried flushing the rules again and adding:
>>
>> ipfw add 100 divert natd all from any to any via fxp0
>> ipfw add 200 allow all from 192.168.53.200 to any
>> ipfw add 300 allow all from any to 192.168.53.200
>>
>> i don't understand why the above rules would stop the client on the
>> subnet from making a connection to the outside. is there another rule
>> i need to add?
>
> __
> Do you Yahoo!?
> The New Yahoo! Shopping - with improved product search
> http://shopping.yahoo.com
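The result Michelle reports (the three-rule set with "allow all from 192.168.53.200 to any" blocks the client, while "allow all from any to any" works) follows from the behaviour usleep describes in the later thread: a packet that matches the divert rule goes to natd, and the rewritten packet is checked again from the next rule on. Outbound packets leaving fxp0 therefore reach rule 200 carrying the public address, and rule 200 names the private one. The script below is an added example, not code from this thread or from FreeBSD: a small model of ipfw's first-match evaluation with a natd stand-in, run over the posted rule set and over a rule set that names the address the packet actually carries at each check, plus a redirect_port entry of the kind the SSH forwarding thread asks about. The interfaces fxp0 and xl0 and the host 192.168.53.200 come from the messages above; the public address 64.0.0.2, the remote addresses and the port numbers are constructed stand-ins.

```python
"""Added example (not the thread's code): ipfw first-match evaluation with a
natd stand-in, showing why rules naming the private address stop matching once
natd has rewritten the packet. fxp0, xl0 and 192.168.53.200 come from the
thread; 64.0.0.2 and the remote addresses are constructed stand-ins."""
from dataclasses import dataclass, replace
from typing import Optional

OUTSIDE_IF, INSIDE_IF = "fxp0", "xl0"
PUBLIC_IP = "64.0.0.2"      # constructed stand-in for the thread's 64.x.x.x
LAN_HOST = "192.168.53.200"

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str = "in"   # "in" or "out"
    iface: str = ""

@dataclass(frozen=True)
class Rule:
    number: int
    action: str                      # "allow", "deny" or "divert"
    src: str = "any"
    dst: str = "any"
    direction: Optional[str] = None  # None: both directions
    iface: Optional[str] = None      # ipfw "via <iface>"

    def matches(self, p: Packet) -> bool:
        return (self.src in ("any", p.src) and self.dst in ("any", p.dst)
                and self.direction in (None, p.direction) and self.iface in (None, p.iface))

class Natd:
    """Masquerade behind the public address, map replies back, honour redirect_port."""

    def __init__(self, public_ip, redirects=()):
        self.public_ip = public_ip
        self.redirects = dict(redirects)  # (proto, public_port) -> (host, port)
        self.sessions = {}                # (proto, remote, rport, pub_port) -> (host, port)

    def translate(self, p: Packet) -> Packet:
        if p.direction == "out":
            pub_port = p.sport
            for (proto, pub), target in self.redirects.items():
                if proto == p.proto and target == (p.src, p.sport):
                    pub_port = pub        # reply from a redirected service
            self.sessions[(p.proto, p.dst, p.dport, pub_port)] = (p.src, p.sport)
            return replace(p, src=self.public_ip, sport=pub_port)
        key = (p.proto, p.src, p.sport, p.dport)
        if key in self.sessions:
            host, port = self.sessions[key]
            return replace(p, dst=host, dport=port)
        if p.dst == self.public_ip and (p.proto, p.dport) in self.redirects:
            host, port = self.redirects[(p.proto, p.dport)]
            return replace(p, dst=host, dport=port)
        return p                          # no mapping: handed back unchanged

def evaluate(rules, natd, p, trace):
    """First match wins; a divert hands the packet to natd and continues at the next rule."""
    for r in rules:
        if not r.matches(p):
            continue
        trace.append(r.number)
        if r.action == "divert":
            p = natd.translate(p)
            continue
        return r.action, p
    trace.append(65535)                   # ipfw's built-in last rule, assumed to deny
    return "deny", p

def forward(rules, natd, pkt, in_if, out_if):
    """A routed packet is checked twice: arriving on in_if, then leaving on out_if."""
    trace = []
    verdict, p = evaluate(rules, natd, replace(pkt, direction="in", iface=in_if), trace)
    if verdict == "allow":
        verdict, p = evaluate(rules, natd, replace(p, direction="out", iface=out_if), trace)
    return verdict, p, trace

def thread_rules():
    """The three rules from the message above, as posted."""
    return [Rule(100, "divert", iface=OUTSIDE_IF),
            Rule(200, "allow", src=LAN_HOST),
            Rule(300, "allow", dst=LAN_HOST)]

def corrected_rules():
    """Same intent; each rule names the address the packet carries where it is checked."""
    return [Rule(100, "divert", iface=OUTSIDE_IF),
            # the host's own packets arrive on xl0 untranslated
            Rule(200, "allow", src=LAN_HOST, direction="in", iface=INSIDE_IF),
            # leaving fxp0 they already carry the public address
            Rule(210, "allow", src=PUBLIC_IP, direction="out", iface=OUTSIDE_IF),
            # only packets natd mapped back to the host get here; unsolicited ones
            # still carry PUBLIC_IP and fall through to the default deny
            Rule(300, "allow", dst=LAN_HOST, direction="in", iface=OUTSIDE_IF),
            Rule(310, "allow", dst=LAN_HOST, direction="out", iface=INSIDE_IF)]

WEB_REQUEST = Packet("tcp", LAN_HOST, 40000, "203.0.113.10", 80)   # constructed
```

Running forward(thread_rules(), Natd(PUBLIC_IP), WEB_REQUEST, INSIDE_IF, OUTSIDE_IF) consults rules 200, 100 and 65535: the packet is allowed in on xl0, diverted on the way out of fxp0 and, now carrying 64.0.0.2, matches nothing before the default deny. The corrected set matches the private address only on xl0 and the public address on fxp0, and an unsolicited packet to 64.0.0.2:22 is denied because natd hands it back untranslated. Two assumptions in the model: the default rule denies (a kernel built without IPFIREWALL_DEFAULT_TO_ACCEPT), and natd returns packets it has no mapping for unchanged, which is its default unless deny_incoming is set. Separately from the rules, the rc.conf pasted above assigns ifconfig_xl0 twice, and since rc.conf is sourced as a shell file the later "DHCP" line is the one that takes effect.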
Re: nat and ipfw
Do you have a natd.conf file? What does your rc.conf file look like? You have
to turn on nat for the packets to be translated. Telling the firewall to send
the packets to natd is one thing, what then happens to them after that is
another. You ARE missing the setup for natd.

Check this out: http://www.freebsddiary.org/ipfw.php

Please read this link. I sent you something similar in my previous reply. And
you are still asking the same question. It is very self-explanatory.

Cheers,
Alhagie.

--- Michelle <[EMAIL PROTECTED]> wrote:
> i have a freebsd server running 4.6.2 with 2 nic cards installed one for
> our lan (fxp0) that provides connection to the outside world via dsl and
> the other for an internal subnet (xl0). i have both natd and ipfw
> configured and running. when on the subnet, i can not connect to the
> outside. i tried flushing the firewall rules and adding only:
>
> ipfw add 100 divert natd all from any to any via fxp0
> ipfw add 200 allow all from any to any
>
> i am then able to connect from a client on the subnet to an outside ip
> address.
>
> then i tried flushing the rules again and adding:
>
> ipfw add 100 divert natd all from any to any via fxp0
> ipfw add 200 allow all from 192.168.53.200 to any
> ipfw add 300 allow all from any to 192.168.53.200
>
> i don't understand why the above rules would stop the client on the
> subnet from making a connection to the outside. is there another rule
> i need to add?
nat and ipfw
i have a freebsd server running 4.6.2 with 2 nic cards installed one for our
lan (fxp0) that provides connection to the outside world via dsl and the
other for an internal subnet (xl0). i have both natd and ipfw configured and
running. when on the subnet, i can not connect to the outside. i tried
flushing the firewall rules and adding only:

ipfw add 100 divert natd all from any to any via fxp0
ipfw add 200 allow all from any to any

i am then able to connect from a client on the subnet to an outside ip
address.

then i tried flushing the rules again and adding:

ipfw add 100 divert natd all from any to any via fxp0
ipfw add 200 allow all from 192.168.53.200 to any
ipfw add 300 allow all from any to 192.168.53.200

i don't understand why the above rules would stop the client on the subnet
from making a connection to the outside. is there another rule i need to add?