From: "Ivan Levchenko" <levchenko.i@gmail.com>
To: "Nathan Vidican"
Cc: questions@freebsd.org
Date: Wed, 18 Oct 2006 17:54:41 +0300
Subject: Re: selective NAT/gateway

I did the exact same thing using pf on FreeBSD: I added all the allowed IP addresses to a table, then in the nat rule:

    nat on $ext_if from to any -> $ext_if

(you can put the last $ext_if in parentheses if you use DHCP for your external address)

On 10/18/06, Nathan Vidican wrote:
> Got a bit of an interesting question, wondering how others out there might
> have dealt with this:
>
> We have a single machine acting as router/firewall/NAT gateway via DSL. It
> routes a small (/29) subnet of static IPs to our servers, and routes
> between internal (non-public) subnets. Internet traffic is then routed via
> NAT translation over the PPPoE link. We then use a proxy server to cache
> most of our web traffic. Works well, and has been for several years now, but
> we need to be able to deny traffic through the NAT gateway based on IP
> addresses or ranges. Given the following example:
>
> Internet -> DSL+Subnet -> FreeBSD router + NAT/PPPoE ->
>     192.168.0.1 + 192.168.1.1 + 192.168.2.1 + 192.168.3.1
> (each of these private subnets is a physically different network, connected
> via an independent ethernet interface - multiport Intel 'fxp' cards)
>
> Internal machines -> 192.168.0.100 - 192.168.0.200
> Select internal machines -> 192.168.0.10 - 192.168.0.50
>
> Want to allow 192.168.0.10 through 192.168.0.50 full use of the gateway
> (enabling internet access via NAT), but deny machines in the 192.168.0.100 -
> 192.168.0.200 range from using NAT - yet still allow them to use 'regular'
> routes (given the example below, want to allow 192.168.0.X to connect
> to/from 192.168.3.X for instance).
>
> So the long question shortened, is how do I deny NAT traffic for specific IP
> addresses without blocking those addresses from routing through 'normal'
> routes to other subnets. Essentially, I need an IPFW rule to block traffic
> from 192.168.0.X through via NAT, or don't I?
>
> Any ideas/comments/suggestions greatly appreciated (note the above is an
> example, not actual addresses).
>
> --
> Nathan Vidican
> nathan@vidican.com

--
Best Regards,
Ivan Levchenko
levchenko.i@gmail.com
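As an added illustration that is not part of either message, the pf.conf fragment below puts Ivan's table-based nat rule next to the filter rules that give Nathan the behaviour he asked for: NAT only for the table, inter-subnet routing for everyone, and no untranslated private address ever leaving the DSL link. The interface names, the table name and the address ranges are assumptions taken from the example addresses in the post.

```pf
# Added example (not from the thread). Names below are assumptions:
ext_if = "tun0"    # PPPoE link to the DSL provider
int_if = "fxp0"    # the 192.168.0.0/24 segment

# Only these hosts (192.168.0.10 - .50 in the post) may use NAT.
# Everything else on the inside simply has no matching nat rule.
table <nat_allowed> { 192.168.0.10 - 192.168.0.50 }

# Ivan's rule: translate only table members. Parentheses make pf
# re-read the address of $ext_if whenever PPPoE/DHCP changes it.
nat on $ext_if from <nat_allowed> to any -> ($ext_if)

# Default deny, then open exactly what the thread describes.
block all

# 'Regular' routing between the private subnets stays open for every
# internal host (e.g. 192.168.0.x <-> 192.168.3.x), NAT or not.
pass quick from 192.168.0.0/16 to 192.168.0.0/16 keep state

# pf translates before it filters, so a packet that still carries a
# 192.168.x.x source when it reaches $ext_if came from a host outside
# <nat_allowed>. Drop and log it here rather than leaking it upstream.
block out log quick on $ext_if from 192.168.0.0/16 to any
pass out on $ext_if keep state

# Let the permitted hosts into the router; denied hosts bound for the
# Internet fall through to "block all" at the inside interface.
pass in on $int_if from <nat_allowed> to any keep state
```

The table can later be edited without a reload (`pfctl -t nat_allowed -T add 192.168.0.51`), and the logged drops on pflog0 show which denied hosts are still trying to reach the Internet directly.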