Date: Fri, 2 Apr 2021 20:17:58 +0100
From: Frank Leonhardt <freebsd-doc@fjl.co.uk>
To: freebsd-questions@freebsd.org
Subject: pf or ipfw for NAT
Message-ID: <50dcf18d-f9c3-71c2-abb0-eed8f1b5e192@fjl.co.uk>
For longer than I care to remember (FreeBSD 2) I've implemented a physical asymmetric NAT gateway using natd and ipfw. I just do what the user guide says and it works. For everything else I tend to use pf because I understand it better than ipfw. And I use pf to NAT the virtual network between jails. When I say I understand pf better, that's better than ipfw - it doesn't mean I understand it well!

Am I using ipfw/natd for historical reasons? Can I do the same with pf? I'm not entirely sure, but I assume natd is a counterpart to ipfw whereas pf does packet filtering and NAT and is a replacement for both. The FreeBSD documentation favours ipfw.

I'd really appreciate it if someone could tell me what I need to put in rc.conf and pf.conf to get this working. For example, do I need to enable the gateway in rc.conf if not using ipfw? I'm guessing not, but I'm only guessing. I've seen some complex examples. I'm thinking of going with something like this. I'm ASSUMING any incoming connections (e.g. ssh) would still end up on the host running pf, except port 80. If anyone could sanity check this I'd be very grateful.

----------------------------------------
rc.conf:

defaultrouter="1.2.3.1"
ifconfig_bge0="inet 1.2.3.4 netmask 255.255.255.192"
ifconfig_bge1="inet 192.168.1.1 netmask 255.255.255.0"
pf_enable="yes"

----------------------------------------
pf.conf:

scrub in all

nat pass on bge0 from 192.168.1.0/24 to any -> 1.2.3.4
# Never quite sure with pf - the following may be better
# nat on bge0 from bge1:network to any -> bge0

# Redirect port 80 to internal web server
# (the port selector belongs before the "->", on the original destination)
rdr pass on bge0 proto tcp from any to 1.2.3.4 port 80 -> 192.168.1.3

----------------------------------------

Thanks, Frank.
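A complete pf.conf for the gateway described in the post, added here as an editor's example rather than Frank's own configuration; it assumes the same interface names and addresses he gives and adds a default-deny filter so that, from the outside, only ssh to the gateway and port 80 to the internal web server are reachable.

```pf
# Addresses and interfaces taken from the post (assumed unchanged)
ext_if = "bge0"            # 1.2.3.4/26, default router 1.2.3.1
int_if = "bge1"            # 192.168.1.1/24
web_srv = "192.168.1.3"    # internal web server that should receive port 80

set skip on lo0
scrub in all

# Outbound NAT: hide the whole internal network behind the external address.
# ($ext_if) in parentheses tracks the interface address if it ever changes.
nat on $ext_if from $int_if:network to any -> ($ext_if)

# Port forward: traffic arriving on the external address for TCP/80 is
# rewritten to the web server.  Without the "pass" keyword the rewritten
# packet still has to match a filter rule below, so the policy stays explicit.
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $web_srv port 80

# Default deny inbound, log what is dropped; allow everything outbound.
block in log all
pass out quick keep state

# Internal hosts may reach the gateway and the Internet.
pass in on $int_if from $int_if:network to any keep state

# External: only ssh to the gateway itself ...
pass in on $ext_if proto tcp from any to ($ext_if) port ssh keep state
# ... and the already-redirected web traffic (destination is now $web_srv).
pass in on $ext_if proto tcp from any to $web_srv port 80 keep state
```

Forwarding must also be switched on in rc.conf with gateway_enable="YES", since pf does not set net.inet.ip.forwarding by itself. Syntax-check the file with `pfctl -nf /etc/pf.conf` before enabling pf on a remote machine.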