Firewalls – converting from IP filter to natd/ipfw
In a previous diary note, I wrote about IP Filter (an alternative firewall and NAT to ipfw/natd). I wrote about how to install IP Filter, how to configure it, and how to add rules. This article will be about removing IP Filter and replacing it with natd/ipfw.
This section assumes you already have a working dual-homed system (i.e. you have two network cards in the computer and they both work) and merely wish to revert to the other software. It will go through most of the steps you need.
NOTE: This article mentions /etc/rc.local which is deprecated; /usr/local/etc/rc.d/ is now recommended instead; see Starting stuff at boot time.
Removing IP Filter
1. Don’t load the kernel module
Remove the following line from /etc/rc.local (NOTE: /etc/rc.local is deprecated; use /usr/local/etc/rc.d/ instead; see Starting stuff at boot time and Installing IP Filter 3.3.3 for an example):
3. Don’t load the NAT rules
Remove the following line from /etc/rc.local (NOTE: /etc/rc.local is deprecated; use /usr/local/etc/rc.d/ instead; see Starting stuff at boot time and Installing IP Filter 3.3.3 for an example):
ipnat -f /etc/ipnat.conf
Adding ipfw/natd
I’ve put the instructions for adding ipfw/natd to your system in a separate article. It’s often asked for. Please use those instructions if you’ve never installed them before.
Reusing an existing kernel
You need a kernel which has been compiled using these options:
options IPFIREWALL
options IPDIVERT
If you’ve already built such a kernel, here’s how to get it installed again:
- cd ../../compile/ONEDISK2NICS/
- make install
- shutdown -r now
Remember to ensure your machine acts as a gateway and a firewall by including the following lines in /etc/rc.conf:
echo " natd" && natd -f /etc/natd.conf
where /etc/natd.conf contains my natd options.
That should be enough to get your old firewall rules in and running. For information on rules, see Firewall rules.
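As an added example (not part of the original diary), here is a small pre-flight check for the conversion above: it inspects a kernel configuration file for the two required options and an rc.local-style script for uncommented ipnat/ipf commands that would still start IP Filter. The file paths are passed as arguments, and the sample files in the comments are constructed; ipf (IP Filter's rule loader) is assumed alongside the ipnat command shown above.

```shell
#!/bin/sh
# Added example: pre-flight check for an IP Filter -> ipfw/natd conversion.
# Usage: migration_ready /path/to/KERNELCONFIG /path/to/rc.local
# Both paths are arguments so the check can be run against copies.

# kernel_has_option CONFIG OPTION -> 0 if "options OPTION" is present
kernel_has_option() {
    grep -Eq "^[[:space:]]*options[[:space:]]+$2([[:space:]]|$)" "$1"
}

# missing_kernel_options CONFIG -> prints each required option that is absent
missing_kernel_options() {
    for opt in IPFIREWALL IPDIVERT; do
        kernel_has_option "$1" "$opt" || printf '%s\n' "$opt"
    done
}

# leftover_ipfilter_lines SCRIPT -> prints uncommented lines that still run
# ipnat or ipf (commented-out lines such as "# ipnat -f ..." are ignored)
leftover_ipfilter_lines() {
    grep -E '^[[:space:]]*(ipnat|ipf)[[:space:]]' "$1" || true
}

# migration_ready CONFIG SCRIPT -> 0 when the kernel config has both options
# and no IP Filter commands remain in SCRIPT; 1 otherwise, with reasons printed
migration_ready() {
    ready=0
    missing=$(missing_kernel_options "$1")
    if [ -n "$missing" ]; then
        echo "kernel config $1 lacks: $(echo "$missing" | tr '\n' ' ')"
        ready=1
    fi
    leftovers=$(leftover_ipfilter_lines "$2")
    if [ -n "$leftovers" ]; then
        echo "IP Filter is still started from $2:"
        printf '%s\n' "$leftovers"
        ready=1
    fi
    return $ready
}
```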