From: Johann Visagie <wjv@cityip.co.za>
To: Mark Mayo, questions@FreeBSD.ORG
Subject: Re: NATD + firewall - I'm stumped..
Date: Tue, 8 Dec 1998 13:00:26 +0200
Message-ID: <19981208130026.A3262@cityip.co.za>
References: <19981208030926.A25214@vmunix.com>
In-Reply-To: <19981208030926.A25214@vmunix.com>; from Mark Mayo on Tue, Dec 08, 1998 at 03:09:26AM -0500
X-Mailer: Mutt 0.93.2i
X-PGP: ftp://ftp.cityip.co.za/users/wjv/pubkey.asc

On Tue, 08 Dec 1998 at 03:09 SAST, Mark Mayo wrote:
>
> Naturally, I'd like to give
> a little more protection to the "router" box, but as soon as I try
> to do anything without the "add 65000 pass all from any to any" rule
> NAT just doesn't seem to want to go.

That sounds familiar. :-)

> Obviously, I'm doing something wrong
> and missing some key fundamental here, but no matter how many ways I
> play with the rules it beats me every time.

I don't think you're missing anything. Selectively protecting your gateway
box whilst allowing full access (via NAT) to machines shielded behind it
does not seem to come naturally to FreeBSD's natd/ipfw.

I've had to do this once or twice, though, and I knocked up a preliminary
doc of my workaround (mostly for my own future edification), which is
available here:

    http://www.cityip.co.za/~wjv/vdocs/natd.html

If there's a better or more efficient way of doing it, I'd like to know...

-- 
  V  Johann Visagie | wjv@CityIP.co.za | Tel: +27 21 419-7878 | ICQ: 20645559
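Added example, not from the thread and not Johann Visagie's document: an ipfw ruleset of the kind the two posters are after, which NATs an internal network through a FreeBSD gateway while exposing only a chosen service on the gateway itself, with no "65000 pass all from any to any" at the end. The mechanism it relies on is that a packet matched by the divert rule is handed to natd and re-injected at the rule after the divert, with its addresses already rewritten; so every rule below the divert sees inbound packets with their real (internal) destination and outbound packets with the gateway's address as source, and a rule admitting traffic to the internal network cannot also open the gateway. Everything concrete here is assumed for illustration: external interface ed0 with address 192.0.2.1, internal network 10.0.0.0/24 on ed1, natd started as "natd -n ed0" before the rules are loaded (with no natd bound to the divert port, diverted packets are simply dropped), and ssh as the only service the gateway offers to the outside.

```shell
#!/bin/sh
# Added example (not the thread's or the cited document's code). Assumed
# layout: ed0 = outside interface holding 192.0.2.1, ed1 = inside interface,
# 10.0.0.0/24 = the NATed LAN, natd already running as "natd -n ed0".
# With IPFW=echo the rules are printed instead of loaded.

IPFW=${IPFW:-/sbin/ipfw}
EXT_IF=ed0
EXT_IP=192.0.2.1
INT_IF=ed1
INT_NET=10.0.0.0/24

load_rules() {
    $IPFW -f flush

    # 1. Divert everything crossing ed0 to natd. The packet comes back at the
    #    next rule with its addresses rewritten, so all rules below see the
    #    post-NAT addresses (inbound: real 10.0.0.x destination; outbound:
    #    source already rewritten to EXT_IP).
    $IPFW add 100 divert natd all from any to any via $EXT_IF

    # 2. Loopback and the inside interface are trusted.
    $IPFW add 200 pass all from any to any via lo0
    $IPFW add 210 pass all from any to any via $INT_IF

    # 3. Anti-spoofing: nothing claiming an inside source may arrive on ed0.
    $IPFW add 300 deny all from $INT_NET to any in via $EXT_IF

    # 4. The NATed hosts' traffic. Inbound replies that natd recognised now
    #    carry a 10.0.0.x destination, so this admits them without opening
    #    anything addressed to the gateway's own EXT_IP.
    $IPFW add 400 pass all from any to $INT_NET in via $EXT_IF
    $IPFW add 410 pass all from $EXT_IP to any out via $EXT_IF

    # 5. What the gateway itself accepts from outside: replies to TCP
    #    connections it opened, new ssh connections, DNS replies to its own
    #    queries (assumed port-53 source, stateless) and a few ICMP types.
    $IPFW add 500 pass tcp from any to $EXT_IP established in via $EXT_IF
    $IPFW add 510 pass tcp from any to $EXT_IP 22 setup in via $EXT_IF
    $IPFW add 520 pass udp from any 53 to $EXT_IP in via $EXT_IF
    $IPFW add 530 pass icmp from any to $EXT_IP in via $EXT_IF icmptypes 0,3,11

    # 6. Logged default deny in place of "65000 pass all from any to any".
    $IPFW add 65000 deny log all from any to any
}

case "${1:-}" in
    load) load_rules ;;
    *)    IPFW=echo; load_rules ;;   # default: preview the rules only
esac
```

Run it with no argument to print the rules, or with "load" on the gateway (kernel built with IPFIREWALL and IPDIVERT, natd already running) to install them. The rule order is what makes it work: rule 400 sits after the divert, so "to 10.0.0.0/24 in via ed0" can only match packets natd has already translated, and rule 300 rejects the same addresses when they arrive untranslated. Rules 500 to 530 are stateless port matching, which was all ipfw offered at the time; later ipfw releases add keep-state/check-state, which is the better way to admit replies to the gateway's own connections.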