From: "Nathan Vidican" <nathan@envieweb.net>
To: questions@freebsd.org
Date: Wed, 18 Oct 2006 10:22:42 -0400
Message-Id: <20061018140538.M24325@envieweb.net>
Subject: selective NAT/gateway

Got a bit of an interesting question, wondering how others out there might have dealt with this: we have a single machine acting as router/firewall/NAT gateway via DSL. It routes a small (/29) subnet of static IPs to our servers, and routes between internal (non-public) subnets. Internet traffic is then routed via NAT translation over the PPPoE link. We then use a proxy server to cache most of our web traffic. Works well, and has been for several years now, but we need to be able to deny traffic through the NAT gateway based on IP addresses or ranges.
Given the following example:

Internet -> DSL+Subnet -> FreeBSD router + NAT/PPPoE -> 192.168.0.1 + 192.168.1.1 + 192.168.2.1 + 192.168.3.1
(each of these private subnets is a physically different network, connected via an independent ethernet interface - multiport intel 'fxp' cards)

Internal machines -> 192.168.0.100 - 192.168.0.200
Select Internal machines -> 192.168.0.10 - 192.168.0.50

Want to allow 192.168.0.10 through 192.168.0.50 full use of the gateway (enabling internet access via NAT), but deny machines in the 192.168.0.100 - 192.168.0.200 range from using NAT - yet still allow them to use 'regular' routes (given the example below, want to allow 192.168.0.X to connect to/from 192.168.3.X, for instance).

So the long question shortened is: how do I deny NAT traffic for specific IP addresses, without blocking those addresses from routing through 'normal' routes to other subnets? Essentially, I need an IPFW rule to block traffic from 192.168.0.X through via NAT, or don't I?

Any ideas/comments/suggestions greatly appreciated (note the above is an example, not actual addresses).

--
Nathan Vidican
nathan@vidican.com
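One way to express the policy asked about above, as an added example and not part of the original post or any reply to it: generate an ipfw rule file in which a deny rule for the blocked range sits ahead of the natd divert rule, matched on the outbound PPPoE interface so that traffic between the private subnets (which never crosses that interface) is unaffected. The interface name tun0 and the use of natd are assumptions, as is the hyphen-range-to-CIDR split, which is needed because ipfw addresses are written as CIDR blocks or table entries rather than ranges.

```python
import ipaddress

# Assumption (not stated in the post): the PPPoE link is tun0 and NAT is done
# by natd on its default divert port.
PPPOE_IF = "tun0"


def range_to_cidrs(first, last):
    """Split an inclusive address range into the CIDR blocks ipfw accepts."""
    return [str(net) for net in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))]


def build_rules(denied_first, denied_last, iface=PPPOE_IF):
    """Return ipfw rule-file lines (loadable with `ipfw -q <file>`).

    Order matters: the deny rule (900) must precede the divert rule (1000),
    otherwise natd translates the packet before the deny is ever evaluated.
    Matching only traffic leaving via the PPPoE interface leaves ordinary
    routing between the 192.168.x.0/24 subnets untouched.
    """
    rules = ["table 1 flush"]
    for cidr in range_to_cidrs(denied_first, denied_last):
        rules.append(f"table 1 add {cidr}")
    rules.append(f"add 900 deny ip from table(1) to any out via {iface}")
    rules.append(f"add 1000 divert natd ip from any to any via {iface}")
    return rules


if __name__ == "__main__":
    # The range from the post's (constructed) example: hosts that must not NAT.
    for line in build_rules("192.168.0.100", "192.168.0.200"):
        print(line)
```

Hosts outside table 1 (such as 192.168.0.10 through .50) fall through to the divert rule and are translated as before.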