ipfw with nat and dummynet as modules

[jdratlif]

The handbook and most every tutorial I've seen says you must build a custom kernel to enable ipdivert, which is how natd is used with ipfw.

Is this still the case? There seems to be a libalias module, a dummynet module, an ipfw module, and an ipdivert module.

Must I really compile a custom kernel for ipfw with nat and dummynet, or can I use the GENERIC from FreeBSD 8.1 and load these modules?

I'm going to try it with the modules and see what happens.

In my testing setup, /etc/rc.conf has the following:

firewall_enable="YES"
firewall_type="open"

On startup, I see this message:

ipfw2 (+ipv6) initialized, divert loadable, nat loadable, rule-based forwarding disabled, default to deny, logging disabled

Loading modules gives me no errors:

sudo kldload ipdivert
[jdratlif@xaiver-freebsd ~]$ sudo kldload dummynet
[jdratlif@xaiver-freebsd ~]$ sudo kldstat
Id Refs Address    Size     Name
 1   15 0xc0400000 66e5f4   kernel
 2    3 0xc40f7000 11000    ipfw.ko
 3    1 0xc4108000 d000     libalias.ko
 4    1 0xc4240000 4000     ipdivert.ko
 5    1 0xc4244000 e000     dummynet.ko

Thanks

 

[phoenix]

ipfw.ko loads the main IPFW code.

libalias.ko loads the in-kernel NAT support for IPFW (using ipfw nat keyword, not natd).

ipdivert.ko loads the IPFW divert keyword, needed for natd, but not needed for in-kernel NAT.

dummynet.ko loads the DummyNet support for IPFW.

IOW, if you want NAT and DummyNet support via IPFW, you can load the ipfw, libalias, and dummynet modules. You won't have access to natd, but you won't need it, since IPFW supports NAT internally.

Note: loading the ipfw.ko module will load a default deny rule, so do not do that via an SSH connection, as the connection will be broken.