From: "Bob Hall" <rjhjr@cox.net>
Date: Fri, 22 Aug 2003 15:13:50 -0400
To: freebsd-questions@freebsd.org
Subject: Re: NATD Firewall Rules Setup
Message-ID: <20030822191349.GC8719@kongemord.krig.net>
In-Reply-To: <3F4663B2.1030004@openadventures.org>
References: <3F4663B2.1030004@openadventures.org>
User-Agent: Mutt/1.4.1i

On Fri, Aug 22, 2003 at 11:40:50AM -0700, Thomas Smith wrote:
> I'm configuring a firewall (FreeBSD 4.8-RELEASE). I've got the firewall
> locked down as I need it to be but am having issues getting NAT working.
> The firewall config file is included below.
>
> Note that if I add the "allow all" rule to the end of the file NAT works
> fine. I'm certain it's an IPFW issue but haven't been able to figure it
> out--as I'm a bit new to IPFW and FreeBSD, pointers to documentation
> (preferably with examples of usage) would be very helpful. I haven't
> been able to find a lot of info outside of the Handbook and what I do
> find regarding NAT includes three rules: 1) flush, 2) divert, 3) allow
> all traffic.

All NAT does is translate your IP addresses. If it works with the "allow
all" rule, then it works. It's the firewall, not NAT, that you need to
adjust.

When I set up my current firewall, I ran tcpdump for about a week, saving
the output to a (huge) file. Then I analyzed it with nstreams to get an
idea of what the traffic was like and what rules were needed. I still
needed to do some tweaking; e.g. Windows vs. FBSD traceroute, but
nstreams got me 90% of the way there.

Bob Hall