The FreeBSD Diary

Firewalls - converting from IP filter to natd/ipfw 29 October 1998
In a previous diary note, I wrote about IP Filter (an alternative firewall and NAT to ipfw/natd).  I wrote about how to install IP Filter, how to configure it, and how to add rules.  This article will be about removing IP Filter and replacing it with natd/ipfw.

This section assumes you already have a working dual homed system (i.e. you have two network cards in the computer and they both work) and merely wish to revert to the other software.  It will go through most of the steps you need.

NOTE: This article mentions /etc/rc.local which is deprecated;  /usr/local/etc/rc.d/ is now recommended instead; see Starting stuff at boot time.

Removing IP Filter
1. Don't load the kernel module
Remove the following line from /etc/rc.local (NOTE:  /etc/rc.local is deprecated; use /usr/local/etc/rc.d/ instead; see Starting stuff at boot time and Installing IP Filter 3.3.3 for an example):

modload /lkm/if_ipl.o

3. Don't load the NAT Rules
Remove the following line from /etc/rc.local (NOTE:  /etc/rc.local is deprecated; use /usr/local/etc/rc.d/ instead; see Starting stuff at boot time and Installing IP Filter 3.3.3 for an example):

ipnat -f /etc/ipnat.conf

Adding ipfw/natd
I've put the instructions for adding ipfw/natd to your system in a separate article, since they are often asked for.  Please use those instructions if you've never installed them before.
Reusing an existing kernel
You need a kernel which has been compiled using these options:
options IPFIREWALL
options IPDIVERT

If you've already built such a kernel, here's how to get it installed again:

  1. cd ../../compile/ONEDISK2NICS/
  2. make install
  3. shutdown -r now

Remember to ensure your machine acts as a gateway and a firewall by including the following lines in /etc/rc.conf:

gateway_enable=YES
firewall_enable=YES

I also have the following in /etc/rc.local (NOTE:  /etc/rc.local is deprecated; use /usr/local/etc/rc.d/ instead; see Starting stuff at boot time and Installing IP Filter 3.3.3 for an example):

echo " natd"  && natd -f /etc/natd.conf

where /etc/natd.conf contains my natd options.

That should be enough to get your old firewall rules in and running.  For information on rules, see Firewall rules.
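As an added example (not part of the original article or of FreeBSD itself), here is a small POSIX shell audit of the state this conversion should leave behind: both rc.conf flags set, no leftover IP Filter lines in rc.local, and natd started with a config file.  The file paths and sample file contents are constructed for illustration; point the functions at the real /etc/rc.conf and /etc/rc.local to audit a live box.

```shell
#!/bin/sh
# Added example, not the article's own code.  Checks that the switch from
# IP Filter to ipfw/natd is complete.  Sample files below are constructed.

# 0 when VAR is set to YES (quoted or not) on an uncommented line of FILE.
rc_conf_is_yes() {
    grep -Ei "^[[:space:]]*$2=\"?YES\"?[[:space:]]*(#.*)?\$" "$1" >/dev/null 2>&1
}

# 0 when rc.local no longer loads the if_ipl module or ipnat rules; leaving
# those in would start two packet filters competing for the same traffic.
rc_local_ipfilter_free() {
    ! grep -Ei '^[[:space:]]*(modload[[:space:]]+.*if_ipl|ipnat[[:space:]]+-f)' "$1" >/dev/null 2>&1
}

# 0 when rc.local starts natd with an explicit -f config file.
rc_local_starts_natd() {
    grep -E 'natd[[:space:]]+-f[[:space:]]+[^[:space:]]+' "$1" >/dev/null 2>&1
}

# Prints each finding; returns the number of problems found (0 = clean).
audit_conversion() {
    conf=$1; rclocal=$2; problems=0
    for v in gateway_enable firewall_enable; do
        rc_conf_is_yes "$conf" "$v" || { echo "MISSING: $v=YES in $conf"; problems=$((problems+1)); }
    done
    rc_local_ipfilter_free "$rclocal" || { echo "LEFTOVER: IP Filter lines in $rclocal"; problems=$((problems+1)); }
    rc_local_starts_natd "$rclocal" || { echo "MISSING: natd -f <conf> in $rclocal"; problems=$((problems+1)); }
    return $problems
}

# Constructed samples: a half-done conversion (module still loaded,
# firewall_enable commented out) and a finished one.
tmp=${TMPDIR:-/tmp}/ipf2ipfw.$$
mkdir -p "$tmp"
printf 'gateway_enable=YES\n#firewall_enable=YES\n' > "$tmp/bad.rc.conf"
printf 'modload /lkm/if_ipl.o\nipnat -f /etc/ipnat.conf\necho " natd"  && natd -f /etc/natd.conf\n' > "$tmp/bad.rc.local"
printf 'gateway_enable="YES"\nfirewall_enable="YES"\n' > "$tmp/good.rc.conf"
printf 'echo " natd"  && natd -f /etc/natd.conf\n' > "$tmp/good.rc.local"

bad_count=0;  audit_conversion "$tmp/bad.rc.conf" "$tmp/bad.rc.local" || bad_count=$?
good_count=0; audit_conversion "$tmp/good.rc.conf" "$tmp/good.rc.local" || good_count=$?
echo "half-done conversion: $bad_count problem(s); finished conversion: $good_count problem(s)"
```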
