救急！！！做NAT(ipf) ,内外网都可通，就是不能NAT!!都装两遍了！

likuku

救急！！！做NAT(ipf) ,内外网都可通，就是不能NAT!!都装两遍了！
马上把 内核配置 rc.conf ipf.rules ipnat.rules 传上来。

老大们给看看！急需！内外网都通，就是没办法NAT!
先通，安全性可暂不考虑！
我是没办法了！！

likuku

#
# NET -- NET kernel configuration file for FreeBSD/i386
#
# For more information on this file, please read the handbook section on
# Kernel Configuration Files:
#
# http://www.FreeBSD.org/doc/en_US ... lconfig-config.html
#
# The handbook is also available locally in /usr/share/doc/handbook
# if you've installed the doc distribution, otherwise always see the
# FreeBSD World Wide Web server (http://www.FreeBSD.org/) for the
# latest information.
#
# An exhaustive list of options and more detailed explanations of the
# device lines is also present in the ./LINT configuration file. If you are
# in doubt as to the purpose or necessity of a line, check first in LINT.
#
# $FreeBSD: src/sys/i386/conf/GENERIC,v 1.246.2.51.2.2 2003/03/25 23:35:15 jhb Exp $

machine i386
cpu I686_CPU
ident NET
maxusers 0



options INET #InterNETworking

options FFS #Berkeley Fast Filesystem
options FFS_ROOT #FFS usable as root device [keep this!]
options SOFTUPDATES #Enable FFS soft updates support
options UFS_DIRHASH #Improve performance on big directories

options PROCFS #Process filesystem
options COMPAT_43 #Compatible with BSD 4.3 [KEEP THIS!]
options SCSI_DELAY=0 #Delay (in ms) before probing SCSI

options SYSVSHM #SYSV-style shared memory
options SYSVMSG #SYSV-style message queues
options SYSVSEM #SYSV-style semaphores
options P1003_1B #Posix P1003_1B real-time extensions
options _KPOSIX_PRIORITY_SCHEDULING
options ICMP_BANDLIM #Rate limit bad replies
options CPU_ENABLE_SSE
options AUTO_EOI_1

#NETWORK#
#IPF
options IPFILTER #ipfilter support
options IPFILTER_LOG #ipfilter logging
options IPFILTER_DEFAULT_BLOCK #block all packets by default


# NET SAFE
options IPSTEALTH #support for stealth forwarding
options RANDOM_IP_ID
options TCP_DROP_SYNFIN #drop TCP packets with SYN+FIN

# OPTION
makeoptions CONF_CFLAGS=-fno-builtin #Don't allow use of memcmp, etc.

options PANIC_REBOOT_WAIT_TIME=0

options VGA_NO_FONT_LOADING # don't save/load font
options VGA_NO_MODE_CHANGE # don't change video modes

options MAXCONS=4 # number of virtual consoles

options SC_DISABLE_DDBKEY # disable `debug' key
options SC_DISABLE_REBOOT # disable reboot key sequence
options SC_HISTORY_SIZE=20 # number of history buffer lines

# You can selectively disable features in syscons.
options SC_NO_CUTPASTE
options SC_NO_FONT_LOADING
options SC_NO_SYSMOUSE

device isa
device eisa
device pci

# ATA and ATAPI devices

device ata
device atadisk # ATA disk drives

# atkbdc0 controls both the keyboard and the PS/2 mouse
device atkbdc0 at isa? port IO_KBD
device atkbd0 at atkbdc? irq 1 flags 0x1

device vga0 at isa?


# syscons is the default console driver, resembling an SCO console
device sc0 at isa? flags 0x100

device agp # support several AGP chipsets

# Floating point support - do not disable.
device npx0 at nexus? port IO_NPX irq 13

# PCI Ethernet NICs that use the common MII bus controller code.
# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
device miibus # MII bus support
device rl # RealTek 8129/8139

# Pseudo devices - the number indicates how many units to allocate.
pseudo-device loop # Network loopback
pseudo-device ether # Ethernet support
pseudo-device pty # Pseudo-ttys (telnet etc)

# The `bpf' pseudo-device enables the Berkeley Packet Filter.
# Be aware of the administrative consequences of enabling this!
pseudo-device bpf #Berkeley packet filter

likuku

# -- sysinstall generated deltas -- # Sun Feb 29 01:11:45 2004
# -- sysinstall generated deltas -- # Sun Feb 29 01:15:50 2004
# Created: Sun Feb 29 01:11:45 2004
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
kern_securelevel_enable="NO"
nfs_reserved_port_only="YES"
ifconfig_rl0="inet 192.168.0.222 netmask 255.255.255.0"
#ifconfig_rl1="inet 192.168.0.235 netmask 255.255.255.0"
ifconfig_rl1="inet 172.16.0.1 netmask 255.255.0.0"
gateway_enable="YES"
defaultrouter="192.168.0.100"
sshd_enable="NO"
inetd_enable="NO"
tcp_extensions="NO"
hostname="SV.QDNET.NET"
check_quotas="NO"
sendmail_enable="NONE"
usbd_enable="NO"
syslogd_enable="NO" # Run syslog daemon (or NO).
fsck_y_enable="YES" # Set to YES to do fsck -y if the initial preen fails.

