# Allow access to public DNS
# Replace x.x.x.x with the IP address of a public DNS server
# and repeat for each DNS server in /etc/resolv.conf
$cmd 00110 allow tcp from any to x.x.x.x 53 out via $pif setup keep-state
$cmd 00111 allow udp from any to x.x.x.x 53 out via $pif keep-state

# Allow access to ISP's DHCP server for cable/DSL configurations.
# Use the first rule and check log for IP address.
# Then, uncomment the second rule, input the IP address, and delete the first rule
$cmd 00120 allow log udp from any to any 67 out via $pif keep-state
#$cmd 00120 allow udp from any to x.x.x.x 67 out via $pif keep-state

# Allow outbound HTTP and HTTPS connections
$cmd 00200 allow tcp from any to any 80 out via $pif setup keep-state
$cmd 00220 allow tcp from any to any 443 out via $pif setup keep-state

# Allow outbound email connections
$cmd 00230 allow tcp from any to any 25 out via $pif setup keep-state
$cmd 00231 allow tcp from any to any 110 out via $pif setup keep-state

# Allow outbound ping
$cmd 00250 allow icmp from any to any out via $pif keep-state

# Allow outbound NTP
$cmd 00260 allow udp from any to any 123 out via $pif keep-state

# Allow outbound SSH
$cmd 00280 allow tcp from any to any 22 out via $pif setup keep-state

# deny and log all other outbound connections
$cmd 00299 deny log all from any to any out via $pif
The next set of rules controls connections from Internet hosts to the internal network. It starts by denying packets typically associated with attacks and then explicitly allows specific types of connections. All the authorized services that originate from the Internet use <literal>limit</literal> to prevent flooding.
# Deny all inbound traffic from non-routable reserved address spaces
$cmd 00300 deny all from 192.168.0.0/16 to any in via $pif #RFC 1918 private IP
$cmd 00301 deny all from 172.16.0.0/12 to any in via $pif #RFC 1918 private IP
$cmd 00302 deny all from 10.0.0.0/8 to any in via $pif #RFC 1918 private IP
$cmd 00303 deny all from 127.0.0.0/8 to any in via $pif #loopback
$cmd 00304 deny all from 0.0.0.0/8 to any in via $pif #loopback
$cmd 00305 deny all from 169.254.0.0/16 to any in via $pif #DHCP auto-config
$cmd 00306 deny all from 192.0.2.0/24 to any in via $pif #reserved for docs
$cmd 00307 deny all from 204.152.64.0/23 to any in via $pif #Sun cluster interconnect
$cmd 00308 deny all from 224.0.0.0/3 to any in via $pif #Class D &amp; E multicast

# Deny public pings
$cmd 00310 deny icmp from any to any in via $pif

# Deny ident
$cmd 00315 deny tcp from any to any 113 in via $pif

# Deny all Netbios services.
$cmd 00320 deny tcp from any to any 137 in via $pif
$cmd 00321 deny tcp from any to any 138 in via $pif
$cmd 00322 deny tcp from any to any 139 in via $pif
$cmd 00323 deny tcp from any to any 81 in via $pif

# Deny fragments
$cmd 00330 deny all from any to any frag in via $pif

# Deny ACK packets that did not match the dynamic rule table
$cmd 00332 deny tcp from any to any established in via $pif

# Allow traffic from ISP's DHCP server.
# Replace x.x.x.x with the same IP address used in rule 00120.
#$cmd 00360 allow udp from any to x.x.x.x 67 in via $pif keep-state

# Allow HTTP connections to internal web server
$cmd 00400 allow tcp from any to me 80 in via $pif setup limit src-addr 2

# Allow inbound SSH connections
$cmd 00410 allow tcp from any to me 22 in via $pif setup limit src-addr 2

# Reject and log all other incoming connections
$cmd 00499 deny log all from any to any in via $pif
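Rules such as <literal>00299</literal> and <literal>00499</literal> carry the <literal>log</literal> keyword, so every packet they drop ends up in the security log. The following script is an added example (it is not part of the Handbook and not FreeBSD project code) that summarises such log lines by source address and direction. The sample lines are constructed to match the layout ipfw writes via syslog (rule number, action, protocol, source, destination, direction, interface); the host name <literal>gw</literal>, the interface <literal>dc0</literal> and all addresses are made up, and the function names are this example's own.

```shell
#!/bin/sh
# Summarise ipfw "deny log" hits by source address.
# Constructed sample lines in the layout ipfw writes to the security log
# (rule number, action, protocol, src:port, dst:port, direction, interface).
# Host gw, interface dc0 and all addresses are invented for this example.
SAMPLE_LOG='Mar  3 10:01:02 gw kernel: ipfw: 499 Deny TCP 203.0.113.7:51234 198.51.100.2:445 in via dc0
Mar  3 10:01:03 gw kernel: ipfw: 499 Deny TCP 203.0.113.7:51235 198.51.100.2:3389 in via dc0
Mar  3 10:01:05 gw kernel: ipfw: 499 Deny UDP 203.0.113.9:5353 198.51.100.2:5353 in via dc0
Mar  3 10:01:06 gw kernel: ipfw: 120 Accept UDP 0.0.0.0:68 255.255.255.255:67 out via dc0
Mar  3 10:01:07 gw kernel: ipfw: 299 Deny TCP 192.168.0.5:40000 203.0.113.50:6667 out via dc0
Mar  3 10:01:08 gw kernel: ipfw: 310 Deny ICMP:8.0 203.0.113.7 198.51.100.2 in via dc0'

# Print "count source_ip" for every denied packet travelling in direction $2
# (in or out) found in the log text $1, most frequent source first.
# Fields are located relative to the "ipfw:" token so the syslog prefix
# (date, host, "kernel:") does not matter.
deny_counts_by_src() {
    printf '%s\n' "$1" | awk -v want="$2" '
        {
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            if (i > NF) next                       # not an ipfw log line
            action = $(i + 2); src = $(i + 4); dir = $(i + 6)
            if (action != "Deny" || dir != want) next
            sub(/:[0-9]+$/, "", src)               # drop the source port (ICMP lines have none)
            n[src]++
        }
        END { for (s in n) print n[s], s }
    ' | sort -rn
}

# Source address with the most denied inbound packets.
top_denied_src() {
    deny_counts_by_src "$1" in | head -n 1 | awk '{ print $2 }'
}

# Total number of denied packets in direction $2.
deny_total() {
    deny_counts_by_src "$1" "$2" | awk '{ t += $1 } END { print t + 0 }'
}

echo "denied inbound packets by source:"
deny_counts_by_src "$SAMPLE_LOG" in
echo "top inbound source: $(top_denied_src "$SAMPLE_LOG")"
echo "denied outbound packets: $(deny_total "$SAMPLE_LOG" out)"
```

On a real gateway the same functions can be fed with the output of <literal>grep 'ipfw:' /var/log/security</literal>; a single outbound source hitting rule <literal>00299</literal> repeatedly is usually a misconfigured client or a service that needs its own allow rule, while the inbound counts show which external addresses are probing ports the ruleset does not expose.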
The last rule denies and logs all packets that do not match any of the rules in the ruleset:
# Everything else is denied and logged
$cmd 00999 deny log all from any to any
In-kernel <acronym>NAT</acronym>
<personname> <firstname>Dries</firstname> <surname>Michiels</surname> </personname> <contrib>Rewritten and updated by </contrib>
<primary>NAT</primary> <secondary>and <application>IPFW</application></secondary>
FreeBSD's <application>IPFW</application> firewall has two implementations of <acronym>NAT</acronym>: the userland implementation <citerefentry><refentrytitle>natd</refentrytitle><manvolnum>8</manvolnum></citerefentry>, and the more recent in-kernel <acronym>NAT</acronym> implementation. Both work in conjunction with <application>IPFW</application> to provide network address translation. This can be used to provide an Internet Connection Sharing solution so that several internal computers can connect to the Internet using a single public <acronym>IP</acronym> address.
To do this, the FreeBSD machine connected to the Internet must act as a gateway. This system must have two <acronym>NIC</acronym>s, where one is connected to the Internet and the other is connected to the internal <acronym>LAN</acronym>. Each machine connected to the <acronym>LAN</acronym> should be assigned an <acronym>IP</acronym> address in the private network space, as defined by <link xlink:href="https://www.ietf.org/rfc/rfc1918.txt">RFC 1918</link>.
Some additional configuration is needed in order to enable the in-kernel <acronym>NAT</acronym> facility of <application>IPFW</application>. To enable in-kernel <acronym>NAT</acronym> support at boot time, the following must be set in <filename>/etc/rc.conf</filename>:
gateway_enable="YES"
firewall_enable="YES"
firewall_nat_enable="YES"
When <literal>firewall_nat_enable</literal> is set but <literal>firewall_enable</literal> is not, it has no effect, because the in-kernel <acronym>NAT</acronym> implementation is only compatible with <application>IPFW</application>.
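Because a <literal>firewall_nat_enable="YES"</literal> line silently does nothing without <literal>firewall_enable="YES"</literal>, it is worth checking the three settings together before rebooting. The script below is an added example (not Handbook or FreeBSD project code) that reads the relevant variables out of an <filename>rc.conf</filename> text and reports the inconsistency. The two configuration fragments are constructed for the example; the function names are this example's own, and as a simplification only the literal value <literal>YES</literal> (case-insensitive) is accepted, whereas the rc framework also understands synonyms such as <literal>true</literal> and <literal>1</literal>.

```shell
#!/bin/sh
# Sanity-check the rc.conf(5) settings needed for IPFW in-kernel NAT.
# Both fragments below are constructed for this example, not copied from a real host.
SAMPLE_RCCONF_GOOD='gateway_enable="YES"
firewall_enable="YES"
firewall_nat_enable="YES"'

SAMPLE_RCCONF_BAD='gateway_enable="YES"
firewall_nat_enable="YES"  # firewall_enable is missing, so this line does nothing'

# Print the value of variable $2 from the rc.conf text $1: the last assignment
# wins, trailing comments and quotes are stripped, and the result is uppercased.
rc_flag() {
    printf '%s\n' "$1" | awk -F= -v key="$2" '
        $1 == key { v = $2; sub(/[ \t]*#.*$/, "", v); gsub(/"/, "", v) }
        END { print toupper(v) }'
}

# Return 0 when gateway_enable, firewall_enable and firewall_nat_enable are all
# YES; otherwise print one line per problem and return 1.
# Simplification: only the value YES is accepted, not the other spellings the
# rc framework's checkyesno understands.
check_nat_rcconf() {
    gw=$(rc_flag "$1" gateway_enable)
    fw=$(rc_flag "$1" firewall_enable)
    nat=$(rc_flag "$1" firewall_nat_enable)
    problems=0
    if [ "$nat" != "YES" ]; then
        echo "firewall_nat_enable is not YES: in-kernel NAT will not be configured at boot"
        problems=$((problems + 1))
    elif [ "$fw" != "YES" ]; then
        echo "firewall_nat_enable=YES has no effect because firewall_enable is not YES"
        problems=$((problems + 1))
    fi
    if [ "$gw" != "YES" ]; then
        echo "gateway_enable is not YES: packets will not be forwarded between the two NICs"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

echo "checking good fragment:"
check_nat_rcconf "$SAMPLE_RCCONF_GOOD" && echo "ok"
echo "checking bad fragment:"
check_nat_rcconf "$SAMPLE_RCCONF_BAD" || echo "rejected as expected"
```

To check the live file, pass its contents: <literal>check_nat_rcconf "$(cat /etc/rc.conf)"</literal>.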
When the ruleset contains stateful rules, the positioning of the <acronym>NAT</acronym> rule is critical and the <literal>skipto</literal> action is used. The <literal>skipto</literal> action requires a rule number so that it knows which rule to jump to. The example below builds upon the firewall ruleset shown in the previous section. It adds some additional entries and modifies some existing rules in order to configure the firewall for in-kernel <acronym>NAT</acronym>. It starts by adding some additional variables which represent the rule number to skip to, the <literal>keep-state</literal> option, and a list of <acronym>TCP</acronym> ports which will be used to reduce the number of rules.
#!/bin/sh
ipfw -q -f flush
cmd="ipfw -q add"
skip="skipto 1000"
pif=dc0
ks="keep-state"
good_tcpo="22,25,37,53,80,443,110"
With in-kernel <acronym>NAT</acronym> it is necessary to disable TCP segmentation offloading (<acronym>TSO</acronym>) due to the architecture of <citerefentry><refentrytitle>libalias</refentrytitle><manvolnum>3</manvolnum></citerefentry>, a library implemented as a kernel module to provide the in-kernel <acronym>NAT</acronym> facility of <application>IPFW</application>. <acronym>TSO</acronym> can be disabled on a per network interface basis using <citerefentry><refentrytitle>ifconfig</refentrytitle><manvolnum>8</manvolnum></citerefentry> or on a system wide basis using <citerefentry><refentrytitle>sysctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>. To disable <acronym>TSO</acronym> system wide, the following must be set in <filename>/etc/sysctl.conf</filename>:
net.inet.tcp.tso="0"
A <acronym>NAT</acronym> instance will also be configured. It is possible to have multiple <acronym>NAT</acronym> instances, each with its own configuration. For this example only one <acronym>NAT</acronym> instance is needed, <acronym>NAT</acronym> instance number 1. The configuration can take a few options such as: <option>if</option>, which indicates the public interface; <option>same_ports</option>, which takes care that aliased ports and local port numbers are mapped the same; <option>unreg_only</option>, which results in only unregistered (private) address spaces being processed by the <acronym>NAT</acronym> instance; and <option>reset</option>, which helps to keep a functioning <acronym>NAT</acronym> instance even when the public <acronym>IP</acronym> address of the <application>IPFW</application> machine changes. For all possible options that can be passed to a single <acronym>NAT</acronym> instance configuration, consult <citerefentry><refentrytitle>ipfw</refentrytitle><manvolnum>8</manvolnum></citerefentry>. When configuring a stateful <acronym>NAT</acronym>ing firewall, it is necessary to allow translated packets to be reinjected into the firewall for further processing. This can be achieved by disabling <option>one_pass</option> behavior at the start of the firewall script.
ipfw disable one_pass
ipfw -q nat 1 config if $pif same_ports unreg_only reset
The inbound <acronym>NAT</acronym> rule is inserted <emphasis>after</emphasis> the two rules which allow all traffic on the trusted and loopback interfaces and after the reassemble rule, but <emphasis>before</emphasis> the <literal>check-state</literal> rule. It is important that the rule number selected for this <acronym>NAT</acronym> rule, in this example <literal>100</literal>, is higher than the first three rules and lower than the <literal>check-state</literal> rule. Furthermore, because of the behavior of in-kernel <acronym>NAT</acronym> it is advised to place a reassemble rule just before the first <acronym>NAT</acronym> rule and after the rules that allow traffic on the trusted interface. Normally, <acronym>IP</acronym> fragmentation should not happen, but when dealing with <acronym>IPSEC/ESP/GRE</acronym> tunneling traffic it might, and the fragments must be reassembled before the complete packet is handed over to the in-kernel <acronym>NAT</acronym> facility.
The reassemble rule was not needed with userland <citerefentry><refentrytitle>natd</refentrytitle><manvolnum>8</manvolnum></citerefentry> because the internal workings of the <application>IPFW</application> <literal>divert</literal> action already take care of reassembling packets before delivery to the socket, as also stated in <citerefentry><refentrytitle>ipfw</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
The <acronym>NAT</acronym> instance and rule number used in this example do not match the default <acronym>NAT</acronym> instance and rule number created by <filename>rc.firewall</filename>. <filename>rc.firewall</filename> is a script that sets up the default firewall rules present in FreeBSD.
$cmd 005 allow all from any to any via xl0 # exclude LAN traffic
$cmd 010 allow all from any to any via lo0 # exclude loopback traffic
$cmd 099 reass all from any to any in # reassemble inbound packets
$cmd 100 nat 1 ip from any to any in via $pif # NAT any inbound packets
# Allow the packet through if it has an existing entry in the dynamic rules table
$cmd 101 check-state
The outbound rules are modified to replace the <literal>allow</literal> action with the <literal>$skip</literal> variable, indicating that rule processing will continue at rule <literal>1000</literal>. The seven <literal>tcp</literal> rules have been replaced by rule <literal>125</literal> as the <literal>$good_tcpo</literal> variable contains the seven allowed outbound ports.
Remember that <application>IPFW</application>'s performance is largely determined by the number of rules present in the ruleset.
# Authorized outbound packets
$cmd 120 $skip udp from any to x.x.x.x 53 out via $pif $ks
$cmd 121 $skip udp from any to x.x.x.x 67 out via $pif $ks
$cmd 125 $skip tcp from any to any $good_tcpo out via $pif setup $ks
$cmd 130 $skip icmp from any to any out via $pif $ks
The inbound rules remain the same, except for the very last rule, which drops the <literal>via $pif</literal> so that it catches both inbound and outbound packets. The <acronym>NAT</acronym> rule must follow this last rule, must have a higher number than that last rule, and its rule number must be the one referenced by the <literal>skipto</literal> action. In this ruleset, rule number <literal>1000</literal> handles passing all packets to our configured instance for <acronym>NAT</acronym> processing. The next rule allows any packet which has undergone <acronym>NAT</acronym> processing to pass.
$cmd 999 deny log all from any to any
$cmd 1000 nat 1 ip from any to any out via $pif # skipto location for outbound stateful rules
$cmd 1001 allow ip from any to any
In this example, rules <literal>100</literal>, <literal>101</literal>, <literal>125</literal>, <literal>1000</literal>, and <literal>1001</literal> control the address translation of the outbound and inbound packets so that the entries in the dynamic state table always register the private <acronym>LAN</acronym> <acronym>IP</acronym> address.
Consider an internal web browser which initiates a new outbound <acronym>HTTP</acronym> session over port 80. When the first outbound packet enters the firewall, it does not match rule <literal>100</literal> because it is headed out rather than in. It passes rule <literal>101</literal> because this is the first packet and it has not been posted to the dynamic state table yet. The packet finally matches rule <literal>125</literal> as it is outbound on an allowed port and has a source <acronym>IP</acronym> address from the internal <acronym>LAN</acronym>. On matching this rule, two actions take place. First, the <literal>keep-state</literal> action adds an entry to the dynamic state table and the specified action, <literal>skipto rule 1000</literal>, is executed. Next, the packet undergoes <acronym>NAT</acronym> and is sent out to the Internet. This packet makes its way to the destination web server, where a response packet is generated and sent back. This new packet enters the top of the ruleset. It matches rule <literal>100</literal> and has its destination <acronym>IP</acronym> address mapped back to the original internal address. It is then processed by the <literal>check-state</literal> rule, is found in the table as an existing session, and is released to the <acronym>LAN</acronym>.
On the inbound side, the ruleset has to deny bad packets and allow only authorized services. A packet which matches an inbound rule is posted to the dynamic state table and the packet is released to the <acronym>LAN</acronym>. The packet generated as a response is recognized by the <literal>check-state</literal> rule as belonging to an existing session. It is then sent to rule <literal>1000</literal> to undergo <acronym>NAT</acronym> before being released to the outbound interface.
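The ordering constraints spelled out above (reassemble rule and inbound <acronym>NAT</acronym> rule after the trusted-interface rules and before <literal>check-state</literal>; <literal>skipto</literal> target numbered after the final catch-all deny and pointing at the outbound <acronym>NAT</acronym> rule) are easy to break when rules are renumbered. The script below is an added example (not Handbook or FreeBSD project code) that checks those constraints against a ruleset written as plain <literal>number action ...</literal> lines, the form the <literal>$cmd</literal> lines take once the variables are expanded. The good ruleset is the one assembled from the fragments in this section with <literal>xl0</literal> as <acronym>LAN</acronym> interface, <literal>dc0</literal> as public interface and constructed addresses in place of <literal>x.x.x.x</literal>; the bad ruleset is constructed to violate several constraints. The function name and its messages are this example's own, and the check does not cover <literal>ipfw disable one_pass</literal>, which is a command rather than a rule.

```shell
#!/bin/sh
# Verify the rule-number constraints for an IPFW in-kernel NAT ruleset.
# Rules are given as "number action rest-of-rule" lines, i.e. the $cmd lines of
# the firewall script with all variables expanded. Both rulesets below are
# constructed for this example; 198.51.100.x stand in for the x.x.x.x placeholders.
SAMPLE_NAT_RULES='005 allow all from any to any via xl0
010 allow all from any to any via lo0
099 reass all from any to any in
100 nat 1 ip from any to any in via dc0
101 check-state
120 skipto 1000 udp from any to 198.51.100.53 53 out via dc0 keep-state
121 skipto 1000 udp from any to 198.51.100.1 67 out via dc0 keep-state
125 skipto 1000 tcp from any to any 22,25,37,53,80,443,110 out via dc0 setup keep-state
130 skipto 1000 icmp from any to any out via dc0 keep-state
300 deny all from 192.168.0.0/16 to any in via dc0
400 allow tcp from any to me 80 in via dc0 setup limit src-addr 2
999 deny log all from any to any
1000 nat 1 ip from any to any out via dc0
1001 allow ip from any to any'

# Constructed to be wrong: no reass rule, inbound nat after check-state,
# skipto target numbered before the final catch-all deny.
SAMPLE_BAD_RULES='005 allow all from any to any via xl0
010 allow all from any to any via lo0
101 check-state
102 nat 1 ip from any to any in via dc0
125 skipto 500 tcp from any to any 80 out via dc0 setup keep-state
500 nat 1 ip from any to any out via dc0
501 allow ip from any to any
999 deny log all from any to any'

# check_nat_order RULESET [LAN_IF]: print one line per violated constraint and
# return the number of violations (0 means the ordering is sound).
check_nat_order() {
    printf '%s\n' "$1" | awk -v lan="${2:-xl0}" '
        NF == 0 || /^[ \t]*#/ { next }               # skip blank lines and comments
        {
            n = $1 + 0; act = $2; rule[n] = act
            if (act == "allow" && (index($0, "via " lan) || index($0, "via lo0")))
                { if (n > trusted) trusted = n }     # rules excluding LAN and loopback traffic
            if (act == "reass") reass = n
            if (act == "nat" && / in via /) nat_in = n
            if (act == "nat" && / out via /) nat_out = n
            if (act == "check-state") cs = n
            if (act == "skipto") { target[$3 + 0] = 1; if (n > last_skip) last_skip = n }
            if (act == "deny" && !/via/) catchall = n # the final "deny log all from any to any"
        }
        END {
            bad = 0
            if (!nat_in) { print "no inbound nat rule found"; bad++ }
            if (!reass || reass > nat_in) { print "reass rule missing or not placed before the inbound nat rule"; bad++ }
            if (nat_in <= trusted) { print "inbound nat rule must be numbered after the trusted/loopback allow rules"; bad++ }
            if (!cs || nat_in >= cs) { print "inbound nat rule must be numbered before check-state"; bad++ }
            for (t in target) {
                tn = t + 0
                if (!(t in rule) || tn != nat_out) { print "skipto target " t " is not the outbound nat rule"; bad++ }
                if (tn <= last_skip || tn <= catchall) { print "skipto target " t " must be numbered after the last outbound rule and the catch-all deny"; bad++ }
            }
            if (bad == 0) print "ruleset ordering OK"
            exit bad
        }'
}

echo "checking example ruleset:"
check_nat_order "$SAMPLE_NAT_RULES" || echo "violations: $?"
echo "checking deliberately broken ruleset:"
check_nat_order "$SAMPLE_BAD_RULES" || echo "violations: $?"
```

To check a running firewall, feed it the output of <literal>ipfw list</literal>, which prints rules in exactly this <literal>number action ...</literal> form; pass the <acronym>LAN</acronym> interface name as the second argument if it is not <literal>xl0</literal>.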