en_US.ISO8859-1/books/handbook/firewalls/chapter.xml
| useful when debugging rules.</para> | ||||
<sect3 xml:id="pftut-gateway"> | <sect3 xml:id="pftut-gateway"> | ||||
<title>A Simple Gateway with NAT</title> | <title>A Simple Gateway with NAT</title> | ||||
<para>This section demonstrates how to configure a &os; system | <para>This section demonstrates how to configure a &os; system | ||||
running <application>PF</application> to act as a gateway | running <application>PF</application> to act as a gateway | ||||
for at least one other machine. The gateway needs at least | for at least one other machine. The gateway needs at least | ||||
two network interfaces, each connected to a separate | two network interfaces, each connected to a separate | ||||
network. In this example, <filename>xl1</filename> is | network. In this example, <filename>xl0</filename> is | ||||
connected to the Internet and <filename>xl0</filename> is | connected to the Internet and <filename>xl1</filename> is | ||||
connected to the internal network.</para> | connected to the internal network.</para> | ||||
<para>First, enable the gateway to let the machine | <para>First, enable the gateway to let the machine | ||||
forward the network traffic it receives on one interface to | forward the network traffic it receives on one interface to | ||||
another interface. This <application>sysctl</application> | another interface. This <application>sysctl</application> | ||||
setting will forward <acronym>IPv4</acronym> packets:</para> | setting will forward <acronym>IPv4</acronym> packets:</para> | ||||
<screen>&prompt.root; <userinput>sysctl net.inet.ip.forwarding=1</userinput></screen> | <screen>&prompt.root; <userinput>sysctl net.inet.ip.forwarding=1</userinput></screen> | ||||
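Review bot: the interface swap in this hunk (`xl0` now Internet-facing, `xl1` now internal) is the right fix: the rule shown further down in this section, `pass in on xl1 from xl1:network to xl0:network port $ports keep state`, only makes sense if xl1 is the internal interface, so the old prose contradicted its own example. Because this is a one-line narrative change, the collapsed parts of the section should be checked for any other rule that names the external interface (for example a nat rule on the Internet-facing side) so that every listing uses xl0 for the outside and xl1 for the inside; a reader who copies a mismatched interface name into a NAT or pass rule ends up with a gateway that forwards nothing, or forwards in the wrong direction.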
| pass proto udp to any port $udp_services keep state</programlisting> | ||||
<screen>&prompt.root; <userinput>sysrc gateway_enable=yes</userinput> | <screen>&prompt.root; <userinput>sysrc gateway_enable=yes</userinput> | ||||
&prompt.root; <userinput>sysrc ipv6_gateway_enable=yes</userinput></screen> | &prompt.root; <userinput>sysrc ipv6_gateway_enable=yes</userinput></screen> | ||||
<para>Verify with <command>ifconfig</command> that both of the | <para>Verify with <command>ifconfig</command> that both of the | ||||
interfaces are up and running.</para> | interfaces are up and running.</para> | ||||
<para>Next, create the <application>PF</application> rules to | <para>Next, create the <application>PF</application> rules to | ||||
allow the gateway to pass traffic. While the following rule | allow the gateway to pass traffic. While the following rule | ||||
allows stateful traffic to pass from the Internet to hosts | allows stateful traffic from hosts of the internal network | ||||
on the network, the <literal>to</literal> keyword does not | to pass to the gateway, the <literal>to</literal> keyword | ||||
guarantee passage all the way from source to | does not guarantee passage all the way from source to | ||||
destination:</para> | destination:</para> | ||||
<programlisting>pass in on xl1 from xl1:network to xl0:network port $ports keep state</programlisting> | <programlisting>pass in on xl1 from xl1:network to xl0:network port $ports keep state</programlisting> | ||||
<para>That rule only lets the traffic pass in to the gateway | <para>That rule only lets the traffic pass in to the gateway | ||||
on the internal interface. To let the packets go further, a | on the internal interface. To let the packets go further, a | ||||
matching rule is needed:</para> | matching rule is needed:</para> | ||||
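Review bot: the reworded description in this hunk now matches the rule's actual direction: `pass in on xl1 from xl1:network` matches packets arriving on the internal interface from internal hosts, so the old wording ("from the Internet to hosts on the network") described the opposite flow and would have misled readers about what the stateful rule admits. Two small wording points: "hosts of the internal network" reads more naturally as "hosts on the internal network", and since the rule's destination is `xl0:network` rather than the gateway itself, "to pass to the gateway" could be read as traffic addressed to the gateway; "to enter the gateway" keeps it unambiguous, and the following paragraph already explains that a matching out rule is still required. Separately, the earlier sentence says the sysctl forwards IPv4 packets, while the persistent settings here also enable `ipv6_gateway_enable`; no runtime IPv6 forwarding counterpart is shown, so readers following the section step by step will have IPv6 forwarding only after a reboot or an rc restart.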