A gateway is a machine that stands at the edge of a network and provides communication from the local network to other networks. The main purpose of this article is to build a gateway based on FreeBSD. I know that there are many ways to do it, but this is mine. Let's start!
Let's say that we have two interfaces in our system:
- bge0 - outside interface (WAN; example: 111.222.333.444/32, a single IP)
- re0 - inside interface (LAN; example: 192.168.1.0/24, one subnet or more)
IPFILTER (IPF)
It is a packet filter created for *BSD, SunOS and Solaris. It works like other firewalls (iptables, ipchains, ipfw) but offers a nice set of rule options that the other firewalls lack. To have it on our FreeBSD router we need to add a couple of lines to the kernel configuration (more info in /usr/src/sys/conf/NOTES):
options IPFILTER # IPFILTER support
options IPFILTER_LOG # enable logging for IPF
After that, rebuild the kernel and reboot the system. Once the new kernel is running, we can go to /etc/rc.conf for the basic configuration:
# Start IPFILTER during the boot process
ipfilter_enable="YES"
# Path to ipf with the "flush all" option (-Fa) and the load-from-file option (-f)
ipfilter_program="/sbin/ipf -Fa -f"
# Our rules
ipfilter_rules="/etc/ipf.rules"
# The -E flag enables the ipfilter firewall
ipfilter_flags="-E"
# Firewall state and type (these two keys belong to ipfw's rc.firewall, not to IPF)
firewall_enable="YES"
firewall_type="OPEN"
# Rules for IPv6
ipv6_ipfilter_rules="/etc/ipf6.rules"
Now we can create a default rule set that allows any connection:
pass in from any to any
pass out from any to any
This is the simplest ipf configuration (it passes everything, so it does not filter anything yet); for more, see http://www.freebsd.org/doc/handbook/firewalls-ipf.html
To reload ipfilter type: ipf -Fa -f /etc/ipf.rules
- this command flushes all rules and then loads the rule set from the file.
IPNAT
This is what is still missing to turn our FreeBSD server into a gateway. IPNAT does IP Network Address Translation (NAT); we use it to translate the local IP range towards other (outside) networks. The NAT rules go in /etc/ipnat.rules and contain mappings like these:
# FTP helper, then port-mapped TCP/UDP, then a catch-all for everything else
# (ipnat applies the first matching map rule, so the catch-all stays last)
map bge0 192.168.1.0/255.255.255.0 -> 111.222.333.444/32 proxy port ftp ftp/tcp
map bge0 192.168.1.0/255.255.255.0 -> 111.222.333.444/32 portmap tcp/udp auto
map bge0 192.168.1.0/255.255.255.0 -> 111.222.333.444/32
This provides internet access for our network.
If we want to redirect a port:
# Port 80 redirection
rdr bge0 111.222.333.444/32 port 80 -> 192.168.1.2 port 80
We can also set up other kinds of rules:
rdr re0 0/0 port 80 -> 127.0.0.1 port 8080
This line redirects traffic arriving on re0 (the LAN side) for port 80 to port 8080 on the gateway itself. It forces network users through a proxy server listening there.
To reload our IPNAT rules type: ipnat -CF -f /etc/ipnat.rules
This clears the NAT rule list and the active mapping table (-CF) and loads our config file (-f).
The last step for our gateway is a final set of modifications to /etc/rc.conf:
# Our server acts as a gateway (enables IP forwarding)
gateway_enable="YES"
# Load IPNAT
ipnat_enable="YES"
# ipnat path with reload options
ipnat_program="/sbin/ipnat -CF -f"
# ipnat rules path
ipnat_rules="/etc/ipnat.rules"
That's all. To be sure that everything in /etc/rc.conf is picked up, reboot the server and check that a desktop or jail connected behind it has internet access. This configuration can also be used to firewall your jails on the server :)
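As an added example (not from the original article), the following sh script generates a stateful ipf rule set that replaces the "pass in/out from any to any" default with a default-deny policy, and checks that /etc/rc.conf carries the three keys the gateway relies on. Interface names and addresses are the article's placeholders; the rdr target 192.168.1.2 port 80 is the one from the article's redirection example.

```shell
#!/bin/sh
# Added example: stateful ipf(8) rules for the article's gateway, plus an
# rc.conf completeness check. Values below are the article's placeholders.
WAN_IF=${WAN_IF:-bge0}
LAN_IF=${LAN_IF:-re0}
LAN_NET=${LAN_NET:-192.168.1.0/24}
RDR_HOST=${RDR_HOST:-192.168.1.2}   # host behind the "rdr ... port 80" rule

# Print a default-deny rule set: LAN and loopback stay open, the WAN side
# only answers to connections the gateway or its clients started, plus the
# one redirected web port. Inbound NAT runs before filtering, so the rule
# for the redirected port matches the translated (LAN) destination.
gen_ipf_rules() {
    cat <<EOF
# generated ipf rules: default deny both ways, stateful egress on $WAN_IF
block in log all
block out log all
pass in quick on lo0 all
pass out quick on lo0 all
pass in quick on $LAN_IF from $LAN_NET to any
pass out quick on $LAN_IF all
pass out quick on $WAN_IF proto tcp from any to any flags S keep state
pass out quick on $WAN_IF proto udp from any to any keep state
pass out quick on $WAN_IF proto icmp from any to any keep state
pass in quick on $WAN_IF proto tcp from any to $RDR_HOST port = 80 flags S keep state
EOF
}

# Report which of the rc.conf keys the gateway needs are not set to YES.
# Prints the missing key names (space separated); exit status 0 means none.
check_rc_conf() {
    rc=$1; missing=""
    for key in gateway_enable ipfilter_enable ipnat_enable; do
        if ! grep -Eq "^[[:space:]]*${key}=\"?YES\"?" "$rc"; then
            missing="$missing $key"
        fi
    done
    echo "${missing# }"
    [ -z "$missing" ]
}
```

Run `gen_ipf_rules > /etc/ipf.rules` and reload with the article's `ipf -Fa -f /etc/ipf.rules`; the rdr rule for port 80 still lives in /etc/ipnat.rules.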