author | rafan <rafan@FreeBSD.org> | 2008-01-21 04:41:18 +0000 |
---|---|---|
committer | rafan <rafan@FreeBSD.org> | 2008-01-21 04:41:18 +0000 |
commit | d70dd9e5a0b201fae18c1a78daf6d2024d1f4b06 (patch) | |
tree | 2829456ad10f556bb437546d49a99abad21d63a0 /etc | |
parent | d48c6f0552fc34daa7e641bf8a85b7360e3a5c6e (diff) | |
download | FreeBSD-src-d70dd9e5a0b201fae18c1a78daf6d2024d1f4b06.zip FreeBSD-src-d70dd9e5a0b201fae18c1a78daf6d2024d1f4b06.tar.gz |
Improve kernel NAT support in rc.firewall
- Allow IP in firewall_nat_interface, just like natd_interface
- Allow additional configuration parameters passed to ipfw via
firewall_nat_flags
- Document firewall_nat_* in defaults/rc.conf
Tested by: Albert B. Wang <abwang at gmail.com>
MFC after: 1 month
Diffstat (limited to 'etc')
-rw-r--r-- | etc/defaults/rc.conf | 3 |
-rw-r--r-- | etc/rc.firewall | 8 |
2 files changed, 10 insertions, 1 deletions
diff --git a/etc/defaults/rc.conf b/etc/defaults/rc.conf index 356cec2..78f0659 100644 --- a/etc/defaults/rc.conf +++ b/etc/defaults/rc.conf @@ -119,6 +119,9 @@ firewall_logdeny="NO" # Set to YES to log default denied incoming firewall_nologports="135-139,445 1026,1027 1433,1434" # List of TCP/UDP ports # for which denied incoming packets are not # logged. +firewall_nat_enable="NO" # Enable kernel NAT (if firewall_enable == YES) +firewall_nat_interface="" # Public interface or IPaddress to use +firewall_nat_flags="" # Additional configuration parameters ip_portrange_first="NO" # Set first dynamically allocated port ip_portrange_last="NO" # Set last dynamically allocated port ike_enable="NO" # Enable IKE daemon (usually racoon or isakmpd) diff --git a/etc/rc.firewall b/etc/rc.firewall index fa2558d..c3d11ab 100644 --- a/etc/rc.firewall +++ b/etc/rc.firewall @@ -131,7 +131,13 @@ case ${firewall_type} in case ${firewall_nat_enable} in [Yy][Ee][Ss]) if [ -n "${firewall_nat_interface}" ]; then - ${fwcmd} nat 123 config if ${firewall_nat_interface} log + if echo "${firewall_nat_interface}" | \ + grep -q -E '^[0-9]+(\.[0-9]+){0,3}$'; then + firewall_nat_flags="ip ${firewall_nat_interface} ${firewall_nat_flags}" + else + firewall_nat_flags="if ${firewall_nat_interface} ${firewall_nat_flags}" + fi + ${fwcmd} nat 123 config log ${firewall_nat_flags} ${fwcmd} add 50 nat 123 ip4 from any to any via ${firewall_nat_interface} fi ;; |
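Review bot: in the etc/defaults/rc.conf hunk, the comment on `+firewall_nat_interface=""` reads `IPaddress` (missing space: `IP address`), and `+firewall_nat_flags="" # Additional configuration parameters` does not say where those parameters go. Since rc.firewall appends the value verbatim to `ipfw nat 123 config log ...`, the comment should say so (for example `# Extra options for 'ipfw nat config'`) so that an administrator knows the expected syntax and that `log` is already set and need not be repeated.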
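Review bot: in the etc/rc.firewall hunk, the test `if echo "${firewall_nat_interface}" | grep -q -E '^[0-9]+(\.[0-9]+){0,3}$'` only distinguishes an address-looking string from an interface name; it is not address validation. It accepts one to four dotted numeric fields of any size, so a typo such as `192.168.1.256` or a bare `10` is handed straight to `ipfw nat 123 config ... ip`, and the mistake surfaces only as an ipfw error during boot, leaving the box with no NAT instance and no rule 50 referencing it. Because interface names cannot start with a digit, a plain `case "${firewall_nat_interface}" in [0-9]*) ... esac` makes the same distinction without forking echo and grep, and the fact that the address is not checked further should be stated in a comment. Separately, both branches overwrite the user's own `firewall_nat_flags` variable in place (`firewall_nat_flags="if ${firewall_nat_interface} ${firewall_nat_flags}"`); building the option string in a separate variable keeps the rc.conf value untouched and avoids a doubled `if`/`ip` keyword if this block is ever evaluated twice in the same shell.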