Finish editorial pass through IPF NAT.

Comment out symbolic substitution section for now. It is confusing as written and may no longer be needed with IPF's new syntax.

Sponsored by:	iXsystems
This commit is contained in:
parent 9eae51d07c
commit 5bb694d459
Notes:
svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=44051
1 changed file with 25 additions and 34 deletions
|
|
@ -2334,20 +2334,17 @@ map dc0 192.168.1.0/24 -> 204.134.75.0/24</programlisting>
|
|||
This eliminates the need to open large ranges of high order
|
||||
ports for <acronym>FTP</acronym> connections.</para>
|
||||
|
||||
<para>This rule will handle all the traffic for the internal
|
||||
LAN:</para>
|
||||
<para>In this example, the first rule calls the proxy for
|
||||
outbound <acronym>FTP</acronym> traffic from the internal
|
||||
<acronym>LAN</acronym>. The second rule passes the
|
||||
<acronym>FTP</acronym> traffic from the firewall to the
|
||||
Internet, and the third rule handles all
|
||||
non-<acronym>FTP</acronym> traffic from the internal
|
||||
<acronym>LAN</acronym>:</para>
|
||||
|
||||
<programlisting>map dc0 10.0.10.0/29 -> 0/32 proxy port 21 ftp/tcp</programlisting>
|
||||
|
||||
<para>This rule handles the <acronym>FTP</acronym> traffic from
|
||||
the gateway:</para>
|
||||
|
||||
<programlisting>map dc0 0.0.0.0/0 -> 0/32 proxy port 21 ftp/tcp</programlisting>
|
||||
|
||||
<para>This rule handles all non-<acronym>FTP</acronym> traffic
|
||||
from the internal LAN:</para>
|
||||
|
||||
<programlisting>map dc0 10.0.10.0/29 -> 0/32</programlisting>
|
||||
<programlisting>map dc0 10.0.10.0/29 -> 0/32 proxy port 21 ftp/tcp
|
||||
map dc0 0.0.0.0/0 -> 0/32 proxy port 21 ftp/tcp
|
||||
map dc0 10.0.10.0/29 -> 0/32</programlisting>
|
||||
|
||||
<para>The <acronym>FTP</acronym> <literal>map</literal> rules go
|
||||
before the <acronym>NAT</acronym> rule so that when a packet
|
||||
|
|
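Review bot: the consolidated listing (`map dc0 10.0.10.0/29 -> 0/32 proxy port 21 ftp/tcp`, the `0.0.0.0/0` proxy rule, then the plain `map dc0 10.0.10.0/29 -> 0/32`) only works because ipnat evaluates map rules first-match: the second rule's `0.0.0.0/0` source also covers the LAN, so a reader who reorders the three lines silently changes which rule handles LAN FTP. The ordering is explained only in the following paragraph ("The FTP map rules go before the NAT rule so that..."); consider a clause here that says the order matters and points forward. The `0/32` destination used in every rule (translate to the address of the interface) is never defined in the surrounding text; one parenthetical at its first appearance would save the reader a trip to ipnat(5).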
@ -2359,12 +2356,9 @@ map dc0 192.168.1.0/24 -> 204.134.75.0/24</programlisting>
|
|||
<acronym>FTP</acronym> rules but will undergo
|
||||
<acronym>NAT</acronym> if they match the third rule.</para>
|
||||
|
||||
<para>Only one filter rule is needed for <acronym>FTP</acronym>
|
||||
if the <acronym>NAT</acronym> <acronym>FTP</acronym> proxy is
|
||||
used.</para>
|
||||
|
||||
<para>Without the <acronym>FTP</acronym> proxy, the following
|
||||
three rules will be needed:</para>
|
||||
firewall rules would instead be needed. Note that without the proxy,
|
||||
all ports above <literal>1024</literal> need to be allowed:</para>
|
||||
|
||||
<programlisting># Allow out LAN PC client FTP to public Internet
|
||||
# Active and passive modes
|
||||
|
|
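Review bot: the new paragraph `Only one filter rule is needed for FTP if the NAT FTP proxy is used.` asserts the single rule but never shows it, while the no-proxy alternative gets a full listing, so the comparison the text sets up is incomplete; add that one rule. The rewritten sentence "all ports above 1024 need to be allowed" also reads as a neutral requirement: say in which direction it applies (outbound, per the `pass out ... port > 1024` listing that follows) and that this widens the filter well beyond what the proxy requires, since that widening is the reason to prefer the proxy.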
@ -2376,35 +2370,32 @@ pass out quick on rl0 proto tcp from any to any port > 1024 flags S keep stat
|
|||
# Active mode let data channel in from FTP server
|
||||
pass in quick on rl0 proto tcp from any to any port = 20 flags S keep state</programlisting>
|
||||
|
||||
<para>When the file containing the <acronym>NAT</acronym> rules
|
||||
is edited after <acronym>NAT</acronym> has been started, run
|
||||
<para>Whenever the file containing the <acronym>NAT</acronym> rules
|
||||
is edited, run
|
||||
<command>ipnat</command> with <option>-CF</option> to delete
|
||||
the internal in use <acronym>NAT</acronym> rules and flush the
|
||||
contents of the translation table of all active
|
||||
entries.</para>
|
||||
the current <acronym>NAT</acronym> rules and flush the
|
||||
contents of the dynamic translation table. Include
|
||||
<option>-f</option> and specify the name
|
||||
of the <acronym>NAT</acronym> ruleset to load:</para>
|
||||
|
||||
<para>To reload the <acronym>NAT</acronym> rules, issue a
|
||||
command like this:</para>
|
||||
<screen>&prompt.root; <userinput>ipnat -CF -f /etc/ipnat.rules</userinput></screen>
|
||||
|
||||
<screen>&prompt.root; <userinput>ipnat -CF -f
|
||||
/etc/ipnat.rules</userinput></screen>
|
||||
|
||||
<para>To display some <acronym>NAT</acronym> statistics, use
|
||||
this command:</para>
|
||||
<para>To display the <acronym>NAT</acronym> statistics:</para>
|
||||
|
||||
<screen>&prompt.root; <userinput>ipnat -s</userinput></screen>
|
||||
|
||||
<para>To list the <acronym>NAT</acronym> table's current
|
||||
mappings, use this command:</para>
|
||||
mappings:</para>
|
||||
|
||||
<screen>&prompt.root; <userinput>ipnat -l</userinput></screen>
|
||||
|
||||
<para>To turn verbose mode on and display information relating
|
||||
to rule processing and active rules/table entries:</para>
|
||||
to rule processing and active rules and table entries:</para>
|
||||
|
||||
<screen>&prompt.root; <userinput>ipnat -v</userinput></screen>
|
||||
</sect2>
|
||||
|
||||
<!--
|
||||
This section is confusing and may no longer be needed with new syntax.
|
||||
<sect2 xml:id="firewalls-ipf-rules-script">
|
||||
<title>Building the Rule Script with Symbolic
|
||||
Substitution</title>
|
||||
|
|
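Review bot: the rewritten reload paragraph says `-CF` deletes the current rules and flushes the dynamic translation table but not the consequence: every active NAT mapping is dropped, so established connections through the gateway are cut; since `ipnat -CF -f /etc/ipnat.rules` is now presented as the routine step after any edit, state that explicitly. In the unchanged context line `pass in quick on rl0 proto tcp from any to any port = 20 flags S keep state`, the `port = 20` clause follows `to` and therefore matches the destination port, but an active-mode data connection arrives from server source port 20 to a high port on the client, so the rule does not do what its `# Active mode let data channel in from FTP server` comment says; it should read `from any port = 20 to any`. The inline note `This section is confusing and may no longer be needed with new syntax.` should name the syntax change that makes the section obsolete, or it will never be revisited.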
@ -2515,7 +2506,7 @@ sh /etc/ipf.rules.script</programlisting>
|
|||
<para>Now, when the system boots, the IPF rules will be
|
||||
loaded.</para>
|
||||
</sect2>
|
||||
|
||||
-->
|
||||
<sect2>
|
||||
<title>IPFSTAT</title>
|
||||
|
||||
|
|
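Review bot: closing the comment with `-->` here hides `<sect2 xml:id="firewalls-ipf-rules-script">` from the built document, so any `<xref linkend="firewalls-ipf-rules-script"/>` elsewhere in the handbook will now fail validation; grep the book for that id before committing. The commented body also needs a check for a literal `--` anywhere inside it (long option strings are the usual culprit), since `--` is not permitted within an XML comment and would break the build.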