ipfw3

nans_nans1 at yahoo.de nans_nans1 at yahoo.de
Mon Jun 22 08:39:34 PDT 2015


yes, you are right: There is no traffic out via bnx1.
It's for a business company. So no teamviewer is possible.

Is there anything else that could be wrong, maybe in rc.conf?
What about natd_enable ?

--------------------------------------------
bycn82 <bycn82 at gmail.com> wrote on Mon, 22.6.2015:

 Subject: Re: ipfw3
 To: nans_nans1 at yahoo.de
 CC: "users at dragonflybsd.org" <users at dragonflybsd.org>
 Date: Monday, 22 June 2015 17:27

 yes,
 if you are using the latest DragonflyBSD source, then you can
 print the NAT records like "ip show nat translation" on cisco routers.

 On 22 June 2015 at 23:22, <nans_nans1 at yahoo.de> wrote:
 That is a good question. Is "tcpdump -nettti bnx1" the right
 command to verify this?

 --------------------------------------------
 bycn82 <bycn82 at gmail.com> wrote on Mon, 22.6.2015:

  Subject: Re: ipfw3
  To: nans_nans1 at yahoo.de
  Date: Monday, 22 June 2015 17:11

  but do you have any traffic go out via bnx1 ?

  On 22 June 2015 at 23:08, <nans_nans1 at yahoo.de> wrote:
  OK. I tried it on another machine with 4.3 and without the options in the
  kernel config. The result is the same.

  Some data:
  Internal NIC: bnx0, 192.168.100.188/24
  External NIC: bnx1, 192.168.10.229/24

  rc.conf:
  gateway_enable="YES"
  defaultrouter="192.168.10.200"

  Then:
  kldload ipfw3_nat
  ipfw3 nat 1 config if bnx1
  ipfw3 add nat 1 tcp via bnx1

  The outputs:

  kldstat:
  kernel
  acpi.ko
  ehci.ko
  xhci.ko
  ipfw3_nat.ko
  ipfw3_basic.ko
  ipfw3.ko
  libalias.ko

  ipfw3 show:
  00100   0   0   nat 1 tcp via bnx1
  65535  699  51067  deny

  ipfw3 nat show config:
  ipfw nat 1 config if bnx1

  Is something wrong?

  --------------------------------------------
  bycn82 <bycn82 at gmail.com> wrote on Mon, 22.6.2015:

   Subject: Re: ipfw3
   To: nans_nans1 at yahoo.de
   CC: "users at dragonflybsd.org" <users at dragonflybsd.org>
   Date: Monday, 22 June 2015 15:33

   your rules are correct, and you don't need to add the options in the
   kernel config file; those belong to IPFW.
   please provide the output of the commands below:
   1. kldstat
   2. ipfw3 show
   3. ipfw3 nat show config

   On 22 June 2015 at 21:08, <nans_nans1 at yahoo.de> wrote:
   Sorry, but this doesn't work.

   My external nic is ue0 and my internal nic is em0.

   I run 4.3 and a kernel with the following options:

   options IPFIREWALL
   options IPDIVERT
   options IPFIREWALL_DEFAULT_TO_ACCEPT
   options IPFIREWALL_VERBOSE

   What I do:

   In /etc/rc.conf: gateway_enable="YES"

   Then:
   kldload ipfw3_nat
   ipfw3 nat 1 config if ue0
   ipfw3 add nat 1 tcp via ue0

   The result is that NAT doesn't work.

   What is wrong with my configuration? Have I forgotten something?

   --------------------------------------------
   bycn82 <bycn82 at gmail.com> wrote on Mon, 22.6.2015:

    Subject: Re: ipfw3
    To: nans_nans1 at yahoo.de
    CC: "users at dragonflybsd.org" <users at dragonflybsd.org>
    Date: Monday, 22 June 2015 01:47

    hi,
    sorry for the lack of documentation.

    below are sample steps to use in-kernel NAT with ipfw3.

    Step1: make sure the ipfw3_nat module was loaded
    dev03#kldstat | grep ipfw3_nat
    5    1 0xffffffff83242000 3000     ipfw3_nat.ko
    if the module was not loaded, then use the command below to load the
    kernel module
    dev03#kldload ipfw3_nat

    Step2: prepare the NAT config
    dev03#ipfw3 nat 1 config if em0
    ipfw nat 1 config if em0
    which means it will do MASQUERADE using interface em0.

    Step3: NAT the traffic. NAT is just ip translation, so both directions
    should go through the same NAT config.
    dev03#ipfw3 add nat 1 tcp via em0

    this means both in and out traffic on interface em0 will be
    filtered/translated by NAT config id 1.

    hope this helps, please try it and if you have any question, just let
    me know, and if you can help to come up with a tutorial by rephrasing
    this and appending your experience, that would be very helpful.
    http://www.dragonflybsd.org/docs/ipfw2/ is a wiki, there is an
    "edit page" link.

    regards,
    bycn82

    On 22 June 2015 at 02:31, <nans_nans1 at yahoo.de> wrote:
     Can someone give me detailed/complete instructions on how to realize
     a simple working nat with ipfw3 (including rc.conf and configuration
     files).

     The information on these sites turns out to be sadly sparse for me:

     https://www.dragonflybsd.org/docs/ipfw2/
     http://www.dragonflybsd.org/docs/ipfw2/modules/
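The checks bycn82 walked the poster through (is ipfw3_nat.ko loaded, is forwarding on, does the nat rule exist and has it matched any traffic) can be scripted. The script below is an added example, not code from the thread or from the DragonFly project: it runs those checks as shell functions over command output, so it works both against live output on the gateway and against captured output pasted from a mail like this one. The function names are this example's own, the sample outputs are constructed to mirror the ones posted above, and it assumes the live `ipfw3 show` output keeps the posted column layout (rule number, packets, bytes, then the rule body).

```shell
#!/bin/sh
# Added example (not from the thread): ipfw3 NAT sanity checks over command
# output. Sample outputs below are constructed from what the poster sent.

# Constructed sample: the kldstat listing posted in the thread (names only).
SAMPLE_KLDSTAT='kernel
acpi.ko
ehci.ko
xhci.ko
ipfw3_nat.ko
ipfw3_basic.ko
ipfw3.ko
libalias.ko'

# Constructed sample: the `ipfw3 show` output posted in the thread.
SAMPLE_SHOW='00100   0   0   nat 1 tcp via bnx1
65535  699  51067  deny'

# Constructed sample: what `sysctl net.inet.ip.forwarding` prints once
# gateway_enable="YES" has taken effect.
SAMPLE_FWD='net.inet.ip.forwarding: 1'

# module_loaded LISTING NAME: true if NAME.ko is the last field of any
# kldstat line (a real kldstat prints Id Refs Address Size Name).
module_loaded() {
    printf '%s\n' "$1" | awk -v m="$2.ko" '$NF == m { f = 1 } END { exit f ? 0 : 1 }'
}

# forwarding_enabled SYSCTL_OUTPUT: true when the printed value is 1.
forwarding_enabled() {
    case "$1" in
        *forwarding:*1) return 0 ;;
        *) return 1 ;;
    esac
}

# nat_rule_packets SHOW: packets counted on all "nat" rules (0 if none).
nat_rule_packets() {
    printf '%s\n' "$1" | awk '$4 == "nat" { s += $2 } END { print s + 0 }'
}

# nat_rule_protocols SHOW: the protocol keyword after "nat <id>" per rule.
nat_rule_protocols() {
    printf '%s\n' "$1" | awk '$4 == "nat" { print $6 }'
}

# default_rule SHOW: "<action> <packets>" of rule 65535, the catch-all.
default_rule() {
    printf '%s\n' "$1" | awk '$1 == "65535" { print $4, $2 }'
}

# diagnose KLDSTAT SHOW SYSCTL: print findings; return 0 only when nothing
# in the three outputs explains a non-working NAT.
diagnose() {
    rc=0
    if module_loaded "$1" ipfw3_nat; then
        echo "ok:   ipfw3_nat.ko is loaded"
    else
        echo "FAIL: ipfw3_nat.ko not loaded (kldload ipfw3_nat)"; rc=1
    fi
    if forwarding_enabled "$3"; then
        echo "ok:   net.inet.ip.forwarding is 1"
    else
        echo "FAIL: forwarding is off (gateway_enable=\"YES\" not in effect)"; rc=1
    fi
    protos=$(nat_rule_protocols "$2")
    if [ -z "$protos" ]; then
        echo "FAIL: no nat rule in the ruleset"; rc=1
    else
        if [ "$(nat_rule_packets "$2")" -eq 0 ]; then
            echo "FAIL: nat rule matched 0 packets: nothing reaches the NAT interface (check the clients' gateway, then tcpdump on it)"; rc=1
        fi
        echo "note: nat rule(s) match only: $(echo $protos); other protocols are not translated and fall through to later rules"
    fi
    set -- $(default_rule "$2")
    if [ "${1:-}" = deny ]; then
        echo "note: catch-all rule 65535 is deny and has dropped ${2:-0} packets"
    fi
    return $rc
}

# "live" as first argument checks the gateway itself; otherwise the samples.
if [ "${1:-}" = live ]; then
    diagnose "$(kldstat)" "$(ipfw3 show)" "$(sysctl net.inet.ip.forwarding)" || true
else
    diagnose "$SAMPLE_KLDSTAT" "$SAMPLE_SHOW" "$SAMPLE_FWD" || true
fi
```

Run without arguments it reports on the posted outputs, where the nat rule's zero packet counter points to the same conclusion the thread reached: no traffic is leaving via bnx1, so the NAT configuration itself is not the thing to look at first. On the gateway, `sh ipfw3_nat_check.sh live` feeds it the real `kldstat`, `ipfw3 show` and `sysctl` output.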
More information about the Users mailing list