From owner-freebsd-questions@freebsd.org Fri Apr 2 19:18:02 2021
To: freebsd-questions@freebsd.org
From: Frank Leonhardt
Subject: pf or ipfw for NAT
Message-ID: <50dcf18d-f9c3-71c2-abb0-eed8f1b5e192@fjl.co.uk>
Date: Fri, 2 Apr 2021 20:17:58 +0100
For longer than I care to remember (FreeBSD 2) I've implemented a physical asymmetric nat gateway using natd and ipfw. I just do what the user guide says and it works. For everything else I tend to use pf because I understand it better than ipfw. And I use pf to nat the virtual network between jails. When I say I understand pf better, that's better than ipfw - it doesn't mean I understand it well!

Am I using ipfw/natd for historical reasons? Can I do the same with pf? I'm not entirely sure, but I assume natd is a counterpart to ipfw whereas pf does packet filtering and nat and is a replacement for both. The FreeBSD documentation favours ipfw.

I'd really appreciate it if someone could tell me what I need to put in rc.conf and pf.conf to get this working. For example, do I need to enable the gateway in rc.conf if not using ipfw? I'm guessing not, but I'm only guessing.

I've seen some complex examples. I'm thinking of going with something like this. I'm ASSUMING any incoming connections (e.g. ssh) would still end up on the host running PF, except port 80. If anyone could sanity check this I'd be very grateful.
----------------------------------------
rc.conf:

defaultrouter="1.2.3.1"
ifconfig_bge0="inet 1.2.3.4 netmask 255.255.255.192"
ifconfig_bge1="inet 192.168.1.1 netmask 255.255.255.0"
# Packet forwarding between bge0 and bge1 is a kernel setting
# (net.inet.ip.forwarding), not part of ipfw; pf needs it too.
gateway_enable="YES"
pf_enable="yes"
----------------------------------------
pf.conf:

scrub in all

# Outbound: translate the LAN to the public address.
nat pass on bge0 from 192.168.1.0/24 to any -> 1.2.3.4
# Never quite sure with pf - the following may be better
# nat on bge0 from bge1:network to any -> bge0

# Redirect port 80 to internal web server
# (syntax is "to <addr> port <n> -> <target> port <n>")
rdr pass on bge0 proto tcp from any to 1.2.3.4 port 80 -> 192.168.1.3 port 80
----------------------------------------

Thanks, Frank.
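The following is an added example, not part of Frank's post or of the FreeBSD documentation. It shows a complete pf.conf for the same gateway (same interface names and addresses as above; the macro names are my own) with a filter section, because a pf.conf that contains only nat and rdr rules passes all other traffic by default: ssh would indeed still reach the gateway, but so would everything else. Translation rules run before the filter in the pf version FreeBSD ships, so the filter rule for the web server matches the already-rewritten destination 192.168.1.3, not 1.2.3.4.

```pf
# /etc/pf.conf - added example, assumes the addresses from the post above.
ext_if   = "bge0"
int_if   = "bge1"
ext_addr = "1.2.3.4"
lan_net  = "192.168.1.0/24"
web_srv  = "192.168.1.3"

set skip on lo0
scrub in all

# Translation: LAN hosts leave with the gateway's public address.
nat on $ext_if from $lan_net to any -> $ext_addr

# Inbound HTTP goes to the internal web server. No "pass" here, so the
# filter rules below decide what is allowed and the policy lives in one place.
rdr on $ext_if proto tcp from any to $ext_addr port 80 -> $web_srv port 80

# Filter: deny inbound by default, allow outbound, keep state on both.
block in log all
pass out quick keep state
antispoof quick for $int_if

# Admin access to the gateway itself from the public side.
pass in on $ext_if proto tcp from any to $ext_addr port 22 keep state

# Connections that rdr has already rewritten to the web server.
pass in on $ext_if proto tcp from any to $web_srv port 80 keep state

# Anything from the LAN may go out through the gateway.
pass in on $int_if from $lan_net to any keep state
```

With `gateway_enable="YES"` and `pf_enable="YES"` in rc.conf, check the file with `pfctl -nf /etc/pf.conf` (parse only, nothing loaded), start it with `service pf start`, and confirm what is active with `pfctl -sn` for the translation rules, `pfctl -sr` for the filter rules and `sysctl net.inet.ip.forwarding` (must be 1, or the LAN gets no further than the gateway).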