ipfw3

bycn82 bycn82 at gmail.com
Mon Jun 22 08:27:08 PDT 2015


Yes,

if you are using the latest DragonFlyBSD source,
then you can print the NAT records like "ip show nat translation" on Cisco
routers.

On 22 June 2015 at 23:22, <nans_nans1 at yahoo.de> wrote:

> That is a good question. Is "tcpdump -nettti bnx1" the right command to
> verify this?
>
> --------------------------------------------
> bycn82 <bycn82 at gmail.com> wrote on Mon, 22.6.2015:
>
>  Subject: Re: ipfw3
>  To: nans_nans1 at yahoo.de
>  Date: Monday, 22 June 2015 17:11
>
>  But do you have any traffic go out via bnx1?
>  On 22 June 2015 at 23:08, <nans_nans1 at yahoo.de> wrote:
>  OK. I try it on another machine with 4.3 and without the options in the
>  kernel config. The result is the same.
>
>  Some data:
>
>  Internal NIC: bnx0, 192.168.100.188/24
>  External NIC: bnx1, 192.168.10.229/24
>
>  rc.conf:
>
>  gateway_enable="YES"
>  defaultrouter="192.168.10.200"
>
>  Then:
>
>  kldload ipfw3_nat
>  ipfw3 nat 1 config if bnx1
>  ipfw3 add nat 1 tcp via bnx1
>
>  The outputs:
>
>  kldstat:
>
>  kernel
>  acpi.ko
>  ehci.ko
>  xhci.ko
>  ipfw3_nat.ko
>  ipfw3_basic.ko
>  ipfw3.ko
>  libalias.ko
>
>  ipfw3 show:
>
>  00100   0   0   nat 1 tcp via bnx1
>  65535  699  51067  deny
>
>  ipfw3 nat show config:
>
>  ipfw nat 1 config if bnx1
>
>  Is something wrong?
>
>  --------------------------------------------
>  bycn82 <bycn82 at gmail.com> wrote on Mon, 22.6.2015:
>
>   Subject: Re: ipfw3
>   To: nans_nans1 at yahoo.de
>   CC: "users at dragonflybsd.org" <users at dragonflybsd.org>
>   Date: Monday, 22 June 2015 15:33
>
>   Your rules are correct, and you don't need to add the options in the
>   kernel config file; that belongs to IPFW.
>
>   Please provide the output of the below commands:
>   1. kldstat
>   2. ipfw3 show
>   3. ipfw3 nat show config
>
>   On 22 June 2015 at 21:08, <nans_nans1 at yahoo.de> wrote:
>   Sorry, but this doesn't work.
>
>   My external NIC is ue0 and my internal NIC is em0.
>
>   I run 4.3 and a kernel with the following options:
>
>   options IPFIREWALL
>   options IPDIVERT
>   options IPFIREWALL_DEFAULT_TO_ACCEPT
>   options IPFIREWALL_VERBOSE
>
>   What I do:
>
>   In /etc/rc.conf: gateway_enable="YES"
>
>   Then:
>
>   kldload ipfw3_nat
>   ipfw3 nat 1 config if ue0
>   ipfw3 add nat 1 tcp via ue0
>
>   The result is that NAT doesn't work.
>
>   What is wrong with my configuration? Have I forgotten something?
>
>   --------------------------------------------
>   bycn82 <bycn82 at gmail.com> wrote on Mon, 22.6.2015:
>
>    Subject: Re: ipfw3
>    To: nans_nans1 at yahoo.de
>    CC: "users at dragonflybsd.org" <users at dragonflybsd.org>
>    Date: Monday, 22 June 2015 01:47
>
>    Hi,
>
>    sorry for the lack of documentation.
>
>    Below are sample steps to use in-kernel NAT with ipfw3.
>
>    Step 1: make sure the ipfw3_nat module was loaded
>
>    dev03#kldstat | grep ipfw3_nat
>    5    1 0xffffffff83242000     3000     ipfw3_nat.ko
>
>    If the module was not loaded, then use the below command to load the
>    kernel module:
>
>    dev03#kldload ipfw3_nat
>
>    Step 2: prepare the NAT config
>
>    dev03#ipfw3 nat 1 config if em0
>    ipfw nat 1 config if em0
>
>    which means it will do MASQUERADE using interface em0.
>
>    Step 3: NAT the traffic. NAT is just IP translation, so both directions
>    should go through the same NAT config.
>
>    dev03#ipfw3 add nat 1 tcp via em0
>
>    This means both in and out traffic on interface em0 will be
>    filtered/translated by NAT config id 1.
>
>    Hope this helps, please try it and if you have any question, just let me
>    know, and if you can help to come up with a tutorial by rephrasing this
>    and appending your experience, that would be very helpful.
>
>    http://www.dragonflybsd.org/docs/ipfw2/ is a wiki, there is an "edit page"
>    link.
>
>    regards,
>    bycn82
>
>    On 22 June 2015 at 02:31, <nans_nans1 at yahoo.de> wrote:
>    Can someone give me detailed/complete instructions on how to realize a
>    simple working NAT with ipfw3 (including rc.conf and configuration files)?
>
>    The information on these sites turns out to be sadly sparse for me:
>
>    https://www.dragonflybsd.org/docs/ipfw2/
>    http://www.dragonflybsd.org/docs/ipfw2/modules/
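A small diagnostic for the "ipfw3 show" listing quoted in the thread (an added example, not code from the thread or from the DragonFly project): the nat rule reporting 0 packets while the default deny rule has counted 699 means no TCP packet has crossed bnx1 through the NAT rule, which is what the "any traffic out via bnx1?" question is probing. It assumes the column layout shown above (rule number, packets, bytes, action).

```shell
#!/bin/sh
# Constructed sample input: the "ipfw3 show" output quoted in the thread.
SAMPLE_SHOW='00100   0   0   nat 1 tcp via bnx1
65535  699  51067  deny'

# Print "<pkts> <bytes>" of the first rule whose action (4th column) is $2.
rule_counters() {
    printf '%s\n' "$1" | awk -v act="$2" '$4 == act { print $2, $3; exit }'
}

# Verdict on a ruleset listing:
#   no-traffic  - the nat rule never matched while the default deny did,
#                 so no TCP packets are traversing the NAT interface
#   nat-active  - the nat rule has matched packets
#   no-nat-rule - the listing contains no nat rule at all
nat_verdict() {
    nat=$(rule_counters "$1" nat)
    deny=$(rule_counters "$1" deny)
    [ -n "$nat" ] || { echo no-nat-rule; return; }
    nat_pkts=${nat%% *}
    deny_pkts=${deny%% *}
    if [ "$nat_pkts" -eq 0 ] && [ "${deny_pkts:-0}" -gt 0 ]; then
        echo no-traffic
    else
        echo nat-active
    fi
}

# On a live DragonFly box run: nat_verdict "$(ipfw3 show)"
nat_verdict "$SAMPLE_SHOW"
```

Because the rule is "nat 1 tcp via bnx1", only TCP is matched, so a ping test from the internal network will not move the nat rule's counters.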