Question about FreeBSD ipfw nat in-kernel port forwarding...

1#
Posted on 2021-7-15 20:39:27
cat /etc/rc.conf
firewall_enable="YES"
firewall_type="open"
gateway_enable="YES"

#!/bin/sh
kldload ipfw_nat
ipfw -q -f flush
ipfw nat 1 config if em0 redirect_port tcp 10.1.1.254:80 80
ipfw -q add 65535 deny ip from any to any

The firewall is meant to run in whitelist mode, so the last rule denies any traffic that has not been explicitly allowed.

FreeBSD version:            12.2, running on ESXi in my home LAN
FreeBSD network interface:  "em0"
FreeBSD IP address:         "10.1.1.230"
Address to forward to:      "10.1.1.254"
Port to forward:            "TCP 80"

The forwarding only takes effect when I turn the firewall off. What other rules are needed to forward the port???
The command that "turns the firewall off", inserted before the deny rule:
ipfw -q -add 65534 allow ip from any to any

-------------

cat <<EOF> /root/ipfw
#!/bin/sh
kldload ipfw_nat
ipfw -q -f flush
ipfw nat 1 config if em0 redirect_port tcp 10.1.1.254:80 80
ipfw -q add 00100 allow all from any to any via lo0
ipfw -q add 00200 allow icmp from any to any
ipfw -q add 00300 allow tcp from any to any 22,2222,80,443,8443,53,853 setup keep-state
ipfw -q add 00400 allow udp from any to any 53,853,4000,5000 keep-state
ipfw -q add 65535 deny ip from any to any
EOF

This is whitelist mode....

ipfw forwarding only works once the firewall is turned off....
2#
Posted on 2021-7-15 20:40:27
This one will have to wait for an expert.
3#
Thread starter | Posted on 2021-7-15 20:41:27
optimism posted on 2021-7-15 20:40
This one will have to wait for an expert.

I also asked on the official forum and am waiting for a reply.....

https://forums.freebsd.org/threa ... ward-ports.81337///
4#
Posted on 2021-7-16 15:42:50
Hello OP,

Could it be this:
Sometimes you may want to mix NAT and dynamic rules. It could be achieved with record-state and defer-action options. Problem is, you need to create dynamic rule before NAT and check it after NAT actions (or vice versa) to have consistent addresses and ports. Rule with keep-state option will trigger activation of existing dynamic state, and action of such rule will be performed as soon as rule is matched. In case of NAT and allow rule packet need to be passed to NAT, not allowed as soon is possible.

There is example of set of rules to achieve this. Bear in mind that this is example only and it is not very useful by itself.

On way out, after all checks place this rules:

      ipfw add allow record-state skip-action
      ipfw add nat 1

And on way in there should be something like this:

      ipfw add nat 1
      ipfw add check-state

Please note, that first rule on way out doesn't allow packet and doesn't execute existing dynamic rules. All it does, create new dynamic rule with allow action, if it is not created yet. Later, this dynamic rule is used on way in by check-state rule.


https://www.freebsd.org/cgi/man.cgi?ipfw(8)
5#
Thread starter | Posted on 2021-7-16 21:16:52
LiuJia posted on 2021-7-16 15:42
Hello OP,

Could it be this:

ipfw nat 1 config redirect_port tcp 10.1.1.254:80 80
ipfw add nat 1 all from any to any
ipfw add allow record-state skip-action
ipfw add nat 1
ipfw add check-state

Went over the official ipfw man page again, still the same old problem...
Only after adding ipfw add nat 1 all from any to any does it work, but with that rule the firewall is as good as turned off: ports that were never opened leak out...
6#
Posted on 2021-7-25 11:29:39
KDE posted on 2021-7-16 21:16
ipfw nat 1 config redirect_port tcp 10.1.1.254:80 80
ipfw add nat 1 all from any to any
ipfw add a ...

Hello,

I tried it on my local FreeBSD machine; perhaps the key is that you need skipto rules, i.e. use skipto to let the traffic that belongs to the NAT through while blocking everything else.

Example one: https://docs.freebsd.org/doc/12.2-RELEASE/usr/local/share/doc/freebsd/zh_CN.UTF-8/books/handbook/firewalls-ipfw.html

Example two: https://www.neelc.org/posts/freebsd-ipfw-nat/
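The skipto approach from the reply above, worked through as an added example (not code from the thread, the handbook, or the neelc.org post). It assumes a two-interface router rather than the poster's single-LAN box: em0 faces the clients and the forwarded host 10.1.1.254 sits behind a second interface, assumed to be em1 and trusted as a whole. It also needs ipfw_nat loaded (the thread's kldload ipfw_nat) and, per ipfw(8), net.inet.ip.fw.one_pass=0; with the default of 1 a packet is accepted as soon as a nat rule has translated it, which is consistent with the bare "nat 1 all from any to any" rule in post 5 behaving like an open firewall.

```shell
#!/bin/sh
# Added example (not code from the thread): whitelist ipfw ruleset that
# forwards TCP/80 to 10.1.1.254 through in-kernel NAT.
# Assumed topology: em0 faces the clients, em1 (assumed name) is the
# trusted LAN holding 10.1.1.254. Needs ipfw_nat loaded and, per ipfw(8),
# sysctl net.inet.ip.fw.one_pass=0, or a packet is accepted right after
# a nat rule translates it and the rules below are never consulted.
EXT_IF="${EXT_IF:-em0}"
LAN_IF="${LAN_IF:-em1}"
FWD_HOST="${FWD_HOST:-10.1.1.254}"
FWCMD="${FWCMD:-ipfw -q}"   # FWCMD=echo gives a dry run

# Print the ruleset, one ipfw argument line per row ("#" lines are notes).
ipfw_ruleset() {
    cat <<EOF
nat 1 config if $EXT_IF redirect_port tcp $FWD_HOST:80 80
add 00010 allow ip from any to any via lo0
add 00020 allow ip from any to any via $LAN_IF
# inbound: de-alias first so the redirect rewrites dst to $FWD_HOST:80
add 00100 nat 1 ip from any to any in via $EXT_IF
# established flows replay their state's action (the skipto below)
add 00200 check-state
# new connections: skipto, not allow, so replies still reach rule 1000
# for reverse translation; an allow state would short-circuit the nat
add 00300 skipto 1000 tcp from any to $FWD_HOST 80 in via $EXT_IF setup keep-state
add 00310 skipto 1000 tcp from any to me 22 in via $EXT_IF setup keep-state
# outbound from the LAN and this host, masqueraded at rule 1000
add 00400 skipto 1000 ip from any to any out via $EXT_IF keep-state
# whitelist: everything else arriving on $EXT_IF is dropped
add 00500 deny ip from any to any in via $EXT_IF
# nat target: translate, then fall through to the final allow
add 01000 nat 1 ip from any to any out via $EXT_IF
add 01010 allow ip from any to any
EOF
}

# Flush the table and load the ruleset line by line.
apply_ruleset() {
    $FWCMD -f flush
    ipfw_ruleset | grep -v '^#' | while read -r line; do
        $FWCMD $line
    done
}

if [ "${1:-}" = "apply" ]; then
    apply_ruleset
fi
```

Run it as `sh ipfw.sh apply` to load the rules, or `FWCMD=echo sh ipfw.sh apply` to only print the ipfw invocations.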
7#
Thread starter | Posted on 2021-7-25 21:20:37
LiuJia posted on 2021-7-25 11:29
Hello,

I tried it on my local FreeBSD machine; perhaps the key is that you need skipto rules, i.e. use skipto to let the traffic that belongs to the NAT ...

Thanks for the reply.

The official docs say ipfw's NAT is generally meant for use behind a LAN; it doesn't feel as convenient as firewalld/iptables.

I've moved to the RHEL family now... registered a developer account, which is free for 1 year and can be renewed indefinitely...