# Authorized outbound packets
$cmd 120 $skip udp from any to x.x.x.x 53 out via $pif $ks
$cmd 121 $skip udp from any to x.x.x.x 67 out via $pif $ks
$cmd 125 $skip tcp from any to any $good_tcpo out via $pif setup $ks
$cmd 130 $skip icmp from any to any out via $pif $ks
The inbound rules remain the same, except for the very last rule, which drops the <literal>via $pif</literal> so that it catches both inbound and outbound packets. The <acronym>NAT</acronym> rule must follow this last outbound rule, must have a higher number than that last rule, and its rule number must be the one referenced by the <literal>skipto</literal> action. In this ruleset, rule number <literal>1000</literal> passes all packets to the configured instance for <acronym>NAT</acronym> processing. The next rule allows any packet which has undergone <acronym>NAT</acronym> processing to pass.
$cmd 999 deny log all from any to any
$cmd 1000 nat 1 ip from any to any out via $pif # skipto location for outbound stateful rules
$cmd 1001 allow ip from any to any
In this example, rules <literal>100</literal>, <literal>101</literal>, <literal>125</literal>, <literal>1000</literal>, and <literal>1001</literal> control the address translation of the outbound and inbound packets so that the entries in the dynamic state table always register the private <acronym>LAN</acronym> <acronym>IP</acronym> address.
Consider an internal web browser which initiates a new outbound <acronym>HTTP</acronym> session over port 80. When the first outbound packet enters the firewall, it does not match rule <literal>100</literal> because it is headed out rather than in. It passes rule <literal>101</literal> because this is the first packet and it has not been posted to the dynamic state table yet. The packet finally matches rule <literal>125</literal>, as it is outbound on an allowed port and has a source <acronym>IP</acronym> address from the internal <acronym>LAN</acronym>. On matching this rule, two actions take place. First, the <literal>keep-state</literal> action adds an entry to the dynamic state table and the specified action, <literal>skipto rule 1000</literal>, is executed. Next, the packet undergoes <acronym>NAT</acronym> and is sent out to the Internet. This packet makes its way to the destination web server, where a response packet is generated and sent back. This new packet enters the top of the ruleset. It matches rule <literal>100</literal> and has its destination <acronym>IP</acronym> address mapped back to the original internal address. It is then processed by the <literal>check-state</literal> rule, is found in the table as an existing session, and is released to the <acronym>LAN</acronym>.
On the inbound side, the ruleset has to deny bad packets and allow only authorized services. A packet which matches an inbound rule is posted to the dynamic state table and the packet is released to the <acronym>LAN</acronym>. The packet generated as a response is recognized by the <literal>check-state</literal> rule as belonging to an existing session. It is then sent to rule <literal>1000</literal> to undergo <acronym>NAT</acronym> before being released to the outbound interface.
Transitioning from userland <citerefentry><refentrytitle>natd</refentrytitle><manvolnum>8</manvolnum></citerefentry> to in-kernel <acronym>NAT</acronym> might seem seamless at first, but there is a small catch. When using the GENERIC kernel, <application>IPFW</application> loads the <filename>libalias.ko</filename> kernel module when <literal>firewall_nat_enable</literal> is enabled in <filename>rc.conf</filename>. The <filename>libalias.ko</filename> kernel module only provides basic <acronym>NAT</acronym> functionality, whereas the userland implementation <citerefentry><refentrytitle>natd</refentrytitle><manvolnum>8</manvolnum></citerefentry> has all <acronym>NAT</acronym> functionality available in its userland library without any extra configuration. "All functionality" refers to the following kernel modules, which can be loaded in addition to the standard <filename>libalias.ko</filename> kernel module when needed, using the <literal>kld_list</literal> directive in <filename>rc.conf</filename>: <filename>alias_cuseeme.ko</filename>, <filename>alias_ftp.ko</filename>, <filename>alias_bbt.ko</filename>, <filename>skinny.ko</filename>, <filename>irc.ko</filename>, <filename>alias_pptp.ko</filename> and <filename>alias_smedia.ko</filename>. If a custom kernel is used, the full functionality of the userland library can be compiled into the kernel using <option>options LIBALIAS</option>.
Port Redirection
The drawback with <acronym>NAT</acronym> in general is that the <acronym>LAN</acronym> clients are not accessible from the Internet. Clients on the <acronym>LAN</acronym> can make outgoing connections to the world but cannot receive incoming ones. This presents a problem when trying to run Internet services on one of the <acronym>LAN</acronym> client machines. A simple way around this is to redirect selected Internet ports on the machine providing <acronym>NAT</acronym> to a <acronym>LAN</acronym> client.
For example, an <acronym>IRC</acronym> server runs on client <systemitem>A</systemitem> and a web server runs on client <systemitem>B</systemitem>. For this to work properly, connections received on ports 6667 (<acronym>IRC</acronym>) and 80 (<acronym>HTTP</acronym>) must be redirected to the respective machines.
With in-kernel <acronym>NAT</acronym>, all configuration is done in the <acronym>NAT</acronym> instance configuration. For a full list of options that an in-kernel <acronym>NAT</acronym> instance can use, consult <citerefentry><refentrytitle>ipfw</refentrytitle><manvolnum>8</manvolnum></citerefentry>. The <application>IPFW</application> syntax follows the syntax of <application>natd</application>. The syntax for <option>redirect_port</option> is as follows:
redirect_port proto targetIP:targetPORT[-targetPORT]
[aliasIP:]aliasPORT[-aliasPORT]
[remoteIP[:remotePORT[-remotePORT]]]
To configure the above example setup, the arguments should be:
redirect_port tcp 192.168.0.2:6667 6667
redirect_port tcp 192.168.0.3:80 80
After adding these arguments to the configuration of <acronym>NAT</acronym> instance 1 in the above ruleset, the <acronym>TCP</acronym> ports will be forwarded to the <acronym>LAN</acronym> client machines running the <acronym>IRC</acronym> and <acronym>HTTP</acronym> services.
ipfw -q nat 1 config if $pif same_ports unreg_only reset \
redirect_port tcp 192.168.0.2:6667 6667 \
redirect_port tcp 192.168.0.3:80 80
Port ranges, rather than individual ports, can also be given to <option>redirect_port</option>. For example, <replaceable>tcp 192.168.0.2:2000-3000 2000-3000</replaceable> would redirect all connections received on ports 2000 to 3000 to ports 2000 to 3000 on client <systemitem>A</systemitem>.
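As an added example (not Handbook code), the following POSIX sh helpers assemble the <literal>ipfw nat 1 config</literal> line for the two services above from <option>redirect_port</option> arguments, rejecting a target that is not a private <acronym>LAN</acronym> address and a port range whose width differs between the target and alias side; the interface name is passed in, so <literal>$pif</literal> is whatever the caller supplies.

```shell
#!/bin/sh
# Build and sanity-check redirect_port arguments for in-kernel NAT instance 1.
# Constructed helper, not from the Handbook; uses the same IRC (client A,
# 192.168.0.2) and HTTP (client B, 192.168.0.3) services as the text.

# port_width PORTSPEC -> number of ports in "N" or "N-M"
port_width() {
    case "$1" in
        *-*) lo=${1%-*}; hi=${1#*-}; echo $((hi - lo + 1)) ;;
        *)   echo 1 ;;
    esac
}

# is_private_ip A.B.C.D -> 0 for RFC 1918 space (10/8, 172.16/12, 192.168/16),
# the only addresses unreg_only will translate, so the only sane targets
is_private_ip() {
    case "$1" in
        10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# redirect_port_arg PROTO TARGET_IP TARGET_PORTS ALIAS_PORTS
# prints e.g. "redirect_port tcp 192.168.0.2:6667 6667" or fails with a reason
redirect_port_arg() {
    proto=$1; tip=$2; tports=$3; aports=$4
    case "$proto" in tcp|udp) ;; *) echo "bad proto: $proto" >&2; return 1 ;; esac
    is_private_ip "$tip" || { echo "target $tip is not a LAN address" >&2; return 1; }
    # a range on one side must map onto a range of the same width on the other
    [ "$(port_width "$tports")" -eq "$(port_width "$aports")" ] ||
        { echo "range width mismatch: $tports vs $aports" >&2; return 1; }
    printf 'redirect_port %s %s:%s %s\n' "$proto" "$tip" "$tports" "$aports"
}

# nat_config_line PIF ARG... -> the complete ipfw nat 1 config command
nat_config_line() {
    pif=$1; shift
    line="ipfw -q nat 1 config if $pif same_ports unreg_only reset"
    for a in "$@"; do line="$line $a"; done
    echo "$line"
}

# The example from the text: IRC on client A, HTTP on client B
example_config() {
    irc=$(redirect_port_arg tcp 192.168.0.2 6667 6667) || return 1
    web=$(redirect_port_arg tcp 192.168.0.3 80 80) || return 1
    nat_config_line "$1" "$irc" "$web"
}
```

Running `example_config em0` prints the same configuration line the text shows, with `em0` in place of `$pif`.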
Address Redirection
Address redirection is useful if more than one <acronym>IP</acronym> address is available. Each <acronym>LAN</acronym> client can be assigned its own external <acronym>IP</acronym> address by <citerefentry><refentrytitle>ipfw</refentrytitle><manvolnum>8</manvolnum></citerefentry>, which will then rewrite outgoing packets from the <acronym>LAN</acronym> clients with the proper external <acronym>IP</acronym> address and redirect all traffic incoming on that particular <acronym>IP</acronym> address back to the specific <acronym>LAN</acronym> client. This is also known as static <acronym>NAT</acronym>. For example, if <acronym>IP</acronym> addresses <systemitem class="ipaddress">128.1.1.1</systemitem>, <systemitem class="ipaddress">128.1.1.2</systemitem>, and <systemitem class="ipaddress">128.1.1.3</systemitem> are available, <systemitem class="ipaddress">128.1.1.1</systemitem> can be used as the <citerefentry><refentrytitle>ipfw</refentrytitle><manvolnum>8</manvolnum></citerefentry> machine's external <acronym>IP</acronym> address, while <systemitem class="ipaddress">128.1.1.2</systemitem> and <systemitem class="ipaddress">128.1.1.3</systemitem> are forwarded back to <acronym>LAN</acronym> clients <systemitem>A</systemitem> and <systemitem>B</systemitem>.
The <option>redirect_address</option> syntax is as below, where <literal>localIP</literal> is the internal <acronym>IP</acronym> address of the <acronym>LAN</acronym> client and <literal>publicIP</literal> is the external <acronym>IP</acronym> address corresponding to that <acronym>LAN</acronym> client.
redirect_address localIP publicIP
In the example, the arguments would read:
redirect_address 192.168.0.2 128.1.1.2
redirect_address 192.168.0.3 128.1.1.3
Like <option>redirect_port</option>, these arguments are placed in a <acronym>NAT</acronym> instance configuration. With address redirection, there is no need for port redirection, as all data received on a particular <acronym>IP</acronym> address is redirected.
The external <acronym>IP</acronym> addresses on the <citerefentry><refentrytitle>ipfw</refentrytitle><manvolnum>8</manvolnum></citerefentry> machine must be active and aliased to the external interface. Refer to <citerefentry><refentrytitle>rc.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry> for details.
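As an added example (not Handbook code), the POSIX sh helpers below emit the <option>redirect_address</option> arguments for clients <systemitem>A</systemitem> and <systemitem>B</systemitem> and check, against a constructed <citerefentry><refentrytitle>ifconfig</refentrytitle><manvolnum>8</manvolnum></citerefentry> listing, that each public address is really configured on the external interface, printing the <literal>ifconfig_&lt;if&gt;_aliasN</literal> entries from <citerefentry><refentrytitle>rc.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry> for any that are missing; the interface name <literal>em0</literal> and the listing itself are assumptions.

```shell
#!/bin/sh
# Verify that every public address handed to redirect_address is configured
# on the external interface, and print rc.conf alias entries for any that
# are missing. Constructed example, not Handbook code.

# Constructed ifconfig(8) output for an assumed em0: 128.1.1.1 is the primary
# address and 128.1.1.2 is already aliased, but 128.1.1.3 (client B) is not.
IFCONFIG_SAMPLE='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 128.1.1.1 netmask 0xffffff00 broadcast 128.1.1.255
        inet 128.1.1.2 netmask 0xffffffff broadcast 128.1.1.2'

# has_inet OUTPUT IP -> 0 if an "inet IP" line is present (exact field match)
has_inet() {
    printf '%s\n' "$1" |
        awk -v ip="$2" '$1 == "inet" && $2 == ip { found = 1 } END { exit !found }'
}

# missing_aliases OUTPUT IP... -> prints each IP that is not configured
missing_aliases() {
    out=$1; shift
    for ip in "$@"; do
        has_inet "$out" "$ip" || echo "$ip"
    done
}

# next_alias_index OUTPUT -> first free ifconfig_<if>_aliasN number, assuming
# the inet lines are the primary address followed by aliases 0..N-1
next_alias_index() {
    printf '%s\n' "$1" | awk '$1 == "inet" { n++ } END { print n - 1 }'
}

# alias_rc_lines IFNAME START IP... -> rc.conf(5) lines adding each IP as a
# host (/32) alias, numbered from START
alias_rc_lines() {
    ifn=$1; n=$2; shift 2
    for ip in "$@"; do
        printf 'ifconfig_%s_alias%d="inet %s netmask 255.255.255.255"\n' "$ifn" "$n" "$ip"
        n=$((n + 1))
    done
}

# redirect_address_args LOCAL:PUBLIC... -> one redirect_address token per pair
redirect_address_args() {
    for pair in "$@"; do
        printf 'redirect_address %s %s\n' "${pair%%:*}" "${pair#*:}"
    done
}

# The example from the text: clients A and B get 128.1.1.2 and 128.1.1.3.
# Prints the NAT arguments; fails if a public address is not aliased yet.
check_example() {
    redirect_address_args 192.168.0.2:128.1.1.2 192.168.0.3:128.1.1.3
    miss=$(missing_aliases "$IFCONFIG_SAMPLE" 128.1.1.2 128.1.1.3)
    [ -z "$miss" ] && return 0
    echo "not configured on em0, add to rc.conf:" >&2
    alias_rc_lines em0 "$(next_alias_index "$IFCONFIG_SAMPLE")" $miss >&2
    return 1
}
```

With the sample listing, `check_example` reports that 128.1.1.3 is missing and prints the `ifconfig_em0_alias1` line that would add it.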
Userspace <acronym>NAT</acronym>
To begin with a caveat: the userspace <acronym>NAT</acronym> implementation, <citerefentry><refentrytitle>natd</refentrytitle><manvolnum>8</manvolnum></citerefentry>, has more overhead than in-kernel <acronym>NAT</acronym>. For <citerefentry><refentrytitle>natd</refentrytitle><manvolnum>8</manvolnum></citerefentry> to translate packets, they have to be copied from the kernel to userspace and back, which adds overhead that in-kernel <acronym>NAT</acronym> does not incur.
To enable the userspace <acronym>NAT</acronym> daemon <citerefentry><refentrytitle>natd</refentrytitle><manvolnum>8</manvolnum></citerefentry> at boot time, the following is a minimum configuration in <filename>/etc/rc.conf</filename>, where <option>natd_interface</option> is set to the name of the <acronym>NIC</acronym> attached to the Internet. The <citerefentry><refentrytitle>rc</refentrytitle><manvolnum>8</manvolnum></citerefentry> script of <citerefentry><refentrytitle>natd</refentrytitle><manvolnum>8</manvolnum></citerefentry> automatically checks whether a dynamic <acronym>IP</acronym> address is used and configures itself to handle that.
gateway_enable="YES"
natd_enable="YES"
natd_interface="rl0"
In general, the ruleset explained above for in-kernel <acronym>NAT</acronym> can also be used together with <citerefentry><refentrytitle>natd</refentrytitle><manvolnum>8</manvolnum></citerefentry>. The exceptions are the configuration of the in-kernel <acronym>NAT</acronym> instance <literal>(ipfw -q nat 1 config ...)</literal>, which is not needed, and reassemble rule 99, whose functionality is included in the <option>divert</option> action. Rules 100 and 1000 have to change slightly, as shown below.
$cmd 100 divert natd ip from any to any in via $pif
$cmd 1000 divert natd ip from any to any out via $pif
