From owner-freebsd-questions@FreeBSD.ORG  Sun Feb  1 08:14:45 2004
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 1AC4D16A4CE
	for <questions@freebsd.org>; Sun,  1 Feb 2004 08:14:45 -0800 (PST)
Received: from mx1.intranet.ru (web.ngs.ru [212.164.71.11])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 06C2B43D39
	for <questions@freebsd.org>; Sun,  1 Feb 2004 08:14:42 -0800 (PST)
	(envelope-from replicator@ngs.ru)
Received: from [212.164.71.24] (HELO intranet.ru)
	by mx1.intranet.ru (CommuniGate Pro SMTP 4.1.8)
	with ESMTP id 44284701 for questions@freebsd.org;
	Sun, 01 Feb 2004 22:14:38 +0600
Received: from [212.192.164.6] (account <replicator@ngs.ru>)
	by intranet.ru (CommuniGate Pro WebUser 3.4.8)
	with HTTP id 102568413 for <questions@freebsd.org>;
	Sun, 01 Feb 2004 22:14:36 +0600
From: Eugene Panchenko <replicator@ngs.ru>
To: questions@freebsd.org
X-Mailer: CommuniGate Pro Web Mailer v.3.4.8
Date: Sun, 01 Feb 2004 22:14:36 +0600
Message-ID: <web-102568413@intranet.ru>
MIME-Version: 1.0
Content-Type: text/plain; charset="KOI8-R"
Content-Transfer-Encoding: 8bit
X-Mailman-Approved-At: Mon, 02 Feb 2004 05:48:37 -0800
Subject: NAT and IPFW rules
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 01 Feb 2004 16:14:45 -0000

Hallo!

Out from reading the manpage for natd, I have a question about how to restrict IPFW access for NAT for the case when I have one computer connected directly to another one (having two NICs installed into it)? That means that I don't have to care about big private network, but rather want to narrow down the access to single private IP address.

For NAT to work, two rules need to be added:

    ipfw add divert natd all from any to any via xl0

Can this rule be restricted (is it possible to divert not every packets)? Right now, every packet that enters/leaves the system is diverted, sometimes natd process eats quite a lot of processor resources. Can this be avoided? How?

    ipfw add pass all from any to any

How can this be restricted? I basically need only outgoing stuff working, that's all, and silently passing any packets from whatever location to any destination is insecure to me. Can someone post a live examples of such setup?

Waiting to hear from some gurus ;)

--
Eugene
---------------------------------------------------------
Размер почтовых ящиков увеличен до 25 мегабайт!
ПОЧТА НГС - http://ngs.ru/