Oct 29 1998

Gateways – installing natd/ipfw

Please note: if you are running PPP, then you don’t want natd.  PPP has aliasing built in.  Unfortunately, I’ve never used PPP, so I suggest you follow the Pedantic PPP Primer of the FreeBSD Handbook or perhaps just see the man pages for information on -alias.

What’s a gateway?

A gateway allows one computer to talk to an outside network and channel requests from other computers.  If you have more than one computer, it makes sense to have one of them act as the gateway to your ISP.  It allows all of your computers to share a single modem.  It’s easy and it’s cheap.

One of the best ways to create a gateway is by using ipfw and natd (more information on natd).  ipfw is an Internet Packet Firewall (more information on firewalls).  Even though you may not want a firewall, it’s the best way to achieve a gateway.

Installation instructions

These instructions are taken directly from the FreeBSD natd manual.  Please refer to that document for further information.  This section assumes that the network card which is attached to your ISP is ed0.  You should substitute your own interface if necessary.

The following steps will get you going.  However, at the end of this section, I’ll show you how to make these changes permanent.

1. You need FreeBSD version 2.2 or higher

Obtaining FreeBSD is not covered in this section.  Please refer to the Installing FreeBSD section of the FreeBSD handbook.

2. Build a custom kernel

I highly recommend you read Configuring the FreeBSD Kernel section of the FreeBSD handbook.  Please pay special attention to the Building and Installing a Custom Kernel section.  The rest of this section contains the highlights for those that know how to build a kernel.

Include these options in your new kernel.

options IPFIREWALL
options IPDIVERT

If this is the first time you’ve created a new kernel, you may wish to reboot and install that new kernel.  Make sure your kernel reboots safely with no error messages.  If all you have done is the above changes, it should go very smoothly.

3. Create a gateway/firewall

Ensure your machine acts as a gateway and a firewall by including the following lines in /etc/rc.conf:
gateway_enable="YES"
firewall_enable="YES"

4. Configure your interface

Make sure your network cards are already configured.  Sorry, but I don’t cover that here.  If you’re using ppp, make sure you start ppp before running natd.

5. Add natd to your services

Ensure the following line appears in /etc/services:
natd     8668/divert  # Network Address Translation socket

6. Start natd

This can be added to /etc/rc.local (NOTE:  /etc/rc.local is deprecated; use /usr/local/etc/rc.d/ instead; see Starting stuff at boot time).  Remember to change ed0 to your external network card (i.e. the one that goes to your ISP).
natd -interface ed0

7. Redirect the traffic to natd

You will need at least the following commands.  Remember to change ed0 to your external network card (i.e. the one that goes to your ISP).  Note that the last rule passes every packet, so this minimal ruleset performs address translation only and does no filtering.
/sbin/ipfw -f flush
/sbin/ipfw add divert natd all from any to any via ed0
/sbin/ipfw add pass all from any to any

See FreeBSD natd manual for more information.

8. Reboot

In order for the changes you’ve made to take effect, you’ll need to reboot.

Things should run smoothly now.

Making these changes permanent

These steps ensure that natd is started automatically whenever the machine reboots.

Make sure the following is in /etc/rc.conf.  Remember to change ed0 to your external network card (i.e. the one that goes to your ISP).  These lines tell the system that you will be using natd, which interface needs to be diverted, and which flags natd needs.  In this case, we'll be putting our flags in a file for ease of maintenance.

natd_enable="YES"
natd_interface="ed0"
natd_flags="-f /etc/natd.conf"

Then make sure the following is in /etc/natd.conf.  Remember to change ed0 to your external network card (i.e. the one that goes to your ISP).

interface ed0
use_sockets yes
same_ports yes

The last two lines should ensure that DCC works correctly under IRC.  If you are using DHCP, you should also add the following line:

dynamic yes
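A read-only pre-flight check for the rc.conf and natd.conf settings recommended in the steps above, added here as an example (it is not from the original page and does not call ipfw or natd). It assumes the exact keys shown above and runs against constructed sample files, so it works on any host:

```shell
#!/bin/sh
# Added example, not from the original page: a read-only pre-flight check for
# the rc.conf and natd.conf settings described above. It is plain POSIX sh,
# calls neither ipfw nor natd, and is run here against constructed sample
# files so it works on any host, FreeBSD or not.

# Print the value of KEY from an rc.conf-style FILE (surrounding quotes
# stripped, commented-out lines ignored, last assignment wins).
rc_value() {
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"']*\)[\"']\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# Exit 0 when every setting the gateway needs is present and consistent,
# 1 otherwise; each problem is reported on stderr.
check_gateway_config() {
    rc="$1"; natdconf="$2"; status=0
    for key in gateway_enable firewall_enable natd_enable; do
        if [ "$(rc_value "$rc" "$key")" != "YES" ]; then
            echo "$rc: $key is not set to YES" >&2; status=1
        fi
    done
    iface="$(rc_value "$rc" natd_interface)"
    case "$iface" in
        "") echo "$rc: natd_interface is not set" >&2; status=1 ;;
        *[!A-Za-z0-9]*) echo "$rc: natd_interface '$iface' is not a plain interface name" >&2; status=1 ;;
    esac
    # natd.conf must name the same external interface that rc.conf diverts
    conf_iface="$(sed -n 's/^[[:space:]]*interface[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$natdconf" | tail -n 1)"
    if [ -n "$iface" ] && [ "$conf_iface" != "$iface" ]; then
        echo "$natdconf: interface '$conf_iface' does not match natd_interface '$iface'" >&2; status=1
    fi
    return $status
}

# Constructed sample configuration mirroring the lines recommended above.
demo_dir="$(mktemp -d)"
cat > "$demo_dir/rc.conf" <<'EOF'
gateway_enable="YES"
firewall_enable="YES"
natd_enable="YES"
natd_interface="ed0"
natd_flags="-f /etc/natd.conf"
EOF
printf 'interface ed0\nuse_sockets yes\nsame_ports yes\n' > "$demo_dir/natd.conf"
if check_gateway_config "$demo_dir/rc.conf" "$demo_dir/natd.conf"; then
    echo "gateway configuration looks complete"
fi
```

Run it as `check_gateway_config /etc/rc.conf /etc/natd.conf` on the gateway itself; a non-zero exit means one of the settings from the steps above is missing or inconsistent.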

If it doesn’t work

If the above does not get things working for you, then please add your comments. Perhaps my instructions are defective.  I don’t think so, but please tell me of any problems you had and what you did to correct them.

  13 Responses to “Gateways – installing natd/ipfw”

  1. (posted by Dan Langille)

    I am in the situation of having a FreeBSD box act as gateway for net access.
    As I’m only assigned a single IP, I’m using natd for connecting my LAN to
    the net (only one machine though, so its basically "redirect_address
    10.0.0.2 0.0.0.0", heh). I too encountered the problem of not being able to
    initiate DCC’s from mIRC.

    I enabled -use_sockets and -same_ports, yet this would not help. After
    searching around on the net, I found this page:
    http://www.freebsd.org/cgi/query-pr.cgi?7669

    Let me just quote the interesting part from it:

    mIRC, a popular MS Windows-based IRC client, can determine the address
    that it should use for itself in DCC-based activities in one of two
    ways. It can query the OS for its address, or it can query the IRC
    server. In the latter case, if the connection between the box in
    question and the IRC server includes a FreeBSD box performing address
    translation via ppp -alias (or other libalias-based system), then the
    address returned is the address of the FreeBSD box. This means that
    DCC requests from the mIRC client are sent out with the FreeBSD box’s
    address encoded in the request.

    libalias includes a facility to examine outgoing packets for IRC DCC
    packets and perform the necessary translation. However, it only
    performs this if the address encoded in the DCC packet is that of a
    system being aliased. In the case where the IRC client gets its
    address from the server, then libalias will not perform this
    translation.

    Now, I’m not sure if this issue (limitation?) is natd’s or mirc’s fault; I
    suppose both are doing their job, hehe. Anyway, the workaround is changing
    mirc options from "Lookup Method: Server" to "Lookup Method: Normal". This
    will change the IP mirc uses to 10.0.0.2 (in my case), opposite to the IP
    assigned by the ISP when using server lookup. The best thing would probably
    be making mirc use the two different IP’s for normal IRC stuff and DCC. I’m
    gonna write mirc’s author about it.

    • Also, some IRC servers (or maybe clients) require that your inetd server be visible for DCC sends, so make sure you either forward your port 113 or run an inetd server on your firewall.

    • Not inetd, identd. There’s probably a bunch of really simple/small ones in ports.

    • One thing I figured out in mIRC when using natd is that in mIRC’s DCC options you can specify a range of ports to use for DCC. Simply do this, and forward those same ports to the windows box from natd.conf and your DCC’s should work flawlessly either way.

    • Hello Nick
      Sorry, I am not experienced in English.
      I want to know about installing IPFW/NAT.
      I know install IPFW/NAT in kernel compiling.
      I want to know install IPFW/NAT as module.
      in example
      kldstat ipfw.ko

      NAT cannot run.
      How do I install IPFW/NAT as modules?

      Have a nice day !!!!!

  2. I recall having the ability to write powerful statements like:

    ipfw add 100 check-state
    ipfw add 101 allow all from me to not me keep-state via tun0

    utilizing the wonderful "me" and "not" clauses.
    For some reason it is only the "me" clause that works now,
    seemingly "not" has been dropped – or perhaps the syntax has
    been changed, but I can not find the changes.

    I would appreciate any information relating to this topic.

    thanks in advance,
    sereciya@mail.csuchico.edu

  3. Hi, I’m using NATd on FreeBSD 4.5, used this ruleset and instructions, and can't get internet to my other machine. Problem lies with the fact that my bandwidth is DEAD. On a download I normally get 130-150kb/s, I now get 30 on THIS machine. My other machine d/ls the file at about 3kb/s. I run cable, and have NO clue why this is happening. I tried dummynet stuff, couldn't really figure out how a protocol to limit bandwidth would make it flow right.. ANY help, tutorials, rulesets to make cable work correctly bandwidth wise is MUCH appreciated.