The translation is temporarily closed for contributions due to maintenance, please come back later.


(itstool) path: sect2/screen
<prompt>#</prompt> <userinput>ipnat -l</userinput>
Context English Turkish (tr_TR) State
A common practice is to have a publically accessible web server or mail server segregated to an internal network segment. The traffic from these servers still has to undergo <acronym>NAT</acronym>, but port redirection is needed to direct inbound traffic to the correct server. For example, to map a web server using the internal address <systemitem class="ipaddress"></systemitem> to its public <acronym>IP</acronym> address of <systemitem class="ipaddress"></systemitem>, use this rule:
rdr dc0 port 80 -&gt; port 80
If it is the only web server, this rule would also work as it redirects all external <acronym>HTTP</acronym> requests to <literal></literal>:
rdr dc0 port 80 -&gt; port 80
<application>IPF</application> has a built in <acronym>FTP</acronym> proxy which can be used with <acronym>NAT</acronym>. It monitors all outbound traffic for active or passive <acronym>FTP</acronym> connection requests and dynamically creates temporary filter rules containing the port number used by the <acronym>FTP</acronym> data channel. This eliminates the need to open large ranges of high order ports for <acronym>FTP</acronym> connections.
In this example, the first rule calls the proxy for outbound <acronym>FTP</acronym> traffic from the internal <acronym>LAN</acronym>. The second rule passes the <acronym>FTP</acronym> traffic from the firewall to the Internet, and the third rule handles all non-<acronym>FTP</acronym> traffic from the internal <acronym>LAN</acronym>:
map dc0 -&gt; 0/32 proxy port 21 ftp/tcp
map dc0 -&gt; 0/32 proxy port 21 ftp/tcp
map dc0 -&gt; 0/32
The <acronym>FTP</acronym> <literal>map</literal> rules go before the <acronym>NAT</acronym> rule so that when a packet matches an <acronym>FTP</acronym> rule, the <acronym>FTP</acronym> proxy creates temporary filter rules to let the <acronym>FTP</acronym> session packets pass and undergo <acronym>NAT</acronym>. All LAN packets that are not <acronym>FTP</acronym> will not match the <acronym>FTP</acronym> rules but will undergo <acronym>NAT</acronym> if they match the third rule.
Without the <acronym>FTP</acronym> proxy, the following firewall rules would instead be needed. Note that without the proxy, all ports above <literal>1024</literal> need to be allowed:
# Allow out LAN PC client FTP to public Internet
# Active and passive modes
pass out quick on rl0 proto tcp from any to any port = 21 flags S keep state

# Allow out passive mode data channel high order port numbers
pass out quick on rl0 proto tcp from any to any port &gt; 1024 flags S keep state

# Active mode let data channel in from FTP server
pass in quick on rl0 proto tcp from any to any port = 20 flags S keep state
Whenever the file containing the <acronym>NAT</acronym> rules is edited, run <command>ipnat</command> with <option>-CF</option> to delete the current <acronym>NAT</acronym> rules and flush the contents of the dynamic translation table. Include <option>-f</option> and specify the name of the <acronym>NAT</acronym> ruleset to load:
<prompt>#</prompt> <userinput>ipnat -CF -f /etc/ipnat.rules</userinput>
To display the <acronym>NAT</acronym> statistics:
<prompt>#</prompt> <userinput>ipnat -s</userinput>
To list the <acronym>NAT</acronym> table's current mappings:
<prompt>#</prompt> <userinput>ipnat -l</userinput>
To turn verbose mode on and display information relating to rule processing and active rules and table entries:
<prompt>#</prompt> <userinput>ipnat -v</userinput>
Viewing <application>IPF</application> Statistics
<primary><application>IPFILTER</application></primary> <secondary>statistics</secondary>
<application>IPF</application> includes <citerefentry><refentrytitle>ipfstat</refentrytitle><manvolnum>8</manvolnum></citerefentry> which can be used to retrieve and display statistics which are gathered as packets match rules as they go through the firewall. Statistics are accumulated since the firewall was last started or since the last time they were reset to zero using <command>ipf -Z</command>.
The default <command>ipfstat</command> output looks like this:
input packets: blocked 99286 passed 1255609 nomatch 14686 counted 0
output packets: blocked 4200 passed 1284345 nomatch 14687 counted 0
input packets logged: blocked 99286 passed 0
output packets logged: blocked 0 passed 0
packets logged: input 0 output 0
log failures: input 3898 output 0
fragment state(in): kept 0 lost 0
fragment state(out): kept 0 lost 0
packet state(in): kept 169364 lost 0
packet state(out): kept 431395 lost 0
ICMP replies: 0 TCP RSTs sent: 0
Result cache hits(in): 1215208 (out): 1098963
IN Pullups succeeded: 2 failed: 0
OUT Pullups succeeded: 0 failed: 0
Fastroute successes: 0 failures: 0
TCP cksum fails(in): 0 (out): 0
Packet log flags set: (0)
Several options are available. When supplied with either <option>-i</option> for inbound or <option>-o</option> for outbound, the command will retrieve and display the appropriate list of filter rules currently installed and in use by the kernel. To also see the rule numbers, include <option>-n</option>. For example, <command>ipfstat -on</command> displays the outbound rules table with rule numbers:
@1 pass out on xl0 from any to any
@2 block out on dc0 from any to any
@3 pass out quick on dc0 proto tcp/udp from any to any keep state
Include <option>-h</option> to prefix each rule with a count of how many times the rule was matched. For example, <command>ipfstat -oh</command> displays the outbound internal rules table, prefixing each rule with its usage count:
2451423 pass out on xl0 from any to any
354727 block out on dc0 from any to any
430918 pass out quick on dc0 proto tcp/udp from any to any keep state
To display the state table in a format similar to <citerefentry><refentrytitle>top</refentrytitle><manvolnum>1</manvolnum></citerefentry>, use <command>ipfstat -t</command>. When the firewall is under attack, this option provides the ability to identify and see the attacking packets. The optional sub-flags give the ability to select the destination or source <acronym>IP</acronym>, port, or protocol to be monitored in real time. Refer to <citerefentry><refentrytitle>ipfstat</refentrytitle><manvolnum>8</manvolnum></citerefentry> for details.
<application>IPF</application> Logging


No matching activity found.

Browse all component changes


English Turkish (tr_TR)
prompt komut istemi FreeBSD Doc (Archived)

Source information

Source string comment
(itstool) path: sect2/screen
Source string location
String age
9 months ago
Source string age
a year ago
Translation file
books/tr_TR/handbook.po, string 10396