I am having a little trouble understanding how IPFW handles non-existing interfaces. It seems that firewall rules can happily accept non-existing interface names, but in-kernel NAT does not.
Also, what happens at runtime is not completely clear to me. I guess these rules are never matched against a packet as long as the interface does not exist, right?
Can someone explain why rules accept non-existing interface names but NAT does not?
Here is an example. I intend to create an OpenVPN connection and a tun0 interface after the firewall has been loaded:
Bash:
/sbin/ipfw -q nat 1 config if tun0 log reset same_ports unreg_only redirect_port tcp 10.0.21.20:443 9443
ipfw: unknown interface name tun0
/sbin/ipfw -q add 14002 nat 1 tcp from any to me 9443 recv tun0
/sbin/ipfw -q add 14012 nat 1 tcp from 10.0.21.20 443 to any xmit tun0
Normally I have my firewall and OpenVPN client enabled as services:
Bash:
firewall_enable: YES
firewall_logging: YES
firewall_nat_enable: YES
firewall_script: /usr/local/etc/ipfw/ipfw.rules
openvpn_configfile: /usr/local/etc/openvpn/openvpn.conf
openvpn_dir: /usr/local/etc/openvpn
openvpn_enable: YES
openvpn_if: tun
My intention is:
- On startup, open an SSH connection to a remote server and open a tunnel inside that connection.
- On startup start an OpenVPN client and connect to a remote OpenVPN server through the SSH tunnel above --> this creates a tun0 interface.
- Configure my box to act as a firewall+NAT via the tun0 interface.
Any suggestions?
For me, the easiest way would be to configure the firewall and then do my magic and connections. However, if this is not possible, I would have to delay the NAT configuration for after creating the VPN connection. Any smarter ways?
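One way to sequence this, as an added example that is not part of the original post: keep the interface-independent rules in firewall_script, and let an OpenVPN up/down hook create the NAT instance and its two rules only once the tunnel device actually exists, tearing them down again when the tunnel goes away. The script path, the `script-security 2` / `up` / `down` directives, the `IPFW` and `IFCONFIG` overrides used for dry-running, and the `nat_up` / `nat_down` function names are assumptions; the NAT parameters, addresses and rule numbers are the ones from the post.

```shell
#!/bin/sh
# Added example (not from the original post): OpenVPN up/down hook that
# installs ipfw in-kernel NAT on the tunnel device only after it exists.
#
# Assumed OpenVPN config (openvpn.conf):
#   script-security 2
#   up   /usr/local/etc/openvpn/ipfw-nat.sh
#   down /usr/local/etc/openvpn/ipfw-nat.sh
# OpenVPN calls the hook with the device name as $1 and exports
# script_type=up or script_type=down.

IPFW="${IPFW:-/sbin/ipfw}"           # set IPFW=echo to dry-run
IFCONFIG="${IFCONFIG:-/sbin/ifconfig}"  # set IFCONFIG=true/false in tests
NAT_ID=1
RULE_IN=14002
RULE_OUT=14012
INNER_HOST=10.0.21.20   # host behind the NAT (values from the post)
INNER_PORT=443
PUBLIC_PORT=9443

# ifconfig exits non-zero for an unknown interface; that is the same
# condition that makes `ipfw nat N config if DEV` fail.
iface_exists() {
    "$IFCONFIG" "$1" >/dev/null 2>&1
}

# Arguments for `ipfw nat N config`, kept in one place so they can be
# inspected without running ipfw.
nat_config_args() {
    printf 'nat %s config if %s log reset same_ports unreg_only redirect_port tcp %s:%s %s\n' \
        "$NAT_ID" "$1" "$INNER_HOST" "$INNER_PORT" "$PUBLIC_PORT"
}

# Create the NAT instance and the two rules from the post. Refuses (exit 1)
# when the device is missing instead of leaving half of the setup in place.
nat_up() {
    dev="$1"
    if ! iface_exists "$dev"; then
        echo "ipfw-nat: interface $dev does not exist, not configuring NAT" >&2
        return 1
    fi
    # shellcheck disable=SC2046  (word splitting of the argument list is intended)
    "$IPFW" -q $(nat_config_args "$dev") &&
    "$IPFW" -q add "$RULE_IN"  nat "$NAT_ID" tcp from any to me "$PUBLIC_PORT" recv "$dev" &&
    "$IPFW" -q add "$RULE_OUT" nat "$NAT_ID" tcp from "$INNER_HOST" "$INNER_PORT" to any xmit "$dev"
}

# Remove the rules first, then the NAT instance they reference.
nat_down() {
    "$IPFW" -q delete "$RULE_IN" "$RULE_OUT"
    "$IPFW" -q nat "$NAT_ID" delete
}

case "${script_type:-}" in
    up)   nat_up "$1" ;;
    down) nat_down "$1" ;;
esac
```

A dry run without touching the kernel looks like `IPFW=echo IFCONFIG=true script_type=up sh ipfw-nat.sh tun0`, which prints the three ipfw invocations; with `IFCONFIG=false` the hook exits non-zero and prints nothing to stdout, which is the behaviour you want when OpenVPN restarts and the device is briefly absent.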