Message-ID: <4BDABC49.2040600@dilkie.com>
Date: Fri, 30 Apr 2010 07:17:29 -0400
From: Lee Dilkie
To: Robert Huff
Cc: ipfw@freebsd.org
Subject: Re: help wanted with NAT under ipfw
In-Reply-To: <19418.39843.266203.180601@jerusalem.litteratus.org>

On 4/30/2010 4:58 AM, Robert Huff wrote:
> I have been trying to get NAT working under ipfw on:
>
> FreeBSD 9.0-CURRENT #0: Fri Apr 23 11:34:17 EDT 2010 amd64
>
> and failing.
> The ipfw part works fine. I'm using:
>
> ipfw_load="YES"
> ipfw_nat_load="YES"             # in-kernel ipfw nat
> libalias_load="YES"             # for in-kernel ipfw nat
>
> my ipfw rules are appended.
> However, the moment I do this:
>
> ipfw add 5000 nat 15 all from any to any
> ipfw nat 15 config log same_ports if em0
>
> the machine is cut off from the outside world. Removing that
> rule makes things right again. (Obviously checking whether NAT is
> happening is useless.)
> I've read the man page; I've read the Handbook. Neither are
> helpful.
> What am I doing wrong?
>

Not an expert by any means, but I put the config line first and it
matches the same number as the nat rule.

ie.

ipfw nat 5000 config ...
ipfw add nat 5000 ipv4 from any to any via fxp0

(I specify the interface)

not sure if that'll help.

-lee