Hi
I have a FreeBSD box with 4 interfaces. I need NAT on 2 of the interfaces, so I added the following config to /etc/rc.conf:
Code:
gateway_enable="YES"
router_enable="YES"
natd_enable="YES"
natd_flags="-f /etc/natd_public.conf"
natd2_enable="YES"
natd2_flags="-f /etc/natd_mvc.conf"
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
firewall_logging="YES"
The /etc/natd_public.conf contains:
Code:
port 8668
interface em0
same_ports yes
dynamic yes
The /etc/natd_mvc.conf contains:
Code:
port 8669
interface em3
same_ports yes
dynamic yes
I created a copy of /etc/rc.d/natd and called it /etc/rc.d/natd2. I adjusted everything so that it works, but it doesn't start at boot time; I have to start it manually. I tried moving the script from /etc/rc.d/natd2 to /usr/local/etc/rc.d/natd2, but it still doesn't start at boot time. After the boot I can start it without any issue.
What do I have to do so that the second instance of natd starts at boot time?
My second question is: Does that ipfw config work?
/etc/ipfw.rules
Code:
#!/bin/sh
################ Start of IPFW rules file ###############################
# Flush out the list before we begin.
ipfw -q -f flush
# Set rules command prefix
cmd="ipfw -q add"
skip="skipto 900"
sk="setup keep-state"
ks="keep-state"
# Interfaces
pub="em0"
lan="em1"
ipl="em2"
mvc="em3"
....
#################################################################
# No restrictions on Loopback Interface
#################################################################
$cmd 0010 allow all from any to any via lo0
...
#################################################################
# check if packet is inbound and nat address if it is
#################################################################
$cmd 0014 divert natd ip from any to any in via $pub
$cmd 0015 divert natd2 ip from any to any in via $mvc
#################################################################
# Allow the packet through if it has previous been added to the
# the "dynamic" rules table by a allow keep-state statement.
#################################################################
$cmd 0016 check-state
...
# Allow ssh connections to ios devices
$cmd 0200 $skip tcp from xxx.xxx.xxx.xxx to any ssh out via $mvc $sk
# Reject & log all unauthorized outgoing connections to the LAN
$cmd 0299 deny log all from any to any out via $mvc
...
# Allow DNS forwarding. ipfw address lists are comma-separated with no spaces:
# "8.8.8.8, 8.8.4.4" is split by the shell into two words and the rule is rejected.
$cmd 0300 $skip tcp from xxx.xxx.xxx.xxx to 8.8.8.8,8.8.4.4 domain in via $lan $sk
$cmd 0301 $skip udp from xxx.xxx.xxx.xxx to 8.8.8.8,8.8.4.4 domain in via $lan $ks
...
#################################################################
# Make NAT and allow through
#################################################################
# This is skipto location for outbound stateful rules
$cmd 0900 divert natd ip from any to any out via $pub
$cmd 0901 divert natd2 ip from any to any out via $mvc
$cmd 0902 allow ip from any to any
# Everything else is denied by default
# deny and log all packets that fell through to see what they are
$cmd 0999 deny log all from any to any
################ End of IPFW rules file ###############################
So all traffic going out through the em0 interface should be NATed to the em0 IP address and all traffic going out through the em3 interface should be NATed to the em3 IP address.
I added the natd2 service to the /etc/services file:
Code:
natd 8668/divert # Network Address Translation
natd2 8669/divert # Network Address Translation
Thanks for your help.
Cheers Daniel
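Editor's added example (mine, not part of Daniel's post) for the first question. In the FreeBSD releases I have looked at, the stock /etc/rc.d/natd carries `# KEYWORD: nostart` and is started by /etc/rc.d/ipfw (through its firewall_coscripts list) rather than by rc itself, so a byte-for-byte copy keeps that keyword and is never run at boot even though `/etc/rc.d/natd2 start` works by hand. The script below writes a natd2 rc.d script that drops the keyword, uses its own `name`/`rcvar`/PROVIDE values and its own pidfile (natd's `-P` option; otherwise both daemons fight over /var/run/natd.pid), and a small lint function that flags the mistakes a copied script usually keeps. The `# REQUIRE: ipfw` ordering and the `required_modules` line mirror the stock script and are my assumptions; files are written to a scratch directory, not to /etc. Adding the script path to `firewall_coscripts` in rc.conf and keeping `nostart` is an alternative I have not shown.

```shell
#!/bin/sh
# Added example (not from the forum post): build an rc.d script for a second
# natd instance and lint rc.d scripts for the things that stop them at boot.

# Write the corrected natd2 rc.d script to the path given as $1.
# rc.subr picks up natd2_enable and natd2_flags from rc.conf because they are
# named after ${name}; the -f /etc/natd_mvc.conf flag therefore still applies.
write_natd2_script() {
    cat > "$1" <<'EOF'
#!/bin/sh
#
# PROVIDE: natd2
# REQUIRE: ipfw

. /etc/rc.subr

name="natd2"
rcvar="natd2_enable"
command="/sbin/natd"
pidfile="/var/run/${name}.pid"
required_modules="ipdivert"

# Separate pidfile so the two natd processes do not overwrite each other's.
command_args="-P ${pidfile}"

load_rc_config $name
run_rc_command "$1"
EOF
    chmod 555 "$1"
}

# Constructed stand-in for an unmodified copy of the stock script, reduced to
# the lines that matter here (PROVIDE, KEYWORD, name, rcvar).
write_naive_copy() {
    cat > "$1" <<'EOF'
#!/bin/sh
#
# PROVIDE: natd
# KEYWORD: nostart

. /etc/rc.subr

name="natd"
rcvar="natd_enable"
command="/sbin/${name}"

load_rc_config $name
run_rc_command "$1"
EOF
    chmod 555 "$1"
}

# Lint an rc.d script meant to run as "natd2": prints one line per problem and
# returns 1 if anything would keep rc from starting it at boot, 0 otherwise.
lint_rc_script() {
    f="$1"; rc=0
    grep -q '^# PROVIDE: natd2$' "$f" || { echo "$f: PROVIDE must be natd2 (rcorder keys on it)"; rc=1; }
    grep -q '^# KEYWORD:.*nostart' "$f" && { echo "$f: KEYWORD nostart means rc never starts it"; rc=1; }
    grep -q '^name="natd2"' "$f" || { echo "$f: name must be natd2 so natd2_flags are used"; rc=1; }
    grep -q '^rcvar="natd2_enable"' "$f" || { echo "$f: rcvar must be natd2_enable"; rc=1; }
    return $rc
}

# Run directly with "demo" as the first argument to see both variants linted.
demo() {
    d=$(mktemp -d)
    write_naive_copy "$d/natd2.copy"
    write_natd2_script "$d/natd2"
    echo "== unmodified copy =="; lint_rc_script "$d/natd2.copy" || echo "-> would not start at boot"
    echo "== corrected script =="; lint_rc_script "$d/natd2" && echo "-> looks startable at boot"
    rm -r "$d"
}
if [ "${1:-}" = "demo" ]; then demo; fi
```

On the real box the generated file belongs in /etc/rc.d/natd2 with mode 555 like its neighbours; `rcorder /etc/rc.d/* | grep natd2` then shows whether rc will pick it up at all.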
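Editor's added example (mine, not part of Daniel's post) for the second question. It does not run ipfw; it reads a rules script of the kind shown above together with a services file and checks three things that decide whether "out via em0 goes to natd, out via em3 goes to natd2" actually holds: that every `divert` name is a `/divert` entry in /etc/services, that each interface is diverted to the same natd instance inbound and outbound, and that no address list contains a space after the comma (ipfw wants `8.8.8.8,8.8.4.4` or `{ 8.8.8.8 or 8.8.4.4 }`). The sample rules and services file are constructed for the demo and written to a scratch directory.

```shell
#!/bin/sh
# Added example (not from the forum post): static checks on an ipfw rules
# script. Nothing here executes the rules; the text is inspected with awk.

# Check 1: a space inside an address list ("a, b") is split by the shell into
# two words and ipfw rejects the rule. Comment lines are skipped.
check_addr_lists() {
    awk '/^[[:space:]]*#/ { next }
         /, +[0-9A-Za-z$]/ { printf "line %d: space inside address list: %s\n", NR, $0; bad = 1 }
         END { exit bad }' "$1"
}

# Check 2: every divert target must be a /divert service ($2 is the services
# file), each interface must use one natd instance in both directions, and
# each diverted interface needs both an "in" and an "out" rule.
check_divert_rules() {
    awk -v svcfile="$2" '
    BEGIN {
        while ((getline line < svcfile) > 0) {
            n = split(line, w, /[ \t]+/)
            if (n >= 2 && w[2] ~ /\/divert$/) known[w[1]] = 1
        }
    }
    /^[[:space:]]*#/ { next }
    /divert/ {
        svc = ""; dir = ""; ifc = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "divert") svc = $(i + 1)
            if ($i == "in" || $i == "out") dir = $i
            if ($i == "via") ifc = $(i + 1)
        }
        if (svc == "" || ifc == "") next
        if (svc !~ /^[0-9]+$/ && !(svc in known)) {
            printf "line %d: divert %s is not a /divert service in %s\n", NR, svc, svcfile; bad = 1
        }
        if ((ifc in seen) && seen[ifc] != svc) {
            printf "line %d: %s diverted to %s here but to %s earlier\n", NR, ifc, svc, seen[ifc]; bad = 1
        }
        seen[ifc] = svc; dirs[ifc, dir] = 1
    }
    END {
        for (k in seen)
            if (!((k, "in") in dirs) || !((k, "out") in dirs)) {
                printf "%s: divert rule for only one direction\n", k; bad = 1
            }
        exit bad
    }' "$1"
}

check_rules() { check_addr_lists "$1" && check_divert_rules "$1" "$2"; }

# Constructed services file matching the two entries added in the post.
write_services() {
    cat > "$1" <<'EOF'
natd 8668/divert # Network Address Translation
natd2 8669/divert # second natd instance
EOF
}

# Constructed rule set. With $2 = "broken" it carries two mistakes: a space
# inside the DNS address list and em3 diverted to natd2 inbound but natd outbound.
write_rules() {
    cat > "$1" <<'EOF'
#!/bin/sh
cmd="ipfw -q add"
pub="em0"
mvc="em3"
$cmd 0010 allow all from any to any via lo0
$cmd 0014 divert natd ip from any to any in via $pub
$cmd 0015 divert natd2 ip from any to any in via $mvc
$cmd 0016 check-state
EOF
    if [ "$2" = "broken" ]; then
        cat >> "$1" <<'EOF'
$cmd 0300 skipto 900 tcp from any to 8.8.8.8, 8.8.4.4 domain in via em1 setup keep-state
$cmd 0900 divert natd ip from any to any out via $pub
$cmd 0901 divert natd ip from any to any out via $mvc
EOF
    else
        cat >> "$1" <<'EOF'
$cmd 0300 skipto 900 tcp from any to 8.8.8.8,8.8.4.4 domain in via em1 setup keep-state
$cmd 0900 divert natd ip from any to any out via $pub
$cmd 0901 divert natd2 ip from any to any out via $mvc
EOF
    fi
    cat >> "$1" <<'EOF'
$cmd 0902 allow ip from any to any
$cmd 0999 deny log all from any to any
EOF
}

# Run directly with "demo" to see the broken and the corrected set checked.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d); write_services "$d/services"
    write_rules "$d/broken" broken; write_rules "$d/fixed" fixed
    echo "== broken =="; check_rules "$d/broken" "$d/services" || echo "-> fix before loading"
    echo "== fixed =="; check_rules "$d/fixed" "$d/services" && echo "-> no problems found"
    rm -r "$d"
fi
```

Run against the real /etc/ipfw.rules and /etc/services as `check_rules /etc/ipfw.rules /etc/services`; the variable names ($pub, $mvc) are compared as text, which is enough to catch a copy-paste mismatch between the 0014/0015 and 0900/0901 pairs.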