ipfw3

nans_nans1 at yahoo.de nans_nans1 at yahoo.de
Tue Jun 23 06:36:19 PDT 2015


Now I have written a small script:

kldload ipfw3_nat
ipfw3 add allow all
ipfw3 nat 1 config if bnx1
ipfw3 add nat 1 tcp via bnx1


But NAT/firewalling still doesn't work.

Any more suggestions?


--------------------------------------------
bycn82 <bycn82 at gmail.com> wrote on Tue, 23.6.2015:

 Subject: Re: ipfw3
 To: nans_nans1 at yahoo.de
 CC: "users at dragonflybsd.org" <users at dragonflybsd.org>
 Date: Tuesday, 23 June 2015, 02:46

 You can write a script to load the modules and firewall rules first.

 On 22 June 2015 at 23:39, <nans_nans1 at yahoo.de> wrote:

 Yes, you are right: there is no traffic out via bnx1.

 It's for a business company, so no TeamViewer is possible.

 Is there anything else that could be wrong, maybe in rc.conf?

 What about natd_enable?

 --------------------------------------------
 bycn82 <bycn82 at gmail.com> wrote on Mon, 22.6.2015:

  Subject: Re: ipfw3
  To: nans_nans1 at yahoo.de
  CC: "users at dragonflybsd.org" <users at dragonflybsd.org>
  Date: Monday, 22 June 2015, 17:27

  Yes, if you are using the latest DragonFlyBSD source, then you can print the NAT records, like "ip show nat translation" on Cisco routers.

  On 22 June 2015 at 23:22, <nans_nans1 at yahoo.de> wrote:

  That is a good question. Is "tcpdump -nettti bnx1" the right command to verify this?

  --------------------------------------------
  bycn82 <bycn82 at gmail.com> wrote on Mon, 22.6.2015:

   Subject: Re: ipfw3
   To: nans_nans1 at yahoo.de
   Date: Monday, 22 June 2015, 17:11

   But do you have any traffic going out via bnx1?

   On 22 June 2015 at 23:08, <nans_nans1 at yahoo.de> wrote:

   OK. I tried it on another machine with 4.3 and without the options in the kernel config. The result is the same.

   Some data:

   Internal NIC: bnx0, 192.168.100.188/24
   External NIC: bnx1, 192.168.10.229/24

   rc.conf:

   gateway_enable="YES"
   defaultrouter="192.168.10.200"

   Then:

   kldload ipfw3_nat
   ipfw3 nat 1 config if bnx1
   ipfw3 add nat 1 tcp via bnx1

   The outputs:

   kldstat:

   kernel
   acpi.ko
   ehci.ko
   xhci.ko
   ipfw3_nat.ko
   ipfw3_basic.ko
   ipfw3.ko
   libalias.ko

   ipfw3 show:

   00100   0   0   nat 1 tcp via bnx1
   65535  699  51067  deny

   ipfw3 nat show config:

   ipfw nat 1 config if bnx1

   Is something wrong?

   --------------------------------------------
   bycn82 <bycn82 at gmail.com> wrote on Mon, 22.6.2015:

    Subject: Re: ipfw3
    To: nans_nans1 at yahoo.de
    CC: "users at dragonflybsd.org" <users at dragonflybsd.org>
    Date: Monday, 22 June 2015, 15:33

    Your rules are correct, and you don't need to add the options in the kernel config file; those belong to IPFW.

    Please provide the output of the commands below:
    1. kldstat
    2. ipfw3 show
    3. ipfw3 nat show config

    On 22 June 2015 at 21:08, <nans_nans1 at yahoo.de> wrote:

    Sorry, but this doesn't work.

    My external NIC is ue0 and my internal NIC is em0.

    I run 4.3 and a kernel with the following options:

    options IPFIREWALL
    options IPDIVERT
    options IPFIREWALL_DEFAULT_TO_ACCEPT
    options IPFIREWALL_VERBOSE

    What I do:

    In /etc/rc.conf: gateway_enable="YES"

    Then:

    kldload ipfw3_nat
    ipfw3 nat 1 config if ue0
    ipfw3 add nat 1 tcp via ue0

    The result is that NAT doesn't work.

    What is wrong with my configuration? Have I forgotten something?

    --------------------------------------------
    bycn82 <bycn82 at gmail.com> wrote on Mon, 22.6.2015:

     Subject: Re: ipfw3
     To: nans_nans1 at yahoo.de
     CC: "users at dragonflybsd.org" <users at dragonflybsd.org>
     Date: Monday, 22 June 2015, 01:47

     Hi,

     sorry for the lack of documentation.

     Below are sample steps to use in-kernel NAT with ipfw3.

     Step 1: make sure the ipfw3_nat module is loaded

     dev03# kldstat | grep ipfw3_nat
      5    1 0xffffffff83242000     3000     ipfw3_nat.ko

     If the module is not loaded, then use the command below to load the kernel module:

     dev03# kldload ipfw3_nat

     Step 2: prepare the NAT config

     dev03# ipfw3 nat 1 config if em0
     ipfw nat 1 config if em0

     which means it will do MASQUERADE using interface em0.

     Step 3: NAT the traffic. NAT is just IP translation, so both directions should go through the same NAT config.

     dev03# ipfw3 add nat 1 tcp via em0

     This means both in and out traffic on interface em0 will be filtered/translated by NAT config id 1.

     Hope this helps, please try it, and if you have any question, just let me know; and if you can help to come up with a tutorial by rephrasing this and appending your experience, that would be very helpful.

     http://www.dragonflybsd.org/docs/ipfw2/ is a wiki; there is an "edit page" link.

     regards,
     bycn82

     On 22 June 2015 at 02:31, <nans_nans1 at yahoo.de> wrote:

     Can someone give me detailed/complete instructions on how to realize a simple working NAT with ipfw3 (including rc.conf and configuration files)?

     The information on these sites turns out to be sadly sparse for me:

     https://www.dragonflybsd.org/docs/ipfw2/
     http://www.dragonflybsd.org/docs/ipfw2/modules/
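
Editor's added example; this is not code from the thread, from bycn82, or from the ipfw3 project. The `ipfw3 show` counters pasted in the thread (rule 00100 `nat` with 0 packets, rule 65535 `deny` with 699 packets) say that packets do reach the firewall but are dropped by the default deny before anything is translated: assuming ipfw3 evaluates rules top-down with first-match semantics like ipfw (an assumption, not stated in the thread), a packet from the LAN arriving on bnx0 matches nothing in `nat 1 tcp via bnx1` and falls through to 65535 deny, so nothing is ever forwarded out via bnx1. The later script, which adds `allow all` before the nat rule, has the opposite problem under the same assumption: the allow rule terminates evaluation and the nat rule is never reached. The POSIX sh below emits the thread's own commands in an order that avoids both problems (nat first, blanket allow last; the `allow all` form is the poster's) and includes a small parser for `ipfw3 show` listings that tells the situations apart. Of the three listings, only the first is quoted from the thread; the other two are constructed sample data. Note also that `nat 1 tcp` translates TCP only, so UDP (DNS) and ICMP from the LAN are not covered by it.

```shell
#!/bin/sh
# Editor's added example; not code from the thread or from the ipfw3 project.
# Assumptions not stated in the thread: ipfw3 evaluates rules top-down and the
# first matching terminal action (allow, deny, nat) ends evaluation, as in ipfw;
# rules added without a number get auto-numbered in steps of 100 (the thread's
# listing shows rule 00100 and the default rule 65535 deny).

# Emit the thread's own commands in an order that lets the nat rule see the
# packets: nat on the external interface first, the blanket allow last.  With
# "allow all" first, the allow would terminate evaluation before the nat rule.
# Note "nat 1 tcp" translates TCP only; UDP (DNS) and ICMP are not covered.
ipfw3_nat_ruleset() {
    ext="$1"
    printf '%s\n' \
        "kldload ipfw3_nat" \
        "ipfw3 nat 1 config if $ext" \
        "ipfw3 add nat 1 tcp via $ext" \
        "ipfw3 add allow all"
}

# Read an `ipfw3 show` listing (rule packets bytes action ...) on stdin and
# print one verdict:
#   nat-hit                 the nat rule has matched packets
#   allow-before-nat        an allow rule precedes the nat rule and shadows it
#   default-deny-absorbing  nat rule unmatched while 65535 deny counts packets
#   no-traffic              no rule has matched anything
ipfw3_diagnose() {
    nat_pkts=0
    deny_pkts=0
    nat_seen=0
    allow_before_nat=0
    while read -r num pkts _bytes action _rest; do
        [ -n "$num" ] || continue
        case "$action" in
            nat)
                nat_seen=1
                nat_pkts=$((nat_pkts + pkts))
                ;;
            allow)
                if [ "$nat_seen" -eq 0 ]; then
                    allow_before_nat=1
                fi
                ;;
            deny)
                if [ "$num" -eq 65535 ]; then
                    deny_pkts=$pkts
                fi
                ;;
        esac
    done
    if [ "$nat_pkts" -gt 0 ]; then
        echo nat-hit
    elif [ "$allow_before_nat" -eq 1 ] && [ "$nat_seen" -eq 1 ]; then
        echo allow-before-nat
    elif [ "$deny_pkts" -gt 0 ]; then
        echo default-deny-absorbing
    else
        echo no-traffic
    fi
}

# Sample 1: the listing pasted in the thread (nat rule unmatched, default deny
# counting packets): LAN packets arriving on bnx0 match nothing but 65535.
THREAD_LISTING='00100   0   0   nat 1 tcp via bnx1
65535  699  51067  deny'

# Sample 2 (constructed): the poster's later script, "allow all" added before
# the nat rule, so the allow terminates evaluation and nat never matches.
SHADOWED_LISTING='00100   57   4410   allow all
00200    0      0   nat 1 tcp via bnx1
65535    0      0   deny'

# Sample 3 (constructed): the order emitted by ipfw3_nat_ruleset, packets
# translated by the nat rule and then passed by the allow rule.
WORKING_LISTING='00100   57   4410   nat 1 tcp via bnx1
00200   57   4410   allow all
65535    0      0   deny'

# Run directly: print the ordered setup for the thread's external interface and
# the verdict for each sample.  On the gateway, also confirm forwarding with
# `sysctl net.inet.ip.forwarding` (gateway_enable="YES" should make it 1) and
# watch `tcpdump -ni bnx1` while a LAN client opens a TCP connection outward.
ipfw3_nat_ruleset bnx1
for listing in "$THREAD_LISTING" "$SHADOWED_LISTING" "$WORKING_LISTING"; do
    printf '%s\n' "$listing" | ipfw3_diagnose
done
```

To use it on the gateway, run `ipfw3_nat_ruleset bnx1 | sh` as root, then paste the live `ipfw3 show` output into `ipfw3_diagnose`; if the verdict is still `default-deny-absorbing` after the reorder, the packets being denied are not TCP via the nat rule's interface, and `tcpdump -ni bnx1` (the poster's `tcpdump -nettti bnx1` adds link-layer headers and relative timestamps to the same view) shows whether anything leaves the external interface at all.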
More information about the Users mailing list