At 01:46 AM 8/15/2005, Tim Holmes wrote:

For years I've used a FreeBSD as my gateway.  Well I haven't had a high
speed connection for 3 years now, and I've just gotten it back.  Since
then I've reloaded the machine from 4.3 to 5.3.  I thought I had it all
set up so when I did get connection, I could make a quick edit to my
rc.conf and I'd be ready to go.  Well turns out I was way off.

The machine has no problems getting an IP from the cable modem, and I can
get anywhere I want from that machine directly.  (I'm currently ssh'd to
the router machine to send email, use w3m to find How-Tos)  But it won't
pass traffic from the rest of the network.

Here are the settings in my rc.conf:

gateway_enable="YES"              # Enable as Lan gateway
# firewall_enable="YES"
natd_enable="YES"
natd_interface="xl0"
natd_flags="-f /etc/natd.conf"
ipmon_enable="YES"
ipmon_flags="-Ds"

The firewall_enable is disabled now because when it's turned on, I can't
actually get out from directly on the machine.  At this point I just want
it to do the routing and then I can work on building a firewall afterwards.

If you use options IPFIREWALL_DEFAULT_TO_ACCEPT that will allow you to get the other things working, and you can figure out your firewall rules once everything else works.


Before I did the update and rebuilt the kernel yesterday, I had these options
in rc.conf

# ipnat_enable="YES"                # Start ipnat function
# ipnat_rules="/etc/ipnat.rules"    # rules definition file for ipnat
# ipfilter_enable="YES"             # Start ipf firewall
# ipfilter_rules="/etc/ipf.rules"   # loads rules definition text file

Well all these other How-Tos I found on FreeBSDDiary.org told me all I needed
was "gateway_enable=YES" and "firewall_enable=YES".  Also to add these two
options to the kernel:

options IPFILTER
options IPDIVERT

To use ipfw adding these options to your kernel is a good place to start:

options         IPFIREWALL
options         IPFIREWALL_VERBOSE
options         IPFIREWALL_DEFAULT_TO_ACCEPT

If you're using natd, you'll also want:

options         IPDIVERT

If you want to use ipnat (ipfilter) you'll want:

options         IPFILTER



But that wasn't working. Another mentioned I needed defaultrouter="192.168.2.254", but that's not doing it either. It wasn't actually running nat, and I'd get errors
if I tried to start.  Here's the message I saw at boot after a new kernel.

The default router for the FreeBSD machine should be supplied by the dhcp server that gives you your IP address.

Also, you will need to use NAT since the cable modem probably only gives you a single IP.


1: unexpected keyword (any) - from
/sbin/ipf: /etc/ipf.rules: parse error (-1), quitting
/etc/rc: WARNING: NO IPNAT RULES

After following some other How-Tos I tried running ipfw, but I keep getting an error
message that won't return any helpful searches from Google.

# ipnat -f /etc/ipnat.conf
ioctl(SIOCGNATS): Operation not permitted
# ipfw -f flush
ipfw: setsockopt(IP_FW_FLUSH): Protocol not available
# ipf -FA -f /etc/ipf.rules
ioctl(SIOCIPFFL): Operation not permitted
# ipfw add divert natd all from any to any via xl0
ipfw: getsockopt(IP_FW_ADD): Protocol not available

The errors suggest that ipfw isn't in your kernel, and likely is not loaded from a module. If kldstat doesn't show it loaded, and you don't have options IPFIREWALL in your kernel, that will cause errors like those.

If you'd like some sample configs, contact me off list and I'll send you copies of some that I typically use as a starting point.

-Glenn


None of those error messages will give me anything to go on. So I'm at a loss here. Can
anybody point me to How-To, or share their rc.conf edits to make this work?

I know this was a little long, but thanks in advance for the help.

tdh
--
 ----------------+-------------------------------------------------
       \./       |     Tim Holmes  --  [EMAIL PROTECTED]: [EMAIL PROTECTED]
      (0Y0)      |         UIN: 17021091  -- AIM: tdh004
 -ooO--(_)--Ooo--+-------------------------------------------------
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
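Glenn's diagnosis above (ipfw missing from the kernel, natd needing IPDIVERT, the ipfilter knobs needing IPFILTER, and the two stacks being mixed in one rc.conf) as a small check script. This is an added example, not anything posted in the thread; it assumes the kernel config fragment is available to read next to rc.conf, and that natd depends on the divert rule rc.firewall installs only when firewall_enable is YES.

```shell
# Added example: lint a FreeBSD gateway's rc.conf against its kernel config.
# Both inputs are constructed: the rc.conf lines copy the post, the kernel
# fragment is the IPFILTER/IPDIVERT pair Tim added (no IPFIREWALL).
RC_SAMPLE='gateway_enable="YES"              # Enable as Lan gateway
# firewall_enable="YES"
natd_enable="YES"
natd_interface="xl0"
natd_flags="-f /etc/natd.conf"
ipmon_enable="YES"
ipmon_flags="-Ds"'
KCONF_SAMPLE='options IPFILTER
options IPDIVERT'
# rc_get KNOB CONF: KNOB's value with quotes and trailing comment stripped;
# a commented-out knob yields the empty string.
rc_get() {
    printf '%s\n' "$2" | grep "^[[:space:]]*$1=" | tail -n 1 |
        sed 's/^[^=]*=//; s/^"//; s/".*$//; s/[[:space:]]*#.*$//'
}
# kconf_has OPTION CONF: succeeds if CONF carries a line "options OPTION".
kconf_has() {
    printf '%s\n' "$2" | grep -Eq "^[[:space:]]*options[[:space:]]+$1([[:space:]]|$)"
}
# lint_gateway RCCONF KCONF: prints one finding per line, exit status = count.
lint_gateway() {
    n=0
    fw=$(rc_get firewall_enable "$1"); natd=$(rc_get natd_enable "$1")
    ipf=$(rc_get ipfilter_enable "$1"); ipnat=$(rc_get ipnat_enable "$1")
    ipmon=$(rc_get ipmon_enable "$1")
    [ "$(rc_get gateway_enable "$1")" = YES ] ||
        { echo "gateway_enable is not YES: the box will not forward packets"; n=$((n+1)); }
    if [ "$natd" = YES ]; then
        # natd only sees packets an ipfw divert rule hands it; rc.firewall adds
        # that rule, and rc.firewall runs only when firewall_enable=YES.
        [ "$fw" = YES ] ||
            { echo "natd_enable=YES but firewall_enable is off: no divert rule, natd idles"; n=$((n+1)); }
        kconf_has IPFIREWALL "$2" ||
            { echo "natd/ipfw needs 'options IPFIREWALL' (ipfw: Protocol not available)"; n=$((n+1)); }
        kconf_has IPDIVERT "$2" ||
            { echo "natd needs 'options IPDIVERT' for its divert socket"; n=$((n+1)); }
    fi
    if [ "$ipf" = YES ] || [ "$ipnat" = YES ] || [ "$ipmon" = YES ]; then
        kconf_has IPFILTER "$2" ||
            { echo "ipfilter knobs set but the kernel lacks 'options IPFILTER'"; n=$((n+1)); }
        if [ "$natd" = YES ]; then
            echo "ipfilter and ipfw/natd knobs are both set: pick one NAT stack"; n=$((n+1))
        fi
    fi
    return $n
}
```

Run as `lint_gateway "$(cat /etc/rc.conf)" "$(cat /usr/src/sys/i386/conf/MYKERNEL)"` on the gateway; a zero exit status means the rc.conf knobs and kernel options agree on one NAT stack.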