From: Eugene Panchenko
To: questions@freebsd.org
Date: Sun, 01 Feb 2004 22:14:36 +0600
Subject: NAT and IPFW rules
List: freebsd-questions@freebsd.org

Hello!

From reading the manpage for natd, I have a question about how to restrict IPFW access for NAT in the case where I have one computer connected directly to another one (which has two NICs installed). That means I don't have to care about a big private network, but rather want to narrow down the access to a single private IP address.

For NAT to work, two rules need to be added:

ipfw add divert natd all from any to any via xl0

Can this rule be restricted (is it possible not to divert every packet)?
Right now, every packet that enters/leaves the system is diverted, and sometimes the natd process eats quite a lot of processor resources. Can this be avoided? How?

ipfw add pass all from any to any

How can this be restricted? I basically need only outgoing stuff working, that's all, and silently passing any packets from whatever location to any destination is insecure to me.

Can someone post live examples of such a setup?

Waiting to hear from some gurus ;)

--
Eugene

---------------------------------------------------------
Mailbox size increased to 25 megabytes! NGS MAIL - http://ngs.ru/
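One way to answer both questions in the message above, as an added example that is not part of the original post or of any reply on the list: the divert rule is narrowed by making it reachable only through skipto rules that match the single private host, and "pass all from any to any" is replaced by stateful allow rules for outbound flows plus a final deny. Everything here is assumed rather than taken from the message: xl0 is the outside NIC, xl1 the inside NIC, 192.168.1.2 the one private host, and natd runs on the default "natd" divert port (natd -n xl0). The ordering also assumes that, when check-state matches a dynamic rule, ipfw performs the parent rule's action (here the skipto), so that later packets of a client flow still reach the outbound divert; confirm this on your release before relying on it.

```shell
#!/bin/sh
# Added example (not from the original message): a restricted natd + ipfw
# ruleset for one private host behind a two-NIC FreeBSD gateway.
#
# Assumed layout, change to match your box:
#   xl0          outside NIC (public address, may be dynamic)
#   xl1          inside NIC, cabled directly to the one client
#   192.168.1.2  the single private host that is allowed out
#   natd started as "natd -n xl0" (default divert port "natd", 8668)
EXT_IF=xl0
INT_IF=xl1
CLIENT=192.168.1.2

# Emit the ruleset instead of running it, so it can be reviewed first.
rules() {
    cat <<EOF
# loopback: allow, but nothing claiming 127/8 may cross a real NIC
add 100 allow ip from any to any via lo0
add 110 deny ip from any to 127.0.0.0/8
add 120 deny ip from 127.0.0.0/8 to any
# inside NIC: only the one client is admitted, anything else on xl1 is dropped
add 200 allow ip from $CLIENT to any in via $INT_IF
add 210 allow ip from any to $CLIENT out via $INT_IF
add 290 deny ip from any to any via $INT_IF
# outside NIC: private source addresses never legitimately arrive from outside
add 300 deny ip from 10.0.0.0/8 to any in via $EXT_IF
add 310 deny ip from 172.16.0.0/12 to any in via $EXT_IF
add 320 deny ip from 192.168.0.0/16 to any in via $EXT_IF
# inbound: un-NAT first, so check-state sees the real (private) destination.
# If the public address is static, replace "to any" with it so natd never
# sees packets that are not for this host.
add 400 divert natd ip from any to any in via $EXT_IF
add 410 check-state
# client's own outbound flows: record state, then jump to the outbound NAT
# rule.  Rule 1000 is reachable only through these skipto rules (and the
# dynamic rules they create), so nothing else is handed to natd.
add 500 skipto 1000 tcp from $CLIENT to any out via $EXT_IF setup keep-state
add 510 skipto 1000 udp from $CLIENT to any out via $EXT_IF keep-state
add 520 skipto 1000 icmp from $CLIENT to any out via $EXT_IF icmptypes 8
add 530 allow icmp from any to $CLIENT in via $EXT_IF icmptypes 0,3,11
# the gateway's own outbound connections (untranslated, no divert needed)
add 600 allow tcp from any to any out via $EXT_IF setup keep-state
add 610 allow udp from any to any out via $EXT_IF keep-state
add 620 allow icmp from any to any out via $EXT_IF icmptypes 8
add 630 allow icmp from any to any in via $EXT_IF icmptypes 0,3,11
# nothing unsolicited from outside gets in; this replaces "pass all from any to any"
add 990 deny ip from any to any
# only reached via skipto 1000: translate, natd re-injects at the next rule
add 1000 divert natd ip from any to any out via $EXT_IF
add 1010 allow ip from any to any
EOF
}

# Load the rules (root and an ipfw-enabled kernel required).
apply() {
    ipfw -q -f flush
    rules | grep -v '^#' | while read -r line; do
        ipfw -q $line   # word splitting intended: $line is one full ipfw command
    done
}

# "sh thisfile apply" loads the ruleset; anything else just prints it.
if [ "${1:-}" = "apply" ] && command -v ipfw >/dev/null 2>&1; then
    apply
else
    rules
fi
```

After loading, `ipfw -a list` shows per-rule packet counters and `ipfw -d list` shows the dynamic rules; a browse from the private host should bump rule 500 once per connection and rule 1000 once per packet, while rule 990 absorbs anything arriving unsolicited on xl0. ICMP is handled statelessly on purpose, so only echo requests go out and only echo replies and the two common error types come back. The ruleset still diverts all inbound packets on xl0 because natd has to see the replies it must translate; if the public address is static, limiting rule 400 to that address is the one further cut that is safe to make.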