From: Nilesh Govindrajan
To: freebsd-questions@freebsd.org
Subject: IPFW NAT with filtering
Date: Sun, 07 Dec 2014 14:48:37 +0530
Message-ID: <54841B6D.7030901@nileshgr.com>

Hi,

I'm trying to implement NAT using IPFW for jails. Each jail has an IP in the 10.0.0.0/8 subnet; I want to NAT from that private range. The server has multiple public IPs, and some jails may have a public IP assigned directly.

I'm using workstation in firewall_type and I tried this:

ipfw add 49 nat 123 from any to in
ipfw add 50 nat 123 from 10.0.0.0/8 to any out via
ipfw nat 123 config ip

Then there are the rules inserted by rc.firewall.

This doesn't work and I'm a bit clueless as to why it doesn't. I should be able to restrict the outgoing traffic (i.e., limit the outgoing ports to 22, 80, 443, etc. -- preventing torrents, etc.). Where am I going wrong?
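An added example (not from the original message, nor from FreeBSD's rc.firewall) of an ipfw rule set that combines in-kernel NAT for the 10.0.0.0/8 jails with egress filtering: permitted outbound flows use skipto to reach the nat rule instead of allow (an allow would end processing before translation), everything else from the jail range is denied and logged, and net.inet.ip.fw.one_pass is set to 0 so packets continue through the rules after translation. The interface em0, the NAT address 203.0.113.10 and the port list are assumed values; jails with their own public IP never match the 10.0.0.0/8 rules and are not translated.

```shell
#!/bin/sh
# Assumed values (hypothetical, not from the original message)
PUB_IF="${PUB_IF:-em0}"           # public-facing interface
NAT_IP="${NAT_IP:-203.0.113.10}"  # public address the jails hide behind (TEST-NET-3)
JAIL_NET="10.0.0.0/8"             # private range used by the jails
TCP_OUT="22,80,443"               # TCP destination ports the jails may reach

# Print the rule set in the one-rule-per-line form that "ipfw <file>" loads.
# Egress filtering must happen BEFORE translation, so each permitted outbound
# flow is a skipto to the nat rule (1000), never an allow.
ipfw_ruleset() {
    cat <<EOF
nat 123 config ip ${NAT_IP} same_ports reset
add 100 allow ip from any to any via lo0
add 200 nat 123 ip from any to any in via ${PUB_IF}
add 210 check-state
add 300 skipto 1000 tcp from ${JAIL_NET} to any ${TCP_OUT} out via ${PUB_IF} setup keep-state
add 310 skipto 1000 udp from ${JAIL_NET} to any 53 out via ${PUB_IF} keep-state
add 320 skipto 1000 icmp from ${JAIL_NET} to any out via ${PUB_IF}
add 399 deny log ip from ${JAIL_NET} to any out via ${PUB_IF}
add 1000 nat 123 ip from ${JAIL_NET} to any out via ${PUB_IF}
add 1010 allow ip from any to any
EOF
}

# Load the rule set. Run only on an explicit "apply" argument, so sourcing
# or reviewing this file has no side effects.
apply_ruleset() {
    sysctl net.inet.ip.fw.one_pass=0   # keep evaluating rules after nat
    f=$(mktemp) || return 1
    ipfw_ruleset > "$f"
    ipfw -q -f flush
    ipfw -q "$f"
    rm -f "$f"
}

if [ "${1-}" = "apply" ]; then
    apply_ruleset
fi
```

Rule 1010 is deliberately permissive for the host's own traffic; tighten it to match the rest of the rc.firewall policy.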