freebsd 5.3 natd

Most talaltam egy leirast amely szerint ipfw-vel is meglehet oldani a dolgot, csak bekell forgatni a kernelbe: IPFIREWALL_FORWARD options-t.

Beforgattam, probalom a forwardingot, erre azt irja ki az ipfw, h:
ipfw: bad 'fwd' option

pfff.....Elegem van mara a gatewayekbol. Valakinek vmilyen 5lete?

Lassan mar google-fobiam lesz es handbook undorom... :)))

Koszi dozen

HI LGee!

Talaltam egy leirast a config.hu-n. Netan te irtad?? :) Ipfw -vel nem lehetne megoldani a dolgot? Mert a natd nem naon akar mukodni.... :(

options PFIL_HOOKS tleg ez kell a kernelbe 5.3-tol az ipfw-hez... Hmm errol meg nem is hallottam...

bye dozen

hellotok!

Van egy Freebsd-s gatewayem, ami a natot csinalja. A netmegosztas tokeletesen mukodik is, de a redirect port, nem akar mukodni, pedig fontos lenne, mert a server ami a gateway mogott van elerhetetlen.

Mar google-ztam is handbookban is elolvastam a natot. Meg is probaltam, de nem megy.

ezt irom be:
/sbin/natd -redirect_port tcp 192.168.1.2:80 80 (192.168.1.2 a server)
probaltam -interface-el is ugy sem ment.

Van vkinek vamilyen 5lete?

Elore is koszi a valaszokat: dozen

Hellotok!

Itt van a ppp.conf,natd.conf,tuzfal scriptem, rc.confom:

ppp.conf
default:
set device PPPoE:ed1:invitel
set speed sync
set mru 1492
set mtu 1492
set ctsrts off
enable lqr
add default HISADDR
set timeout 0
set redial 0 0

# NAT
nat enable yes
nat log yes
nat same_port yes
nat unregistered_only yes
enable dns

invitel:
set authname
set authkey

natd.conf:

use_sockets yes
same_ports yes
redirect_port tcp 192.168.1.2:80 80
redirect_port tcp 192.168.1.2:2200 2200
redirect_port tcp 192.168.1.2:6667 6667
redirect_port tcp 192.168.1.2:21 21

tuzfal script:
#!/bin/sh
fwcmd="/sbin/ipfw"
## Global Variables
extif="ed1"
myip="192.168.1.5"
mybcast="192.168.1.255"
mynetwork="192.168.1.0/24"
dns_server="213.163.59.10"

## Reset All Rulez
${fwcmd} -f flush

## Check State
${fwcmd} add 00180 check-state

## Allow all via loopback to loopback
${fwcmd} add 00200 allow all from any to any via lo0

## Deny Connection Attempt To LoopBack Devices NOT Coming from LoopBack Device
${fwcmd} add 00300 deny all from any to 127.0.0.1/8

## Deny Connection Attempt From LoopBack Device NOT To LoopBack Device
${fwcmd} add 00400 deny all from 127.0.0.1/8 to any

## Allow FireWall To Do Anything
${fwcmd} add 00510 pass tcp from ${myip} to any setup keep-state
${fwcmd} add 00520 pass udp from ${myip} to any keep-state
${fwcmd} add 00530 pass icmp from ${myip} to any icmptype 0,8

## Allow Local LAN To Connect Us
${fwcmd} add 00550 allow all from ${mynetwork} to ${mynetwork}

## Explicity open ssh to this box from mynetwork otherwise the authentication
## session becomes slow
${fwcmd} add 00560 allow tcp from ${mynetwork} to ${mynetwork} 22

## Allow ssh in
${fwcmd} add 00610 allow tcp from any to ${myip} 22 keep-state setup

## Allow DNS requests to my ISP DNS server
${fwcmd} add 00700 allow udp from ${dns_server} 53 to any
${fwcmd} add 00710 allow udp from any to ${dns_server} 53

## Allow access to http,https
${fwcmd} add 00820 allow tcp from any to any http
${fwcmd} add 00830 allow tcp from any http to any
${fwcmd} add 00840 allow tcp from any to any https
${fwcmd} add 00850 allow tcp from any https to any

## Allow IRC access
${fwcmd} add 00900 allow tcp from any to any 6667
${fwcmd} add 00910 allow tcp from any 6667 to any

## Allow uptimec access on 2050
${fwcmd} add 00920 allow tcp from any to any 2050
${fwcmd} add 00930 allow tcp from any 2050 to any

## Allow FTP access
${fwcmd} add 00940 allow tcp from any to any 21
${fwcmd} add 00950 allow tcp from any 21 to any

## Allow ICMP access
${fwcmd} add 00960 allow icmp from any to any

## Allow NAT

${fwcmd} add 0970 divert natd all from any to any via tun0
${fwcmd} add 0980 pass all from any to any

${fwcmd} add 0990 fwd 192.168.1.5 from any to 192.168.1.2 80


# -- sysinstall generated deltas -- # Thu Jan 20 08:47:38 2005
# Created: Thu Jan 20 08:47:38 2005
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
default_router="192.168.1.6"
gateway_enable="YES"
firewall_enable="YES"
firewall_script="/etc/rc.simple_ipfw"
firewall_type="OPEN"
firewall_quiet="NO"
## ppp conf
ppp_enable="YES"
ppp_profile="invitel"
ppp_nat="YES"
ppp_mode="ddial"
ppp_user="root"
#############
natd_enable="YES"
natd_flags="-f /etc/natd.conf"

hostname="c0re-gateway"
ifconfig_ed1="inet 192.168.1.5 netmask 255.255.255.0"
ifconfig_ed2="inet 192.168.1.6 netmask 255.255.255.224"
inetd_enable="YES"
saver="logo"
usbd_enable="NO"

Remelem tud vki segiteni...mert en eleg tanacstalan vok.

A kernelbe ezek vannak beforgatva:
options IPFIREWALL
options IPFIREWALL_FORWARD
options IPDIVERT
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=50
options TCP_DROP_SYNFIN

Ha kell meg vmi, akkor szolj

Elore is koszi a segitseget: dozen

Hi LGee!

Koszi a segitseget

dozen

De igen ricsip, csak ahhoz ujrakene forgatni a kernelt. Arra meg nincs idom es a gatewaynek is feltetlenul mennie kell...reboot nelkul minden percben.

Meg aztan sztem, ha mar pont erre fejlesztettek ki a natot, akkor elegansabb ezt hasznalni :)

bye dozen

A natd-s portforwardinghoz kell meg vmit beallitani a kernelben?

A bsd how-to szerint: IPFIREWALL & IPDIVERT.

Allandoan azt irja ki, h: natd: instance default: aliasing address not given

pff nemtom mitevo leek...

Valakinek van vmilyen 5lete?

Hetfore mennie kene a szervernek, szal kicsit....

Koszi a segitseget: dozen