ipfw3

nans_nans1 at yahoo.de nans_nans1 at yahoo.de
Mon Jun 22 08:22:00 PDT 2015


That is a good question. Is "tcpdump -nettti bnx1" the right command to verify this?

--------------------------------------------
bycn82 <bycn82 at gmail.com> wrote on Mon, 22.6.2015:

 Subject: Re: ipfw3
 To: nans_nans1 at yahoo.de
 Date: Monday, 22 June 2015, 17:11
 
 But do you have any traffic going out via bnx1?

 On 22 June 2015 at 23:08, <nans_nans1 at yahoo.de> wrote:
 OK. I tried it on another machine with 4.3 and without the options in the kernel config. The result is the same.

 Some data:

 Internal NIC: bnx0, 192.168.100.188/24
 External NIC: bnx1, 192.168.10.229/24

 rc.conf:

 gateway_enable="YES"
 defaultrouter="192.168.10.200"

 Then:

 kldload ipfw3_nat
 ipfw3 nat 1 config if bnx1
 ipfw3 add nat 1 tcp via bnx1

 The outputs:

 kldstat:

 kernel
 acpi.ko
 ehci.ko
 xhci.ko
 ipfw3_nat.ko
 ipfw3_basic.ko
 ipfw3.ko
 libalias.ko

 ipfw3 show:

 00100   0   0   nat 1 tcp via bnx1
 65535  699  51067  deny

 ipfw3 nat show config:

 ipfw nat 1 config if bnx1

 Is something wrong?

 --------------------------------------------
 bycn82 <bycn82 at gmail.com> wrote on Mon, 22.6.2015:

  Subject: Re: ipfw3
  To: nans_nans1 at yahoo.de
  CC: "users at dragonflybsd.org" <users at dragonflybsd.org>
  Date: Monday, 22 June 2015, 15:33

  Your rules are correct, and you don't need to add the options in the kernel config file; those belong to IPFW.

  Please provide the output of the commands below:
  1. kldstat
  2. ipfw3 show
  3. ipfw3 nat show config

  On 22 June 2015 at 21:08, <nans_nans1 at yahoo.de> wrote:
 
  Sorry, but this doesn't work.

  My external NIC is ue0 and my internal NIC is em0.

  I run 4.3 and a kernel with the following options:

  options IPFIREWALL
  options IPDIVERT
  options IPFIREWALL_DEFAULT_TO_ACCEPT
  options IPFIREWALL_VERBOSE

  What I do:

  In /etc/rc.conf: gateway_enable="YES"

  Then:

  kldload ipfw3_nat
  ipfw3 nat 1 config if ue0
  ipfw3 add nat 1 tcp via ue0

  The result is that NAT doesn't work.

  What is wrong with my configuration? Have I forgotten something?

  --------------------------------------------
  bycn82 <bycn82 at gmail.com> wrote on Mon, 22.6.2015:

   Subject: Re: ipfw3
   To: nans_nans1 at yahoo.de
   CC: "users at dragonflybsd.org" <users at dragonflybsd.org>
   Date: Monday, 22 June 2015, 01:47

 
   Hi,

   sorry for the lack of documentation.

   Below are sample steps to use in-kernel NAT with ipfw3.

   Step 1: make sure the ipfw3_nat module was loaded

   dev03#kldstat | grep ipfw3_nat
   5    1 0xffffffff83242000    3000     ipfw3_nat.ko

   If the module was not loaded, then use the command below to load the kernel module:

   dev03#kldload ipfw3_nat

   Step 2: prepare the NAT config

   dev03#ipfw3 nat 1 config if em0
   ipfw nat 1 config if em0

   which means it will do MASQUERADE using interface em0.

   Step 3: NAT the traffic. NAT is just IP translation, so both directions should go through the same NAT config.

   dev03#ipfw3 add nat 1 tcp via em0

   This means both in and out traffic on interface em0 will be filtered/translated by NAT config id 1.

   Hope this helps, please try it and if you have any question, just let me know, and if you can help to come up with a tutorial by rephrasing this and appending your experience, that would be very helpful.

   http://www.dragonflybsd.org/docs/ipfw2/ is a wiki, there is an "edit page" link.

   regards,
   bycn82

   On 22 June 2015 at 02:31, <nans_nans1 at yahoo.de> wrote:

 
   Can someone give me detailed/complete instructions on how to realize a simple working NAT with ipfw3 (including rc.conf and configuration files).

   The information on these sites turns out to be sadly sparse for me:

   https://www.dragonflybsd.org/docs/ipfw2/
   http://www.dragonflybsd.org/docs/ipfw2/modules/


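The `ipfw3 show` listing quoted in the thread already answers bycn82's question about traffic on bnx1: the nat rule shows 0 packets while the last rule, 65535 deny, shows 699. The script below is an added example, not part of the thread or of ipfw3, that reads a listing in that format and prints that verdict; the sample listing is constructed from the one posted above.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): reads an `ipfw3 show` listing in the
# form quoted above (rule number, packets, bytes, rule body) and reports whether
# the NAT rule is matching packets or whether the last rule, 65535 deny, is
# absorbing them. The sample listing below is the one posted in the thread.

# Constructed sample: the listing nans_nans1 posted.
SAMPLE_SHOW='00100   0   0   nat 1 tcp via bnx1
65535  699  51067  deny'

# nat_rule_hits LISTING: print the packet counter of the first "nat" rule
# (empty output if the listing has no nat rule).
nat_rule_hits() {
    printf '%s\n' "$1" | awk '$4 == "nat" { print $2; exit }'
}

# default_deny_hits LISTING: print the packets that hit rule 65535 when it is
# a deny, or 0 when the default rule is not a deny.
default_deny_hits() {
    printf '%s\n' "$1" | awk '
        $1 == "65535" && $4 == "deny" { print $2; found = 1; exit }
        END { if (!found) print 0 }'
}

# diagnose LISTING: print a verdict; return 0 when the nat rule sees traffic,
# 1 when traffic is falling through to the default deny, 2 if no nat rule.
diagnose() {
    nat=$(nat_rule_hits "$1")
    deny=$(default_deny_hits "$1")
    if [ -z "$nat" ]; then
        echo "no nat rule in the listing: check 'ipfw3 add nat ...'"
        return 2
    fi
    if [ "$nat" -eq 0 ] && [ "$deny" -gt 0 ]; then
        echo "nat rule matched 0 packets while the default deny dropped $deny:"
        echo "traffic is not reaching the nat rule (wrong interface, or not tcp?)"
        return 1
    fi
    echo "nat rule matched $nat packets"
    return 0
}

diagnose "$SAMPLE_SHOW" || :
```

Run it against a live box with `diagnose "$(ipfw3 show)"`; a 0 on the nat rule with a growing counter on the deny rule means the packets never matched `tcp via <interface>`.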