Old 13th July 2008
ivanatora
Real Name: Ivan
Fdisk Soldier
Join Date: Jul 2008
Location: Bulgaria
Posts: 51
Default Couple of network questions (NAT, firewalls)

First to say hello - I've been redirected here from bsdforums...
I'm a recent FreeBSD 7 user and I want to do in FreeBSD the things I've done on Linux.
Let's start with firewalls.
I've compiled my kernel to support both ipfw and ipf. The first surprise was losing all network connectivity upon reboot, but I understood that this is the default policy of these firewalls. I solved that for ipfw with the following FIREWALL_SCRIPT:
ipfw add 65000 allow ip from any to any
I still can't understand how to disable ipf (I don't want it currently) and I have to type after every reboot:
ipf -D
I tried with ipfilter_enable="NO" in rc.conf but this is not the way. I was told to compile ipfilter as a module and not include it in the kernel itself. How do I do that? Currently I have 'options IPFILTER' in the kernel config. If I drop this out I won't have ipfilter built in, but will it automatically compile as a module? How do I mark which features I want as modules?

Issue number 2 - NAT. I succeeded in running natd, and a simple divert rule for ipfw did the job:
ipfw add 500 divert natd all from any to any via re0
However I want only one machine to have access to this. I tried these:
ipfw add 500 divert natd all from to any via re0
ipfw add 500 divert natd all from any to via re0
(Of course after flushing the rules)
OK, that is interesting. I was logged in from and after I changed the divert rule I lost the connection from to the server (which is 1 meter away and doesn't have any other rules in the firewall list except pass all). Why is that happening? I'm sshing directly to the internal address - which is an alias of re0, which doesn't care what the NAT state is. It should be pingable even if no NAT is established. Right?

The second thing I tried was to pass some options to the natd daemon (like -redirect_address). For that purpose I first killed the natd daemon, and guess what - the secondary machine got cut off again. So what is the connection between NAT and ssh? I'm doing a simple peer-to-peer connection and there is nothing wrong with the IP settings.
Am I going the right way with -redirect_address? I didn't manage to try this out after the connection was cut.
And how can I redirect a public address if my ISP has provided several? Is it with that -redirect_address option?
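The ruleset below is an added example, not the poster's configuration or anything from the FreeBSD project. It shows the shape of an ipfw firewall script that restricts natd to a single internal client while keeping LAN traffic (including ssh to the address aliased on re0) away from the divert rules altogether, and it shows the argument order natd(8) documents for -redirect_address (local address first, then public address). Every address is a hypothetical placeholder: INT_NET for the network behind the alias, NAT_CLIENT for the one host allowed to use NAT, PUB_IP for a second ISP-provided address. The script prints the commands by default (DRYRUN=1) so the rule order can be reviewed before it is loaded; running it with DRYRUN=0 executes them. Forwarding itself still has to be enabled separately (gateway_enable="YES" in rc.conf), and the public address used with -redirect_address must already be configured as an alias on the external interface, since natd only rewrites packets.

```shell
#!/bin/sh
# Added example (not the poster's setup): ipfw rules plus natd start-up that
# keep LAN traffic away from natd and divert outbound traffic for one client only.
# All addresses used here are hypothetical placeholders.
# DRYRUN=1 (default) prints the commands; DRYRUN=0 executes them.

DRYRUN="${DRYRUN:-1}"

run() {
    if [ "$DRYRUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# load_rules EXT_IF INT_NET NAT_CLIENT
load_rules() {
    ext_if=$1
    int_net=$2
    nat_client=$3

    run ipfw -q flush
    run ipfw add 100 allow ip from any to any via lo0

    # Rule 200 is the important one: LAN-to-LAN packets (ssh to the alias
    # address included) are accepted before any divert rule is reached, so
    # they are never handed to natd, whether or not natd is running.
    run ipfw add 200 allow ip from "$int_net" to "$int_net"

    # Outbound: only NAT_CLIENT is diverted. Inbound on the external interface
    # is always diverted, because replies still carry the public address and
    # natd has to rewrite them before ipfw can match the internal destination.
    run ipfw add 500 divert natd ip from "$nat_client" to any out via "$ext_if"
    run ipfw add 510 divert natd ip from any to any in via "$ext_if"

    # Other internal hosts are not translated; deny them here instead of
    # leaking packets with private source addresses to the ISP.
    run ipfw add 600 deny ip from "$int_net" to any out via "$ext_if"

    # Keep the poster's open policy for everything else while experimenting.
    run ipfw add 65000 allow ip from any to any
}

# start_natd EXT_IF NAT_CLIENT PUB_IP
# Static 1:1 mapping of PUB_IP to NAT_CLIENT. natd(8) takes the local
# (internal) address first and the public address second. PUB_IP must already
# be an alias on EXT_IF; natd does not add addresses.
start_natd() {
    ext_if=$1
    nat_client=$2
    pub_ip=$3
    run natd -n "$ext_if" -redirect_address "$nat_client" "$pub_ip"
}

# Usage with placeholder values (re0 as in the post, RFC 1918 and
# documentation-range addresses otherwise):
load_rules re0 192.168.0.0/24 192.168.0.10
start_natd re0 192.168.0.10 203.0.113.5
```

With DRYRUN=0 the same script can be pointed to from rc.conf as firewall_script; the part worth keeping even if the rest is changed is that the LAN allow rule sits at a lower number than the first divert rule.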