Network Configuration—Firewalls

As of FreeBSD 7, you can enable in-kernel NAT by adding the appropriate options to the kernel configuration:

    options LIBALIAS
    options IPFIREWALL_NAT

Of course you also need to add the other IPFW options to your kernel configuration to enable IPFW. With this option enabled, ipfw is able to perform network address translation without any help from external daemons such as natd, and you can use ipfw's nat rule directly to perform any type of address translation.

Typical examples of ipfw nat rules look like the following commands:

    # ipfw add nat 50 ip from any to any via fxp0
    # ipfw nat 50 config if bge0 log unreg_only

This is equivalent to the previous example where we used natd. We added a nat rule that is applied to all IP traffic passing through interface fxp0. On the next line, we configured NAT instance 50 to translate all traffic from private addresses (hence the unreg_only parameter) to the IP address configured on bge0 (the if bge0 parameter), and also to log statistics.

For more information about the various options of ipfw's built-in NAT functionality, it is recommended that you read the ipfw(8) manual page.

As noted earlier, pf can also be used for network address translation. PF has built-in address translation capability by design, and there is no need for any external daemon or special kernel configuration to enable PF NAT.

You should add only the necessary NAT configuration to your PF configuration file at /etc/pf.conf, under the "translation" section. A typical PF NAT clause looks like the following code:

    nat on fxp0 from 192.168.0.0/16 to any -> (bge0)

This rule simply does the same as in our previous scenario. Any traffic from the private address range that we have specified manually will be translated to an IP address on the bge0 interface. Please note that bge0 in parentheses means that PF will detect and take care of IP address changes on the bge0 interface for translation.

[ 200 ]
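The ipfw rule above relies on unreg_only to decide which sources get rewritten, while the PF rule names one network explicitly, so the two are only "the same" when every internal host lives in 192.168.0.0/16. The following Python model is an added example (not code from the book or from FreeBSD) that makes that matching logic concrete: it assumes, as natd(8) documents for its equivalent option, that "unregistered" means the three RFC 1918 blocks, and it uses constructed sample sources plus a documentation-range placeholder (198.51.100.7) standing in for the address on bge0. The function names, the sample packet list and the PF network parameter are all assumptions of this example.

```python
import ipaddress

# Constructed example, not from the book: the RFC 1918 blocks that natd(8) and
# ipfw nat's unreg_only treat as unregistered (private) source addresses.
RFC1918_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_unregistered(src):
    """True if src falls inside one of the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(src)
    return any(addr in block for block in RFC1918_BLOCKS)


def ipfw_nat_translates(src, unreg_only=True):
    """Model the matching side of 'ipfw nat 50 config if bge0 [unreg_only]'.

    'add nat 50 ip from any to any via fxp0' hands every packet on fxp0 to
    the NAT instance; with unreg_only set, the instance only rewrites packets
    whose source is an unregistered address. Without it, every source is
    rewritten. (Hypothetical model of the documented behaviour.)
    """
    if unreg_only:
        return is_unregistered(src)
    return True


def pf_nat_translates(src, match_net="192.168.0.0/16"):
    """Model 'nat on fxp0 from <match_net> to any -> (bge0)'.

    PF translates only sources inside the explicitly listed network.
    """
    return ipaddress.ip_address(src) in ipaddress.ip_network(match_net)


def translate_source(src, translates, ext_addr):
    """Return the source address the packet leaves the box with."""
    return ext_addr if translates else src


# Constructed sample outbound packets (source addresses only). The external
# address is a documentation-range placeholder for the IP on bge0.
EXT_ADDR = "198.51.100.7"
SAMPLE_SOURCES = [
    "192.168.1.10",  # RFC 1918, and inside the PF rule's 192.168.0.0/16
    "10.0.0.5",      # RFC 1918, but NOT inside 192.168.0.0/16
    "172.31.4.4",    # RFC 1918 (172.16.0.0/12 ends at 172.31.255.255)
    "172.32.0.1",    # public: just past the end of 172.16.0.0/12
    "203.0.113.9",   # public documentation range
]


def compare_rulesets(sources=SAMPLE_SOURCES, ext_addr=EXT_ADDR):
    """For each source, report the post-NAT source under each configuration."""
    rows = {}
    for src in sources:
        rows[src] = {
            "ipfw_unreg_only": translate_source(src, ipfw_nat_translates(src), ext_addr),
            "ipfw_all": translate_source(src, ipfw_nat_translates(src, False), ext_addr),
            "pf_192_168": translate_source(src, pf_nat_translates(src), ext_addr),
        }
    return rows


if __name__ == "__main__":
    for src, result in compare_rulesets().items():
        print(f"{src:>14}  ipfw unreg_only={result['ipfw_unreg_only']:<14} "
              f"ipfw all={result['ipfw_all']:<14} pf 192.168/16={result['pf_192_168']}")
```

Running the model shows the gap worth checking before relying on the PF line as a drop-in replacement: a host on 10.0.0.5 is translated by the ipfw unreg_only instance but leaves the PF ruleset untranslated, and a packet from a public source such as 203.0.113.9 is rewritten only when unreg_only is dropped. When you audit a NAT configuration, list the internal prefixes actually in use and confirm that each one is covered by the translation clause.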
