ipfw3
nans_nans1 at yahoo.de
Thu Jun 25 02:20:01 PDT 2015
Thank you very much.
I still need two things:
1. Open a specific port, for example (port 53 - DNS-Server):
add allow udp from 24.226.1.20 53 to any in recv bnx0
How can I realize this?
2. Allow all on lo0, for example:
add allow all from any to any via lo0
How can I realize this?
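To fold the two requested rules into the NAT/firewall script quoted further down, here is an added example (mine, not from the thread or from DragonFly's ipfw3): a small sh script that emits the ruleset in the order it has to be loaded and only touches the ipfw3 binary in one function. It assumes the thread's interface names and the DNS address from the example rule as defaults, uses only ipfw3 syntax that appears in the thread, and the function names (emit_ruleset, rule_index, apply_ruleset) are my own.

```shell
#!/bin/sh
# Added example, not from the thread: the quoted NAT/firewall script rebuilt
# as a ruleset generator, with the two requested rules (lo0, DNS port) folded in.
# Defaults are the thread's interfaces and DNS address; override via environment.
INT_NIC=${INT_NIC:-bnx0}
EXT_NIC=${EXT_NIC:-bnx1}
DNS_SRC=${DNS_SRC:-24.226.1.20}   # address taken from the thread's example rule

# Print the rules, one per line, in load order. ipfw3 stops at the first
# matching rule, so: lo0 first, then the specific DNS rule, and only then
# the interface-wide "allow all via $INT_NIC" (a rule placed after it for
# traffic received on $INT_NIC would never be reached).
emit_ruleset() {
    cat <<EOF
flush
add allow all from any to any via lo0
add allow udp from $DNS_SRC 53 to any in recv $INT_NIC
add allow all via $INT_NIC
nat 1 config if $EXT_NIC
add nat 1 all via $EXT_NIC
add check-state
add allow all established
add allow all out via $EXT_NIC keep-state
add deny all
EOF
}

# 1-based line number of the first rule matching a pattern (for order checks).
rule_index() {
    emit_ruleset | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

# Load the modules and feed every rule to ipfw3; this is the only place the
# firewall binary is touched, so the generator itself can be checked offline.
apply_ruleset() {
    kldload ipfw3_nat
    kldload ipfw3_layer4
    emit_ruleset | while IFS= read -r rule; do
        # word-splitting is intended: each line is one ipfw3 argument list
        ipfw3 $rule
    done
}

if [ "${1:-}" = "apply" ]; then apply_ruleset; else emit_ruleset; fi
```

Run it without arguments to review the generated rules; run it with `apply` on the gateway to load them.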
--------------------------------------------
bycn82 <bycn82 at gmail.com> wrote on Thu, 25.6.2015:
Subject: Re: ipfw3
To: "nans_nans1 at yahoo.de" <nans_nans1 at yahoo.de>
CC: "users at dragonflybsd.org" <users at dragonflybsd.org>
Date: Thursday, 25 June 2015, 04:17
hi nans,
it is a good example for nat in ipfw. and sure it is safe to use it.
thanks for sharing your experience.
regards, bycn82
On Wednesday, June 24, 2015, <nans_nans1 at yahoo.de> wrote:
Now it works! The mistake was a misconfigured DNS!
For a working NAT/Firewall I finally did the following steps (INT-NIC: bnx0, OUT-NIC: bnx1):
1. Configure a kernel with the "IPFIREWALL_DEFAULT_TO_ACCEPT" option.
2. Add gateway_enable="YES" to /etc/rc.conf.
3. Make a simple NAT/Firewall script:
___
#!/bin/sh
# load the ipfw3 NAT and layer-4 modules
kldload ipfw3_nat
kldload ipfw3_layer4
ipfw3 flush
# trust everything on the internal interface
ipfw3 add allow all via bnx0
# masquerade behind the external interface; both directions pass through NAT 1
ipfw3 nat 1 config if bnx1
ipfw3 add nat 1 all via bnx1
# let replies to tracked outbound connections back in
ipfw3 add check-state
ipfw3 add allow all established
ipfw3 add allow all out via bnx1 keep-state
# everything else (unsolicited inbound) is dropped
ipfw3 add deny all
___
Is this a good script for effective NAT (fast throughput) and a safe firewall (all out - nothing in) for home or small office? Any suggestions?
--------------------------------------------
bycn82 <bycn82 at gmail.com> wrote on Tue, 23.6.2015:
Subject: Re: ipfw3
To: nans_nans1 at yahoo.de
CC: "users at dragonflybsd.org" <users at dragonflybsd.org>
Date: Tuesday, 23 June 2015, 18:53
what is the result?
line 100 allow all
line 200 nat 1 tcp via xxx
sure it doesn't work
On 23 June 2015 at 21:36, <nans_nans1 at yahoo.de> wrote:
now I write a small script:
kldload ipfw3_nat
ipfw3 add allow all
ipfw3 nat 1 config if bnx1
ipfw3 add nat 1 tcp via bnx1
But nat/firewalling still doesn't work.
Any more suggestions?
--------------------------------------------
bycn82 <bycn82 at gmail.com> wrote on Tue, 23.6.2015:
Subject: Re: ipfw3
To: nans_nans1 at yahoo.de
CC: "users at dragonflybsd.org" <users at dragonflybsd.org>
Date: Tuesday, 23 June 2015, 02:46
you can write a script to load the modules and firewall rules first.
On 22 June 2015 at 23:39, <nans_nans1 at yahoo.de> wrote:
yes, you are right: there is no traffic out via bnx1.
It's for a business company, so no teamviewer is possible.
Is there anything else that could be wrong, maybe in rc.conf?
What about natd_enable?
--------------------------------------------
bycn82 <bycn82 at gmail.com> wrote on Mon, 22.6.2015:
Subject: Re: ipfw3
To: nans_nans1 at yahoo.de
CC: "users at dragonflybsd.org" <users at dragonflybsd.org>
Date: Monday, 22 June 2015, 17:27
yes, if you are using the latest DragonflyBSD source, then you can print the NAT records like "ip show nat translation" on cisco routers.
On 22 June 2015 at 23:22, <nans_nans1 at yahoo.de> wrote:
That is a good question. Is "tcpdump -nettti bnx1" the right command to verify this?
--------------------------------------------
bycn82 <bycn82 at gmail.com> wrote on Mon, 22.6.2015:
Subject: Re: ipfw3
To: nans_nans1 at yahoo.de
Date: Monday, 22 June 2015, 17:11
but do you have any traffic go out via bnx1?
On 22 June 2015 at 23:08, <nans_nans1 at yahoo.de> wrote:
ok. I tried it on another machine with 4.3 and without the options in kernel config. The result is the same.
Some data:
Internal NIC: bnx0, 192.168.100.188/24
External NIC: bnx1, 192.168.10.229/24
rc.conf:
gateway_enable="YES"
defaultrouter="192.168.10.200"
Then:
kldload ipfw3_nat
ipfw3 nat 1 config if bnx1
ipfw3 add nat 1 tcp via bnx1
The outputs:
kldstat:
kernel
acpi.ko
ehci.ko
xhci.ko
ipfw3_nat.ko
ipfw3_basic.ko
ipfw3.ko
libalias.ko
ipfw3 show:
00100 0 0 nat 1 tcp via bnx1
65535 699 51067 deny
ipfw3 nat show config:
ipfw nat 1 config if bnx1
Is something wrong?
--------------------------------------------
bycn82 <bycn82 at gmail.com> wrote on Mon, 22.6.2015:
Subject: Re: ipfw3
To: nans_nans1 at yahoo.de
CC: "users at dragonflybsd.org" <users at dragonflybsd.org>
Date: Monday, 22 June 2015, 15:33
your rules are correct. and you don't need to add the options in kernel config file, that belongs to IPFW.
please provide output of below commands:
1. kldstat
2. ipfw3 show
3. ipfw3 nat show config
On 22 June 2015 at 21:08, <nans_nans1 at yahoo.de> wrote:
Sorry, but this doesn't work.
My external nic is ue0 and my internal nic is em0.
I run 4.3 and a kernel with the following options:
options IPFIREWALL
options IPDIVERT
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFIREWALL_VERBOSE
What i do:
In /etc/rc.conf: gateway_enable="YES"
Then:
kldload ipfw3_nat
ipfw3 nat 1 config if ue0
ipfw3 add nat 1 tcp via ue0
The result is that NAT doesn't work.
What is wrong with my configuration? Have I forgotten something?
--------------------------------------------
bycn82 <bycn82 at gmail.com> wrote on Mon, 22.6.2015:
Subject: Re: ipfw3
To: nans_nans1 at yahoo.de
CC: "users at dragonflybsd.org" <users at dragonflybsd.org>
Date: Monday, 22 June 2015, 01:47
hi,
sorry for the lack of documentation.
below are sample steps to use in-kernel NAT with ipfw3.
Step1: make sure the ipfw3_nat module was loaded
dev03#kldstat | grep ipfw3_nat
 5 1 0xffffffff83242000 3000 ipfw3_nat.ko
if the module was not loaded, then use the below command to load the kernel module
dev03#kldload ipfw3_nat
Step2: prepare NAT config
dev03#ipfw3 nat 1 config if em0
ipfw nat 1 config if em0
which means it will do MASQUERADE using interface em0.
Step3: NAT the traffic. NAT is just ip translate, so both directions should go through the same NAT config.
dev03#ipfw3 add nat 1 tcp via em0
this means both in and out traffic on interface em0 will be filtered/translated by NAT config id 1.
hope this helps, please try it and if you have any question, just let me know, and if you can help to come up with a tutorial by rephrasing this and appending your experience, that would be very helpful.
http://www.dragonflybsd.org/docs/ipfw2/ is a wiki, there is an "edit page" link.
regards, bycn82
On 22 June 2015 at 02:31, <nans_nans1 at yahoo.de> wrote:
Can someone give me detailed/complete instructions how to realize simple working nat with ipfw3 (including rc.conf and configuration files).
The information on these sites turns out to be sadly sparse for me:
https://www.dragonflybsd.org/docs/ipfw2/
http://www.dragonflybsd.org/docs/ipfw2/modules/