誰もがnatを使った単純なipfw設定とdhcpを使った2つのニックを書き留めますか?私の設定は次のとおりです。
- ue0 --> dhcpdサーバーとLAN
- ue1 --> dhclientと他のルータとのインターネット
これは動作しない別の構成です。
# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
inet 127.0.0.1 netmask 0xff000000
groups: lo
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
ue0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=80009<RXCSUM,VLAN_MTU,LINKSTATE>
ether xxxxxxxxxxf:7f
inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
ipfw0: flags=8800<SIMPLEX,MULTICAST> metric 0 mtu 65536
groups: ipfw
ue1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
ether xxxxxxxx:ad
inet 172.20.10.2 netmask 0xfffffff0 broadcast 172.20.10.15
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
/etc/ipfw.conf
ipfw -q -f flush
c="ipfw"
cmd="ipfw -q add"
cmdnat="ipfw -q nat"
pif="ue1" # INTERFACCIA INTERNET
lan="ue0" # INTERFACCIA LAN
$c disable one_pass
$cmd 00005 allow all from any to any via $lan
$cmd 00010 allow all from any to any via lo0
$cmd 00101 check-state
$cmd 00110 allow tcp from any to 8.8.8.8 53 out via $pif setup keep-state
$cmd 00111 allow udp from any to 8.8.8.8 53 out via $pif keep-state
$cmd 00120 allow log udp from any to any 67 out via $pif keep-state
$cmd 00200 allow tcp from any to any 80 out via $pif setup keep-state
$cmd 00220 allow tcp from any to any 443 out via $pif setup keep-state
$cmd 00250 allow icmp from any to any out via $pif keep-state
$cmd 00260 allow udp from any to any 123 out via $pif keep-state
# $cmdnat 1 config if $pif same_ports unreg_only reset
# $cmdnat 1 config if $pif same_ports
ipfw nat 123 config ip 172.20.10.2
# $cmd 105 nat 10 ip from any to any in via $pif
# $cmd 500 nat 1 ip from any to any out via $pif keep-state
# $cmd 10000 nat 1 ip4 from any to any out xmit
$cmd 00299 deny log all from any to any out via $pif
/etc/rc.conf
sshd_enable="NO"
usbmuxd_enable="YES"
sendmail_enable="NONE"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
growfs_enable="YES"
netif_enable="YES"
ifconfig_ue1="SYNCDHCP"
ifconfig_ue0="inet 192.168.1.1 netmask 255.255.255.0"
dhcpd_enable="YES"
dhcpd_flags="ue0"
ntpdate_enable="YES"
mixer_enable="NO"
ntpd_enable="YES"
firewall_enable="YES"
# firewall_type="simple"
gateway_enable="YES"
firewall_nat_enable="YES"
firewall_script="/etc/ipfw.rules"
firewall_logging="YES"
firewall_logif="YES"