ipfw.8 (233478) vs ipfw.8 (233648)
.\"
.\" $FreeBSD: head/sbin/ipfw/ipfw.8 233478 2012-03-25 20:37:59Z melifaro $
.\" $FreeBSD: head/sbin/ipfw/ipfw.8 233648 2012-03-29 05:02:12Z eadler $
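Review bot: the only deleted/added pair that actually differs in this view is the $FreeBSD$ keyword line, where revision 233478 (melifaro, 2012-03-25) is replaced by 233648 (eadler, 2012-03-29); that line is expanded by the repository on commit rather than edited by hand, so it carries nothing to review. Every other line this view marks as changed reads identically on the deleted and added side after extraction, so whatever changed there (typically whitespace) cannot be reviewed from this rendering; check the raw diff for those lines.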
.\"
.Dd March 9, 2012
.Dt IPFW 8
.Os
.Sh NAME
.Nm ipfw
.Nd User interface for firewall, traffic shaper, packet scheduler,
in-kernel NAT.

--- 544 unchanged lines hidden ---
.Cm log
keyword will be made available for logging in two ways:
if the sysctl variable
.Va net.inet.ip.fw.verbose
is set to 0 (default), one can use
.Xr bpf 4
attached to the
.Li ipfw0
pseudo interface. There is no overhead if no
.Xr bpf 4
is attached to the pseudo interface.
.Pp
If
.Va net.inet.ip.fw.verbose
is set to 1, packets will be logged to
.Xr syslogd 8
with a

--- 231 unchanged lines hidden ---
packet is a TCP packet, try to send a TCP reset (RST) notice.
The search terminates.
.It Cm skipto Ar number | tablearg
Skip all subsequent rules numbered less than
.Ar number .
The search continues with the first rule numbered
.Ar number
or higher.
It is possible to use the
.Cm tablearg
keyword with a skipto for a
.Em computed
skipto, but care should be used, as no destination caching
is possible in this case so the rules are always walked to find it,
starting from the
.Cm skipto .
.It Cm call Ar number | tablearg
The current rule number is saved in the internal stack and
ruleset processing continues with the first rule numbered
.Ar number
or higher.
If later a rule with the
.Cm return

--- 112 unchanged lines hidden ---
actions.
.It Cm setfib Ar fibnum | tablearg
The packet is tagged so as to use the FIB (routing table)
.Ar fibnum
in any subsequent forwarding decisions.
Initially this is limited to the values 0 through 15, see
.Xr setfib 1 .
Processing continues at the next rule.
It is possible to use the
.Cm tablearg
keyword with a setfib. If tablearg value is not within compiled FIB range packet fib is set to 0.
.It Cm reass
Queue and reassemble ip fragments.
If the packet is not fragmented, counters are updated and processing continues with the next rule.
If the packet is the last logical fragment, the packet is reassembled and, if
.Va net.inet.ip.fw.one_pass
is set to 0, processing continues with the next rule, else packet is allowed to pass and search terminates.

--- 4 unchanged lines hidden ---
and
.Va net.inet.ip.maxfragsperpacket
which limit, respectively, the maximum number of processable fragments (default: 800) and
the maximum number of fragments per packet (default: 16).
.Pp
NOTA BENE: since fragments do not contain port numbers, they should be avoided with the
.Nm reass
rule.
Alternatively, direction-based (like
.Nm in
/
.Nm out
) and source-based (like
.Nm via
) match patterns can be used to select fragments.
.Pp
Usually a simple rule like:

--- 818 unchanged lines hidden ---
See the
.Sx EXAMPLES
Section for example usage of tables and the tablearg keyword.
.Pp
When used with the
.Cm skipto
action, the user should be aware that the code will walk the ruleset
up to a rule equal to, or past, the given number, and should therefore try keep the
ruleset compact between the skipto and the target rules.
.Sh SETS OF RULES
Each rule belongs to one of 32 different
.Em sets
, numbered 0 to 31.
Set 31 is reserved for the default rule.
.Pp
By default, rules are put in set 0, unless you use the
.Cm set N

--- 655 unchanged lines hidden ---
.Sh NETWORK ADDRESS TRANSLATION (NAT)
.Nm
support in-kernel NAT using the kernel version of
.Xr libalias 3 .
.Pp
The nat configuration command is the following:
.Bd -ragged -offset indent
.Bk -words
.Cm nat
.Ar nat_number
.Cm config
.Ar nat-configuration
.Ek
.Ed
.Pp
The following parameters can be configured:
.Bl -tag -width indent
.It Cm ip Ar ip_address
Define an ip address to use for aliasing.

--- 35 unchanged lines hidden ---
for more information.
.It Cm tablearg
Uses argument supplied in lookup table. See
.Sx LOOKUP TABLES
section below for more information on lookup tables.
.El
.Pp
To let the packet continue after being (de)aliased, set the sysctl variable
.Va net.inet.ip.fw.one_pass
to 0.
For more information about aliasing modes, refer to
.Xr libalias 3 .
See Section
.Sx EXAMPLES
for some examples about nat usage.
.Ss REDIRECT AND LSNAT SUPPORT IN IPFW
Redirect and LSNAT support follow closely the syntax used in
.Xr natd 8 .
See Section
.Sx EXAMPLES
for some examples on how to do redirect and lsnat.
.Ss SCTP NAT SUPPORT
SCTP nat can be configured in a similar manner to TCP through the
.Nm
command line tool.
The main difference is that
.Nm sctp nat
does not do port translation.
Since the local and global side ports will be the same,
there is no need to specify both.
Ports are redirected as follows:
.Bd -ragged -offset indent
.Bk -words
.Cm nat
.Ar nat_number
.Cm config if
.Ar nic
.Cm redirect_port sctp
.Ar ip_address [,addr_list] {[port | port-port] [,ports]}
.Ek
.Ed
.Pp
Most
.Nm sctp nat
configuration can be done in real-time through the
.Xr sysctl 8
interface.
All may be changed dynamically, though the hash_table size will only
change for new
.Nm nat
instances.
See
.Sx SYSCTL VARIABLES
for more info.
.Sh LOADER TUNABLES
Tunables can be set in
.Xr loader 8
prompt,
.Xr loader.conf 5
or
.Xr kenv 1
before ipfw module gets loaded.
.Bl -tag -width indent

--- 11 unchanged lines hidden ---
associated modules
.Pq Nm dummynet , bridge , sctp nat .
These are shown below together with their default value
(but always check with the
.Xr sysctl 8
command what value is actually in use) and meaning:
.Bl -tag -width indent
.It Va net.inet.ip.alias.sctp.accept_global_ootb_addip: No 0
Defines how the
.Nm nat
responds to receipt of global OOTB ASCONF-AddIP:
.Bl -tag -width indent
.It Cm 0
No response (unless a partially matching association exists -
ports and vtags match but global address does not)
.It Cm 1
.Nm nat
will accept and process all OOTB global AddIP messages.
.El
.Pp
Option 1 should never be selected as this forms a security risk.
An attacker can
establish multiple fake associations by sending AddIP messages.
.It Va net.inet.ip.alias.sctp.chunk_proc_limit: No 5
Defines the maximum number of chunks in an SCTP packet that will be parsed for a
packet that matches an existing association.
This value is enforced to be greater or equal than
.Cm net.inet.ip.alias.sctp.initialising_chunk_proc_limit .
A high value is
a DoS risk yet setting too low a value may result in important control chunks in
the packet not being located and parsed.
.It Va net.inet.ip.alias.sctp.error_on_ootb: No 1
Defines when the
.Nm nat
responds to any Out-of-the-Blue (OOTB) packets with ErrorM packets.
An OOTB packet is a packet that arrives with no existing association
registered in the
.Nm nat
and is not an INIT or ASCONF-AddIP packet:
.Bl -tag -width indent
.It Cm 0
ErrorM is never sent in response to OOTB packets.
.It Cm 1
ErrorM is only sent to OOTB packets received on the local side.
.It Cm 2
ErrorM is sent to the local side and on the global side ONLY if there is a
partial match (ports and vtags match but the source global IP does not).
This value is only useful if the
.Nm nat
is tracking global IP addresses.
.It Cm 3
ErrorM is sent in response to all OOTB packets on both the local and global side
(DoS risk).
.El
.Pp
At the moment the default is 0, since the ErrorM packet is not yet
supported by most SCTP stacks.
When it is supported, and if not tracking
global addresses, we recommend setting this value to 1 to allow
multi-homed local hosts to function with the
.Nm nat .
To track global addresses, we recommend setting this value to 2 to
allow global hosts to be informed when they need to (re)send an
ASCONF-AddIP.
Value 3 should never be chosen (except for debugging) as the
.Nm nat
will respond to all OOTB global packets (a DoS risk).
.It Va net.inet.ip.alias.sctp.hashtable_size: No 2003
Size of hash tables used for
.Nm nat
lookups (100 < prime_number > 1000001).
This value sets the
.Nm hash table
size for any future created
.Nm nat
instance and therefore must be set prior to creating a
.Nm nat
instance.
The table sizes may be changed to suit specific needs.
If there will be few
concurrent associations, and memory is scarce, you may make these smaller.
If there will be many thousands (or millions) of concurrent associations, you
should make these larger.
A prime number is best for the table size.
The sysctl

--- 12 unchanged lines hidden ---
Ideally this packet
will only be an INIT or ASCONF-AddIP packet.
A higher value may become a DoS
risk as malformed packets can consume processing resources.
.It Va net.inet.ip.alias.sctp.param_proc_limit: No 25
Defines the maximum number of parameters within a chunk that will be parsed in a
packet.
As for other similar sysctl variables, larger values pose a DoS risk.
.It Va net.inet.ip.alias.sctp.log_level: No 0
Level of detail in the system log messages (0 \- minimal, 1 \- event,
2 \- info, 3 \- detail, 4 \- debug, 5 \- max debug). May be a good
option in high loss environments.
.It Va net.inet.ip.alias.sctp.shutdown_time: No 15
Timeout value while waiting for SHUTDOWN-COMPLETE.
This value cannot be 0.
.It Va net.inet.ip.alias.sctp.track_global_addresses: No 0
Enables/disables global IP address tracking within the
.Nm nat
and places an
upper limit on the number of addresses tracked for each association:
.Bl -tag -width indent
.It Cm 0
Global tracking is disabled
.It Cm >1
Enables tracking, the maximum number of addresses tracked for each
association is limited to this value
.El
.Pp
This variable is fully dynamic, the new value will be adopted for all newly
arriving associations, existing associations are treated as they were previously.
Global tracking will decrease the number of collisions within the
.Nm nat
at a cost
of increased processing load, memory usage, complexity, and possible
.Nm nat
state
problems in complex networks with multiple
.Nm nats .
We recommend not tracking
global IP addresses, this will still result in a fully functional
.Nm nat .
.It Va net.inet.ip.alias.sctp.up_timer: No 300
Timeout value to keep an association up with no traffic.
This value cannot be 0.
.It Va net.inet.ip.dummynet.expire : No 1
Lazily delete dynamic pipes/queue once they have no pending traffic.
You can disable this by setting the variable to 0, in which case
the pipes/queues will only be deleted when the threshold is reached.
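Added example (not ipfw's own code and not part of the manual page): a Python audit of the SCTP NAT sysctl values documented above. It assumes input in the "name: value" form that sysctl(8) prints, and flags the settings the page warns about: accept_global_ootb_addip set to 1, error_on_ootb set to 3 (or to 2 without tracking), a chunk_proc_limit below initialising_chunk_proc_limit, an out-of-range or non-prime hashtable_size, zero timers, and global address tracking. The sample values are constructed.

```python
"""Audit FreeBSD ipfw SCTP NAT sysctls against what ipfw(8) states.
Added example, not part of ipfw; the sample values below are constructed."""
import re

PREFIX = "net.inet.ip.alias.sctp."
LINE_RE = re.compile(r"^(net\.inet\.ip\.alias\.sctp\.\w+):\s*(-?\d+)\s*$")


def parse_sysctl(text):
    """Return {short_name: int} for each SCTP NAT line in sysctl(8) output."""
    values = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            values[m.group(1)[len(PREFIX):]] = int(m.group(2))
    return values


def is_prime(n):
    """Trial division; hash table sizes are small enough for this."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    return all(n % d for d in range(3, int(n ** 0.5) + 1, 2))


def audit_sctp_nat(values):
    """Return [(sysctl, severity, message)]; an empty list means clean."""
    f = []
    v = values.get
    tracking = v("track_global_addresses", 0) > 0  # any non-zero value enables it
    # ipfw(8): option 1 "should never be selected"; it lets a peer create
    # fake associations with OOTB ASCONF-AddIP messages.
    if v("accept_global_ootb_addip", 0) == 1:
        f.append(("accept_global_ootb_addip", "high", "accepts all OOTB global AddIP; set to 0"))
    # ipfw(8): 3 answers every OOTB packet on both sides (DoS risk);
    # 2 only matters while global addresses are tracked.
    e = v("error_on_ootb", 0)
    if e == 3:
        f.append(("error_on_ootb", "high", "ErrorM for all OOTB packets; use 1, or 2 when tracking"))
    elif e == 2 and not tracking:
        f.append(("error_on_ootb", "low", "value 2 has no effect while tracking is off"))
    # ipfw(8): the kernel forces chunk_proc_limit >= initialising_chunk_proc_limit,
    # so a smaller requested value is not the one that takes effect.
    c, i = v("chunk_proc_limit"), v("initialising_chunk_proc_limit")
    if c is not None and i is not None and c < i:
        f.append(("chunk_proc_limit", "info", "below initialising_chunk_proc_limit; kernel raises it"))
    # ipfw(8): 100 < size < 1000001, prime preferred, read only when a nat is created.
    h = v("hashtable_size")
    if h is not None and not 100 < h < 1000001:
        f.append(("hashtable_size", "high", "outside the documented range"))
    elif h is not None and not is_prime(h):
        f.append(("hashtable_size", "medium", "not prime; a prime number is best"))
    # ipfw(8): neither timer may be 0.
    for timer in ("shutdown_time", "up_timer"):
        if v(timer) == 0:
            f.append((timer, "high", "cannot be 0"))
    # ipfw(8) recommends not tracking global addresses at all.
    if tracking:
        f.append(("track_global_addresses", "low", "tracking adds load, memory and nat state risk"))
    return f


# Constructed samples: the documented defaults (initialising_chunk_proc_limit
# is a made-up value; its default is not shown on this page), then a weak host.
SAMPLE_DEFAULTS = """\
net.inet.ip.alias.sctp.accept_global_ootb_addip: 0
net.inet.ip.alias.sctp.chunk_proc_limit: 5
net.inet.ip.alias.sctp.error_on_ootb: 0
net.inet.ip.alias.sctp.hashtable_size: 2003
net.inet.ip.alias.sctp.initialising_chunk_proc_limit: 2
net.inet.ip.alias.sctp.shutdown_time: 15
net.inet.ip.alias.sctp.track_global_addresses: 0
net.inet.ip.alias.sctp.up_timer: 300
"""
SAMPLE_WEAK = (SAMPLE_DEFAULTS.replace("addip: 0", "addip: 1")
               .replace("chunk_proc_limit: 5", "chunk_proc_limit: 1")
               .replace("error_on_ootb: 0", "error_on_ootb: 3")
               .replace("hashtable_size: 2003", "hashtable_size: 2000")
               .replace("shutdown_time: 15", "shutdown_time: 0")
               .replace("track_global_addresses: 0", "track_global_addresses: 4"))
```

Feed it the real output of `sysctl net.inet.ip.alias.sctp` to audit a host; hashtable_size findings only matter before the next nat instance is created, since existing instances keep their table.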

--- 429 unchanged lines hidden ---
.Dl "ipfw set 18 delete NN"
.Ss NAT, REDIRECT AND LSNAT
First redirect all the traffic to nat instance 123:
.Pp
.Dl "ipfw add nat 123 all from any to any"
.Pp
Then to configure nat instance 123 to alias all the outgoing traffic with ip
192.168.0.123, blocking all incoming connections, trying to keep
same ports on both sides, clearing aliasing table on address change
and keeping a log of traffic/link statistics:
.Pp
.Dl "ipfw nat 123 config ip 192.168.0.123 log deny_in reset same_ports"
.Pp
Or to change address of instance 123, aliasing table will be cleared (see
reset option):
.Pp
.Dl "ipfw nat 123 config ip 10.0.0.1"

--- 12 unchanged lines hidden ---
.Pp
Or a redirect rule with mixed modes could looks like:
.Pp
.Dl "ipfw nat 123 config redirect_addr 10.0.0.1 10.0.0.66"
.Dl " redirect_port tcp 192.168.0.1:80 500"
.Dl " redirect_proto udp 192.168.1.43 192.168.1.1"
.Dl " redirect_addr 192.168.0.10,192.168.0.11"
.Dl " 10.0.0.100 # LSNAT"
.Dl " redirect_port tcp 192.168.0.1:80,192.168.0.10:22"
.Dl " 500 # LSNAT"
.Pp
or it could be split in:
.Pp
.Dl "ipfw nat 1 config redirect_addr 10.0.0.1 10.0.0.66"
.Dl "ipfw nat 2 config redirect_port tcp 192.168.0.1:80 500"
.Dl "ipfw nat 3 config redirect_proto udp 192.168.1.43 192.168.1.1"
.Dl "ipfw nat 4 config redirect_addr 192.168.0.10,192.168.0.11,192.168.0.12"
.Dl " 10.0.0.100"
.Dl "ipfw nat 5 config redirect_port tcp"
.Dl " 192.168.0.1:80,192.168.0.10:22,192.168.0.20:25 500"
.Sh SEE ALSO
.Xr cpp 1 ,
.Xr m4 1 ,
.Xr altq 4 ,
.Xr divert 4 ,

--- 103 unchanged lines hidden ---
be as expected if the associated process calls
.Xr setuid 2
or similar system calls.
.Pp
Rule syntax is subject to the command line environment and some patterns
may need to be escaped with the backslash character
or quoted appropriately.
.Pp
Due to the architecture of
.Xr libalias 3 ,
ipfw nat is not compatible with the TCP segmentation offloading (TSO).
Thus, to reliably nat your network traffic, please disable TSO
on your NICs using
.Xr ifconfig 8 .
.Pp
ICMP error messages are not implicitly matched by dynamic rules
for the respective conversations.
To avoid failures of network error detection and path MTU discovery,

--- 17 unchanged lines hidden ---