From: Christopher Cowart <ccowart@rescomp.berkeley.edu>
To: Marcel Grandemange
Cc: freebsd-questions@freebsd.org
Date: Wed, 3 Sep 2008 11:18:52 -0700
Subject: Re: IPFW In FreeBSD
Message-ID: <20080903181852.GK25990@hal.rescomp.berkeley.edu>
In-Reply-To: <02be01c90da0$e03555d0$a0a00170$@za.net>
Organization: RSSP-IT, UC Berkeley

Marcel Grandemange wrote:
> OK, so I know this is a newbie question..
>
> But I've for years now wanted to know how to only NAT certain traffic, or maybe
> only across a certain IP.
>
> I've tried many examples, all not working.. Maybe I'm just doing something
> stupid..
>
> But, below is an example of a machine that is NATing everything on em0.
>
> I'd like to know how to change that to everything on say 196.212.65.186
> instead of the entire interface.
>
> Or better yet..
>
> Stop NATing everything and say only NAT web traffic.
>
> I'm having issues where certain traffic is being NATed that MUSTN'T be!

If you're running 7.0, you can ditch divert and use the built-in NAT
functionality (you can probably substitute nat rules for the divert rules).
You can use source and destination ports and addresses when deciding what to
have ipfw divert/nat. They're rules just like any others.

Here's what I do:

/etc/ipfw.rules:
| CMD="/sbin/ipfw -q add"
|
| # Configure NAT ("inet" is the name of the external interface on this box)
| /sbin/ipfw -q nat 1 config if inet log reset unreg_only same_ports \
|     redirect_port tcp 10.1.10.20:80 80 \
|     redirect_port tcp 10.1.10.20:443 443
|
| # loopback
| $CMD allow all from any to any via lo0
| $CMD deny log all from 127.0.0.0/8 to any
|
| # Anti-spoof
| $CMD deny log all from any to any not verrevpath in
|
| # Catch proto 41 without NATing
| $CMD allow ipv6 from any to me
|
| # Allow this box to initiate unNATed outbound connections
| $CMD allow ip from me to any keep-state
|
| # NAT
| $CMD nat 1 ip4 from any to me in via inet
| $CMD nat 1 ip4 from 10.1.10.0/24 to not me out via inet
|
| # ICMP
| $CMD allow icmp from any to any
|
| # SSH from local nets
| $CMD allow tcp from 10.1.10.0/24 to me ssh
|
| # DNS from local nets
| $CMD allow udp from 10.1.10.0/24 to me domain
|
| # DHCP from local nets
| $CMD allow udp from any to me bootps in via bridge0
| $CMD allow udp from 0.0.0.0 to 255.255.255.255 bootps in via bridge0
|
| # Deny anything else destined to me
| $CMD deny log ip from any to me
|
| # But forward any other traffic
| $CMD allow ip4 from any to any

--
Chris Cowart
Network Technical Lead
Network & Infrastructure Services, RSSP-IT
UC Berkeley
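As an added example that is not part of this thread (it is neither Chris's rule set nor anything shipped with ipfw), here is how the two things Marcel asks for can be expressed as ipfw rules on 7.0 or later: the NAT instance bound to a fixed public address instead of a whole interface, and translation limited to web traffic from the inside network, with everything else that would otherwise leak out untranslated logged and dropped. The interface name em0 and the address 196.212.65.186 are taken from the question and the inside network 10.1.10.0/24 from Chris's rules; all three are assumptions to adjust. By default the script only prints the ipfw commands so the rule set can be reviewed on any host.

```shell
#!/bin/sh
# Added example, not from the thread: NAT only HTTP/HTTPS from the LAN, using
# a fixed public address ("ip") rather than an interface ("if").
# Assumed values (placeholders, adjust to your box): external interface em0
# and public address 196.212.65.186 from the question, inside network
# 10.1.10.0/24 from Chris's rules. Needs FreeBSD 7.0+ with ipfw_nat loaded.

EXT_IF="${EXT_IF:-em0}"
NAT_IP="${NAT_IP:-196.212.65.186}"
LAN="${LAN:-10.1.10.0/24}"

# DRY_RUN=1 (the default) prints each ipfw command instead of running it;
# run with DRY_RUN=0 on the firewall itself to apply the rules.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

build_rules() {
    CMD="/sbin/ipfw -q add"

    # NAT instance 1 translates to a fixed address. deny_in drops inbound
    # packets that match no existing translation instead of passing them
    # through untranslated; unreg_only leaves non-RFC1918 sources alone.
    run /sbin/ipfw -q nat 1 config ip "$NAT_IP" log deny_in same_ports unreg_only

    # Loopback and anti-spoof, as in Chris's set.
    run $CMD allow all from any to any via lo0
    run $CMD deny log all from 127.0.0.0/8 to any
    run $CMD deny log all from any to any not verrevpath in

    # Only outbound TCP to ports 80 and 443 from the LAN is translated.
    run $CMD nat 1 tcp from "$LAN" to any 80,443 out via "$EXT_IF"
    # Replies return to the NAT address from those ports and must pass
    # through the same instance to be mapped back to the inside host.
    run $CMD nat 1 tcp from any 80,443 to "$NAT_IP" in via "$EXT_IF"

    # Anything else from a private source would now leave untranslated;
    # log and drop it rather than leak RFC 1918 addresses upstream.
    run $CMD deny log ip4 from 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 to any out via "$EXT_IF"

    # Services on the firewall from the LAN, then default deny for the box.
    run $CMD allow tcp from "$LAN" to me ssh
    run $CMD allow icmp from any to any
    run $CMD deny log ip from any to me

    # Routed traffic that is intentionally not NATed (public addresses on the
    # inside) still needs a pass rule. Note net.inet.ip.fw.one_pass (default 1)
    # ends rule processing after a nat rule matches; with it set to 0 the
    # translated packet continues down the list and is covered by this rule.
    run $CMD allow ip4 from any to any
}

build_rules
```

Reading the output top to bottom is the check to make before applying it: the two nat rules are the only places translation happens, so any traffic that is still being NATed when it should not be must match one of those two lines, and the deny line after them is where untranslated private-source packets show up in the log instead of reaching the upstream.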