From owner-freebsd-questions@FreeBSD.ORG Fri Aug 22 11:42:51 2003
From: Thomas Smith <tom@openadventures.org>
To: freebsd-questions@freebsd.org
Date: Fri, 22 Aug 2003 11:40:50 -0700
Subject: NATD Firewall Rules Setup
Message-ID: <3F4663B2.1030004@openadventures.org>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4) Gecko/20030624

I'm configuring a firewall (FreeBSD 4.8-RELEASE). I've got the firewall locked down as I need it to be but am having issues getting NAT working. The firewall config file is included below. Note that if I add the "allow all" rule to the end of the file, NAT works fine.

I'm certain it's an IPFW issue but haven't been able to figure it out. As I'm a bit new to IPFW and FreeBSD, pointers to documentation (preferably with examples of usage) would be very helpful. I haven't been able to find a lot of info outside of the Handbook, and what I do find regarding NAT includes three rules: 1) flush, 2) divert, 3) allow all traffic.
# Internal network variables
iif="rl1"
inet="192.168.20.0"
iip="192.168.20.2"
imask="255.255.255.0"

# External network variables
oif="rl0"
onet="216.161.174.0"
oip="216.161.174.7"
omask="255.255.255.0"

# Clear current rules
/sbin/ipfw -f flush

# Allow TCP in, if setup succeeded
/sbin/ipfw add pass tcp from any to any established

# Allow all local traffic
/sbin/ipfw add pass all from 127.0.0.1 to 127.0.0.1

# Stop spoofing
/sbin/ipfw add deny all from ${inet}:${imask} to any in via ${oif}
/sbin/ipfw add deny all from ${onet}:${omask} to any in via ${iif}

# Stop RFC1918 nets on the external interface
/sbin/ipfw add deny all from 10.0.0.1:255.0.0.0 to any via ${oif}
# (172.16.0.0/12 is the RFC 1918 block; the posted file had 127.16.0.0 here)
/sbin/ipfw add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
/sbin/ipfw add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}

# Allow internal network traffic
/sbin/ipfw add pass all from ${iip} to any
/sbin/ipfw add pass all from ${inet}:${imask} to ${iip}

# Allow NAT traffic out.
/sbin/ipfw add divert natd all from any to any via ${oif}

# Allow setup of SSH connections
/sbin/ipfw add pass tcp from any to ${oip} 22 setup
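Tracing a packet through the posted ruleset with ipfw(8) semantics explains the symptom. A packet that natd hands back re-enters the ruleset at the rule after the divert rule, and the default rule 65535 is deny unless the kernel was built with IPFIREWALL_DEFAULT_TO_ACCEPT. In the file above the "established" rule sits before the divert rule, so inbound replies addressed to the external IP are accepted untranslated instead of being handed to natd; a packet from a LAN host arriving on rl1 matches no pass rule unless it is addressed to the firewall itself; and the RFC 1918 deny rules use "via rl0" (both directions), so an untranslated LAN-sourced packet leaving on rl0 is dropped before it ever reaches the divert rule. The script below is an added example, not the poster's file or anything from the FreeBSD Handbook: a natd-aware ruleset for FreeBSD 4.x with the divert rule placed before every pass rule on the external interface, written as a shell function that only echoes the rules by default (set IPFW=/sbin/ipfw to load them). Interface names and addresses are taken from the mail; the rule numbers, the DNS/ICMP reply rules and the helper rule_number are my own. It assumes a kernel with options IPFIREWALL and IPDIVERT and natd already running on rl0.

```shell
#!/bin/sh
# Added example, not the poster's config: natd-aware ipfw ruleset for FreeBSD 4.x.
# Dry run by default (rules are echoed); run with IPFW=/sbin/ipfw to load them.
# Assumes: kernel options IPFIREWALL and IPDIVERT, natd running on rl0.
IPFW=${IPFW:-echo}

# Interfaces and addresses taken from the original mail.
iif="rl1"; inet="192.168.20.0/24"
oif="rl0"; oip="216.161.174.7"

natd_ruleset() {
    $IPFW -f flush
    # Loopback traffic belongs on lo0 only; 127/8 never belongs on a real interface.
    $IPFW add 100 pass all from any to any via lo0
    $IPFW add 110 deny all from any to 127.0.0.0/8
    # Anti-spoofing, restricted to packets ARRIVING on the external interface:
    # our own LAN and the RFC 1918 blocks must never come from outside.
    # (Using plain "via" here would also drop our not-yet-translated
    # outbound LAN packets before they reach the divert rule.)
    $IPFW add 200 deny all from ${inet} to any in via ${oif}
    $IPFW add 210 deny all from 10.0.0.0/8 to any in via ${oif}
    $IPFW add 220 deny all from 172.16.0.0/12 to any in via ${oif}
    $IPFW add 230 deny all from 192.168.0.0/16 to any in via ${oif}
    # The divert rule comes BEFORE any pass rule on the external interface:
    # outbound packets get their source rewritten to ${oip}, inbound replies
    # get their destination rewritten back to the LAN host. natd re-injects
    # each packet at the rule following this one, so rules 400+ only ever
    # see translated packets on ${oif}.
    $IPFW add 300 divert natd all from any to any via ${oif}
    # LAN legs: in from the LAN on rl1, delivery to the LAN on rl1, and
    # anything leaving on rl0 (already translated by the rule above).
    $IPFW add 400 pass all from ${inet} to any in via ${iif}
    $IPFW add 410 pass all from any to ${inet} out via ${iif}
    $IPFW add 420 pass all from any to any out via ${oif}
    # Inbound on rl0: replies to TCP connections we opened, DNS answers,
    # useful ICMP, then the one exposed service (SSH to the firewall itself).
    $IPFW add 500 pass tcp from any to any established in via ${oif}
    $IPFW add 510 pass udp from any 53 to any in via ${oif}
    $IPFW add 520 pass icmp from any to any in via ${oif} icmptypes 0,3,11
    $IPFW add 530 pass tcp from any to ${oip} 22 setup in via ${oif}
    # Everything else, including unsolicited inbound SYNs, is dropped and
    # logged (logging needs IPFIREWALL_VERBOSE in the kernel).
    $IPFW add 65000 deny log all from any to any
}

# Helper for ordering checks: number of the first rule whose text contains
# $1, read from a dry-run (echoed) copy of the ruleset.
rule_number() {
    (IPFW=echo; natd_ruleset) | grep -- "$1" | head -n 1 | cut -d' ' -f2
}

natd_ruleset
```

To load it at boot on 4.x, point rc.conf at the script with firewall_enable="YES" and firewall_script="/path/to/this/script", and start natd with gateway_enable="YES", natd_enable="YES" and natd_interface="rl0". The ruleset is stateless on purpose, in the style of the Handbook example the poster refers to; every protocol whose replies must come back through rl0 needs a rule after the divert (hence 500 to 520), and anything not listed there is denied and logged, which is where to look first when a new service "does not work through NAT".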