#####NTP-Network Time Protocol####
ntpdate_enable="YES" # Run ntpdate to sync time on boot (or NO).
ntpdate_program="/usr/sbin/ntpdate" # path to ntpdate, if you want a different one.
ntpdate_flags="211.39.143.103" # Korea Flags to ntpdate (if enabled).
#####IPF####
ipfilter_enable="YES" # Set to YES to enable ipfilter functionality
ipfilter_program="/sbin/ipf" # where the ipfilter program lives
ipfilter_rules="/etc/ipf.rules" # rules definition file for ipfilter, see
###SYN-FIN###
# For the following option you need to have TCP_DROP_SYNFIN set in your
tcp_drop_synfin="YES" # Set to YES to drop TCP packets with SYN+FIN
###ICMP###
icmp_drop_redirect="YES" # Set to YES to ignore ICMP REDIRECT packets
###IPNAT###
ipnat_enable="YES" # Set to YES to enable ipnat functionality
ipnat_program="/sbin/ipnat" # where the ipnat program lives
ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnat
#ipnat_flags="" # additional flags for ipnat
#ipmon_enable="NO" # Set to YES for ipmon; needs ipfilter or ipnat

likuku

# ipf command:
#ipf -Fa
#ipf -f PATH/ipf.conf
#ipfstat #show ipf working

pass in on lo0 all
pass out on lo0 all

pass in on rl0 all
pass out on rl0 all

pass in on rl1 all
pass out on rl1 all

#block in quick all with short
#block in quick all with ipopts

#block return-rst in rl0 proto tcp from any to any flags S/SA
#block return -icmp(net-unr) in on rl0 proto udp from any to any

likuku

map rl0 172.16.0.0/16 -> 192.168.0.222/24 portmap tcp/udp 10000:65000
map rl0 172.16.0.0/16 -> 192.168.0.222/24

likuku

忙了通宵，按照一个网友提示改了。
map rl0 172.16.0.0/16 -> 0/32 tcp/udp portmap 10000:65000
map rl0 172.16.0.0/16 -> 0/32 proxy port ftp ftp/tcp
map rl0 172.16.0.0/16 -> 0/32

就一切OK!
172.16.0.1/16 -> 外ip/netmask ....是行不通的！
本来还以为是系统安装有误，或者是硬盘问题。。
大家要注意！！

本来的机器装win2ks,好像大家都会“用”，总拿来上网，聊天。。那就完蛋了！
系统一团糟！并且稳定性也不怎么样，每天都关机，要不就罢工。。或者越来越慢。。直到吊线！对硬盘伤害挺大，3年坏3硬盘！P41.8 512MRAM，只用来当网关。 朋友已经24小时吊线，实在没办法，win2ks老装不上，请我整一下，干脆建议装个BSD!

大熊宝宝

最初由 likuku 发表
忙了通宵，按照一个网友提示改了。
map rl0 172.16.0.0/16 -> 0/32 tcp/udp portmap 10000:65000
map rl0 172.16.0.0/16 -> 0/32 proxy port ftp ftp/tcp
map rl0 172.16.0.0/16 -> 0/32

就一切OK!
172.16.0.1/16 -> 外ip/netmask ....是行不通的！
本来还以为是系统安装有误，或者是硬盘问题。。
大家要注意！！

本来的机器装win2ks,好像大家都会“用”，总拿来上网，聊天。。那就完蛋了！
系统一团糟！并且稳定性也不怎么样，每天都关机，要不就罢工。。或者越来越慢。。直到吊线！对硬盘伤害挺大，3年坏3硬盘！P41.8 512MRAM，只用来当网关。 朋友已经24小时吊线，实在没办法，win2ks老装不上，请我整一下，干脆建议装个BSD!

如果你是动态IP当然不行

尘飞扬

map rl0 172.16.0.0/16 -> 192.168.0.222/24 portmap tcp/udp 10000:65000
map rl0 172.16.0.0/16 -> 192.168.0.222/24

192.168.0.222/24 ？这个是什么地址？

likuku

不是啊！熊哥！我都是静态ip,但是就这么怪！

likuku

飞扬兄，这只是Unix管理员的习惯。。
192.168.0.0/255.255.255.0太麻烦！
掩码用数字太麻烦！直接用2进制的bits值就行了
255.255.255.0 = 8+8+8+0 =24
255用 计算器 转换成2进制后，所有的1的和值就是8

所以255.255.255.248 = 29 = 24+5
255.255.0.0=16
255.255.255.255=32
192.168.0.0是指192.168.0的网络。