Index: en_US.ISO8859-1/books/handbook/firewalls/chapter.xml =================================================================== --- en_US.ISO8859-1/books/handbook/firewalls/chapter.xml +++ en_US.ISO8859-1/books/handbook/firewalls/chapter.xml @@ -1698,7 +1698,7 @@ Only firewall rules with the option will be logged. The default rules do not include this option and it - must be manually added. Therefor it is advisable that the default + must be manually added. Therefore it is advisable that the default ruleset is edited for logging. In addition, log rotation may be desired if the logs are stored in a separate file. @@ -2121,9 +2121,9 @@ $cmd 00999 deny log all from any to any - + - Configuring <acronym>NAT</acronym> + In-kernel <acronym>NAT</acronym> @@ -2134,7 +2134,18 @@ Contributed by + + + + + Dries + Michiels + + Rewritten and updated by + + + NAT @@ -2141,12 +2152,16 @@ and IPFW - &os;'s built-in NAT daemon, - &man.natd.8;, works in conjunction with + &os;'s IPFW firewall has two + implementations of NAT: one being the + userland &man.natd.8; daemon, and the more recent + IPFW's built-in + NAT facility also known as in-kernel + NAT. Both work in conjunction with IPFW to provide network address translation. This can be used to provide an Internet Connection Sharing solution so that several internal computers - can connect to the Internet using a single + can connect to the Internet using a single public IP address. To do this, the &os; machine connected to the Internet @@ -2157,58 +2172,80 @@ LAN should be assigned an IP address in the private network space, as defined by RFC - 1918, and have the default gateway set to the - &man.natd.8; system's internal IP - address. + xlink:href="https://www.ietf.org/rfc/rfc1918.txt">RFC + 1918. - Some additional configuration is needed in order to - activate the NAT function of - IPFW. If the system has a custom - kernel, the kernel configuration file needs to include - option IPDIVERT along with the other - IPFIREWALL options described in . + Some additional configuration is needed in order to enable + the in-kernel NAT function of + IPFW. To enable in-kernel + NAT support at boot time, the following + must be set in /etc/rc.conf: - To enable NAT support at boot time, the - following must be in /etc/rc.conf: + gateway_enable="YES" +firewall_enable="YES" +firewall_nat_enable="YES" - gateway_enable="YES" # enables the gateway -natd_enable="YES" # enables NAT -natd_interface="rl0" # specify interface name of NIC attached to Internet -natd_flags="-dynamic -m" # -m = preserve port numbers; additional options are listed in &man.natd.8; - - It is also possible to specify a configuration file - which contains the options to pass to &man.natd.8;: + When firewall_enable is not set, + but firewall_nat_enable is, it will have + no effect and do nothing. This is by design with the + following reason: IPFW's + in-kernel NAT facility is specific to + IPFW. In order to use + IPFW's NAT, + IPFW should also be enabled and + loaded by setting + firewall_enable. - natd_flags="-f /etc/natd.conf" + When the ruleset contains stateful rules, the positioning + of the NAT rule is critical and the + skipto action is used. The + skipto action requires a rule number so + that it knows which rule to jump to. Furthermore, because of + the nature of a stateful NATing firewall, + it is necessary to allow translated packets to be reinjected + in the firewall for further processing. Because of the + architecture of &man.libalias.3;, a library implemented as a + kernel module used for the in-kernel NAT + facility of IPFW, it is necessary + to disable TCP segmentation offloading, or in short + TSO. TSO can be + disabled on a per network interface basis using + &man.ifconfig.8; or on a system wide basis using + &man.sysctl.8;. To allow packets to be reinjected and to + disable TSO system wide, the following must + be set in /etc/sysctl.conf: - The specified file must contain a list of configuration - options, one per line. For example: + net.inet.ip.fw.one_pass="0" +net.inet.tcp.tso="0" - redirect_port tcp 192.168.0.2:6667 6667 -redirect_port tcp 192.168.0.3:80 80 - - For more information about this configuration file, - consult &man.natd.8;. - - - Next, add the NAT rules to the firewall - ruleset. When the rulest contains stateful rules, the - positioning of the NAT rules is critical - and the skipto action is used. The - skipto action requires a rule number so - that it knows which rule to jump to. - The