
Re: Linux Router



Captain's Log, stardate Mon, 13 Dec 2004 19:26:40 -0500, from the fingers of Bruce Park came the words:
> Ken Gilmour wrote:
<snip>
>> The only problem i have with Linux's iptables as opposed to
>> OpenBSD's PF is that iptables has an overwhelming amount of stuff
>> it can do and you can easily break it. But it is, however, much
>> more configurable. You can set them to just allow everything
>> through and use NAT and IP Forwarding in the process.
>>
>
> Ken,
>
> Can you explain this in further detail? I've used iptables on Woody
> for almost two years without any problems. Thanks.

The main point is that there are so many things to do in Linux in order to configure it for masquerading (recompiling the kernel, etc.). There are also so many different commands that do exactly the same thing but in different ways. If a person is starting off in firewalling, it's not good to overwhelm them with information. With OpenBSD, you simply edit stuff that's already there. For example, these are the steps I would take to set up a gateway on a freshly set-up OpenBSD machine:

Uncomment the following in /etc/sysctl.conf

net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1 (if using IPv6)

Uncomment and edit this line in /etc/pf.conf (stuff in <> needs to be edited, stuff in [] is optional)

nat [pass] on <interface> [af] from <src_addr> [port src_port] to <dst_addr> [port <dst_port>] -> <ext_addr> [pool_type] [static-port]

You may then reboot the machine or just issue the following two commands:

# sysctl net.inet.ip.forwarding=1

Or

# sysctl net.inet6.ip6.forwarding=1 (if using IPv6)

Then

# pfctl -f /etc/pf.conf

You now have a fully working NAT box.

To perform IP forwarding, uncomment the port redirect line in pf.conf, modify it to your taste, then issue:

# pfctl -f /etc/pf.conf

The default configuration for the machine has zero known security holes (have a look at www.openbsd.org for security info).

Regards,

Ken
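The steps above, collected into one script as an added example (this is not part of Ken's post or of OpenBSD's shipped pf.conf). It generates a complete OpenBSD 3.x-style pf.conf with the NAT and port-redirect lines filled in, plus the minimal filter rules a gateway needs, and then loads it the way the post describes. The interface names fxp0 and sis0, the 192.168.1.0/24 LAN and the 192.168.1.10 web server are assumptions; substitute your own.

```shell
#!/bin/sh
# Added example: build and load a pf.conf for an OpenBSD NAT gateway.
# Interface names, LAN prefix and the internal web server are assumptions.
# Syntax is the OpenBSD 3.x form from the post (nat/rdr section before the
# filter rules); OpenBSD 4.7 and later use "match ... nat-to" / "rdr-to".

# Print a complete ruleset for: external interface, internal interface,
# LAN prefix, and the internal host that should receive redirected port 80.
gen_pf_conf() {
    ext_if=$1; int_if=$2; lan_net=$3; web_srv=$4
    cat <<EOF
ext_if = "$ext_if"
int_if = "$int_if"
lan_net = "$lan_net"
web_srv = "$web_srv"

# Normalise fragments and odd packets before anything else looks at them
scrub in all

# Translation section: in 3.x syntax this must come before any filter rule.
# (\$ext_if) in parentheses re-reads the address if it changes (DHCP/PPPoE).
nat on \$ext_if from \$lan_net to any -> (\$ext_if)
rdr on \$ext_if proto tcp from any to (\$ext_if) port 80 -> \$web_srv port 80

# Filter section: default deny inbound, allow only what is needed.
block in all
pass out keep state
pass quick on lo0 all
antispoof quick for { lo0 \$int_if }
pass in on \$int_if from \$lan_net to any keep state
# Filter rules see the post-rdr destination, so match the internal host,
# not (\$ext_if); otherwise the redirected traffic is silently blocked.
pass in on \$ext_if proto tcp from any to \$web_srv port 80 flags S/SA keep state
EOF
}

# Write the ruleset, enable forwarding, syntax-check and load it (run as root).
apply_gateway() {
    gen_pf_conf "$@" > /etc/pf.conf
    sysctl net.inet.ip.forwarding=1
    pfctl -nf /etc/pf.conf || return 1   # parse only: catch typos before loading
    pfctl -e 2>/dev/null || true         # enable pf if it is not already running
    pfctl -f /etc/pf.conf
    pfctl -s nat && pfctl -s rules       # show what was actually loaded
}

# Usage on the gateway:
#   apply_gateway fxp0 sis0 192.168.1.0/24 192.168.1.10
```

Two things worth checking after loading: pfctl -s info should report "Status: Enabled" (otherwise the ruleset is loaded but not enforced), and pfctl -s state should show entries appearing as LAN hosts go out through the NAT. Also note that "keep state" is written out explicitly because it was not yet the default in 2004; OpenBSD 4.1 made it the default, and 4.7 replaced the nat/rdr lines with "match out on $ext_if from $lan_net nat-to ($ext_if)" and "pass in on $ext_if proto tcp to port 80 rdr-to $web_srv".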



