The OpenNET Project / Index page


[FreeBSD] NAT - Network Address Translation (eng) (freebsd nat firewall)


Keywords: freebsd, nat, firewall
From: rowland@cis.ohio-state.edu
Subject: [FreeBSD] NAT - Network Address Translation (eng)

Network Address Translation

Network address translation allows you to have a private internal network that is separate from the Internet but can still receive information from it. Translation lets many hosts on an internal network use the Internet via a single gateway connection. The gateway server generally must have two NICs: one connected to a hub or switch (not using the uplink of the hub), and the other connected to your Internet connection, in this case a cable modem.

This is how I have set up network address translation on my own FreeBSD server with a cable modem. For information on how I set up my cable modem, please refer to this page. Once your cable modem is up and running, this is what you need to allow other machines on your internal network to use the same connection.

The first thing you have to do is assign your client machines IP addresses that are reserved for internal networks. There are different network classes set aside to choose from. You can use any of the following addresses:

  * 10.0.0.0 --> 10.255.255.255 (1 class A block)
  * 172.16.0.0 --> 172.31.255.255 (16 class B blocks)
  * 192.168.0.0 --> 192.168.255.255 (256 class C blocks)

I use one class C block since there are only 3 other clients on my network, but you are free to use whichever you prefer.

In order to use network address translation, you will have to enable firewalling in the kernel and in /etc/rc.conf. If you set up Road Runner the way that I describe on this page, you will have to compile your kernel with firewall support. These are the options that I added to my kernel configuration file:

    # The `bpfilter' pseudo-device enables the Berkeley Packet Filter. Be
    # aware of the legal and administrative consequences of enabling this
    # option. The number of devices determines the maximum number of
    # simultaneous BPF clients programs runnable.
    pseudo-device   bpfilter   4   #Berkeley packet filter

    # The networking settings for Road Runner.
    options         IPFIREWALL
    options         IPFIREWALL_VERBOSE
    options         "IPFIREWALL_VERBOSE_LIMIT=100"
    options         IPDIVERT

The first thing to notice is the Berkeley packet filter. This is needed for the network address translation daemon, natd. Of the options that I have specified for the firewall, the only ones that are needed are IPFIREWALL and IPDIVERT; the others are optional. See the LINT file in the /usr/src/sys/i386/conf directory or the FreeBSD handbook for more details. Don't forget to create 4 bpf devices in /dev with "MAKEDEV bpf0"; repeat for bpf1, bpf2 and bpf3. This gives you a total of 4 bpfilter devices. Actually you only need one, I believe, but I always make 4.

Once the kernel has been compiled and the bpf devices installed, you must turn on the firewall and natd in /etc/rc.conf. This is part of my /etc/rc.conf file:

    ### Basic network options: ###
    hostname="myname.my.domain"      # Set this!
    nisdomainname="NO"               # Set to NIS domain if using NIS (or NO).
    firewall_enable="YES"            # Set to YES to enable firewall functionality
    firewall_type="open"             # Firewall type (see /etc/rc.firewall)
    firewall_quiet="NO"              # Set to YES to suppress rule display
    natd_enable="YES"                # Enable natd (if firewall_enable == YES).
    natd_interface="fxp0"            # Public interface to use with natd.
    natd_flags="-u -m -dynamic"      # Additional flags for natd.
    tcp_extensions="NO"              # Disallow RFC1323 extensions (or YES).
    # Note: interface fxp0 is setup in rc.roadrunner
    network_interfaces="ed0 lo0"     # List of network interfaces (lo0 is loopback).
    ifconfig_ed0="inet 192.168.1.1 netmask 255.255.255.0"
    ifconfig_lo0="inet 127.0.0.1"    # default loopback device configuration.

The hostname above is not really relevant; I set my hostname with my Road Runner login. I configure all interfaces except fxp0, which is my main NIC connected directly to the cable modem. The ed0 card is the secondary NIC connected to one of the ports on my 4-port hub. The other client machines are also connected to this hub; its uplink is not used.

I find the natd options above work out really well. They should translate only unregistered (internal) IP addresses (-u), try to keep the same ports when altering outgoing packets (-m), and automatically handle a change of IP address on the main NIC (-dynamic). You might not have all of these options in your /etc/rc.conf file; they should be in /etc/defaults/rc.conf. Copy them from there and place them in /etc/rc.conf. You should only make changes to /etc/rc.conf or some other local config file and NOT to the files in /etc/defaults.

I also set the firewall type to open. This is an easy way to get going. If you want to set up a firewall that actually does something, you are on your own; I suggest you read the Firewalls FAQ for information on what a firewall is and how it works.

Since my machine is acting as a gateway between the two networks, it is necessary to turn on the gateway feature in /etc/rc.conf as well:

    defaultrouter="NO"          # Set to default gateway (or NO).
    static_routes=""            # Set to static route list (or leave empty).
    gateway_enable="YES"        # Set to YES if this host will be a gateway.
    router_enable="NO"          # Set to YES to enable a routing daemon.
    router="routed"             # Name of routing daemon to use if enabled.
    router_flags="-q"           # Flags for routing daemon.
    mrouted_enable="NO"         # Do multicast routing (see /etc/mrouted.conf).
    mrouted_flags=""            # Flags for multicast routing daemon.
    ipxgateway_enable="NO"      # Set to YES to enable IPX routing.
    ipxrouted_enable="NO"       # Set to YES to run the IPX routing daemon.
    ipxrouted_flags=""          # Flags for IPX routing daemon.
    arpproxy_all=""             # replaces obsolete kernel option ARP_PROXYALL.
    forward_sourceroute="NO"    # do source routing (only if gateway_enable is set to "YES")
    accept_sourceroute="NO"     # accept source routed packets to us

All that is needed is gateway_enable="YES" and the sourceroute options set to NO (that is a good, secure suggestion anyway). This should get you started.

It is helpful to add an entry in /etc/hosts for any internal hosts, such as:

    # Host Database
    # This file should contain the addresses and aliases
    # for local hosts that share this file.
    # In the presence of the domain name service or NIS, this file may
    # not be consulted at all; see /etc/host.conf for the resolution order.
    #
    #
    127.0.0.1       localhost localhost.my.domain myname.my.domain
    192.168.1.1     server server.my.domain
    192.168.1.2     todd todd.my.domain
    192.168.1.3     laptop laptop.my.domain
    #

The client machines on your network should be easy to set up. All that is usually needed is to set their default gateway to the address of the second NIC on the gateway server; in my case I set all the client machines to use 192.168.1.1 as the default gateway. Assign the client machine whichever internal IP address you wish, ideally one you have also added to /etc/hosts, and everything should work well.

Once the server is rebooted, an "ipfw list" as root will show your firewall rules:

    00100 divert 8668 ip from any to any via fxp0
    00100 allow ip from any to any via lo0
    00200 deny ip from any to 127.0.0.0/8
    65000 allow ip from any to any
    65535 deny ip from any to any

You can add more rules if you wish in /etc/rc.firewall. Check the FreeBSD handbook for more information about that and other networking questions.
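The settings the howto depends on are spread over two /etc/rc.conf fragments (firewall and natd on, gateway_enable on, both sourceroute options off, a reserved address on the inside NIC), and a typo in any one of them silently leaves the gateway open or non-functional. The POSIX sh script below is an added example, not code from the original howto or from FreeBSD: it reads rc.conf-style text, pulls out each setting and reports every one that does not match, and it checks the inside interface address against the three reserved blocks listed above. The sample configuration strings, the function names rc_get, is_private_ip and audit_rc_conf, and the 198.51.100.1 address in the weak sample are all constructed for this example; the script only parses text, so it runs on any host with sh and awk.

```shell
#!/bin/sh
# Added example (not from the original howto): audit rc.conf-style text for
# the settings a natd gateway needs and check that the inside NIC carries an
# address from 10/8, 172.16/12 or 192.168/16. Plain sh + awk, no FreeBSD needed.

# Constructed sample, modelled on the article's /etc/rc.conf fragments.
SAMPLE_RC_CONF='
firewall_enable="YES"            # Set to YES to enable firewall functionality
firewall_type="open"             # Firewall type (see /etc/rc.firewall)
natd_enable="YES"                # Enable natd (if firewall_enable == YES).
natd_interface="fxp0"            # Public interface to use with natd.
natd_flags="-u -m -dynamic"      # Additional flags for natd.
gateway_enable="YES"             # Set to YES if this host will be a gateway.
forward_sourceroute="NO"
accept_sourceroute="NO"
network_interfaces="ed0 lo0"
ifconfig_ed0="inet 192.168.1.1 netmask 255.255.255.0"
ifconfig_lo0="inet 127.0.0.1"
'

# Constructed weak variant: source-routed packets accepted, natd without -u,
# and a non-reserved (documentation range) address on the inside NIC.
WEAK_RC_CONF='
firewall_enable="YES"
natd_enable="YES"
natd_interface="fxp0"
natd_flags="-m -dynamic"
gateway_enable="YES"
forward_sourceroute="NO"
accept_sourceroute="YES"
network_interfaces="ed0 lo0"
ifconfig_ed0="inet 198.51.100.1 netmask 255.255.255.0"
'

# rc_get CONF KEY: print the value of KEY with quotes and trailing comment
# removed. Like sh itself, the last assignment in the text wins.
rc_get() {
    printf '%s\n' "$1" | awk -v key="$2" '
        $0 ~ ("^[ \t]*" key "=") {
            v = $0
            sub("^[ \t]*" key "=", "", v)   # drop "key="
            sub(/[ \t]*#.*$/, "", v)        # drop a trailing comment
            sub(/[ \t]+$/, "", v)           # drop trailing blanks
            gsub(/^"|"$/, "", v)            # strip surrounding quotes
            val = v
        }
        END { if (val != "") print val }'
}

# is_private_ip A.B.C.D: succeed only for a valid dotted quad that lies in
# one of the reserved blocks the article lists.
is_private_ip() {
    ip=$1
    case "$ip" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;   # not a plain dotted quad
    esac
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    case "$ip" in
        10.*|192.168.*) return 0 ;;
        172.*) [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0 ;;
    esac
    return 1
}

# audit_rc_conf CONF: print one line per finding; succeed only when every
# firewall, natd, gateway and source-route setting matches the howto.
audit_rc_conf() {
    conf=$1
    rc=0
    for pair in firewall_enable:YES natd_enable:YES gateway_enable:YES \
                forward_sourceroute:NO accept_sourceroute:NO; do
        key=${pair%%:*}; want=${pair#*:}
        have=$(rc_get "$conf" "$key")
        if [ "$have" != "$want" ]; then
            printf 'FAIL %s=%s (want %s)\n' "$key" "${have:-<unset>}" "$want"
            rc=1
        fi
    done
    ext=$(rc_get "$conf" natd_interface)
    if [ -z "$ext" ]; then
        echo "FAIL natd_interface is not set"; rc=1
    fi
    # Every listed interface other than loopback and the natd (outside)
    # interface faces the inside network and must carry a reserved address.
    for ifn in $(rc_get "$conf" network_interfaces); do
        case "$ifn" in lo0|"$ext") continue ;; esac
        addr=$(rc_get "$conf" "ifconfig_$ifn")
        addr=${addr#inet }; addr=${addr%% *}
        if ! is_private_ip "$addr"; then
            printf 'FAIL %s address "%s" is not in a reserved block\n' "$ifn" "$addr"
            rc=1
        fi
    done
    # Without -u natd also rewrites packets whose source is already public.
    case " $(rc_get "$conf" natd_flags) " in
        *" -u "*) ;;
        *) echo "FAIL natd_flags lacks -u (translate unregistered addresses only)"; rc=1 ;;
    esac
    return $rc
}

# Run the audit on both constructed samples when executed directly.
echo "== article-style rc.conf"
audit_rc_conf "$SAMPLE_RC_CONF" && echo "OK: gateway settings match the howto"
echo "== weak rc.conf"
audit_rc_conf "$WEAK_RC_CONF" || echo "REJECTED: fix the findings above"
```

To audit a live gateway, call audit_rc_conf "$(cat /etc/rc.conf)" instead of the constructed string; note that the check insists on the sourceroute options being set explicitly, so a file that relies on the /etc/defaults/rc.conf value is reported as unset, which matches the howto's advice to copy the options into /etc/rc.conf.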


Discussion
  • 1, Anonymous (1), 23:04, 17/06/2002
    Is it required to have the -m flag?
    Created 1996-2024 by Maxim Chirkov