Hi List

I am in the process of configuring NAT and a firewall on FreeBSD 4.7 Stable. I have configured the external interface with 2 class C addresses, 192.x.x.1 and 192.x.x.2, and the internal interface with 192.168.x.1 (gateway).
I have also configured natd_flags="-redirect_address 192.168.x.3 192.x.x.2", which, if I'm correct, will redirect all traffic destined for 192.x.x.2 to 192.168.x.3?
My question is: have I done everything correctly so far, and what rule would I use for my firewall so that natd will work the way I want it to?
At the moment traffic is not being redirected to 192.168.x.3, and I can't connect to anything external via 192.168.x.3, which I don't expect to be able to either until I get your help (proxy excluded).
I hope this information is enough for you to help me (see below for configurations). Your time, help and suggestions would be much appreciated. Real IPs have been omitted for obvious reasons.

Many thanks and regards,
Nelis

My firewall rules are as follows:

#####ipfw ruleset
#allow all outbound and only inbound TCP connections I've created
add 00301 check-state
#add 00302 deny log tcp from any to any established
add 00302 allow tcp from any to any established
add 00303 allow tcp from any to any out setup keep-state
add 00304 allow tcp from any to 192.x.x.0/24 22,25,53,80,443 setup
add 00305 allow tcp from 192.x.x.125 to 192.x.x.0/24 161,162 setup
add 00306 allow tcp from any to 192.168.x.0/27 in recv rl1
#allow all outbound and only inbound UDP connections I've created
add 00400 allow udp from 192.x.x.0/24 to any 53,123 keep-state out via rl0
add 00401 allow udp from any to 192.x.x.0/24 53,123 keep-state in via rl0
add 00402 allow udp from 192.x.x.0/24 to 192.x.x.125 161,162 keep-state out via rl0
add 00403 allow udp from 192.x.x.125 to 192.x.x.0/24 161,162 keep-state in via rl0
add 00404 allow udp from any to 192.168.x.0/27 in recv rl1
add 00405 allow udp from any to any out
#allow some icmp types (codes not supported)
##allow path-mtu in both directions
add 00600 allow icmp from any to any icmptypes 3
##allow source quench in and out
add 00601 allow icmp from any to any icmptypes 4
##allow me to ping out and receive response back
add 00602 allow icmp from any to any icmptypes 8 out
add 00603 allow icmp from any to any icmptypes 0 in
##allow people to ping me
add 00604 allow icmp from any to any icmptypes 8 in
add 00605 allow icmp from any to any icmptypes 0 out
##allow me to run traceroute
add 00606 allow icmp from any to any icmptypes 11 in
#allow ident requests
add 00700 allow tcp from any to any 113 keep-state setup
#deny syn and fin bits used for OS finger printing using nmap
add 00701 deny log tcp from any to any in tcpflags syn,fin
#log anything that falls through
add 09000 deny log ip from any to any

My rc.conf is as follows:

defaultrouter="192.x.x.125"
hostname="x.x.x"
ifconfig_rl0="inet 192.x.x.1 netmask 255.255.255.0"
ifconfig_rl0_alias0="inet 192.x.x.2 netmask 255.255.255.255"
ifconfig_rl1="inet 192.168.x.1 netmask 255.255.255.0"
kern_securelevel_enable="NO"
gateway_enable="YES"
natd_enable="YES"
natd_interface="rl0"
natd_flags="-redirect_address 192.168.x.3 192.x.x.x2"
inetd_enable="NO"
linux_enable="YES"
moused_enable="NO"
moused_type="NO"
nfs_reserved_port_only="YES"
## Setup NFS
# portmap_enable="YES"
# nfs_server_enable="YES"
# mountd_flags="-r"
# ntpdate_enable="YES"
xntpd_enable="YES"
sshd_enable="YES"
sshd_program="/usr/local/sbin/sshd"
usbd_enable="NO"
sendmail_enable="NONE"
named_enable="YES"
named_program="/usr/local/sbin/named"
fsck_y_enable="YES"
# enable_quotas=``YES''
# check_quotas=``NO''
## Required for ipfw support
firewall_enable="YES"
#firewall_script="/etc/rc.firewall"
#firewall_type="OPEN"
firewall_type="/etc/ipfw.rules"
firewall_quiet="YES"
firewall_logging_enable="YES"

Kernel Options:

machine i386
cpu I586_CPU
ident xxxx
maxusers 20

options INET
options FFS
options SOFTUPDATES
options MFS
options MD_ROOT
options NFS
options NFS_ROOT
options MSDOSFS
options CD9660
options CD9660_ROOT
options PROCFS
options COMPAT_43
options UCONSOLE
options USERCONFIG
options VISUAL_USERCONFIG
options KTRACE
options SYSVSHM
options SYSVMSG
options SYSVSEM
options P1003_1B
options _KPOSIX_PRIORITY_SCHEDULING
options ICMP_BANDLIM
options KBD_INSTALL_CDEV
options USER_LDT
options SC_DISABLE_REBOOT
options QUOTA
options IPDIVERT
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_FORWARD
options IPFIREWALL_VERBOSE_LIMIT=10
options ACCEPT_FILTER_HTTP
options ACCEPT_FILTER_DATA
options IPSTEALTH

Other configurations shouldn't be needed...?
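The post asks how natd's -redirect_address fits with an ipfw ruleset. The script below is an added example, not from the original post or from FreeBSD's own rc.firewall: it generates a minimal FreeBSD 4.x rule file of the kind firewall_type="/etc/ipfw.rules" points at, with the natd divert rule placed ahead of the stateful rules, and checks that ordering. Interface names rl0/rl1 come from the post; the addresses 192.0.2.2 and 192.168.1.3 are constructed placeholders for 192.x.x.2 and 192.168.x.3.

```shell
#!/bin/sh
# Added example (not from the original post): minimal ipfw rule file for a
# natd -redirect_address setup on FreeBSD 4.x, plus ordering checks.
# Placeholder addresses: 192.0.2.2 stands in for the alias 192.x.x.2,
# 192.168.1.3 for the internal host 192.168.x.3.
EXT_IF=rl0
INT_IF=rl1
EXT_ALIAS=192.0.2.2
INT_HOST=192.168.1.3
SERVICES=22,25,80,443

# natd_flags value as it would appear in rc.conf for this redirect.
natd_flags() {
  printf -- '-redirect_address %s %s\n' "$INT_HOST" "$EXT_ALIAS"
}

# Emit the rule file.  The divert rule must come before check-state and the
# keep-state rules: an inbound packet for $EXT_ALIAS is rewritten by natd to
# $INT_HOST and re-enters ipfw at the rule after the divert, still as a
# packet received "in via $EXT_IF", so the rule that admits it must name the
# translated address and the external interface, not the internal one.
gen_rules() {
  cat <<EOF
add 00100 allow ip from any to any via lo0
add 00200 divert natd ip from any to any via ${EXT_IF}
add 00301 check-state
add 00302 allow tcp from any to any established
add 00303 allow tcp from any to any out setup keep-state
add 00304 allow tcp from any to ${INT_HOST} ${SERVICES} in via ${EXT_IF} setup keep-state
add 00305 allow ip from 192.168.1.0/24 to any in via ${INT_IF}
add 09000 deny log ip from any to any
EOF
}

# Returns 0 when the divert rule precedes check-state, 1 otherwise.
divert_before_state() {
  gen_rules | awk '
    /divert natd/ { d = NR }
    /check-state/ { c = NR }
    END { exit !(d && c && d < c) }'
}

# Returns 0 when some rule admits traffic to the redirected host on $EXT_IF.
redirect_target_allowed() {
  gen_rules | grep -q "allow tcp from any to ${INT_HOST} .* in via ${EXT_IF}"
}
```

To install the output on a real host, redirect gen_rules to the rule file named by firewall_type and set natd_flags to the value natd_flags prints.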


To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-questions" in the body of the message
