Thread: confusion configuring NAT

confusion configuring NAT
2008-03-19 15:02:59
	I'm trying to get NAT going, and apparently failing to
understand large parts of the concept.
	1) Per the handbook I have added

options IPFIREWALL
options IPDIVERT

	to the kernel.
	2) The firewall is active, and configured so it works for the
machine itself.  (Settings appended.)
	3) I need to do translation for all machines on 10.0.0.0/8.
	4) Working from the ipfw man page:

ipfw add nat 10 all from any to any

	then

ipfw nat 10 config log ip 10.0.0.0/8

	Uh-oh:

ipfw: bad ip address ``10.0.0.0/8''

	OK, choose one machine.

ipfw nat 10 config log ip 10.0.0.3

	Accepted.
	5) Now, start natd. (natd.conf appended)

/sbin/natd -l -f /etc/natd.conf

	Nope:

natd: instance default: aliasing address not given


	Huh?  This has gotten a lot more complicated since the last
time.  :-P



					Robert Huff

#! /bin/sh 

IF=em0
OF=em1

ipfw add 100 pass all from any to any via lo0
ipfw add 200 deny all from any to 127.0.0.0/8
ipfw add 300 deny ip from 127.0.0.0/8 to any

/bin/sleep 3

#    for DHCP

ipfw add 350 allow udp from any 67-68 to any 67-68

#	close NetBios to outside contact

/etc/ipfw.netbios.set

#	close RPC to outside contact

/etc/ipfw.rpc.set

#    no outside SNMP

/etc/ipfw.snmp.set

#
#     no IRC
#

/etc/ipfw.irc.set

#	established connections are okay.

ipfw add 10000 allow tcp from any to any established

#   let all stuff out

ipfw add 10100 allow all from any to any out via $IF

#   internal connections are okay (assuming that 10.0.0.0/8 is your IP
#   ipfw address range internally)

ipfw add 10200 allow tcp from 10.0.0.0/8 to any 80

#    not starting natd here, in case it's already running

#     allow anything not previously forbidden

ipfw add 65000 allow ip from any to any

 ****************		natd.conf		****************
instance 10
interface		em0
same_ports	yes
log_ipfw_denied yes
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"

Re: confusion configuring NAT
2008-03-19 15:16:54
On Wednesday 19 March 2008 03:02:59 pm Robert Huff wrote:
> 	I'm trying to get NAT going, and apparently failing to
> understand large parts of the concept,
> 	1) Per the handbook I have added
>
> options IPFIREWALL
> options IPDIVERT
>
> 	to the kernel.
> 	2) The firewall is active, and configured so it works for the
> machine itself.  (Settings appended.)
> 	3) I need to do translation for all machines on 10.0.0.0/8.
> 	4) Working from the ipfw man page:
>
> ipfw add nat 10 all from any to any
>
> 	then
>
> ipfw nat 10 config log ip 10.0.0.0/8
>
> 	Uh-oh:
>
> ipfw: bad ip address ``10.0.0.0/8''
>
> 	OK, choose one machine.
>
> ipfw nat 10 config log ip 10.0.0.3
>
> 	Accepted.
> 	5) Now, start natd. (natd.conf appended)
>
> /sbin/natd -l -f /etc/natd.conf
>
> 	Nope:
>
> natd: instance default: aliasing address not given
>
>
> 	Huh?  This has gotten a lot more complicated since the last
> time.  :-P
>
>
>
> 					Robert Huff

I don't see much in the man page for ipfw concerning nat, certainly not the
rules you are specifying.   Try man natd

-- 
Thanks,

Josh Paetzel

PGP: 8A48 EF36 5E9F 4EDA 5A8C 11B4 26F9 01F1 27AF AECB
Re: confusion configuring NAT
2008-03-19 15:21:59
Josh Paetzel wrote:
> I don't see much in the man page for ipfw concerning nat, certainly not the
> rules you are specifying.   Try man natd

NAT support was added to ipfw with the 7.0 release. You don't need to
run natd if you're using ipfw nat.

Robert Huff wrote:
> ipfw nat 10 config log ip 10.0.0.0/8

You should disable natd. Try the following command to configure the nat
rule:

# ipfw nat 10 config if $OIF log reset

-- 
Chris Cowart
Network Technical Lead
Network & Infrastructure Services, RSSP-IT
UC Berkeley
confusion configuring NAT
2008-03-19 15:31:54
>  	I'm trying to get NAT going, and apparently failing to
>  understand large parts of the concept,

	If natd is no longer needed as of 7.*, then this page of the
Handbook

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-natd.html

	needs revision.


				Robert Huff

(more) confusion configuring NAT
2008-03-19 15:48:39
	1) when I add the nat instance, it assigns it rule # 65100.  Is
this a problem?  Is there a way to assign my own rule #?  (ipfw
seems not to like two "add"s in the same line.)

	2) NAT still doesn't work.  Still connected, but can't surf to
www.google.com using Firefox.


				Robert Huff

Re: confusion configuring NAT
2008-03-19 15:51:12
Being I am a newcomer to FreeBSD, on my first install Google turned up
a how-to for getting my box on the Internet as a firewall/DHCP/DNS
server. Since, I've been learning the packet filtering program (pf).
Every time I read a question on ipfw I quickly get confused.

What are the major advantages of one over the other? I hope not to sound
biased but pf seems more user friendly, easier to implement, and less
verbose?

David

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.


Re: (more) confusion configuring NAT
2008-03-19 15:56:00
Robert Huff wrote:
> 
> 	1) when I add the nat instance, it assigns it rule # 65100.  Is
> this a problem?  Is there a way to assign my own rule #?  (ipfw
> seems not to like two "add"s in the same line.)
> 
> 	2) NAT still doesn't work.  Still connected, but can't surf to
> www.google.com using Firefox.

My kernel conf:
| options IPFIREWALL
| options IPFIREWALL_VERBOSE
| options IPFIREWALL_VERBOSE_LIMIT=100
| options IPFIREWALL_FORWARD
| options IPFIREWALL_NAT
| options LIBALIAS

My (abbreviated) ipfw.rules script:
| /sbin/ipfw -q nat 1 config if vlan98 log reset unreg_only same_ports
| $CMD allow all from any to any via lo0
| $CMD nat 1 ip4 from any to any
| $CMD allow icmp from any to any
| $CMD deny log ip from any to me
| $CMD allow ip4 from any to any

-- 
Chris Cowart
Network Technical Lead
Network & Infrastructure Services, RSSP-IT
UC Berkeley
Re: (more) confusion configuring NAT
2008-03-19 16:22:29
Christopher Cowart writes:

>  > 	2) NAT still doesn't work.  Still connected, but can't surf to
>  > www.google.com using Firefox.
>  
>  My kernel conf:
>  | options IPFIREWALL
>  | options IPFIREWALL_VERBOSE
>  | options IPFIREWALL_VERBOSE_LIMIT=100
>  | options IPFIREWALL_FORWARD
>  | options IPFIREWALL_NAT
>  | options LIBALIAS

	I do not have "options IPFIREWALL_FORWARD" (it's commented out)
because the attached comment says:

	enable xparent proxy support

	Since that machine doesn't do proxy ... is this necessary?


>  My (abbreviated) ipfw.rules script:
>  | /sbin/ipfw -q nat 1 config if vlan98 log reset unreg_only same_ports
>  | $CMD allow all from any to any via lo0
>  | $CMD nat 1 ip4 from any to any
>  | $CMD allow icmp from any to any
>  | $CMD deny log ip from any to me
>  | $CMD allow ip4 from any to any

	Not an ipfw guru, but don't see anything that contradicts what
I have.


				Robert Huff

Re: (more) confusion configuring NAT
2008-03-19 18:18:59
Robert Huff wrote:
> Christopher Cowart writes:
> 
>>  > 	2) NAT still doesn't work.  Still connected, but can't surf to
>>  > www.google.com using Firefox.
>>  
>> My kernel conf:
>> | options IPFIREWALL
>> | options IPFIREWALL_VERBOSE
>> | options IPFIREWALL_VERBOSE_LIMIT=100
>> | options IPFIREWALL_FORWARD
>> | options IPFIREWALL_NAT
>> | options LIBALIAS
> 
> 	I do not have "options IPFIREWALL_FORWARD" (it's commented out)
> because the attached comment says:
> 
>	enable xparent proxy support
>
>	Since that machine doesn't do proxy ... is this necessary?

Should be fine.

>> My (abbreviated) ipfw.rules script:
>> | /sbin/ipfw -q nat 1 config if vlan98 log reset unreg_only same_ports
>> | $CMD allow all from any to any via lo0
>> | $CMD nat 1 ip4 from any to any
>> | $CMD allow icmp from any to any
>> | $CMD deny log ip from any to me
>> | $CMD allow ip4 from any to any
> 
> 	Not an ipfw guru, but don't see anything that contradicts what
> I have.

Do you have gateway_enable="YES" in your /etc/rc.conf?

$ sysctl -a net.inet.ip.forwarding 
net.inet.ip.forwarding: 1

Is the interface mentioned in the nat config the interface with the
public IP?

Try putting `$CMD count log ip from any to any' rules to see if traffic
is matching where you expect it to; I have found this incredibly useful
in the past, because interface and direction tags are not always
intuitive (especially once you get fwd rules, which luckily you don't
have).

-- 
Chris Cowart
Network Technical Lead
Network & Infrastructure Services, RSSP-IT
UC Berkeley
Re: (more) confusion configuring NAT
2008-03-19 18:37:25
Christopher Cowart writes:

>  Do you have gateway_enable="YES" in your /etc/rc.conf?

huff>> grep gate /etc/rc.conf
gateway_enable="YES"

>  $ sysctl -a net.inet.ip.forwarding 
>  net.inet.ip.forwarding: 1

huff>> sysctl -a net.inet.ip.forwarding
net.inet.ip.forwarding: 1


>  Is the interface mentioned in the nat config the interface with the
>  public IP?

	em0 connects to the cable modem.

>  Try putting `$CMD count log ip from any to any' rules to see if traffic
>  is matching where you expect it to;

	Where do I find the results of this?


				Robert Huff
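An added example, not code from the thread or its posters: the in-kernel ipfw NAT rule set the replies converge on, written with explicit rule numbers (so the nat rule does not land at 65100, which is where a bare `ipfw add nat ...` ends up) and with `count log` rules on the public interface, plus a helper that reads the per-rule packet and byte counters from `ipfw -a list` (same as `ipfw show`), which is where count results are visible; the logged packets themselves go through syslog's security facility, /var/log/security by default, once net.inet.ip.fw.verbose is set. It assumes FreeBSD 7.x with IPFIREWALL_NAT and LIBALIAS in the kernel, em0 as the public interface as in the thread, a constructed `ipfw -a list` sample rather than a real capture, and it only echoes the commands unless IPFW is set to /sbin/ipfw.

```shell
#!/bin/sh
# Added example, not the poster's script. Assumes FreeBSD 7.x with
# options IPFIREWALL, IPFIREWALL_NAT and LIBALIAS in the kernel and em0 as
# the public (cable modem) interface; natd is not started with kernel nat.
OIF=em0
NAT=10
# Dry run by default: commands are echoed. Set IPFW=/sbin/ipfw to apply.
IPFW=${IPFW:-"echo ipfw"}

nat_ruleset() {
    # Configure the instance once: 'if' binds it to the public interface,
    # 'reset' flushes the alias table when that interface's address changes.
    $IPFW nat $NAT config if $OIF log reset same_ports

    $IPFW add 100 allow ip from any to any via lo0
    $IPFW add 200 deny ip from any to 127.0.0.0/8
    $IPFW add 300 deny ip from 127.0.0.0/8 to any

    # count rules either side of the nat rule show whether packets reach it
    # and what they look like before and after translation.
    $IPFW add 500 count log ip from any to any in via $OIF
    # An explicit rule number puts the nat rule here instead of at the end
    # (65100), which is where a bare 'ipfw add nat ...' lands.
    $IPFW add 510 nat $NAT ip4 from any to any via $OIF
    $IPFW add 520 count log ip from any to any out via $OIF

    $IPFW add 65000 allow ip from any to any
}

# Reads 'ipfw -a list' output (rule, packets, bytes, rule text) on stdin
# and prints only the rules whose packet counter is non-zero.
busy_rules() {
    awk 'NF >= 4 && $2 + 0 > 0 {
        body = substr($0, index($0, $4))
        printf "%s %s pkts %s bytes  %s\n", $1, $2, $3, body
    }'
}

# Constructed sample of 'ipfw -a list' output, not a real capture.
SAMPLE_LIST='00100     42     4200 allow ip from any to any via lo0
00500      0        0 count log ip from any to any in via em0
00510     17     1700 nat 10 ip4 from any to any via em0
65000      0        0 allow ip from any to any'

nat_ruleset
printf '%s\n' "$SAMPLE_LIST" | busy_rules
```

On a live box, pipe `ipfw -a list` into `busy_rules` after generating some traffic from a 10.0.0.0/8 host; a zero counter on rule 510 means packets never reach the nat rule.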
