Ian Smith writes:

>   >   So ... double-checking I'm doing this right:
>   > 
>   > 1) in /boot/loader.conf:
>   > 
>   > ipfw_load="YES"
>   > ipdivert_load="YES"
>  
>  I thought from your earlier mail that you wanted to use in-kernel
>  NAT?

        I want whatever works.  :-)
        Beyond that ... all other things being more-or-less equal I'll
do this with modules.
        Let's build that.  So in /etc/sysctl.conf:

net.inet.ip.fw.default_to_accept="1"
net.inet.ip.fw.verbose="1"
net.inet.ip.fw.verbose_limit="100"

        check.

>  I believe all these can be accomplished with modules on GENERIC
>  kernel, at least on 8.x, with the exception of FIREWALL_FORWARD
>  functionality which does require a custom kernel as it messes
>  with lots of ip paths.

        This machine has a custom kernel, so that's not an issue.
        And in /boot/loader.conf:

ipfw_load="YES"
ipfw_nat="YES"  # in-kernel ipfw nat
libalias="YES"  # for in-kernel ipfw nat

        check.
        and in the kernel config:

#options  IPFIREWALL              #firewall
#options  IPFIREWALL_VERBOSE      #enable logging to syslogd(8)

options  IPFIREWALL_FORWARD

#options  IPFIREWALL_VERBOSE_LIMIT=100    #limit verbosity
#options  IPFIREWALL_DEFAULT_TO_ACCEPT    #allow everything by default
#options  IPDIVERT
#options  IPFIREWALL_NAT          #ipfw kernel nat support
#options  LIBALIAS                              # required for NAT

        check.
        This combination will get me a) ipfw, using the standard
rc.conf "firewall_" variables, and b) NAT ... do I still need to
have a "nat" setting in the firewall rules?

        Less confused than last time,


                                Robert Huff
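
A sanity check for the /boot/loader.conf fragment above, added here as an example and not part of the thread: loader(8) only pulls in a module for an entry of the form `<module>_load="YES"`, so a bare `<module>="YES"` line sets an unknown variable and loads nothing. The script assumes the FreeBSD module names ipfw, ipfw_nat and libalias and runs against a constructed copy of the posted fragment.

```shell
#!/bin/sh
# Check that a loader.conf fragment really requests the modules needed for
# in-kernel ipfw NAT. Module names assumed: ipfw, ipfw_nat, libalias.

# Constructed sample, mirroring the fragment quoted in the mail.
SAMPLE=$(cat <<'EOF'
ipfw_load="YES"
ipfw_nat="YES"  # in-kernel ipfw nat
libalias="YES"  # for in-kernel ipfw nat
EOF
)

# check_loader_conf <text>: prints "<module>: ok|misspelled|missing" per
# module and returns 1 if any of them would not actually be loaded.
check_loader_conf() {
    conf=$1
    rc=0
    for mod in ipfw ipfw_nat libalias; do
        # Correct form: the _load suffix is what loader(8) acts on.
        if printf '%s\n' "$conf" | grep -Eq "^[[:space:]]*${mod}_load=\"?YES\"?"; then
            echo "$mod: ok"
        # Near miss: module name used as a variable, silently ignored.
        elif printf '%s\n' "$conf" | grep -Eq "^[[:space:]]*${mod}=\"?YES\"?"; then
            echo "$mod: misspelled (use ${mod}_load=\"YES\")"
            rc=1
        else
            echo "$mod: missing"
            rc=1
        fi
    done
    return $rc
}

check_loader_conf "$SAMPLE" || echo "loader.conf would not load in-kernel NAT"
```

On a live box, `kldstat` after boot confirms what actually loaded, independent of what the file says.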

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions