Chapter 12

Oct 9 19:43:34 home kernel: ipfw: 60 Accept TCP 192.168.0.222:52195 192.168.0.5:22 in via fxp0

In the above example you can see SSH traffic (TCP port 22) from 192.168.0.222 to 192.168.0.5 being received on the fxp0 interface. The log entry includes the date and time, the number of the rule that matched (60), the action taken (Accept), the protocol and the source and destination address:port pairs, as well as the direction of the packet (in) and the interface it was seen on.

Network Address Translation (NAT)

IPFW has built-in support for the NAT function, which can be enabled using the nat keyword.

IPFW's NAT support is available only if the kernel is configured with the following options (or, on a GENERIC kernel, if the ipfw_nat kernel module is loaded):

options IPFIREWALL_NAT
options LIBALIAS

To add a NAT rule, a firewall rule matching the traffic to be translated should be added:

add nat 100 ip from any to any

This will send all IP traffic to a NAT instance (in this case the instance number is 100). Then you should add another rule that contains the detailed configuration of this NAT instance:

nat 100 config ip 81.20.55.1 deny_in unreg_only

This configuration statement defines the NAT behavior. In this case, the matched packets will be translated to the IP address 81.20.55.1 (which must already be configured on an interface). There are also two other options used in this sample. The deny_in keyword indicates that incoming connections that do not belong to an existing translated session are denied. The other keyword, unreg_only, tells IPFW that only packets coming from unregistered (private) IP address space as defined in RFC 1918 should be translated, which is what we use NAT for in most cases.

The following is a list of acceptable keywords in a NAT configuration, with a short description:

Keyword   Description
ip        Indicates the IP address that should be used for aliasing. An IP address should be specified after this keyword.
if        Indicates an interface to be used for aliasing, instead of an IP address. An interface name should be used after this keyword. The address currently assigned to that interface is used, so this is the right choice when the address is obtained dynamically.

[ 191 ]
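The two statements above only show the NAT instance in isolation. The script below is an added example, not code from the book, that builds them into a complete rule set for a FreeBSD gateway and shows both aliasing keywords from the table. It assumes fxp0 is the outside interface with the page's public address 81.20.55.1, em0 is the inside interface and 192.168.0.0/24 is the inside network (these names are assumptions); set IPFW=echo to print the rules instead of loading them, which is also how the ordering can be checked on a machine without ipfw.

```shell
#!/bin/sh
# Added example (not from the book): a complete ipfw NAT rule set for a
# FreeBSD gateway built around the page's "nat 100" instance.
# Assumed names: fxp0 = outside interface, em0 = inside interface,
# 81.20.55.1 = public address (as on the page), 192.168.0.0/24 = inside net.
# The kernel needs IPFIREWALL_NAT and LIBALIAS, or "kldload ipfw_nat".
set -eu

IPFW=${IPFW:-ipfw}          # IPFW=echo prints the rules instead of loading them
EXT_IF=${EXT_IF:-fxp0}
EXT_IP=${EXT_IP:-81.20.55.1}  # leave empty to alias to the interface instead
LAN_IF=${LAN_IF:-em0}
LAN_NET=${LAN_NET:-192.168.0.0/24}

# Pick the aliasing target for "nat 100 config": a fixed address with the
# "ip" keyword when we know it, otherwise the interface's current address
# with the "if" keyword, which keeps working when the address changes (DHCP).
nat_alias_target() {
    if [ -n "$EXT_IP" ]; then
        printf 'ip %s' "$EXT_IP"
    else
        printf 'if %s' "$EXT_IF"
    fi
}

build_nat_rules() {
    # The instance must be configured before any rule sends packets to it.
    # deny_in: drop inbound packets without an existing translated session.
    # unreg_only: translate only RFC 1918 source addresses.
    # shellcheck disable=SC2046  (the target is deliberately two words)
    "$IPFW" nat 100 config $(nat_alias_target) deny_in unreg_only

    # Loopback and the inside interface are never translated.
    "$IPFW" add 50 allow ip from any to any via lo0
    "$IPFW" add 60 allow ip from any to any via "$LAN_IF"

    # Everything crossing the outside interface passes through instance 100.
    "$IPFW" add 100 nat 100 ip from any to any via "$EXT_IF"

    # Caveat: with net.inet.ip.fw.one_pass=1 (the default) a translated packet
    # is accepted right after the nat rule and never reaches the rules below.
    # Set net.inet.ip.fw.one_pass=0 if they should apply to translated traffic.
    "$IPFW" add 200 allow ip from any to any out via "$EXT_IF"
    "$IPFW" add 300 allow tcp from any to any established in via "$EXT_IF"
    "$IPFW" add 65000 deny log ip from any to any
}

case "${1:-}" in
    apply)   build_nat_rules ;;
    dry-run) IPFW=echo; build_nat_rules ;;
    *)       echo "usage: $0 apply|dry-run" >&2 ;;
esac
```

Run it as `sh ipfw-nat.sh dry-run` first and confirm that the `nat 100 config` line is printed before the `add 100 nat 100` rule; loading the rules in the other order makes packets hit an instance that does not exist yet.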
