# cd /usr/src/sys/i386/conf
# cp GENERIC IPFWKERNEL
# vi IPFWKERNEL
Add the following options and save the file:
options IPFIREWALL # required for IPFW
options IPFIREWALL_VERBOSE # optional; logging
options IPFIREWALL_VERBOSE_LIMIT=10 # optional; don't get too many log entries
options IPDIVERT # needed for natd
Then build the new kernel:
# cd /usr/src
# make buildkernel KERNCONF=IPFWKERNEL
Install the new kernel:
# make installkernel KERNCONF=IPFWKERNEL
Now reboot the system:
# reboot
Step # 1: Enabling IPFW
Open /etc/rc.conf file
# vi /etc/rc.conf
Append the following settings:
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"
Ensure your machine acts as a gateway and a firewall by including the following lines in /etc/rc.conf:
gateway_enable="YES"
Step # 2: Write a Firewall Rule Script
You need to place the firewall rules in a script called /usr/local/etc/ipfw.rules (the file named by firewall_script above):
# vi /usr/local/etc/ipfw.rules
Append the following code:
#!/bin/sh
IPF="ipfw -q add"
# start from an empty rule set
ipfw -q -f flush
# loopback: allow everything on lo0, drop loopback addresses seen on any other interface
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
# drop fragmented TCP packets
$IPF 40 deny tcp from any to any frag
# stateful: match existing dynamic rules first, then let outbound traffic create them
$IPF 50 check-state
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
$IPF 80 allow icmp from any to any
# open ports: ftp control (21), ssh (22), mail (25), dns (53), http (80)
$IPF 110 allow tcp from any to any 21 in
$IPF 120 allow tcp from any to any 21 out
$IPF 130 allow tcp from any to any 22 in
$IPF 140 allow tcp from any to any 22 out
$IPF 150 allow tcp from any to any 25 in
$IPF 160 allow tcp from any to any 25 out
$IPF 170 allow udp from any to any 53 in
$IPF 175 allow tcp from any to any 53 in
$IPF 180 allow udp from any to any 53 out
$IPF 185 allow tcp from any to any 53 out
$IPF 200 allow tcp from any to any 80 in
$IPF 210 allow tcp from any to any 80 out
# deny and log everything else
$IPF 500 deny log all from any to any
Save and close the file.
Step # 3: Start the firewall
You can reboot the box, or load the rules immediately by running the script from the command line:
# sh /usr/local/etc/ipfw.rules
Task: List all the rules in sequence
Type the following command:
# ipfw list
For NAT
Ensure the following line appears in /etc/services:
natd 8668/divert # Network Address Translation socket
The natd command can be added to /etc/rc.local (NOTE: /etc/rc.local is deprecated; use /usr/local/etc/rc.d/ instead; see Starting stuff at boot time). Remember to change ed0 to your external network card (i.e. the one that goes to your ISP).
# natd -interface ed0
Then redirect the traffic through natd with the following ipfw rules:
/sbin/ipfw -f flush
/sbin/ipfw add divert natd all from any to any via ed0
/sbin/ipfw add pass all from any to any
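A small audit script for rule files in the format used above (the numbered /usr/local/etc/ipfw.rules script and the three-line natd snippet), added here as an example; it is not part of the original post. It orders rules the way ipfw does (an unnumbered rule gets the highest number so far plus 100, ipfw's default step) and flags a catch-all pass, a missing or non-logging final deny, and rules placed behind the final deny that can never match; the embedded rule text is constructed and abridged from the snippets above.

```python
import re
# Constructed samples (abridged, not the page's files verbatim): the page's
# numbered rule script, and its three-line natd snippet on its own.
SCRIPT = """\
$IPF 70 allow all from any to any out keep-state
$IPF 130 allow tcp from any to any 22 in
$IPF 500 deny log all from any to any
"""
NAT_ONLY = """\
/sbin/ipfw -f flush
/sbin/ipfw add divert natd all from any to any via ed0
/sbin/ipfw add pass all from any to any
"""

# Matches "$IPF 10 allow ...", "ipfw -q add 10 ..." and "/sbin/ipfw add ...".
RULE_RE = re.compile(
    r"^(?:\$IPF|(?:/sbin/)?ipfw(?:\s+-q)?\s+add)\s+(?:(\d+)\s+)?"
    r"(allow|pass|accept|deny|drop|check-state|divert\s+\S+)\s*(.*)$")
# A body matching every packet: optional "log", then "all|ip from any to any".
CATCH_ALL = re.compile(r"^(?:log\s+)?(?:all|ip)\s+from\s+any\s+to\s+any$")

def parse_rules(text):
    """(number, action, body) tuples in the order ipfw evaluates them: sorted by
    number; an unnumbered rule gets highest-so-far + 100 (ipfw's default step)."""
    rules, last = [], 0
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        num = int(m.group(1)) if m.group(1) else last + 100
        last = max(last, num)
        rules.append((num, m.group(2), m.group(3).strip()))
    return sorted(rules)

def audit(text):
    """Flag catch-all allows, a missing or silent final deny, and dead rules."""
    findings, final_deny = [], None
    for num, action, body in parse_rules(text):
        if final_deny is not None:
            findings.append(f"rule {num} is unreachable behind deny {final_deny}")
        elif action in ("allow", "pass", "accept") and CATCH_ALL.match(body):
            findings.append(f"rule {num} allows all traffic in both directions")
        elif action in ("deny", "drop") and CATCH_ALL.match(body):
            final_deny = num
            if not body.startswith("log"):
                findings.append(f"rule {num} is the final deny but does not log")
    if final_deny is None:
        findings.append("no catch-all deny: unmatched traffic reaches the kernel default rule")
    return findings
```

Run against the natd snippet on its own it reports the wide-open pass rule and the absence of a final deny, while the numbered script produces no findings.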
Making these changes permanent
These steps ensure that natd is configured again after a reboot.
Make sure the following is in /etc/rc.conf. Remember to change ed0 to your external network card (i.e. the one that goes to your ISP). These lines tell the system that you will be using natd, which interface needs to be diverted, and which flags natd needs. In this case, we'll put the flags in a file for ease of maintenance.
natd_enable="YES"
natd_interface="ed0"
natd_flags="-f /etc/natd.conf"
Then make sure the following is in /etc/natd.conf. Remember to change ed0 to your external network card (i.e. the one that goes to your ISP).
interface ed0
use_sockets yes
same_ports yes
The last two lines should ensure that DCC works correctly under IRC. If you are using DHCP, you should also add the following line:
dynamic yes
If it doesn't work
If the above does not get things working for you, then please add your comments. Perhaps my instructions are defective. I don't think so, but please tell me of any problems you had and what you did to correct them.
Additional Information
If you get the error "natd: Unable to create divert socket.: Protocol not supported", the running kernel has no divert socket support (the IPDIVERT option listed at the top); rebuild the kernel with that option, and use /etc/rc.conf settings like the following:
# Required for IPFW kernel firewall support
firewall_enable="YES"                           # Start daemon
firewall_script="/etc/ipfw.rules"               # run my custom rules
firewall_logging="YES"                          # Enable events logging
natd_enable="YES"                               # Enable IPFW nat function
natd_interface="rl0"
natd_flags="-dynamic -m -u -f /etc/natd.conf"