- Simplify multiple sentences to remove the words: furthermore, also, ...
- Fix typos, IP address in redirect_port example & visible double space after sentence stop
- Restructure TSO comment together with the in-kernel NAT instance paragraph
- Add kernel option for libalias full functionality
- Unify engine/facility/... to facility

Submitted by: Dries Michiels (driesm.michiels_gmail.com)
Approved by: bcr@
Differential Revision: https://reviews.freebsd.org/D23426
parent: d154edb528
commit: 21fce33ca7
Notes: svn2git 2020-12-08 03:00:23 +00:00, svn path=/head/; revision=53911
1 changed file with 85 additions and 87 deletions
@ -2153,15 +2153,13 @@ pif="dc0" # interface name of NIC attached to Internet</programlisting>
|
||||||
</indexterm>
|
</indexterm>
|
||||||
|
|
||||||
<para>&os;'s <application>IPFW</application> firewall has two
|
<para>&os;'s <application>IPFW</application> firewall has two
|
||||||
implementations of <acronym>NAT</acronym>: one being the
|
implementations of <acronym>NAT</acronym>: the userland
|
||||||
userland &man.natd.8; daemon, and the more recent
|
implementation &man.natd.8;, and the more recent in-kernel
|
||||||
<application>IPFW</application>'s built-in
|
<acronym>NAT</acronym> implementation. Both work in
|
||||||
<acronym>NAT</acronym> facility also known as in-kernel
|
conjunction with <application>IPFW</application> to provide
|
||||||
<acronym>NAT</acronym>. Both work in conjunction with
|
network address translation. This can be used to provide an
|
||||||
<application>IPFW</application> to provide network address
|
Internet Connection Sharing solution so that several internal
|
||||||
translation. This can be used to provide an Internet
|
computers can connect to the Internet using a single public
|
||||||
Connection Sharing solution so that several internal computers
|
|
||||||
can connect to the Internet using a single public
|
|
||||||
<acronym>IP</acronym> address.</para>
|
<acronym>IP</acronym> address.</para>
|
||||||
|
|
||||||
<para>To do this, the &os; machine connected to the Internet
|
<para>To do this, the &os; machine connected to the Internet
|
||||||
|
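Review bot: the rewritten sentence in this hunk reads "the more recent in-kernel NAT facility also known as in-kernel NAT", which names the same thing twice. Suggest dropping the second mention or contrasting it with the first implementation instead, e.g. "and the more recent NAT facility built into IPFW, also known as in-kernel NAT". The following sentence "Both work in conjunction with IPFW" is also awkward for a facility that is part of IPFW itself; "Both are driven by IPFW rules" or similar would be clearer.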
@ -2176,7 +2174,7 @@ pif="dc0" # interface name of NIC attached to Internet</programlisting>
|
||||||
1918</link>.</para>
|
1918</link>.</para>
|
||||||
|
|
||||||
<para>Some additional configuration is needed in order to enable
|
<para>Some additional configuration is needed in order to enable
|
||||||
the in-kernel <acronym>NAT</acronym> function of
|
the in-kernel <acronym>NAT</acronym> facility of
|
||||||
<application>IPFW</application>. To enable in-kernel
|
<application>IPFW</application>. To enable in-kernel
|
||||||
<acronym>NAT</acronym> support at boot time, the following
|
<acronym>NAT</acronym> support at boot time, the following
|
||||||
must be set in <filename>/etc/rc.conf</filename>:</para>
|
must be set in <filename>/etc/rc.conf</filename>:</para>
|
||||||
|
@ -2186,9 +2184,9 @@ firewall_enable="YES"
|
||||||
firewall_nat_enable="YES"</programlisting>
|
firewall_nat_enable="YES"</programlisting>
|
||||||
|
|
||||||
<note>
|
<note>
|
||||||
<para>When <literal>firewall_enable</literal> is not set,
|
<para>When <literal>firewall_nat_enable</literal> is set but
|
||||||
but <literal>firewall_nat_enable</literal> is, it will have
|
<literal>firewall_enable</literal> is not, it will have no
|
||||||
no effect and do nothing, because the in-kernel
|
effect and do nothing. This is because the in-kernel
|
||||||
<acronym>NAT</acronym> implementation is only compatible
|
<acronym>NAT</acronym> implementation is only compatible
|
||||||
with <application>IPFW</application>.</para></note>
|
with <application>IPFW</application>.</para></note>
|
||||||
|
|
||||||
|
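Review bot: in the rewritten note, "it will have no effect and do nothing" has an unclear subject and says the same thing twice; suggest "firewall_nat_enable has no effect". The reason given in the second sentence ("only compatible with IPFW") understates it: the in-kernel NAT facility is part of IPFW, so without firewall_enable there is no firewall for it to attach to.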
@ -2196,29 +2194,15 @@ firewall_nat_enable="YES"</programlisting>
|
||||||
of the <acronym>NAT</acronym> rule is critical and the
|
of the <acronym>NAT</acronym> rule is critical and the
|
||||||
<literal>skipto</literal> action is used. The
|
<literal>skipto</literal> action is used. The
|
||||||
<literal>skipto</literal> action requires a rule number so
|
<literal>skipto</literal> action requires a rule number so
|
||||||
that it knows which rule to jump to. Furthermore, because
|
that it knows which rule to jump to. The example below builds
|
||||||
of the architecture of &man.libalias.3;, a library implemented
|
upon the firewall ruleset shown in the previous section. It
|
||||||
as a kernel module used for the in-kernel
|
adds some additional entries and modifies some existing rules
|
||||||
<acronym>NAT</acronym> facility of
|
in order to configure the firewall for in-kernel
|
||||||
<application>IPFW</application>, it is necessary to disable
|
<acronym>NAT</acronym>. It starts by adding some additional
|
||||||
TCP segmentation offloading, or in short
|
variables which represent the rule number to skip to, the
|
||||||
<acronym>TSO</acronym>. <acronym>TSO</acronym> can be
|
<literal>keep-state</literal> option, and a list of
|
||||||
disabled on a per network interface basis by using
|
<acronym>TCP</acronym> ports which will be used to reduce the
|
||||||
&man.ifconfig.8; or on a system wide basis using
|
number of rules.</para>
|
||||||
&man.sysctl.8;. To disable <acronym>TSO</acronym> system
|
|
||||||
wide, the following must be set in
|
|
||||||
<filename>/etc/sysctl.conf</filename>:</para>
|
|
||||||
|
|
||||||
<programlisting>net.inet.tcp.tso="0"</programlisting>
|
|
||||||
|
|
||||||
<para>The example below builds upon the firewall ruleset
|
|
||||||
shown in the previous section. It adds some additional
|
|
||||||
entries and modifies some existing rules in order to configure
|
|
||||||
the firewall for in-kernel <acronym>NAT</acronym>. It starts
|
|
||||||
by adding some additional variables which represent the rule
|
|
||||||
number to skip to, the <literal>keep-state</literal> option,
|
|
||||||
and a list of <acronym>TCP</acronym> ports which will be used
|
|
||||||
to reduce the number of rules.</para>
|
|
||||||
|
|
||||||
<programlisting>#!/bin/sh
|
<programlisting>#!/bin/sh
|
||||||
ipfw -q -f flush
|
ipfw -q -f flush
|
||||||
|
@ -2228,28 +2212,41 @@ pif=dc0
|
||||||
ks="keep-state"
|
ks="keep-state"
|
||||||
good_tcpo="22,25,37,53,80,443,110"</programlisting>
|
good_tcpo="22,25,37,53,80,443,110"</programlisting>
|
||||||
|
|
||||||
<para>A <acronym>NAT</acronym> instance will also be
|
<para>With in-kernel <acronym>NAT</acronym> it is
|
||||||
configured. With in-kernel <acronym>NAT</acronym> it is
|
necessary to disable TCP segmentation offloading
|
||||||
possible to have multiple <acronym>NAT</acronym> instances
|
(<acronym>TSO</acronym>) due to the architecture of
|
||||||
each with their own configuration. Although, for this example
|
&man.libalias.3;, a library implemented as a kernel module to
|
||||||
only one <acronym>NAT</acronym> instance is needed;
|
provide the in-kernel <acronym>NAT</acronym> facility of
|
||||||
|
<application>IPFW</application>. <acronym>TSO</acronym> can
|
||||||
|
be disabled on a per network interface basis using
|
||||||
|
&man.ifconfig.8; or on a system wide basis using
|
||||||
|
&man.sysctl.8;. To disable <acronym>TSO</acronym> system
|
||||||
|
wide, the following must be set it
|
||||||
|
<filename>/etc/sysctl.conf</filename>:</para>
|
||||||
|
|
||||||
|
<programlisting>net.inet.tcp.tso="0"</programlisting>
|
||||||
|
|
||||||
|
<para>A <acronym>NAT</acronym> instance will also be configured.
|
||||||
|
It is possible to have multiple <acronym>NAT</acronym>
|
||||||
|
instances each with their own configuration. For this example
|
||||||
|
only one <acronym>NAT</acronym> instance is needed,
|
||||||
<acronym>NAT</acronym> instance number 1. The configuration
|
<acronym>NAT</acronym> instance number 1. The configuration
|
||||||
takes a few arguments and flags such as: <option>if</option>
|
can take a few options such as: <option>if</option> which
|
||||||
which indicates the public interface,
|
indicates the public interface, <option>same_ports</option>
|
||||||
<option>same_ports</option> which takes care that alliased
|
which takes care that alliased ports and local port numbers
|
||||||
ports and local port numbers are mapped the same,
|
are mapped the same, <option>unreg_only</option> will result
|
||||||
<option>unreg_only</option> will result in only unregistered
|
in only unregistered (private) address spaces to be processed
|
||||||
(private) address spaces to be processed by the
|
by the <acronym>NAT</acronym> instance, and
|
||||||
<acronym>NAT</acronym> instance, and <option>reset</option>
|
<option>reset</option> which will help to keep a functioning
|
||||||
which will help to keep a functioning <acronym>NAT</acronym>
|
<acronym>NAT</acronym> instance even when the public
|
||||||
instance even when the public <acronym>IP</acronym> address of
|
<acronym>IP</acronym> address of the
|
||||||
the <application>IPFW</application> machine changes. For all
|
<application>IPFW</application> machine changes. For all
|
||||||
possible options that can be passed to a single
|
possible options that can be passed to a single
|
||||||
<acronym>NAT</acronym> instance configuration consult
|
<acronym>NAT</acronym> instance configuration consult
|
||||||
&man.ipfw.8;. Furthermore, because of the nature of a
|
&man.ipfw.8;. When configuring a stateful
|
||||||
stateful <acronym>NAT</acronym>ing firewall, it is neseccary
|
<acronym>NAT</acronym>ing firewall, it is neseccary to allow
|
||||||
to allow translated packets to be reinjected in the firewall
|
translated packets to be reinjected in the firewall for
|
||||||
for further processing, this can be achieved by disabling
|
further processing. This can be achieved by disabling
|
||||||
<option>one_pass</option> behavior at the start of the
|
<option>one_pass</option> behavior at the start of the
|
||||||
firewall script.</para>
|
firewall script.</para>
|
||||||
|
|
||||||
|
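Review bot: the relocated TSO paragraph introduces a typo on its last line, "the following must be set it /etc/sysctl.conf", which should read "must be set in". Two misspellings that this commit's message says it fixes also survive in the rewritten NAT-instance paragraph: "alliased ports" (aliased) and "it is neseccary to allow" (necessary).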
@ -2272,21 +2269,21 @@ ipfw -q nat 1 config if $pif same_ports unreg_only reset</programlisting>
|
||||||
happen, but when dealing with <acronym>IPSEC/ESP/GRE</acronym>
|
happen, but when dealing with <acronym>IPSEC/ESP/GRE</acronym>
|
||||||
tunneling traffic it might and the reassmabling of fragments
|
tunneling traffic it might and the reassmabling of fragments
|
||||||
is necessary before handing the complete packet over to the
|
is necessary before handing the complete packet over to the
|
||||||
in-kernel <acronym>NAT</acronym> engine.</para>
|
in-kernel <acronym>NAT</acronym> facility.</para>
|
||||||
|
|
||||||
<note>
|
<note>
|
||||||
<para>The reassemble rule was not needed with userland
|
<para>The reassemble rule was not needed with userland
|
||||||
&man.natd.8; because the internal workings of the
|
&man.natd.8; because the internal workings of the
|
||||||
<application>IPFW</application> <literal>divert</literal>
|
<application>IPFW</application> <literal>divert</literal>
|
||||||
action already takes care of this automatically as also
|
action already takes care of reassambling packets before
|
||||||
stated in &man.ipfw.8;.</para>
|
delivery to the socket as also stated in &man.ipfw.8;.</para>
|
||||||
|
|
||||||
<para>The current <acronym>NAT</acronym> instance number and
|
<para>The <acronym>NAT</acronym> instance and rule number used
|
||||||
<acronym>NAT</acronym> rule number does not match with the
|
in this example does not match with the default
|
||||||
default <acronym>NAT</acronym> instance number and rule
|
<acronym>NAT</acronym> instance and rule number created by
|
||||||
number created by <filename>rc.firewall</filename> which is
|
<filename>rc.firewall</filename>.
|
||||||
a script to set up the baked-in default firewall rulesets
|
<filename>rc.firewall</filename> is a script that sets up
|
||||||
present in &os;.</para></note>
|
the default firewall rules present in &os;.</para></note>
|
||||||
|
|
||||||
<programlisting>$cmd 005 allow all from any to any via xl0 # exclude LAN traffic
|
<programlisting>$cmd 005 allow all from any to any via xl0 # exclude LAN traffic
|
||||||
$cmd 010 allow all from any to any via lo0 # exclude loopback traffic
|
$cmd 010 allow all from any to any via lo0 # exclude loopback traffic
|
||||||
|
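Review bot: the new wording "takes care of reassambling packets before delivery to the socket" misspells "reassembling", and the unchanged context above it has "reassmabling of fragments" with the same problem. In the rewritten note, "The NAT instance and rule number used in this example does not match" has a compound subject and needs "do not match".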
@ -2306,8 +2303,8 @@ ipfw -q nat 1 config if $pif same_ports unreg_only reset</programlisting>
|
||||||
|
|
||||||
<note>
|
<note>
|
||||||
<para>Remember that <application>IPFW</application>'s
|
<para>Remember that <application>IPFW</application>'s
|
||||||
firewall performance is largely determined by the number of
|
performance is largely determined by the number of rules
|
||||||
rules present in the ruleset.</para></note>
|
present in the ruleset.</para></note>
|
||||||
|
|
||||||
<programlisting># Authorized outbound packets
|
<programlisting># Authorized outbound packets
|
||||||
$cmd 120 $skip udp from any to x.x.x.x 53 out via $pif $ks
|
$cmd 120 $skip udp from any to x.x.x.x 53 out via $pif $ks
|
||||||
|
@ -2375,17 +2372,18 @@ ipfw -q nat 1 config if $pif same_ports unreg_only reset</programlisting>
|
||||||
interface.</para>
|
interface.</para>
|
||||||
|
|
||||||
<note>
|
<note>
|
||||||
<para>Transition from userland &man.natd.8; to in-kernel
|
<para>Transitioning from userland &man.natd.8; to in-kernel
|
||||||
<acronym>NAT</acronym> might seem seamless at first but
|
<acronym>NAT</acronym> might seem seamless at first but
|
||||||
there is small catch. When using the GENERIC kernel,
|
there is small catch. When using the GENERIC kernel,
|
||||||
<application>IPFW</application> will load the
|
<application>IPFW</application> will load the
|
||||||
<filename>libalias.ko</filename>
|
<filename>libalias.ko</filename> kernel module, when
|
||||||
kernel module, when <literal>firewall_nat_enable</literal>
|
<literal>firewall_nat_enable</literal> is enabled in
|
||||||
is enabled in <filename>rc.conf</filename>. Although, the
|
<filename>rc.conf</filename>. The
|
||||||
loaded module only provides basic <acronym>NAT</acronym>
|
<filename>libalias.ko</filename> kernel module only provides
|
||||||
functionality, whereas the userland implementation
|
basic <acronym>NAT</acronym> functionality, whereas the
|
||||||
&man.natd.8; has all functionality available without any
|
userland implementation &man.natd.8; has all
|
||||||
extra configuration from its userland library. All
|
<acronym>NAT</acronym> functionality available in its
|
||||||
|
userland library without any extra configuration. All
|
||||||
functionality refers to the following kernel modules that
|
functionality refers to the following kernel modules that
|
||||||
can additionally be loaded when needed besides the standard
|
can additionally be loaded when needed besides the standard
|
||||||
<filename>libalias.ko</filename> kernel module:
|
<filename>libalias.ko</filename> kernel module:
|
||||||
|
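Review bot: "there is small catch" in the unchanged context is missing its article ("a small catch"); since the sentence before it is being rewritten anyway, this is a good moment to fix it. "has all NAT functionality available in its userland library without any extra configuration" reads more clearly as "has the full NAT functionality of the userland library available without extra configuration".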
@ -2396,10 +2394,9 @@ ipfw -q nat 1 config if $pif same_ports unreg_only reset</programlisting>
|
||||||
<filename>alias_pptp.ko</filename> and
|
<filename>alias_pptp.ko</filename> and
|
||||||
<filename>alias_smedia.ko</filename> using the
|
<filename>alias_smedia.ko</filename> using the
|
||||||
<literal>kld_list</literal> directive in
|
<literal>kld_list</literal> directive in
|
||||||
<filename>rc.conf</filename> to mimic the full functionality
|
<filename>rc.conf</filename>. If a custom kernel is used,
|
||||||
of the userland implementation. If a custom kernel is used,
|
|
||||||
the full functionality of the userland library can be
|
the full functionality of the userland library can be
|
||||||
compiled in, in the kernel, using the <option>option
|
compiled in, in the kernel, using the <option>options
|
||||||
LIBALIAS</option>.</para></note>
|
LIBALIAS</option>.</para></note>
|
||||||
|
|
||||||
<sect3>
|
<sect3>
|
||||||
|
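Review bot: the change from "option LIBALIAS" to "options LIBALIAS" is correct, since "options" is the kernel configuration keyword. "compiled in, in the kernel" on the line before it should read "compiled into the kernel".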
@ -2450,7 +2447,7 @@ redirect_port tcp 192.168.0.3:80 80</programlisting>
|
||||||
|
|
||||||
<programlisting>ipfw -q nat 1 config if $pif same_ports unreg_only reset \
|
<programlisting>ipfw -q nat 1 config if $pif same_ports unreg_only reset \
|
||||||
redirect_port tcp 192.168.0.2:6667 6667 \
|
redirect_port tcp 192.168.0.2:6667 6667 \
|
||||||
redirect_port tcp 192.1683.0.3:80 80</programlisting>
|
redirect_port tcp 192.168.0.3:80 80</programlisting>
|
||||||
|
|
||||||
<para>Port ranges over individual ports can be indicated with
|
<para>Port ranges over individual ports can be indicated with
|
||||||
<option>redirect_port</option>. For example,
|
<option>redirect_port</option>. For example,
|
||||||
|
@ -2539,13 +2536,13 @@ natd_interface="rl0"</programlisting>
|
||||||
|
|
||||||
<para>In general, the above ruleset as explained for in-kernel
|
<para>In general, the above ruleset as explained for in-kernel
|
||||||
<acronym>NAT</acronym> can also be used together with
|
<acronym>NAT</acronym> can also be used together with
|
||||||
&man.natd.8;. The only exceptions are the configuration of
|
&man.natd.8;. The exceptions are the configuration of the
|
||||||
the in-kernel <acronym>NAT</acronym> instance <literal>(ipfw
|
in-kernel <acronym>NAT</acronym> instance <literal>(ipfw -q
|
||||||
-q nat 1 config ...)</literal> not being applicable any
|
nat 1 config ...)</literal> which is not needed together
|
||||||
more, rule number 100 and 1000 will have to change sligthly
|
with reassemble rule 99 because its functionality is
|
||||||
as below, and reassemble rule 99 is not needed anymore
|
included in the <option>divert</option> action. Rule number
|
||||||
as the <option>divert</option> action is used which covers
|
100 and 1000 will have to change sligthly as shown
|
||||||
fragmentation.</para>
|
below.</para>
|
||||||
|
|
||||||
<programlisting>$cmd 100 divert natd ip from any to any in via $pif
|
<programlisting>$cmd 100 divert natd ip from any to any in via $pif
|
||||||
$cmd 1000 divert natd ip from any to any out via $pif</programlisting>
|
$cmd 1000 divert natd ip from any to any out via $pif</programlisting>
|
||||||
|
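Review bot: the rewritten sentence "the configuration of the in-kernel NAT instance (ipfw -q nat 1 config ...) which is not needed together with reassemble rule 99 because its functionality is included in the divert action" leaves "its" ambiguous and hangs both exceptions on one reason. Suggest two sentences: the instance configuration is not applicable with natd(8), and reassemble rule 99 is not needed because the divert action reassembles fragments. The typo "sligthly" (slightly) on the new line after that is still present.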
@ -2777,7 +2774,8 @@ ks="keep-state" # just too lazy to key this each time
|
||||||
options IPFIREWALL_VERBOSE # enables logging for rules with log keyword to syslogd(8)
|
options IPFIREWALL_VERBOSE # enables logging for rules with log keyword to syslogd(8)
|
||||||
options IPFIREWALL_VERBOSE_LIMIT=5 # limits number of logged packets per-entry
|
options IPFIREWALL_VERBOSE_LIMIT=5 # limits number of logged packets per-entry
|
||||||
options IPFIREWALL_DEFAULT_TO_ACCEPT # sets default policy to pass what is not explicitly denied
|
options IPFIREWALL_DEFAULT_TO_ACCEPT # sets default policy to pass what is not explicitly denied
|
||||||
options IPFIREWALL_NAT # enables in-kernel NAT support
|
options IPFIREWALL_NAT # enables basic in-kernel NAT support
|
||||||
|
options LIBALIAS # enables full in-kernel NAT support
|
||||||
options IPFIREWALL_NAT64 # enables in-kernel NAT64 support
|
options IPFIREWALL_NAT64 # enables in-kernel NAT64 support
|
||||||
options IPFIREWALL_NPTV6 # enables in-kernel IPv6 NPT support
|
options IPFIREWALL_NPTV6 # enables in-kernel IPv6 NPT support
|
||||||
options IPFIREWALL_PMOD # enables protocols modification module support
|
options IPFIREWALL_PMOD # enables protocols modification module support
|
||||||
|
|
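Review bot: the added "options LIBALIAS # enables full in-kernel NAT support" line matches the note added earlier in this change about compiling the full libalias functionality into a custom kernel, but the comment could say what "full" adds over the line above it, e.g. "# compiles the alias_* protocol modules into the kernel". The unchanged "protocols modification module" comment on the IPFIREWALL_PMOD line should read "protocol modification".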