From: Soren Harward
Date: Sun, 27 Oct 2002 20:14:57 -0700
To: freebsd-questions@freebsd.org
Subject: splitting NAT rules with ipfw?
Message-ID: <20021028031457.GA62420@tmmc.dyndns.org>

Right now, I have my ipfw rules running every packet through natd very close to the beginning of my firewall rules:

00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny log logamount 100 ip from INTERNAL to any in recv ed0
00500 deny log logamount 100 ip from EXTERNAL to any in recv xl0
00600 divert 8668 ip from any to any via ed0

(ed0: external interface)
(xl0: internal interface)

Right now, this sends almost every packet through natd. I'd like to be able to split the natd rules into an "outgoing from the internal network" rule and an "incoming to the internal network" rule so that I have something like the following:

ipfw divert natd ip from INTERNAL to any via ed0
[ INCOMING FILTERING RULES on ed0 ]

and then have incoming packets that get through the rules be passed to natd so they can be sent to the internal network if necessary.
But the only setup I can get working is the one I already have. Anyone have any ideas, or does the "divert natd" have to be just one rule?

-- 
Soren Harward
soren@byu.edt
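The split the post asks about, written out as an added example in the style of an rc.firewall script. This is not code from the original message and not FreeBSD's own rc.firewall; the interface names ed0/xl0 and the divert port 8668 come from the post, while the addresses 192.168.1.0/24 and 198.51.100.7 and the egress/ingress policy rules (the port 25 and port 80 lines) are placeholder assumptions. The one fact the ordering depends on: after natd translates a diverted packet, ipfw resumes at the rule following the divert rule. So rules placed before the outbound divert match the private source address and rules after it match the public one; inbound it is the reverse, and an allow placed before the inbound divert terminates processing and the packet is never translated, which is why inbound allows that name LAN hosts must sit after the divert.

```sh
#!/bin/sh
# Added example: splitting the single "divert natd ... via ed0" rule into an
# outbound and an inbound divert. Not from the original post.
# Assumptions (placeholders, adjust to the real network):
#   ed0 = external interface, xl0 = internal interface
#   natd started as "natd -n ed0" on the default divert port 8668
#   internal = LAN prefix, external = the public address configured on ed0
# Dry run by default: the commands are printed. Set fwcmd="ipfw -q" to load.
fwcmd="${fwcmd:-echo ipfw -q}"
ext_if="ed0"
int_if="xl0"
internal="192.168.1.0/24"   # assumed LAN prefix
external="198.51.100.7"     # assumed public address on ed0 (documentation range)
natd_port="8668"

# Rule bodies in load order. Numbers are fixed so that the re-injection point
# after each divert is explicit: natd returns the translated packet to ipfw at
# the rule FOLLOWING the divert rule.
ruleset() {
cat <<EOF
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny log logamount 100 ip from ${internal} to any in recv ${ext_if}
00500 deny log logamount 100 ip from ${external} to any in recv ${int_if}
01000 deny log tcp from ${internal} to any 25 out xmit ${ext_if}
01100 divert ${natd_port} ip from ${internal} to any out xmit ${ext_if}
01200 allow ip from ${external} to any out xmit ${ext_if}
02000 deny log tcp from any to ${external} 1-79,81-65535 in recv ${ext_if} setup
02100 divert ${natd_port} ip from any to ${external} in recv ${ext_if}
02200 allow ip from any to ${internal} in recv ${ext_if}
02300 allow ip from any to ${external} in recv ${ext_if}
03000 allow ip from any to any via ${int_if}
65000 deny log ip from any to any
EOF
}

# Outbound (01000-01200): 01000 is an egress policy example that still sees
# the private source address; 01100 translates only LAN-sourced packets, so the
# firewall's own traffic is not diverted; 01200 sees the translated source.
# Inbound (02000-02300): 02000 filters new connections on the public address
# before translation (here: only port 80, an assumed natd -redirect_port
# target, may be opened from outside); 02100 translates replies and forwarded
# ports; 02200 allows what now carries a LAN destination; 02300 allows what
# natd left untouched, i.e. traffic for the firewall itself.

load_ruleset() {
    ${fwcmd} -f flush
    ruleset | while read -r rule; do
        ${fwcmd} add ${rule}
    done
}

load_ruleset
```

Run as-is it only prints the ipfw commands; run with `fwcmd="ipfw -q"` as root on the gateway it flushes and loads them. The 02000 line is deliberately restrictive (it also blocks new TCP connections to the firewall itself); widen it to taste, but keep any rule that refers to LAN addresses on the far side of the 02100 divert.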