en_US.ISO8859-1/books/handbook/firewalls/chapter.xml
Show First 20 Lines • Show All 2,147 Lines • ▼ Show 20 Lines | </authorgroup> | ||||
<indexterm> | <indexterm> | ||||
<primary>NAT</primary> | <primary>NAT</primary> | ||||
<secondary>and <application>IPFW</application></secondary> | <secondary>and <application>IPFW</application></secondary> | ||||
</indexterm> | </indexterm> | ||||
<para>&os;'s <application>IPFW</application> firewall has two | <para>&os;'s <application>IPFW</application> firewall has two | ||||
implementations of <acronym>NAT</acronym>: one being the | implementations of <acronym>NAT</acronym>: the userland | ||||
userland &man.natd.8; daemon, and the more recent | implementation &man.natd.8;, and the more recent in-kernel | ||||
<application>IPFW</application>'s built-in | <acronym>NAT</acronym> implementation. Both work in | ||||
<acronym>NAT</acronym> facility also known as in-kernel | conjunction with <application>IPFW</application> to provide | ||||
<acronym>NAT</acronym>. Both work in conjunction with | network address translation. This can be used to provide an | ||||
<application>IPFW</application> to provide network address | Internet Connection Sharing solution so that several internal | ||||
translation. This can be used to provide an Internet | computers can connect to the Internet using a single public | ||||
Connection Sharing solution so that several internal computers | |||||
can connect to the Internet using a single public | |||||
<acronym>IP</acronym> address.</para> | <acronym>IP</acronym> address.</para> | ||||
<para>To do this, the &os; machine connected to the Internet | <para>To do this, the &os; machine connected to the Internet | ||||
must act as a gateway. This system must have two | must act as a gateway. This system must have two | ||||
<acronym>NIC</acronym>s, where one is connected to the | <acronym>NIC</acronym>s, where one is connected to the | ||||
Internet and the other is connected to the internal | Internet and the other is connected to the internal | ||||
<acronym>LAN</acronym>. Each machine connected to the | <acronym>LAN</acronym>. Each machine connected to the | ||||
<acronym>LAN</acronym> should be assigned an | <acronym>LAN</acronym> should be assigned an | ||||
<acronym>IP</acronym> address in the private network space, as | <acronym>IP</acronym> address in the private network space, as | ||||
defined by <link | defined by <link | ||||
xlink:href="https://www.ietf.org/rfc/rfc1918.txt">RFC | xlink:href="https://www.ietf.org/rfc/rfc1918.txt">RFC | ||||
1918</link>.</para> | 1918</link>.</para> | ||||
<para>Some additional configuration is needed in order to enable | <para>Some additional configuration is needed in order to enable | ||||
the in-kernel <acronym>NAT</acronym> function of | the in-kernel <acronym>NAT</acronym> facility of | ||||
<application>IPFW</application>. To enable in-kernel | <application>IPFW</application>. To enable in-kernel | ||||
<acronym>NAT</acronym> support at boot time, the following | <acronym>NAT</acronym> support at boot time, the following | ||||
must be set in <filename>/etc/rc.conf</filename>:</para> | must be set in <filename>/etc/rc.conf</filename>:</para> | ||||
<programlisting>gateway_enable="YES" | <programlisting>gateway_enable="YES" | ||||
firewall_enable="YES" | firewall_enable="YES" | ||||
firewall_nat_enable="YES"</programlisting> | firewall_nat_enable="YES"</programlisting> | ||||
<note> | <note> | ||||
<para>When <literal>firewall_enable</literal> is not set, | <para>When <literal>firewall_nat_enable</literal> is set but | ||||
but <literal>firewall_nat_enable</literal> is, it will have | <literal>firewall_enable</literal> is not, it will have no | ||||
no effect and do nothing, because the in-kernel | effect and do nothing. This is because the in-kernel | ||||
<acronym>NAT</acronym> implementation is only compatible | <acronym>NAT</acronym> implementation is only compatible | ||||
with <application>IPFW</application>.</para></note> | with <application>IPFW</application>.</para></note> | ||||
<para>When the ruleset contains stateful rules, the positioning | <para>When the ruleset contains stateful rules, the positioning | ||||
of the <acronym>NAT</acronym> rule is critical and the | of the <acronym>NAT</acronym> rule is critical and the | ||||
<literal>skipto</literal> action is used. The | <literal>skipto</literal> action is used. The | ||||
<literal>skipto</literal> action requires a rule number so | <literal>skipto</literal> action requires a rule number so | ||||
that it knows which rule to jump to. Furthermore, because | that it knows which rule to jump to. The example below builds | ||||
of the architecture of &man.libalias.3;, a library implemented | upon the firewall ruleset shown in the previous section. It | ||||
as a kernel module used for the in-kernel | adds some additional entries and modifies some existing rules | ||||
<acronym>NAT</acronym> facility of | in order to configure the firewall for in-kernel | ||||
<application>IPFW</application>, it is necessary to disable | <acronym>NAT</acronym>. It starts by adding some additional | ||||
TCP segmentation offloading, or in short | variables which represent the rule number to skip to, the | ||||
<acronym>TSO</acronym>. <acronym>TSO</acronym> can be | <literal>keep-state</literal> option, and a list of | ||||
disabled on a per network interface basis by using | <acronym>TCP</acronym> ports which will be used to reduce the | ||||
&man.ifconfig.8; or on a system wide basis using | number of rules.</para> | ||||
&man.sysctl.8;. To disable <acronym>TSO</acronym> system | |||||
wide, the following must be set in | |||||
<filename>/etc/sysctl.conf</filename>:</para> | |||||
<programlisting>net.inet.tcp.tso="0"</programlisting> | |||||
<para>The example below builds upon the firewall ruleset | |||||
shown in the previous section. It adds some additional | |||||
entries and modifies some existing rules in order to configure | |||||
the firewall for in-kernel <acronym>NAT</acronym>. It starts | |||||
by adding some additional variables which represent the rule | |||||
number to skip to, the <literal>keep-state</literal> option, | |||||
and a list of <acronym>TCP</acronym> ports which will be used | |||||
to reduce the number of rules.</para> | |||||
<programlisting>#!/bin/sh | <programlisting>#!/bin/sh | ||||
ipfw -q -f flush | ipfw -q -f flush | ||||
cmd="ipfw -q add" | cmd="ipfw -q add" | ||||
skip="skipto 1000" | skip="skipto 1000" | ||||
pif=dc0 | pif=dc0 | ||||
ks="keep-state" | ks="keep-state" | ||||
good_tcpo="22,25,37,53,80,443,110"</programlisting> | good_tcpo="22,25,37,53,80,443,110"</programlisting> | ||||
<para>A <acronym>NAT</acronym> instance will also be | <para>With in-kernel <acronym>NAT</acronym> it is | ||||
configured. With in-kernel <acronym>NAT</acronym> it is | necessary to disable TCP segmentation offloading | ||||
possible to have multiple <acronym>NAT</acronym> instances | (<acronym>TSO</acronym>) due to the architecture of | ||||
each with their own configuration. Although, for this example | &man.libalias.3;, a library implemented as a kernel module to | ||||
only one <acronym>NAT</acronym> instance is needed; | provide the in-kernel <acronym>NAT</acronym> facility of | ||||
<application>IPFW</application>. <acronym>TSO</acronym> can | |||||
be disabled on a per network interface basis using | |||||
&man.ifconfig.8; or on a system wide basis using | |||||
&man.sysctl.8;. To disable <acronym>TSO</acronym> system | |||||
wide, the following must be set it | |||||
<filename>/etc/sysctl.conf</filename>:</para> | |||||
<programlisting>net.inet.tcp.tso="0"</programlisting> | |||||
<para>A <acronym>NAT</acronym> instance will also be configured. | |||||
It is possible to have multiple <acronym>NAT</acronym> | |||||
instances each with their own configuration. For this example | |||||
only one <acronym>NAT</acronym> instance is needed, | |||||
<acronym>NAT</acronym> instance number 1. The configuration | <acronym>NAT</acronym> instance number 1. The configuration | ||||
takes a few arguments and flags such as: <option>if</option> | can take a few options such as: <option>if</option> which | ||||
which indicates the public interface, | indicates the public interface, <option>same_ports</option> | ||||
<option>same_ports</option> which takes care that alliased | which takes care that alliased ports and local port numbers | ||||
ports and local port numbers are mapped the same, | are mapped the same, <option>unreg_only</option> will result | ||||
<option>unreg_only</option> will result in only unregistered | in only unregistered (private) address spaces to be processed | ||||
(private) address spaces to be processed by the | by the <acronym>NAT</acronym> instance, and | ||||
<acronym>NAT</acronym> instance, and <option>reset</option> | <option>reset</option> which will help to keep a functioning | ||||
which will help to keep a functioning <acronym>NAT</acronym> | <acronym>NAT</acronym> instance even when the public | ||||
instance even when the public <acronym>IP</acronym> address of | <acronym>IP</acronym> address of the | ||||
the <application>IPFW</application> machine changes. For all | <application>IPFW</application> machine changes. For all | ||||
possible options that can be passed to a single | possible options that can be passed to a single | ||||
<acronym>NAT</acronym> instance configuration consult | <acronym>NAT</acronym> instance configuration consult | ||||
&man.ipfw.8;. Furthermore, because of the nature of a | &man.ipfw.8;. When configuring a stateful | ||||
stateful <acronym>NAT</acronym>ing firewall, it is neseccary | <acronym>NAT</acronym>ing firewall, it is neseccary to allow | ||||
to allow translated packets to be reinjected in the firewall | translated packets to be reinjected in the firewall for | ||||
for further processing, this can be achieved by disabling | further processing. This can be achieved by disabling | ||||
<option>one_pass</option> behavior at the start of the | <option>one_pass</option> behavior at the start of the | ||||
firewall script.</para> | firewall script.</para> | ||||
<programlisting>ipfw disable one_pass | <programlisting>ipfw disable one_pass | ||||
ipfw -q nat 1 config if $pif same_ports unreg_only reset</programlisting> | ipfw -q nat 1 config if $pif same_ports unreg_only reset</programlisting> | ||||
<para>The inbound <acronym>NAT</acronym> rule is inserted | <para>The inbound <acronym>NAT</acronym> rule is inserted | ||||
<emphasis>after</emphasis> the two rules which allow all | <emphasis>after</emphasis> the two rules which allow all | ||||
traffic on the trusted and loopback interfaces and after the | traffic on the trusted and loopback interfaces and after the | ||||
reassamble rule but <emphasis>before</emphasis> the | reassamble rule but <emphasis>before</emphasis> the | ||||
<literal>check-state</literal> rule. It is important that the | <literal>check-state</literal> rule. It is important that the | ||||
rule number selected for this <acronym>NAT</acronym> rule, in | rule number selected for this <acronym>NAT</acronym> rule, in | ||||
this example <literal>100</literal>, is higher than the first | this example <literal>100</literal>, is higher than the first | ||||
three rules and lower than the <literal>check-state</literal> | three rules and lower than the <literal>check-state</literal> | ||||
rule. Furthermore, because of the behavior of in-kernel | rule. Furthermore, because of the behavior of in-kernel | ||||
<acronym>NAT</acronym> it is advised to place a reassamble | <acronym>NAT</acronym> it is advised to place a reassamble | ||||
rule just before the first <acronym>NAT</acronym> rule and | rule just before the first <acronym>NAT</acronym> rule and | ||||
after the rules that allow traffic on trusted interface. | after the rules that allow traffic on trusted interface. | ||||
Normally, <acronym>IP</acronym> fragmentation should not | Normally, <acronym>IP</acronym> fragmentation should not | ||||
happen, but when dealing with <acronym>IPSEC/ESP/GRE</acronym> | happen, but when dealing with <acronym>IPSEC/ESP/GRE</acronym> | ||||
tunneling traffic it might and the reassmabling of fragments | tunneling traffic it might and the reassmabling of fragments | ||||
is necessary before handing the complete packet over to the | is necessary before handing the complete packet over to the | ||||
in-kernel <acronym>NAT</acronym> engine.</para> | in-kernel <acronym>NAT</acronym> facility.</para> | ||||
<note> | <note> | ||||
<para>The reassemble rule was not needed with userland | <para>The reassemble rule was not needed with userland | ||||
&man.natd.8; because the internal workings of the | &man.natd.8; because the internal workings of the | ||||
<application>IPFW</application> <literal>divert</literal> | <application>IPFW</application> <literal>divert</literal> | ||||
action already takes care of this automatically as also | action already takes care of reassambling packets before | ||||
stated in &man.ipfw.8;.</para> | delivery to the socket as also stated in &man.ipfw.8;.</para> | ||||
bcr: s/delivey/delivery/ | |||||
<para>The current <acronym>NAT</acronym> instance number and | <para>The <acronym>NAT</acronym> instance and rule number used | ||||
<acronym>NAT</acronym> rule number does not match with the | in this example does not match with the default | ||||
default <acronym>NAT</acronym> instance number and rule | <acronym>NAT</acronym> instance and rule number created by | ||||
number created by <filename>rc.firewall</filename> which is | <filename>rc.firewall</filename>. | ||||
a script to set up the baked-in default firewall rulesets | <filename>rc.firewall</filename> is a script that sets up | ||||
present in &os;.</para></note> | the default firewall rules present in &os;.</para></note> | ||||
<programlisting>$cmd 005 allow all from any to any via xl0 # exclude LAN traffic | <programlisting>$cmd 005 allow all from any to any via xl0 # exclude LAN traffic | ||||
$cmd 010 allow all from any to any via lo0 # exclude loopback traffic | $cmd 010 allow all from any to any via lo0 # exclude loopback traffic | ||||
$cmd 099 reass all from any to any in # reassamble inbound packets | $cmd 099 reass all from any to any in # reassamble inbound packets | ||||
$cmd 100 nat 1 ip from any to any in via $pif # NAT any inbound packets | $cmd 100 nat 1 ip from any to any in via $pif # NAT any inbound packets | ||||
# Allow the packet through if it has an existing entry in the dynamic rules table | # Allow the packet through if it has an existing entry in the dynamic rules table | ||||
$cmd 101 check-state</programlisting> | $cmd 101 check-state</programlisting> | ||||
<para>The outbound rules are modified to replace the | <para>The outbound rules are modified to replace the | ||||
<literal>allow</literal> action with the | <literal>allow</literal> action with the | ||||
<literal>$skip</literal> variable, indicating that rule | <literal>$skip</literal> variable, indicating that rule | ||||
processing will continue at rule <literal>1000</literal>. The | processing will continue at rule <literal>1000</literal>. The | ||||
seven <literal>tcp</literal> rules have been replaced by rule | seven <literal>tcp</literal> rules have been replaced by rule | ||||
<literal>125</literal> as the | <literal>125</literal> as the | ||||
<literal>$good_tcpo</literal> variable contains the | <literal>$good_tcpo</literal> variable contains the | ||||
seven allowed outbound ports.</para> | seven allowed outbound ports.</para> | ||||
<note> | <note> | ||||
<para>Remember that <application>IPFW</application>'s | <para>Remember that <application>IPFW</application>'s | ||||
firewall performance is largely determined by the number of | performance is largely determined by the number of rules | ||||
rules present in the ruleset.</para></note> | present in the ruleset.</para></note> | ||||
<programlisting># Authorized outbound packets | <programlisting># Authorized outbound packets | ||||
$cmd 120 $skip udp from any to x.x.x.x 53 out via $pif $ks | $cmd 120 $skip udp from any to x.x.x.x 53 out via $pif $ks | ||||
$cmd 121 $skip udp from any to x.x.x.x 67 out via $pif $ks | $cmd 121 $skip udp from any to x.x.x.x 67 out via $pif $ks | ||||
$cmd 125 $skip tcp from any to any $good_tcpo out via $pif setup $ks | $cmd 125 $skip tcp from any to any $good_tcpo out via $pif setup $ks | ||||
$cmd 130 $skip icmp from any to any out via $pif $ks</programlisting> | $cmd 130 $skip icmp from any to any out via $pif $ks</programlisting> | ||||
<para>The inbound rules remain the same, except for the very | <para>The inbound rules remain the same, except for the very | ||||
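Review bot: the relocated TSO paragraph picks up a new typo in the right-hand text at "wide, the following must be set it" / "<filename>/etc/sysctl.conf</filename>:", where the original read "set in"; please restore "in". The same hunk rewrites several sentences but carries the existing misspellings over unchanged ("alliased ports", "it is neseccary to allow", "reassamble"/"reassmabling", and in the new note text "takes care of reassambling packets"); since these lines are being touched anyway, fixing them here ("aliased", "necessary", "reassemble"/"reassembling") avoids a follow-up commit. Minor: the rewritten opening paragraph now says "the userland implementation &man.natd.8;, and the more recent in-kernel NAT implementation", so "implementation" appears twice in one clause; "the userland &man.natd.8; daemon and the more recent in-kernel NAT facility" reads more smoothly and matches the "in-kernel NAT facility" wording used later in the same hunk.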
▲ Show 20 Lines • Show All 51 Lines • ▼ Show 20 Lines | $cmd 1001 allow ip from any to any</programlisting> | ||||
generated as a response is recognized by the | generated as a response is recognized by the | ||||
<literal>check-state</literal> rule as belonging to an | <literal>check-state</literal> rule as belonging to an | ||||
existing session. It is then sent to rule | existing session. It is then sent to rule | ||||
<literal>1000</literal> to undergo | <literal>1000</literal> to undergo | ||||
<acronym>NAT</acronym> before being released to the outbound | <acronym>NAT</acronym> before being released to the outbound | ||||
interface.</para> | interface.</para> | ||||
<note> | <note> | ||||
<para>Transition from userland &man.natd.8; to in-kernel | <para>Transitioning from userland &man.natd.8; to in-kernel | ||||
<acronym>NAT</acronym> might seem seamless at first but | <acronym>NAT</acronym> might seem seamless at first but | ||||
there is small catch. When using the GENERIC kernel, | there is small catch. When using the GENERIC kernel, | ||||
<application>IPFW</application> will load the | <application>IPFW</application> will load the | ||||
<filename>libalias.ko</filename> | <filename>libalias.ko</filename> kernel module, when | ||||
kernel module, when <literal>firewall_nat_enable</literal> | <literal>firewall_nat_enable</literal> is enabled in | ||||
is enabled in <filename>rc.conf</filename>. Although, the | <filename>rc.conf</filename>. The | ||||
loaded module only provides basic <acronym>NAT</acronym> | <filename>libalias.ko</filename> kernel module only provides | ||||
functionality, whereas the userland implementation | basic <acronym>NAT</acronym> functionality, whereas the | ||||
&man.natd.8; has all functionality available without any | userland implementation &man.natd.8; has all | ||||
extra configuration from its userland library. All | <acronym>NAT</acronym> functionality available in its | ||||
userland library without any extra configuration. All | |||||
functionality refers to the following kernel modules that | functionality refers to the following kernel modules that | ||||
can additionally be loaded when needed besides the standard | can additionally be loaded when needed besides the standard | ||||
<filename>libalias.ko</filename> kernel module: | <filename>libalias.ko</filename> kernel module: | ||||
<filename>alias_cuseeme.ko</filename>, | <filename>alias_cuseeme.ko</filename>, | ||||
<filename>alias_ftp.ko</filename>, | <filename>alias_ftp.ko</filename>, | ||||
<filename>alias_bbt.ko</filename>, | <filename>alias_bbt.ko</filename>, | ||||
<filename>skinny.ko</filename>, <filename>irc.ko</filename>, | <filename>skinny.ko</filename>, <filename>irc.ko</filename>, | ||||
<filename>alias_pptp.ko</filename> and | <filename>alias_pptp.ko</filename> and | ||||
<filename>alias_smedia.ko</filename> using the | <filename>alias_smedia.ko</filename> using the | ||||
<literal>kld_list</literal> directive in | <literal>kld_list</literal> directive in | ||||
<filename>rc.conf</filename> to mimic the full functionality | <filename>rc.conf</filename>. If a custom kernel is used, | ||||
of the userland implementation. If a custom kernel is used, | |||||
the full functionality of the userland library can be | the full functionality of the userland library can be | ||||
compiled in, in the kernel, using the <option>option | compiled in, in the kernel, using the <option>options | ||||
LIBALIAS</option>.</para></note> | LIBALIAS</option>.</para></note> | ||||
<sect3> | <sect3> | ||||
<title>Port Redirection</title> | <title>Port Redirection</title> | ||||
<para>The drawback with <acronym>NAT</acronym> in general is | <para>The drawback with <acronym>NAT</acronym> in general is | ||||
that the <acronym>LAN</acronym> clients are not accessible | that the <acronym>LAN</acronym> clients are not accessible | ||||
from the Internet. Clients on the <acronym>LAN</acronym> | from the Internet. Clients on the <acronym>LAN</acronym> | ||||
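Review bot: the module list in the rewritten note is internally inconsistent: most entries carry the alias_ prefix while "skinny.ko" and "irc.ko" do not, and "alias_bbt.ko" looks like a typo; since this hunk is where the list is reworded, please verify each name against the libalias modules in the source tree and make the naming uniform. The change from "option LIBALIAS" to "options LIBALIAS" is correct kernel configuration syntax. Two grammar points remain in the right-hand text: "there is small catch" needs "a", and "compiled in, in the kernel" would read better as "compiled into the kernel".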
Show All 34 Lines | <para>After adding these arguments to the configuration of | ||||
<acronym>NAT</acronym> instance 1 in the above ruleset, the | <acronym>NAT</acronym> instance 1 in the above ruleset, the | ||||
<acronym>TCP</acronym> ports will be port forwarded to the | <acronym>TCP</acronym> ports will be port forwarded to the | ||||
<acronym>LAN</acronym> client machines running the | <acronym>LAN</acronym> client machines running the | ||||
<acronym>IRC</acronym> and <acronym>HTTP</acronym> | <acronym>IRC</acronym> and <acronym>HTTP</acronym> | ||||
services.</para> | services.</para> | ||||
<programlisting>ipfw -q nat 1 config if $pif same_ports unreg_only reset \ | <programlisting>ipfw -q nat 1 config if $pif same_ports unreg_only reset \ | ||||
redirect_port tcp 192.168.0.2:6667 6667 \ | redirect_port tcp 192.168.0.2:6667 6667 \ | ||||
redirect_port tcp 192.1683.0.3:80 80</programlisting> | redirect_port tcp 192.168.0.3:80 80</programlisting> | ||||
<para>Port ranges over individual ports can be indicated with | <para>Port ranges over individual ports can be indicated with | ||||
<option>redirect_port</option>. For example, | <option>redirect_port</option>. For example, | ||||
<replaceable>tcp 192.168.0.2:2000-3000 | <replaceable>tcp 192.168.0.2:2000-3000 | ||||
2000-3000</replaceable> would redirect all connections | 2000-3000</replaceable> would redirect all connections | ||||
received on ports 2000 to 3000 to ports 2000 to 3000 on | received on ports 2000 to 3000 to ports 2000 to 3000 on | ||||
client <systemitem>A</systemitem>.</para> | client <systemitem>A</systemitem>.</para> | ||||
</sect3> | </sect3> | ||||
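Review bot: the address fix to "redirect_port tcp 192.168.0.3:80 80" is correct (the old "192.1683.0.3" was not a valid IPv4 address). One wording suggestion for the unchanged sentence that follows: "Port ranges over individual ports can be indicated with redirect_port" is hard to parse; "Port ranges, rather than individual ports, can also be given to redirect_port" states the same thing more clearly and keeps the 2000-3000 example intact.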
▲ Show 20 Lines • Show All 51 Lines • ▼ Show 20 Lines | <para>The external <acronym>IP</acronym> addresses on the | ||||
details.</para> | details.</para> | ||||
</sect3> | </sect3> | ||||
<sect3> | <sect3> | ||||
<title>Userspace <acronym>NAT</acronym></title> | <title>Userspace <acronym>NAT</acronym></title> | ||||
<para>Let us start with a statement: the userspace | <para>Let us start with a statement: the userspace | ||||
<acronym>NAT</acronym> implementation: &man.natd.8;, has | <acronym>NAT</acronym> implementation: &man.natd.8;, has | ||||
more overhead than in-kernel <acronym>NAT</acronym>. For | more overhead than in-kernel <acronym>NAT</acronym>. For | ||||
&man.natd.8; to translate packets, the packets have to be | &man.natd.8; to translate packets, the packets have to be | ||||
copied from the kernel to userspace and back which brings in | copied from the kernel to userspace and back which brings in | ||||
extra overhead that is not present with in-kernel | extra overhead that is not present with in-kernel | ||||
<acronym>NAT</acronym>.</para> | <acronym>NAT</acronym>.</para> | ||||
<para>To enable the userpace <acronym>NAT</acronym> daemon | <para>To enable the userpace <acronym>NAT</acronym> daemon | ||||
&man.natd.8; at boot time, the following is a minimum | &man.natd.8; at boot time, the following is a minimum | ||||
configuration in <filename>/etc/rc.conf</filename>. Where | configuration in <filename>/etc/rc.conf</filename>. Where | ||||
<option>natd_interface</option> is set to the name of the | <option>natd_interface</option> is set to the name of the | ||||
<acronym>NIC</acronym> attached to the Internet. The | <acronym>NIC</acronym> attached to the Internet. The | ||||
&man.rc.8; script of &man.natd.8; will automatically check | &man.rc.8; script of &man.natd.8; will automatically check | ||||
if a dynamic <acronym>IP</acronym> address is used and | if a dynamic <acronym>IP</acronym> address is used and | ||||
configure itself to handle that.</para> | configure itself to handle that.</para> | ||||
<programlisting>gateway_enable="YES" | <programlisting>gateway_enable="YES" | ||||
natd_enable="YES" | natd_enable="YES" | ||||
natd_interface="rl0"</programlisting> | natd_interface="rl0"</programlisting> | ||||
<para>In general, the above ruleset as explained for in-kernel | <para>In general, the above ruleset as explained for in-kernel | ||||
<acronym>NAT</acronym> can also be used together with | <acronym>NAT</acronym> can also be used together with | ||||
&man.natd.8;. The only exceptions are the configuration of | &man.natd.8;. The exceptions are the configuration of the | ||||
the in-kernel <acronym>NAT</acronym> instance <literal>(ipfw | in-kernel <acronym>NAT</acronym> instance <literal>(ipfw -q | ||||
-q nat 1 config ...)</literal> not being applicable any | nat 1 config ...)</literal> which is not needed together | ||||
more, rule number 100 and 1000 will have to change sligthly | with reassemble rule 99 because its functionality is | ||||
as below, and reassemble rule 99 is not needed anymore | included in the <option>divert</option> action. Rule number | ||||
as the <option>divert</option> action is used which covers | 100 and 1000 will have to change sligthly as shown | ||||
fragmentation.</para> | below.</para> | ||||
<programlisting>$cmd 100 divert natd ip from any to any in via $pif | <programlisting>$cmd 100 divert natd ip from any to any in via $pif | ||||
$cmd 1000 divert natd ip from any to any out via $pif</programlisting> | $cmd 1000 divert natd ip from any to any out via $pif</programlisting> | ||||
<para>To configure port or address redirection, a similar | <para>To configure port or address redirection, a similar | ||||
syntax as with in-kernel <acronym>NAT</acronym> is used. | syntax as with in-kernel <acronym>NAT</acronym> is used. | ||||
Although, now, instead of specifying the configuration in | Although, now, instead of specifying the configuration in | ||||
our ruleset script like with in-kernel | our ruleset script like with in-kernel | ||||
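Review bot: the rewritten sentence in the right-hand text merges two different reasons into one and ends up asserting something the original did not: the nat instance configuration "(ipfw -q nat 1 config ...) which is not needed together with reassemble rule 99 because its functionality is included in the divert action". Only the reassembly performed by rule 99 is covered by divert; the ipfw nat 1 config line is not needed because natd is configured separately, not because divert absorbs it. Suggest splitting the sentence as the original did: the nat config line no longer applies, reassemble rule 99 is unnecessary because divert handles fragments, and rules 100 and 1000 change as shown below. Also "sligthly" (both columns) and "userpace" in the paragraph above are still misspelled.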
▲ Show 20 Lines • Show All 215 Lines • ▼ Show 20 Lines | &prompt.root; <userinput>ipfw -q add 00611 allow udp from any to 192.0.2.11 53 out via tun0 keep-state</userinput></screen> | ||||
refer to the instructions in <xref linkend="kernelconfig"/>. | refer to the instructions in <xref linkend="kernelconfig"/>. | ||||
The following options are available for the | The following options are available for the | ||||
custom kernel configuration file:</para> | custom kernel configuration file:</para> | ||||
<programlisting>options IPFIREWALL # enables IPFW | <programlisting>options IPFIREWALL # enables IPFW | ||||
options IPFIREWALL_VERBOSE # enables logging for rules with log keyword to syslogd(8) | options IPFIREWALL_VERBOSE # enables logging for rules with log keyword to syslogd(8) | ||||
options IPFIREWALL_VERBOSE_LIMIT=5 # limits number of logged packets per-entry | options IPFIREWALL_VERBOSE_LIMIT=5 # limits number of logged packets per-entry | ||||
options IPFIREWALL_DEFAULT_TO_ACCEPT # sets default policy to pass what is not explicitly denied | options IPFIREWALL_DEFAULT_TO_ACCEPT # sets default policy to pass what is not explicitly denied | ||||
options IPFIREWALL_NAT # enables in-kernel NAT support | options IPFIREWALL_NAT # enables basic in-kernel NAT support | ||||
options LIBALIAS # enables full in-kernel NAT support | |||||
options IPFIREWALL_NAT64 # enables in-kernel NAT64 support | options IPFIREWALL_NAT64 # enables in-kernel NAT64 support | ||||
options IPFIREWALL_NPTV6 # enables in-kernel IPv6 NPT support | options IPFIREWALL_NPTV6 # enables in-kernel IPv6 NPT support | ||||
options IPFIREWALL_PMOD # enables protocols modification module support | options IPFIREWALL_PMOD # enables protocols modification module support | ||||
options IPDIVERT # enables NAT through natd(8)</programlisting> | options IPDIVERT # enables NAT through natd(8)</programlisting> | ||||
<note> | <note> | ||||
<para><application>IPFW</application> can be loaded as | <para><application>IPFW</application> can be loaded as | ||||
a kernel module: options above are built by default | a kernel module: options above are built by default | ||||
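Review bot: the new line "options LIBALIAS # enables full in-kernel NAT support" could be read as an alternative to IPFIREWALL_NAT rather than an addition to it; the note earlier in this change says libalias.ko only provides basic NAT and that LIBALIAS compiles in the full functionality of the userland library, so the comment should make that relationship explicit, e.g. "# adds full libalias functionality to in-kernel NAT (use with IPFIREWALL_NAT)". Changing the IPFIREWALL_NAT comment to "basic in-kernel NAT support" is consistent with that note.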