Differences

This shows you the differences between two versions of the page.

--- computers:truenas:gateway [03-Nov-2021 10:47] – Steve Joynt
+++ computers:truenas:gateway [02-Feb-2025 16:14] (current) – external edit 127.0.0.1
@@ Line 65: / Line 65: @@
 </code>
-====== Configure the Firewall ======
-This is just a basic configuration, allowing all devices on the network to communicate with each other. You may want to add some extra rules of your own.
+====== Configure NAT ======
 <code>
-jexec "ioc-${JAIL_NAME:?}" \
+jexec "ioc-${JAIL_NAME:?}" mkdir -p "${NAT_CONF%/*}"
-  mkdir -p "${FIREWALL_CONF%/*}"
-jexec "ioc-${JAIL_NAME:?}" /bin/sh -c \
+jexec "ioc-${JAIL_NAME:?}" /bin/sh -c "cat >| ${NAT_CONF:?}" <<END
-"cat >| ${FIREWALL_CONF:?}" \
-<<END
-# be quiet and flush all rules on start
+use_sockets yes
--q flush
+same_ports yes
-# allow local traffic, deny RFC 1918 addresses on the outside
+END
-add 00100 allow ip from any to any via lo0
-add 00110 deny ip from any to 127.0.0.0/8
-add 00120 deny ip from any to any not verrevpath in
-add 00301 deny ip from 10.0.0.0/8 to any in via ${PUBLIC_INTERFACE:?}
-add 00302 deny ip from 172.16.0.0/12 to any in via ${PUBLIC_INTERFACE:?}
-add 00303 deny ip from 192.168.0.0/16 to any in via ${PUBLIC_INTERFACE:?}
-# check if incoming packets belong to a natted session, allow through if yes
+# public gateway interface needs nat
-add 01000 divert natd ip from any to me in via ${PUBLIC_INTERFACE:?}
+jexec "ioc-${JAIL_NAME:?}" sysrc natd_interface="${PUBLIC_INTERFACE:?}"
-add 01001 check-state
-# allow some traffic from the local net to the router
+# extra settings for nat are in the file we defined above
-# SSH
+jexec "ioc-${JAIL_NAME:?}" sysrc natd_flags="-f ${NAT_CONF:?}"
-add 04000 allow tcp from ${LAN_NETWORK:?} to me dst-port 22 in via ${LAN_INTERFACE:?} setup keep-state
-# ICMP
-add 04001 allow icmp from ${LAN_NETWORK:?} to me in via ${LAN_INTERFACE:?}
-# NTP
-add 04002 allow tcp from ${LAN_NETWORK:?} to me dst-port 123 in via ${LAN_INTERFACE:?} setup keep-state
-add 04003 allow udp from ${LAN_NETWORK:?} to me dst-port 123 in via ${LAN_INTERFACE:?} keep-state
-# DNS
-add 04006 allow udp from ${LAN_NETWORK:?} to me dst-port 53 in via ${LAN_INTERFACE:?}
-# DHCP
-add 04007 allow udp from any to any dst-port 67 in via ${LAN_INTERFACE:?}
-# drop everything else
+</code>
-add 04009 deny ip from ${LAN_NETWORK:?} to me
-# pass outgoing packets (to be natted) on to a special NAT rule
+====== Configure a Simple Firewall ======
-add 04109 skipto 61000 ip from ${LAN_NETWORK:?} to any in via ${LAN_INTERFACE:?} keep-state
-# allow all outgoing traffic from the router (maybe you should be more restrictive)
+> IMPORTANT!
-add 05010 allow ip from me to any out keep-state
+> This firewall does not filter any traffic. It allows anything to talk to anything.
+> At this stage I just want to trigger NAT as appropriate to allow hosts on different networks to communicate.
-# Drop everything that has come so far.
+> The "real" firewall is provided by my Internet router (which blocks all incoming requests), not this configuration.
-# This means it doesn't belong to an established connection.
+> If your TrueNAS box connects directly to the Internet, DO NOT USE THIS EXAMPLE !!!
-# Don't log the most noisy scans.
-add 59998 deny icmp from any to me
-add 59999 deny ip from any to me dst-port 135,137-139,445,4665
-add 60000 deny log tcp from any to any established
-add 60000 deny log ip from any to any
-# this is the NAT rule. Only outgoing packets from the local net will come here.
-# First, nat them, then pass them on (again, you may choose to be more restrictive)
-add 61000 divert natd ip from ${LAN_NETWORK:?} to any out via ${PUBLIC_INTERFACE:?}
-add 61001 allow ip from any to any
-END
-</code>
-====== Configure NAT ======
 <code>
-jexec "ioc-${JAIL_NAME:?}" \
+# use the standard firewall template called "open"
-  mkdir -p "${NAT_CONF%/*}"
+jexec "ioc-${JAIL_NAME:?}" sysrc firewall_script="/etc/rc.firewall"
+jexec "ioc-${JAIL_NAME:?}" sysrc firewall_type="open"
-jexec "ioc-${JAIL_NAME:?}" /bin/sh -c \
+# log more while testing, or be quiet in normal operation?
-"cat >| ${NAT_CONF:?}" \
+jexec "ioc-${JAIL_NAME:?}" sysrc firewall_quiet="YES"
-<<END
-unregistered_only
-interface ${PUBLIC_INTERFACE:?}
-use_sockets
-dynamic
-# dyamically open fw for ftp, irc
-# punch_fw 2000:50
-END
 </code>
@@ Line 159: / Line 111: @@
 # enable IP forwarding
-jexec "ioc-${JAIL_NAME:?}" \
+jexec "ioc-${JAIL_NAME:?}" sysrc gateway_enable="YES"
-  sysrc gateway_enable="YES"
-# enable firewall
-jexec "ioc-${JAIL_NAME:?}" \
-  sysrc firewall_enable="YES"
-# name of firewall config
+# enable the firewall service (aka ipfw)
-jexec "ioc-${JAIL_NAME:?}" \
+jexec "ioc-${JAIL_NAME:?}" sysrc firewall_enable="YES"
-  sysrc firewall_type="${FIREWALL_CONF:?}"
-# log more while testing, or be quiet in normal operation?
-jexec "ioc-${JAIL_NAME:?}" \
-  sysrc firewall_quiet="YES"
 # enable the NAT service
-jexec "ioc-${JAIL_NAME:?}" \
+jexec "ioc-${JAIL_NAME:?}" sysrc natd_enable="YES"
-  sysrc natd_enable="YES"
-# public gateway needs nat
-jexec "ioc-${JAIL_NAME:?}" \
-  sysrc natd_interface="${PUBLIC_INTERFACE:?}"
-# extra settings for nat
-jexec "ioc-${JAIL_NAME:?}" \
-  sysrc natd_flags="-f ${NAT_CONF:?}"
 # start the firewall & natd
-jexec "ioc-${JAIL_NAME:?}" \
+jexec "ioc-${JAIL_NAME:?}" service ipfw start
-  service ipfw start
 </code>
+====== Firewall and Debugging Logs ======
+If you've turned on any logging for the ipfw service or natd, the output can be seen on the TrueNAS server OUTSIDE THE JAIL in this file...
+<code>/var/log/security</code>
 ====== Credits ======
@@ Line 200: / Line 137: @@
   * [[https://www.freebsd.org/cgi/man.cgi?natd]]
   * [[https://www.adminbyaccident.com/freebsd/how-to-freebsd/how-to-configure-the-ipfw-firewall-on-freebsd/]]
+  * [[https://www.asksaro.com/freebsd/setting-up-a-network-gateway-using-ipfw-and-natd/]]