Date: Wed, 18 Oct 2006 17:54:41 +0300
From: "Ivan Levchenko" <levchenko.i@gmail.com>
To: "Nathan Vidican" <nathan@envieweb.net>
Cc: questions@freebsd.org
Subject: Re: selective NAT/gateway
Message-ID: <e39dd5bb0610180754m44d06fddu54c8312b160ec86b@mail.gmail.com>
In-Reply-To: <20061018140538.M24325@envieweb.net>
References: <20061018140538.M24325@envieweb.net>
I did the exact same thing using pf on FreeBSD: I added all the allowed IP
addresses to a table <allowed>, then in the NAT rule:

nat on $ext_if from <allowed> to any -> $ext_if

(you can put the last $ext_if in parentheses if you use DHCP for your external
address)

On 10/18/06, Nathan Vidican <nathan@envieweb.net> wrote:
> Got a bit of an interesting question, wondering how others out there might
> have dealt with this:
>
> We have a single machine acting as router/firewall/NAT gateway via DSL. It
> routes a small (/29) subnet of static IPs to our servers, and routes
> between internal (non-public) subnets. Internet traffic is then routed via
> NAT translation over the PPPoE link. We then use a proxy server to cache
> most of our web traffic. Works well, and has been for several years now, but
> we need to be able to deny traffic through the NAT gateway based on IP
> addresses or ranges. Given the following example:
>
> Internet -> DSL+Subnet -> FreeBSD router + NAT/PPPoE ->
> 192.168.0.1 + 192.168.1.1 + 192.168.2.1 + 192.168.3.1
> (each of these private subnets is a physically different network, connected
> via an independent ethernet interface - multiport intel 'fxp' cards)
>
> Internal machines -> 192.168.0.100 - 192.168.0.200
> Select Internal machines -> 192.168.0.10 - 192.168.0.50
>
> Want to allow 192.168.0.10 through 192.168.0.50 full use of the gateway
> (enabling internet access via NAT), but deny machines in the 192.168.0.100 -
> 192.168.0.200 range from using NAT - yet still allow them to use 'regular'
> routes, (given the example below, want to allow 192.168.0.X to connect
> to/from 192.168.3.X for instance).
>
> So the long-question shortened, is how do I deny NAT traffic for specific IP
> addresses, without blocking those addresses from routing through 'normal'
> routes to other subnets. Essentially, I need an IPFW rule to block traffic
> from 192.168.0.X through via NAT, or don't I?
>
> Any ideas/comments/suggestions greatly appreciated, (note the above is an
> example, not actual addresses).
>
> --
> Nathan Vidican
> nathan@vidican.com
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"

--
Best Regards,
Ivan Levchenko
levchenko.i@gmail.com
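A fuller pf.conf along the lines Ivan describes, added here as an illustration and not taken from either poster: the <allowed> table holds the hosts that may use NAT, the nat rule translates only them, ordinary routing between the private subnets stays open for everyone, and a block rule on the external interface stops the untranslated hosts from leaking private source addresses onto the DSL link. The address ranges follow Nathan's example; the interface names (tun0 for PPPoE, fxp0-fxp3 for the internal networks) are assumptions.

```pf
# Added example pf.conf for a FreeBSD gateway (not from either poster).
# Interface names are assumptions; the addresses follow Nathan's example.
ext_if    = "tun0"                          # PPPoE link (ppp(8) tun0 assumed)
int_ifs   = "{ fxp0 fxp1 fxp2 fxp3 }"
priv_nets = "{ 192.168.0.0/24, 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24 }"

# Hosts allowed to use NAT: 192.168.0.10 - 192.168.0.50. Tables take
# addresses and CIDR prefixes, so the range is written as prefixes.
# 'persist' keeps the table across reloads, and it can be changed live:
#   pfctl -t allowed -T add 192.168.0.51
table <allowed> persist { 192.168.0.10/31, 192.168.0.12/30, 192.168.0.16/28, \
                          192.168.0.32/28, 192.168.0.48/31, 192.168.0.50 }

set skip on lo0

# Translate only table members. ($ext_if) makes pf re-read the interface
# address whenever it changes, which matters when PPPoE hands out a new one.
nat on $ext_if inet from <allowed> to any -> ($ext_if)

# Default deny; later matching pass rules override it.
block log all

# Ordinary routing between the private subnets stays open for every host,
# e.g. 192.168.0.100 <-> 192.168.3.x, independent of the NAT table.
pass in  quick on $int_ifs inet from $priv_nets to $priv_nets keep state
pass out quick on $int_ifs inet from $priv_nets to $priv_nets keep state

# Only table members may enter the gateway bound for anywhere else.
# 192.168.0.100 - .200 never match here and fall through to 'block log all'.
pass in on $int_ifs inet from <allowed> to any keep state

# Translation runs before filtering, so an allowed host's packets now carry
# the external address. Anything still sourced from a private address has
# bypassed NAT (or slipped past the rule above) and is dropped and logged
# rather than leaking RFC 1918 addresses onto the DSL link.
block out log quick on $ext_if inet from $priv_nets to any
pass out on $ext_if inet keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and watch `pflog0` with tcpdump to confirm that the non-table hosts are the ones being logged at the block rules.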