following example builds upon the firewall ruleset shown in the previous section. It adds some additional entries and modifies some existing rules in order to configure - the firewall for NAT. It starts by adding - some additional variables which represent the rule number to - skip to, the keep-state option, and a list - of TCP ports which will be used to reduce - the number of rules: + the firewall for in-kernel NAT. It starts + by adding some additional variables which represent the rule + number to skip to, the keep-state option, + and a list of TCP ports which will be used + to reduce the number of rules. A NAT + instance will also be configured. With in-kernel + NAT it is possible to have multiple + NAT instances each with their own + configuration. Although, for this example only one + NAT instance is needed; + NAT instance number 1. The configuration + takes a few arguments and flags such as: + which indicates the public interface, + which takes care that alliased + ports and local port numbers are mapped the same, + will result in only unregistered + (private) address spaces to be processed by the + NAT instance, and + which will help to keep a functioning NAT + instance even when the public IP address of + the IPFW machine changes. For all + possible options that can be passed to a single + NAT configuration consult + &man.ipfw.8;. #!/bin/sh ipfw -q -f flush @@ -2216,7 +2253,9 @@ skip="skipto 500" pif=dc0 ks="keep-state" -good_tcpo="22,25,37,53,80,443,110" +good_tcpo="22,25,37,53,80,443,110" +# Configure the in-kernel NAT instance +ipfw -q nat 1 config if $pif same_ports unreg_only reset The inbound NAT rule is inserted after the two rules which allow all @@ -2230,7 +2269,7 @@ $cmd 005 allow all from any to any via xl0 # exclude LAN traffic $cmd 010 allow all from any to any via lo0 # exclude loopback traffic -$cmd 100 divert natd ip from any to any in via $pif # NAT any inbound packets +$cmd 100 nat 1 ip from any to any in via $pif # NAT any inbound packets # Allow the packet through if it has an existing entry in the dynamic rules table $cmd 101 check-state @@ -2263,7 +2302,7 @@ to pass. $cmd 499 deny log all from any to any -$cmd 500 divert natd ip from any to any out via $pif # skipto location for outbound stateful rules +$cmd 500 nat 1 ip from any to any out via $pif # skipto location for outbound stateful rules $cmd 510 allow ip from any to any In this example, rules 100, @@ -2312,15 +2351,15 @@ Port Redirection - The drawback with &man.natd.8; is that the - LAN clients are not accessible from the - Internet. Clients on the LAN can make - outgoing connections to the world but cannot receive - incoming ones. This presents a problem if trying to run - Internet services on one of the LAN + The drawback with NAT in general is + that the LAN clients are not accessible + from the Internet. Clients on the LAN + can make outgoing connections to the world but cannot + receive incoming ones. This presents a problem if trying to + run Internet services on one of the LAN client machines. A simple way around this is to redirect - selected Internet ports on the &man.natd.8; machine to a - LAN client. + selected Internet ports on the NAT + providing machine to a LAN client. For example, an IRC server runs on client A and a web server runs on @@ -2329,49 +2368,50 @@ (IRC) and 80 (HTTP) must be redirected to the respective machines. - The syntax for is as - follows: + With in-kernel NAT all configuration + is done in the NAT instance configuration. + For a full list of options that an in-kernel + NAT instance can use, consult &man.ipfw.8;. + The IPFW syntax follows the syntax + of natd. The syntax for + is as follows: - -redirect_port proto targetIP:targetPORT[-targetPORT] - [aliasIP:]aliasPORT[-aliasPORT] - [remoteIP[:remotePORT[-remotePORT]]] + redirect_port proto targetIP:targetPORT[-targetPORT] + [aliasIP:]aliasPORT[-aliasPORT] + [remoteIP[:remotePORT[-remotePORT]]] - In the above example, the argument should be: + To configure the above example setup, the arguments + should be: - -redirect_port tcp 192.168.0.2:6667 6667 - -redirect_port tcp 192.168.0.3:80 80 + redirect_port tcp 192.168.0.2:6667 6667 +redirect_port tcp 192.168.0.3:80 80 - This redirects the proper TCP ports - to the LAN client machines. + After adding these arguments to configuration of + NAT instance 1 in the above ruleset, the + TCP ports will be port forwarded to the + LAN client machines running the + IRC and HTTP + services. + ipfw -q nat 1 config if $pif same_ports unreg_only reset \ + redirect_port tcp 192.168.0.2:6667 6667 \ + redirect_port tcp 192.1683.0.3:80 80 + Port ranges over individual ports can be indicated with - . For example, + . For example, tcp 192.168.0.2:2000-3000 - 2000-3000 would redirect all connections + 2000-3000 would redirect all connections received on ports 2000 to 3000 to ports 2000 to 3000 on client A. - - These options can be used when directly running - &man.natd.8;, placed within the - natd_flags="" option in - /etc/rc.conf, or passed via a - configuration file. - - For further configuration options, consult - &man.natd.8;. Address Redirection - - address redirection - - Address redirection is useful if more than one IP address is available. Each LAN client can be assigned its own - external IP address by &man.natd.8;, + external IP address by &man.ipfw.8;, which will then rewrite outgoing packets from the LAN clients with the proper external IP address and redirects all traffic @@ -2383,7 +2423,7 @@ class="ipaddress">128.1.1.2, and 128.1.1.3 are available, 128.1.1.1 can be - used as the &man.natd.8; machine's external + used as the &man.ipfw.8; machine's external IP address, while 128.1.1.2 and 128.1.1.3 are forwarded @@ -2391,49 +2431,88 @@ A and B. - The syntax is as - follows: + The syntax is as + below, where localIP is the internal + IP address of the LAN + client, and publicIP the external + IP address corresponding to the + LAN client. - -redirect_address localIP publicIP +redirect_address localIP PublicIP + In the example, the arguments would read: - - - - - localIP - The internal IP address of - the LAN client. - + redirect_address 192.168.0.2 128.1.1.2 +redirect_address 192.168.0.3 128.1.1.3 - - publicIP - The external IP address - corresponding to the LAN - client. - - - - - - In the example, this argument would read: - - -redirect_address 192.168.0.2 128.1.1.2 --redirect_address 192.168.0.3 128.1.1.3 - - Like , these arguments - are placed within the natd_flags="" - option of /etc/rc.conf, or passed via a - configuration file. With address redirection, there is no - need for port redirection since all data received on a + Like , these arguments + are placed in a NAT instance + configuration. With address redirection, there is no + need for port redirection, as all data received on a particular IP address is redirected. The external IP addresses on the - &man.natd.8; machine must be active and aliased to the + &man.ipfw.8; machine must be active and aliased to the external interface. Refer to &man.rc.conf.5; for details. + + + Userspace <acronym>NAT</acronym> + + Lets start with a statement: the userspace + NAT implementation: &man.natd.8;, has + more overhead than in-kernel NAT. This + is due to the fact that in order for &man.natd.8; to + translate packets, the packets have to be copied from the + kernel to userspace which brings in the overhead. + + To enable the userpace NAT daemon; + &man.natd.8; at boot time, the following is a minimum + configuration in /etc/rc.conf. Where + is set to the name of the + NIC attached to the Internet. The + &man.rc.8; script of &man.natd.8; will automatically check + if a dynamic IP address is used and + configure itself to handle that. + + gateway_enable="YES" +natd_enable="YES" +natd_interface="rl0" + + In general, the above ruleset as explained for in-kernel + NAT can also used together with + &man.natd.8;. The only exceptions are the configuration of + the in-kernel NAT instance (ipfw + -q nat 1 config ...) not being applicable any + more, and rule number 100 and 500 will have to change + sligthly as below. + + $cmd 100 divert natd ip from any to any in via $pif +$cmd 500 divert natd ip from any to any out via $pif + + To configure port or address redirection, a similar + syntax as with in-kernel NAT is used. + Although, now, instead of specifying the configuration in + our ruleset script like with in-kernel + NAT, configuration of &man.natd.8; is + best done in a configuration file. To do this, an extra + flag must be passed via /etc/rc.conf + which specifies the path of the configuration file. + + natd_flags="-f /etc/natd.conf" + + + The specified file must contain a list of + configuration options, one per line. For more information + about the configuration file and possible variables, + consult &man.natd.8;. Below are two example + entries, one per line: + + redirect_port tcp 192.168.0.2:6667 6667 +redirect_address 192.168.0.3 128.1.1.3 +