svn commit: r44081 - head/en_US.ISO8859-1/books/handbook/firewalls
Dru Lavigne
dru at FreeBSD.org
Wed Feb 26 23:03:12 UTC 2014
Author: dru
Date: Wed Feb 26 23:03:12 2014
New Revision: 44081
URL: http://svnweb.freebsd.org/changeset/doc/44081
Log:
Initial merge of IPFW NAT content.
Tomorrow's commits will review the technical content.
Sponsored by: iXsystems
Modified:
head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml
Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Wed Feb 26 22:19:04 2014 (r44080)
+++ head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Wed Feb 26 23:03:12 2014 (r44081)
@@ -1999,6 +1999,18 @@ options IPDIVERT # enables NAT</pro
<replaceable>interface-name</replaceable> to specify
the interface the packet is traveling over.</para>
+ <note>
+ <para>When first creating or testing a firewall ruleset,
+ consider temporarily setting this tunable:</para>
+
+ <programlisting>net.inet.ip.fw.default_to_accept="1"</programlisting>
+
+ <para>This sets the default policy of &man.ipfw.8; to
+ be more permissive than the default <literal>deny ip from
+ any to any</literal>, making it slightly more difficult
+ to get locked out of the system right after a reboot.</para>
+ </note>
+
<para>The firewall script begins by indicating that it is a
Bourne shell script and flushes any existing rules. It then
creates the <literal>cmd</literal> variable so that
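Review bot: the new note never says where `net.inet.ip.fw.default_to_accept="1"` goes (it is a loader tunable, a line in /boot/loader.conf, not a sysctl that can be flipped at runtime), and it understates the consequence: with it set, the final rule 65535 becomes `allow ip from any to any`, so a ruleset that fails to load leaves the host reachable and completely unfiltered, which is more than "slightly more difficult to get locked out". Suggest naming the file, saying plainly that the tunable makes the firewall fail open, and adding a sentence telling the reader to remove it once the ruleset is known to load cleanly at boot.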
@@ -2122,31 +2134,86 @@ pif="dc0" # interface name of NIC at
</sect2>
<sect2 xml:id="network-natd">
+ <info>
<title>Configuring <acronym>NAT</acronym></title>
+ <authorgroup>
+ <author>
+ <personname>
+ <firstname>Chern</firstname>
+ <surname>Lee</surname>
+ </personname>
+ <contrib>Contributed by </contrib>
+ </author>
+ </authorgroup>
+ </info>
<indexterm>
<primary>NAT</primary>
<secondary>and <application>IPFW</application></secondary>
</indexterm>
- <para>There are some additional configuration statements that
- need to be enabled to activate the <acronym>NAT</acronym>
- function of <application>IPFW</application>. For a
- customized kernel, the kernel configuration file needs
- <literal>option IPDIVERT</literal> added to the other
+ <para>&os;'s built-in
+ <acronym>NAT</acronym> daemon, &man.natd.8;, works in
+ conjunction with <application>IPFW</application> to provide
+ network address translation. This can be used to provide an
+ Internet Connection Sharing solution so that
+ several internal computers can connect to the Internet using
+ <acronym>IP</acronym> address.</para>
+
+ <para>To do this, the &os; machine connected to the Internet
+ must act as a gateway. This gateway machine must have two
+ <acronym>NIC</acronym>s: one connects to the Internet router
+ and the other connects to a <acronym>LAN</acronym>. All the
+ machines on the <acronym>LAN</acronym> are connected through
+ a hub or switch.</para>
+
+ <para>Each machine and interface behind the
+ <acronym>LAN</acronym> should be assigned
+ <acronym>IP</acronym> addresses in the private network space,
+ as defined by <link
+ xlink:href="ftp://ftp.isi.edu/in-notes/rfc1918.txt">RFC
+ 1918</link>, and have a default gateway of the
+ &man.natd.8; machine's internal <acronym>IP</acronym>
+ address.</para>
+
+ <para>Some additional configuration is
+ needed in order to activate the <acronym>NAT</acronym>
+ function of <application>IPFW</application>. If the system
+ has a custom kernel, the kernel configuration file needs to
+ include <literal>option IPDIVERT</literal> with the other
<literal>IPFIREWALL</literal> options.</para>
- <para>In addition to the normal
- <application>IPFW</application> options in
- <filename>/etc/rc.conf</filename>, the following are
- needed:</para>
-
- <programlisting>natd_enable="YES" # Enable <acronym>NAT</acronym>D function
-natd_interface="rl0" # interface name of public Internet NIC
+ <para>To enable firewall and <acronym>NAT</acronym> support at
+ boot time, the following must be in
+ <filename>/etc/rc.conf</filename>:</para>
+
+ <programlisting>gateway_enable="YES" # enables the gateway function
+natd_enable="YES" # enables the <acronym>NAT</acronym> function
+natd_interface="rl0" # specify interface name of NIC attached to Internet
natd_flags="-dynamic -m" # -m = preserve port numbers if possible</programlisting>
- <para>Utilizing stateful rules with a <literal>divert
+ <note>
+ <para>It is also possible to use a configuration file for
+ &man.natd.8; when there are too many options to pass. In
+ this case, the configuration file must be defined by adding
+ the following line to
+ <filename>/etc/rc.conf</filename>:</para>
+
+ <programlisting>natd_flags="-f /etc/natd.conf"</programlisting>
+
+ <para>A list of configuration options, one per line, can be
+ added to <filename>/etc/natd.conf</filename>. For
+ example:</para>
+
+ <programlisting>redirect_port tcp 192.168.0.2:6667 6667
+redirect_port tcp 192.168.0.3:80 80</programlisting>
+
+ <para>For more information about this configuration file,
+ consult &man.natd.8;.</para>
+ </note>
+
+ <para>Utilizing stateful rules with a <literal>divert
natd</literal> rule complicates the ruleset logic. The
positioning of the <literal>check-state</literal>, and
<literal>divert natd</literal> rules in the ruleset is
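Review bot: `<literal>option IPDIVERT</literal>` in the "Some additional configuration is needed" paragraph should read `options IPDIVERT`, matching the kernel configuration keyword and the `options IPDIVERT # enables NAT` context line at the top of the hunk. Three smaller points in the same hunk: "connect to the Internet using IP address" has lost its article (presumably "using a single IP address"); the `natd_flags="-f /etc/natd.conf"` line in the new note replaces, rather than adds to, the `natd_flags="-dynamic -m"` line shown just above it, so the note should say that `-dynamic` and `-m` then have to move into the file (as `dynamic yes` and `same_ports yes`, the config-file spelling without the leading dash that natd(8) describes); and "To enable firewall and NAT support at boot time" promises a firewall_enable line that the listing does not contain.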
@@ -2431,7 +2498,131 @@ pif="rl0" # public interface name of
# deny and log all packets that fell through to see what they are
$cmd 999 deny log all from any to any
################ End of IPFW rules file ###############################</programlisting>
- </sect2>
+
+ <sect3>
+ <title>Port Redirection</title>
+
+ <para>The drawback with &man.natd.8; is that the
+ <acronym>LAN</acronym> clients are not accessible from the
+ Internet. Clients on the <acronym>LAN</acronym> can make
+ outgoing connections to the world but cannot receive incoming
+ ones. This presents a problem if trying to run Internet
+ services on one of the <acronym>LAN</acronym> client machines.
+ A simple way around this is to redirect selected Internet
+ ports on the &man.natd.8; machine to a <acronym>LAN</acronym>
+ client.</para>
+
+ <para>For example, an <acronym>IRC</acronym> server runs on
+ client <systemitem>A</systemitem> and a web server runs on
+ client <systemitem>B</systemitem>. For this to work properly,
+ connections received on ports 6667 (<acronym>IRC</acronym>)
+ and 80 (<acronym>HTTP</acronym>) must be redirected to the
+ respective machines.</para>
+
+ <para>The syntax for <option>-redirect_port</option> is as
+ follows:</para>
+
+ <programlisting> -redirect_port proto targetIP:targetPORT[-targetPORT]
+ [aliasIP:]aliasPORT[-aliasPORT]
+ [remoteIP[:remotePORT[-remotePORT]]]</programlisting>
+
+ <para>In the above example, the argument should be:</para>
+
+ <programlisting> -redirect_port tcp 192.168.0.2:6667 6667
+ -redirect_port tcp 192.168.0.3:80 80</programlisting>
+
+ <para>This redirects the proper <acronym>TCP</acronym> ports
+ to the <acronym>LAN</acronym> client machines.</para>
+
+ <para>Port ranges over individual ports can be indicated with
+ <option>-redirect_port</option>. For example,
+ <replaceable>tcp 192.168.0.2:2000-3000 2000-3000</replaceable>
+ would redirect all connections received on ports 2000 to 3000
+ to ports 2000 to 3000 on client
+ <systemitem>A</systemitem>.</para>
+
+ <para>These options can be used when directly running
+ &man.natd.8;, placed within the
+ <literal>natd_flags=""</literal> option in
+ <filename>/etc/rc.conf</filename>, or passed via a
+ configuration file.</para>
+
+ <para>For further configuration options, consult
+ &man.natd.8;</para>
+ </sect3>
+
+ <sect3>
+ <title>Address Redirection</title>
+
+ <indexterm>
+ <primary>address redirection</primary>
+ </indexterm>
+
+ <para>Address redirection is useful if more than one
+ <acronym>IP</acronym> address is available. Each
+ <acronym>LAN</acronym> client can be assigned its own
+ external <acronym>IP</acronym> address by &man.natd.8;,
+ which will then rewrite outgoing packets from the
+ <acronym>LAN</acronym> clients with the proper external
+ <acronym>IP</acronym> address and redirects all traffic
+ incoming on that particular <acronym>IP</acronym> address
+ back to the specific <acronym>LAN</acronym> client. This is
+ also known as static <acronym>NAT</acronym>. For example,
+ if <acronym>IP</acronym> addresses <systemitem
+ class="ipaddress">128.1.1.1</systemitem>, <systemitem
+ class="ipaddress">128.1.1.2</systemitem>, and <systemitem
+ class="ipaddress">128.1.1.3</systemitem> are available,
+ <systemitem class="ipaddress">128.1.1.1</systemitem> can be
+ used as the &man.natd.8; machine's external
+ <acronym>IP</acronym> address, while <systemitem
+ class="ipaddress">128.1.1.2</systemitem> and <systemitem
+ class="ipaddress">128.1.1.3</systemitem> are forwarded back
+ to <acronym>LAN</acronym> clients <systemitem>A</systemitem>
+ and <systemitem>B</systemitem>.</para>
+
+ <para>The <option>-redirect_address</option> syntax is as
+ follows:</para>
+
+ <programlisting>-redirect_address localIP publicIP</programlisting>
+
+
+ <informaltable frame="none" pgwide="1">
+ <tgroup cols="2">
+ <tbody>
+ <row>
+ <entry>localIP</entry>
+ <entry>The internal <acronym>IP</acronym> address of
+ the <acronym>LAN</acronym> client.</entry>
+ </row>
+
+ <row>
+ <entry>publicIP</entry>
+ <entry>The external <acronym>IP</acronym> address
+ corresponding to the <acronym>LAN</acronym>
+ client.</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+
+ <para>In the example, this argument would read:</para>
+
+ <programlisting>-redirect_address 192.168.0.2 128.1.1.2
+-redirect_address 192.168.0.3 128.1.1.3</programlisting>
+
+ <para>Like <option>-redirect_port</option>, these arguments are
+ placed within the <literal>natd_flags=""</literal> option
+ of <filename>/etc/rc.conf</filename>, or passed via a
+ configuration file. With address redirection, there is no
+ need for port redirection since all data received on a
+ particular <acronym>IP</acronym> address is redirected.</para>
+
+ <para>The external <acronym>IP</acronym> addresses on the
+ &man.natd.8; machine must be active and aliased to the
+ external interface. Refer to &man.rc.conf.5; for
+ details.</para>
+ </sect3>
+</sect2>
<sect2 xml:id="firewalls-ipfw-cmd">
<title>The <application>IPFW</application> Command</title>
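Review bot: neither new sect3 says what redirection does to the gateway's security posture, and this is the section where it matters: once `divert natd` has rewritten the destination of an inbound packet to the LAN client, the rules that follow the divert decide what reaches that client, so the ruleset must allow only the redirected ports; with `-redirect_address` every port on the client is reachable from the Internet unless the rules after the divert block it, which is exactly the exposure the Port Redirection paragraph's "drawback" was protecting against. Suggest one sentence in each sect3 saying that the redirected host is now exposed and that the firewall rules, not natd, are what limit inbound access. Smaller points: the `128.1.1.1` to `128.1.1.3` examples are live, routable addresses, and the RFC 5737 documentation range (`203.0.113.0/24`) would be the safer illustration; `consult &man.natd.8;</para>` lacks its full stop; there is a stray double blank line before the `<informaltable>`; and the closing `</sect2>` is re-added at column 0 where the removed line was indented.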