ipfw3
bycn82
bycn82 at gmail.com
Tue Jun 23 09:53:05 PDT 2015
what is the result?
line 100 allow all
line 200 nat 1 tcp via xxx
sure it doesn't work
On 23 June 2015 at 21:36, <nans_nans1 at yahoo.de> wrote:
> now i write a small script:
>
> kldload ipfw3_nat
> ipfw3 add allow all
> ipfw3 nat 1 config if bnx1
> ipfw3 add nat 1 tcp via bnx1
>
> But nat/firewalling still don't work.
>
> Any more suggestions?
>
> --------------------------------------------
> bycn82 <bycn82 at gmail.com> wrote on Tue, 23.6.2015:
>
> Subject: Re: ipfw3
> To: nans_nans1 at yahoo.de
> CC: "users at dragonflybsd.org" <users at dragonflybsd.org>
> Date: Tuesday, 23 June 2015, 02:46
>
> you can write a script to load the modules and firewall rules first.
>
> On 22 June 2015 at 23:39, <nans_nans1 at yahoo.de> wrote:
> yes, you are right: There is no traffic out via bnx1.
>
> It's for a business company. So no teamviewer is possible.
>
> Is there anything else that could be wrong, maybe in rc.conf?
>
> What about natd_enable ?
>
> --------------------------------------------
> bycn82 <bycn82 at gmail.com> wrote on Mon, 22.6.2015:
>
> Subject: Re: ipfw3
> To: nans_nans1 at yahoo.de
> CC: "users at dragonflybsd.org" <users at dragonflybsd.org>
> Date: Monday, 22 June 2015, 17:27
>
> yes, if you are using the latest DragonflyBSD source, then you can print the NAT records like "ip show nat translation" on cisco routers.
>
> On 22 June 2015 at 23:22, <nans_nans1 at yahoo.de> wrote:
> That is a good question. Is "tcpdump -nettti bnx1" the right command to verify this?
>
> --------------------------------------------
> bycn82 <bycn82 at gmail.com> wrote on Mon, 22.6.2015:
>
> Subject: Re: ipfw3
> To: nans_nans1 at yahoo.de
> Date: Monday, 22 June 2015, 17:11
>
> but do you have any traffic go out via bnx1 ?
>
> On 22 June 2015 at 23:08, <nans_nans1 at yahoo.de> wrote:
> ok. i try it on another machine with 4.3 and without the options in kernel config. The result is the same.
>
> Some data:
>
> Internal NIC: bnx0, 192.168.100.188/24
> External NIC: bnx1, 192.168.10.229/24
>
> rc.conf:
> gateway_enable="YES"
> defaultrouter="192.168.10.200"
>
> Then:
> kldload ipfw3_nat
> ipfw3 nat 1 config if bnx1
> ipfw3 add nat 1 tcp via bnx1
>
> The outputs:
>
> kldstat:
> kernel
> acpi.ko
> ehci.ko
> xhci.ko
> ipfw3_nat.ko
> ipfw3_basic.ko
> ipfw3.ko
> libalias.ko
>
> ipfw3 show:
> 00100 0 0 nat 1 tcp via bnx1
> 65535 699 51067 deny
>
> ipfw3 nat show config:
> ipfw nat 1 config if bnx1
>
> Is something wrong?
>
> --------------------------------------------
> bycn82 <bycn82 at gmail.com> wrote on Mon, 22.6.2015:
>
> Subject: Re: ipfw3
> To: nans_nans1 at yahoo.de
> CC: "users at dragonflybsd.org" <users at dragonflybsd.org>
> Date: Monday, 22 June 2015, 15:33
>
> your rules are correct. and you don't need to add the options in kernel config file, that belongs to IPFW
>
> please provide output of below commands:
> 1. kldstat
> 2. ipfw3 show
> 3. ipfw3 nat show config
>
> On 22 June 2015 at 21:08, <nans_nans1 at yahoo.de> wrote:
> Sorry, but this doesn't work.
>
> My external nic is ue0 and my internal nic is em0.
>
> I run 4.3 and a kernel with the following options:
>
> options IPFIREWALL
> options IPDIVERT
> options IPFIREWALL_DEFAULT_TO_ACCEPT
> options IPFIREWALL_VERBOSE
>
> What i do:
>
> In /etc/rc.conf: gateway_enable="YES"
>
> Then:
> kldload ipfw3_nat
> ipfw3 nat 1 config if ue0
> ipfw3 add nat 1 tcp via ue0
>
> The result is that NAT doesn't work.
>
> What is wrong with my configuration? Have I forgotten something?
>
> --------------------------------------------
> bycn82 <bycn82 at gmail.com> wrote on Mon, 22.6.2015:
>
> Subject: Re: ipfw3
> To: nans_nans1 at yahoo.de
> CC: "users at dragonflybsd.org" <users at dragonflybsd.org>
> Date: Monday, 22 June 2015, 01:47
>
> hi,
>
> sorry for the lack of documentation. below are sample steps to use in-kernel NAT with ipfw3.
>
> Step1: make sure the ipfw3_nat module was loaded
> dev03#kldstat | grep ipfw3_nat
>  5    1 0xffffffff83242000     3000 ipfw3_nat.ko
>
> if the module was not loaded, then use the below command to load the kernel module
> dev03#kldload ipfw3_nat
>
> Step2: prepare NAT config
> dev03#ipfw3 nat 1 config if em0
> ipfw nat 1 config if em0
> which means it will do MASQUERADE using interface em0.
>
> Step3: NAT the traffic. NAT is just ip translate. so both directions should go through the same NAT config.
> dev03#ipfw3 add nat 1 tcp via em0
> this means both in and out traffic on interface em0 will be filtered/translated by NAT config id 1.
>
> hope this helps, please try it and if you have any question, just let me know, and if you can help to come up with a tutorial by rephrasing this and appending your experience, that would be very helpful.
> http://www.dragonflybsd.org/docs/ipfw2/ is a wiki, there is an "edit page" link.
>
> regards,
> bycn82
>
> On 22 June 2015 at 02:31, <nans_nans1 at yahoo.de> wrote:
> Can someone give me detailed/complete instructions how to realize simple working nat with ipfw3 (including rc.conf and configuration files).
>
> The information on these sites turns out to be sadly sparse for me:
>
> https://www.dragonflybsd.org/docs/ipfw2/
> http://www.dragonflybsd.org/docs/ipfw2/modules/
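A rule-order check for the failure bycn82 diagnoses in the reply above: an "allow all" rule that was added first gets the lower number and matches every packet before the nat rule is ever reached. This is an added example, not code from the thread or from the ipfw3 project; the ipfw3 commands are the ones quoted in the thread, reordered so the nat rule is installed first, the "ipfw3 show" layout is assumed to be the one quoted in the thread, and both rule listings are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or the ipfw3 project.
# Assumed "ipfw3 show" layout (as quoted in the thread):
#   <rule-number> <packets> <bytes> <action> <body...>

# Constructed listings. BAD is what the asker's script produces:
# "allow all" was added first, so it became rule 100 and is evaluated
# before the nat rule at 200; no packet ever reaches NAT.
BAD_LISTING='00100 0 0 allow all
00200 0 0 nat 1 tcp via bnx1
65535 699 51067 deny'

GOOD_LISTING='00100 12 960 nat 1 tcp via bnx1
00200 8 640 allow all
65535 699 51067 deny'

# check_rule_order LISTING: exit 0 when the first nat rule is evaluated
# before any catch-all allow ("allow all" or "allow ip from any to any"),
# exit 1 with a one-line reason otherwise. Rules are evaluated in
# ascending number order and the first matching terminal action wins
# (ipfw semantics, which is what bycn82's reply relies on).
check_rule_order() {
    printf '%s\n' "$1" | awk '
        $4 == "nat" && nat == "" { nat = $1 }
        $4 == "allow" && allow == "" &&
            ($5 == "all" || ($5 == "ip" && $7 == "any" && $9 == "any")) { allow = $1 }
        END {
            if (nat == "") { print "no nat rule in listing"; exit 1 }
            if (allow != "" && allow + 0 < nat + 0) {
                print "rule " allow " (allow) precedes nat rule " nat ": NAT is never reached"
                exit 1
            }
            print "ok: nat rule " nat " is evaluated before any catch-all allow"
        }'
}

# apply_nat_rules EXT_IF: the thread's commands, with the nat rule added
# before the catch-all so it receives the lower rule number. Meant to be
# run as root on a DragonFly BSD box; it is defined here but not called.
apply_nat_rules() {
    ext_if="$1"
    kldstat | grep -q ipfw3_nat || kldload ipfw3_nat
    ipfw3 nat 1 config if "$ext_if"
    ipfw3 add nat 1 tcp via "$ext_if"   # lower number: matched first
    ipfw3 add allow all                 # catch-all only after NAT has run
    check_rule_order "$(ipfw3 show)"    # verify the order actually installed
}
```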