D21306.id60948.diff
Index: en_US.ISO8859-1/books/handbook/firewalls/chapter.xml
===================================================================
--- en_US.ISO8859-1/books/handbook/firewalls/chapter.xml
+++ en_US.ISO8859-1/books/handbook/firewalls/chapter.xml
@@ -1698,7 +1698,7 @@
<warning>
<para>Only firewall rules with the <option>log</option> option will
be logged. The default rules do not include this option and it
- must be manually added. Therefor it is advisable that the default
+ must be manually added. Therefore it is advisable that the default
ruleset is edited for logging. In addition, log rotation may be
desired if the logs are stored in a separate file.</para>
</warning>
@@ -2121,9 +2121,9 @@
$cmd 00999 deny log all from any to any</programlisting>
</sect2>
- <sect2 xml:id="network-natd">
+ <sect2 xml:id="in-kernel-nat">
<info>
- <title>Configuring <acronym>NAT</acronym></title>
+ <title>In-kernel <acronym>NAT</acronym></title>
<authorgroup>
<author>
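Review bot: renaming the section's xml:id from network-natd to in-kernel-nat breaks every existing <xref linkend="network-natd"/> in the handbook and any external link to the #network-natd anchor; grep the tree for the old id before landing this. Since the section now covers both the in-kernel facility and the userspace daemon (new sect3 "Userspace NAT"), a neutral id and the old title "Configuring NAT" would also describe the content more accurately than "In-kernel NAT".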
@@ -2134,7 +2134,18 @@
<contrib>Contributed by </contrib>
</author>
</authorgroup>
+
+ <authorgroup>
+ <author>
+ <personname>
+ <firstname>Dries</firstname>
+ <surname>Michiels</surname>
+ </personname>
+ <contrib>Rewritten and updated by </contrib>
+ </author>
+ </authorgroup>
</info>
+
<indexterm>
<primary>NAT</primary>
@@ -2141,12 +2152,16 @@
<secondary>and <application>IPFW</application></secondary>
</indexterm>
- <para>&os;'s built-in <acronym>NAT</acronym> daemon,
- &man.natd.8;, works in conjunction with
+ <para>&os;'s <application>IPFW</application> firewall has two
+ implementations of <acronym>NAT</acronym>: one being the
+ userland &man.natd.8; daemon, and the more recent
+ <application>IPFW</application>'s built-in
+ <acronym>NAT</acronym> facility also known as in-kernel
+ <acronym>NAT</acronym>. Both work in conjunction with
<application>IPFW</application> to provide network address
translation. This can be used to provide an Internet
Connection Sharing solution so that several internal computers
- can connect to the Internet using a single
+ can connect to the Internet using a single public
<acronym>IP</acronym> address.</para>
<para>To do this, the &os; machine connected to the Internet
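Review bot: the first sentence of the rewritten paragraph is hard to parse: "one being the userland natd(8) daemon, and the more recent IPFW's built-in NAT facility also known as in-kernel NAT". Suggest "one is the userland &man.natd.8; daemon, the other is the more recent built-in facility known as in-kernel NAT." The following "Both work in conjunction with IPFW" is redundant for a facility that is part of IPFW; "Both are used together with the IPFW ruleset" reads better.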
@@ -2157,58 +2172,80 @@
<acronym>LAN</acronym> should be assigned an
<acronym>IP</acronym> address in the private network space, as
defined by <link
- xlink:href="https://www.ietf.org/rfc/rfc1918.txt">RFC
- 1918</link>, and have the default gateway set to the
- &man.natd.8; system's internal <acronym>IP</acronym>
- address.</para>
+ xlink:href="https://www.ietf.org/rfc/rfc1918.txt">RFC
+ 1918</link>.</para>
- <para>Some additional configuration is needed in order to
- activate the <acronym>NAT</acronym> function of
- <application>IPFW</application>. If the system has a custom
- kernel, the kernel configuration file needs to include
- <literal>option IPDIVERT</literal> along with the other
- <literal>IPFIREWALL</literal> options described in <xref
- linkend="firewalls-ipfw-enable"/>.</para>
+ <para>Some additional configuration is needed in order to enable
+ the in-kernel <acronym>NAT</acronym> function of
+ <application>IPFW</application>. To enable in-kernel
+ <acronym>NAT</acronym> support at boot time, the following
+ must be set in <filename>/etc/rc.conf</filename>:</para>
- <para>To enable <acronym>NAT</acronym> support at boot time, the
- following must be in <filename>/etc/rc.conf</filename>:</para>
+ <programlisting>gateway_enable="YES"
+firewall_enable="YES"
+firewall_nat_enable="YES"</programlisting>
- <programlisting>gateway_enable="YES" # enables the gateway
-natd_enable="YES" # enables <acronym>NAT</acronym>
-natd_interface="rl0" # specify interface name of NIC attached to Internet
-natd_flags="-dynamic -m" # -m = preserve port numbers; additional options are listed in &man.natd.8;</programlisting>
-
<note>
- <para>It is also possible to specify a configuration file
- which contains the options to pass to &man.natd.8;:</para>
+ <para>When <literal>firewall_enable</literal> is not set,
+ but <literal>firewall_nat_enable</literal> is, it will have
+ no effect and do nothing. This is by design with the
+ following reason: <application>IPFW</application>'s
+ in-kernel <acronym>NAT</acronym> facility is specific to
+ <application>IPFW</application>. In order to use
+ <application>IPFW</application>'s <acronym>NAT</acronym>,
+ <application>IPFW</application> should also be enabled and
+ loaded by setting
+ <literal>firewall_enable</literal>.</para></note>
- <programlisting>natd_flags="-f /etc/natd.conf"</programlisting>
+ <para>When the ruleset contains stateful rules, the positioning
+ of the <acronym>NAT</acronym> rule is critical and the
+ <literal>skipto</literal> action is used. The
+ <literal>skipto</literal> action requires a rule number so
+ that it knows which rule to jump to. Furthermore, because of
+ the nature of a stateful <acronym>NAT</acronym>ing firewall,
+ it is necessary to allow translated packets to be reinjected
+ in the firewall for further processing. Because of the
+ architecture of &man.libalias.3;, a library implemented as a
+ kernel module used for the in-kernel <acronym>NAT</acronym>
+ facility of <application>IPFW</application>, it is necessary
+ to disable TCP segmentation offloading, or in short
+ <acronym>TSO</acronym>. <acronym>TSO</acronym> can be
+ disabled on a per network interface basis using
+ &man.ifconfig.8; or on a system wide basis using
+ &man.sysctl.8;. To allow packets to be reinjected and to
+ disable <acronym>TSO</acronym> system wide, the following must
+ be set in <filename>/etc/sysctl.conf</filename>:</para>
- <para>The specified file must contain a list of configuration
- options, one per line. For example:</para>
+ <programlisting>net.inet.ip.fw.one_pass="0"
+net.inet.tcp.tso="0"</programlisting>
- <programlisting>redirect_port tcp 192.168.0.2:6667 6667
-redirect_port tcp 192.168.0.3:80 80</programlisting>
-
- <para>For more information about this configuration file,
- consult &man.natd.8;.</para>
- </note>
-
- <para>Next, add the <acronym>NAT</acronym> rules to the firewall
- ruleset. When the rulest contains stateful rules, the
- positioning of the <acronym>NAT</acronym> rules is critical
- and the <literal>skipto</literal> action is used. The
- <literal>skipto</literal> action requires a rule number so
- that it knows which rule to jump to.</para>
-
<para>The following example builds upon the firewall ruleset
shown in the previous section. It adds some additional
entries and modifies some existing rules in order to configure
- the firewall for <acronym>NAT</acronym>. It starts by adding
- some additional variables which represent the rule number to
- skip to, the <literal>keep-state</literal> option, and a list
- of <acronym>TCP</acronym> ports which will be used to reduce
- the number of rules:</para>
+ the firewall for in-kernel <acronym>NAT</acronym>. It starts
+ by adding some additional variables which represent the rule
+ number to skip to, the <literal>keep-state</literal> option,
+ and a list of <acronym>TCP</acronym> ports which will be used
+ to reduce the number of rules. A <acronym>NAT</acronym>
+ instance will also be configured. With in-kernel
+ <acronym>NAT</acronym> it is possible to have multiple
+ <acronym>NAT</acronym> instances each with their own
+ configuration. Although, for this example only one
+ <acronym>NAT</acronym> instance is needed;
+ <acronym>NAT</acronym> instance number 1. The configuration
+ takes a few arguments and flags such as: <option>if</option>
+ which indicates the public interface,
+ <option>same_ports</option> which takes care that alliased
+ ports and local port numbers are mapped the same,
+ <option>unreg_only</option> will result in only unregistered
+ (private) address spaces to be processed by the
+ <acronym>NAT</acronym> instance, and <option>reset</option>
+ which will help to keep a functioning <acronym>NAT</acronym>
+ instance even when the public <acronym>IP</acronym> address of
+ the <application>IPFW</application> machine changes. For all
+ possible options that can be passed to a single
+ <acronym>NAT</acronym> configuration consult
+ &man.ipfw.8;.</para>
<programlisting>#!/bin/sh
ipfw -q -f flush
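Review bot: the sysctl paragraph should state what net.inet.ip.fw.one_pass="0" actually changes, because it alters the behaviour of every nat rule in the ruleset, not just this example: with one_pass set to 0 a packet that has been translated by a nat rule continues at the next rule instead of being accepted immediately, which is the only reason the check-state rule and the skipto target are reached at all; a reader who copies only the two sysctl lines should understand that. Smaller points in the same hunk: "alliased" should be "aliased"; "Although, for this example only one NAT instance is needed; NAT instance number 1." is a fragment, suggest "For this example only one instance, NAT instance 1, is needed."; and in the <note>, "it will have no effect and do nothing" says the same thing twice, "it has no effect" is enough.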
@@ -2216,7 +2253,9 @@
skip="skipto 500"
pif=dc0
ks="keep-state"
-good_tcpo="22,25,37,53,80,443,110"</programlisting>
+good_tcpo="22,25,37,53,80,443,110"
+# Configure the in-kernel NAT instance
+ipfw -q nat 1 config if $pif same_ports unreg_only reset</programlisting>
<para>The inbound <acronym>NAT</acronym> rule is inserted
<emphasis>after</emphasis> the two rules which allow all
@@ -2230,7 +2269,7 @@
<programlisting>$cmd 005 allow all from any to any via xl0 # exclude LAN traffic
$cmd 010 allow all from any to any via lo0 # exclude loopback traffic
-$cmd 100 divert natd ip from any to any in via $pif # NAT any inbound packets
+$cmd 100 nat 1 ip from any to any in via $pif # NAT any inbound packets
# Allow the packet through if it has an existing entry in the dynamic rules table
$cmd 101 check-state</programlisting>
@@ -2263,7 +2302,7 @@
to pass.</para>
<programlisting>$cmd 499 deny log all from any to any
-$cmd 500 divert natd ip from any to any out via $pif # skipto location for outbound stateful rules
+$cmd 500 nat 1 ip from any to any out via $pif # skipto location for outbound stateful rules
$cmd 510 allow ip from any to any</programlisting>
<para>In this example, rules <literal>100</literal>,
@@ -2312,15 +2351,15 @@
<sect3>
<title>Port Redirection</title>
- <para>The drawback with &man.natd.8; is that the
- <acronym>LAN</acronym> clients are not accessible from the
- Internet. Clients on the <acronym>LAN</acronym> can make
- outgoing connections to the world but cannot receive
- incoming ones. This presents a problem if trying to run
- Internet services on one of the <acronym>LAN</acronym>
+ <para>The drawback with <acronym>NAT</acronym> in general is
+ that the <acronym>LAN</acronym> clients are not accessible
+ from the Internet. Clients on the <acronym>LAN</acronym>
+ can make outgoing connections to the world but cannot
+ receive incoming ones. This presents a problem if trying to
+ run Internet services on one of the <acronym>LAN</acronym>
client machines. A simple way around this is to redirect
- selected Internet ports on the &man.natd.8; machine to a
- <acronym>LAN</acronym> client.</para>
+ selected Internet ports on the <acronym>NAT</acronym>
+ providing machine to a <acronym>LAN</acronym> client.</para>
<para>For example, an <acronym>IRC</acronym> server runs on
client <systemitem>A</systemitem> and a web server runs on
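Review bot: "the NAT providing machine" needs a hyphen ("NAT-providing machine"), or simply "the NAT machine", which is what the rest of the chapter calls it.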
@@ -2329,49 +2368,50 @@
(<acronym>IRC</acronym>) and 80 (<acronym>HTTP</acronym>)
must be redirected to the respective machines.</para>
- <para>The syntax for <option>-redirect_port</option> is as
- follows:</para>
+ <para>With in-kernel <acronym>NAT</acronym> all configuration
+ is done in the <acronym>NAT</acronym> instance configuration.
+ For a full list of options that an in-kernel
+ <acronym>NAT</acronym> instance can use, consult &man.ipfw.8;.
+ The <application>IPFW</application> syntax follows the syntax
+ of <application>natd</application>. The syntax for
+ <option>redirect_port</option> is as follows:</para>
- <programlisting> -redirect_port proto targetIP:targetPORT[-targetPORT]
- [aliasIP:]aliasPORT[-aliasPORT]
- [remoteIP[:remotePORT[-remotePORT]]]</programlisting>
+ <programlisting>redirect_port proto targetIP:targetPORT[-targetPORT]
+ [aliasIP:]aliasPORT[-aliasPORT]
+ [remoteIP[:remotePORT[-remotePORT]]]</programlisting>
- <para>In the above example, the argument should be:</para>
+ <para>To configure the above example setup, the arguments
+ should be:</para>
- <programlisting> -redirect_port tcp 192.168.0.2:6667 6667
- -redirect_port tcp 192.168.0.3:80 80</programlisting>
+ <programlisting>redirect_port tcp 192.168.0.2:6667 6667
+redirect_port tcp 192.168.0.3:80 80</programlisting>
- <para>This redirects the proper <acronym>TCP</acronym> ports
- to the <acronym>LAN</acronym> client machines.</para>
+ <para>After adding these arguments to configuration of
+ <acronym>NAT</acronym> instance 1 in the above ruleset, the
+ <acronym>TCP</acronym> ports will be port forwarded to the
+ <acronym>LAN</acronym> client machines running the
+ <acronym>IRC</acronym> and <acronym>HTTP</acronym>
+ services.</para>
+ <programlisting>ipfw -q nat 1 config if $pif same_ports unreg_only reset \
+ redirect_port tcp 192.168.0.2:6667 6667 \
+ redirect_port tcp 192.1683.0.3:80 80</programlisting>
+
<para>Port ranges over individual ports can be indicated with
- <option>-redirect_port</option>. For example,
+ <option>redirect_port</option>. For example,
<replaceable>tcp 192.168.0.2:2000-3000
- 2000-3000</replaceable> would redirect all connections
+ 2000-3000</replaceable> would redirect all connections
received on ports 2000 to 3000 to ports 2000 to 3000 on
client <systemitem>A</systemitem>.</para>
-
- <para>These options can be used when directly running
- &man.natd.8;, placed within the
- <literal>natd_flags=""</literal> option in
- <filename>/etc/rc.conf</filename>, or passed via a
- configuration file.</para>
-
- <para>For further configuration options, consult
- &man.natd.8;.</para>
</sect3>
<sect3>
<title>Address Redirection</title>
- <indexterm>
- <primary>address redirection</primary>
- </indexterm>
-
<para>Address redirection is useful if more than one
<acronym>IP</acronym> address is available. Each
<acronym>LAN</acronym> client can be assigned its own
- external <acronym>IP</acronym> address by &man.natd.8;,
+ external <acronym>IP</acronym> address by &man.ipfw.8;,
which will then rewrite outgoing packets from the
<acronym>LAN</acronym> clients with the proper external
<acronym>IP</acronym> address and redirects all traffic
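Review bot: the combined programlisting in this hunk contains an invalid address in its last line: "redirect_port tcp 192.1683.0.3:80 80" must be 192.168.0.3, matching the example two listings above and client B; as written the example cannot forward port 80 to the web server. Also in this hunk, "The IPFW syntax follows the syntax of natd" should use the &man.natd.8; entity like the rest of the section, "After adding these arguments to configuration of NAT instance 1" is missing "the", and the re-indentation of the <replaceable> line (2000-3000) is whitespace-only churn that could be dropped.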
@@ -2383,7 +2423,7 @@
class="ipaddress">128.1.1.2</systemitem>, and <systemitem
class="ipaddress">128.1.1.3</systemitem> are available,
<systemitem class="ipaddress">128.1.1.1</systemitem> can be
- used as the &man.natd.8; machine's external
+ used as the &man.ipfw.8; machine's external
<acronym>IP</acronym> address, while <systemitem
class="ipaddress">128.1.1.2</systemitem> and <systemitem
class="ipaddress">128.1.1.3</systemitem> are forwarded
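Review bot: replacing "&man.natd.8; machine" with "&man.ipfw.8; machine" (here and in the previous hunk) turns a man page reference into an adjective; ipfw(8) is the ruleset tool, not the host. "the NAT machine" or "the <application>IPFW</application> machine" is clearer and matches the wording used for the gateway elsewhere in the chapter.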
@@ -2391,49 +2431,88 @@
<systemitem>A</systemitem> and
<systemitem>B</systemitem>.</para>
- <para>The <option>-redirect_address</option> syntax is as
- follows:</para>
+ <para>The <option>redirect_address</option> syntax is as
+ below, where <literal>localIP</literal> is the internal
+ <acronym>IP</acronym> address of the <acronym>LAN</acronym>
+ client, and <literal>publicIP</literal> the external
+ <acronym>IP</acronym> address corresponding to the
+ <acronym>LAN</acronym> client.</para>
- <programlisting>-redirect_address localIP publicIP</programlisting>
+<programlisting>redirect_address localIP PublicIP</programlisting>
+ <para>In the example, the arguments would read:</para>
- <informaltable frame="none" pgwide="1">
- <tgroup cols="2">
- <tbody>
- <row>
- <entry>localIP</entry>
- <entry>The internal <acronym>IP</acronym> address of
- the <acronym>LAN</acronym> client.</entry>
- </row>
+ <programlisting>redirect_address 192.168.0.2 128.1.1.2
+redirect_address 192.168.0.3 128.1.1.3</programlisting>
- <row>
- <entry>publicIP</entry>
- <entry>The external <acronym>IP</acronym> address
- corresponding to the <acronym>LAN</acronym>
- client.</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>In the example, this argument would read:</para>
-
- <programlisting>-redirect_address 192.168.0.2 128.1.1.2
--redirect_address 192.168.0.3 128.1.1.3</programlisting>
-
- <para>Like <option>-redirect_port</option>, these arguments
- are placed within the <literal>natd_flags=""</literal>
- option of <filename>/etc/rc.conf</filename>, or passed via a
- configuration file. With address redirection, there is no
- need for port redirection since all data received on a
+ <para>Like <option>redirect_port</option>, these arguments
+ are placed in a <acronym>NAT</acronym> instance
+ configuration. With address redirection, there is no
+ need for port redirection, as all data received on a
particular <acronym>IP</acronym> address is
redirected.</para>
<para>The external <acronym>IP</acronym> addresses on the
- &man.natd.8; machine must be active and aliased to the
+ &man.ipfw.8; machine must be active and aliased to the
external interface. Refer to &man.rc.conf.5; for
details.</para>
</sect3>
+
+ <sect3>
+ <title>Userspace <acronym>NAT</acronym></title>
+
+ <para>Lets start with a statement: the userspace
+ <acronym>NAT</acronym> implementation: &man.natd.8;, has
+ more overhead than in-kernel <acronym>NAT</acronym>. This
+ is due to the fact that in order for &man.natd.8; to
+ translate packets, the packets have to be copied from the
+ kernel to userspace which brings in the overhead.</para>
+
+ <para>To enable the userpace <acronym>NAT</acronym> daemon;
+ &man.natd.8; at boot time, the following is a minimum
+ configuration in <filename>/etc/rc.conf</filename>. Where
+ <option>natd_interface</option> is set to the name of the
+ <acronym>NIC</acronym> attached to the Internet. The
+ &man.rc.8; script of &man.natd.8; will automatically check
+ if a dynamic <acronym>IP</acronym> address is used and
+ configure itself to handle that.</para>
+
+ <programlisting>gateway_enable="YES"
+natd_enable="YES"
+natd_interface="rl0"</programlisting>
+
+ <para>In general, the above ruleset as explained for in-kernel
+ <acronym>NAT</acronym> can also used together with
+ &man.natd.8;. The only exceptions are the configuration of
+ the in-kernel <acronym>NAT</acronym> instance <literal>(ipfw
+ -q nat 1 config ...)</literal> not being applicable any
+ more, and rule number 100 and 500 will have to change
+ sligthly as below.</para>
+
+ <programlisting>$cmd 100 divert natd ip from any to any in via $pif
+$cmd 500 divert natd ip from any to any out via $pif</programlisting>
+
+ <para>To configure port or address redirection, a similar
+ syntax as with in-kernel <acronym>NAT</acronym> is used.
+ Although, now, instead of specifying the configuration in
+ our ruleset script like with in-kernel
+ <acronym>NAT</acronym>, configuration of &man.natd.8; is
+ best done in a configuration file. To do this, an extra
+ flag must be passed via <filename>/etc/rc.conf</filename>
+ which specifies the path of the configuration file.</para>
+
+ <programlisting>natd_flags="-f /etc/natd.conf"</programlisting>
+
+ <note>
+ <para>The specified file must contain a list of
+ configuration options, one per line. For more information
+ about the configuration file and possible variables,
+ consult &man.natd.8;. Below are two example
+ entries, one per line:</para>
+
+ <programlisting>redirect_port tcp 192.168.0.2:6667 6667
+redirect_address 192.168.0.3 128.1.1.3</programlisting></note>
+ </sect3>
</sect2>
<sect2 xml:id="firewalls-ipfw-cmd">
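Review bot: the redirect_address programlisting uses "PublicIP" while the paragraph before it defines "publicIP"; make the case consistent, and indent that <programlisting> like its siblings. In the new Userspace NAT subsection: "Lets start with a statement:" is conversational and misspells "Let's"; suggest opening with "The userspace NAT implementation, &man.natd.8;, has more overhead than in-kernel NAT because each packet must be copied from the kernel to userspace for translation." Further fixes: "userpace" should be "userspace", "sligthly" should be "slightly", "can also used" is missing "be", "rule number 100 and 500 will have to change" should be "rules 100 and 500 change", "Where natd_interface is set to..." is a fragment that belongs to the previous sentence, and the parentheses should sit outside the element: (<literal>ipfw -q nat 1 config ...</literal>).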
D21306: Document IPFW's in-kernel NAT