From owner-freebsd-net@FreeBSD.ORG Fri Jun 12 02:49:14 2015
From: John Reynolds <johnjen@reynoldsnet.org>
To: freebsd-net@freebsd.org
Date: Thu, 11 Jun 2015 19:49:06 -0700
Subject: question on NAT + IPFW
Message-ID: <557A48A2.4090805@reynoldsnet.org>
List-Id: Networking and TCP/IP with FreeBSD

Hello all,

I've read in sections 30.4.4 and 30.4.3 of the handbook about using IPFW and I've got some clarification questions.

1) When you're using any sort of firewall rules outside the open/client/simple/closed, etc. pre-canned types in rc.firewall, but instead using rules from a file, the way I read the handbook, you MUST use specific "nat" rules (divert natd) in your ipfw file along with setting "natd_enable" to YES. Correct?

2) In the example found in 30.4.4 where it is using "stateful" rules, it made specific mention that the "nat" stuff needed to be placed after the rules to allow traffic in on the trusted interface but before the "check-state" rule. Given that, if I wanted to completely block off one of my local addresses, would I also do it *before* the "divert natd" rule?

I have a situation where I need to just simply "block all traffic" from some teenagers' mobile devices after a certain period of the day (don't ask .... teenagers......). So, would that rule look like this:

    $cmd 005 allow all from any to any via xl0            # exclude LAN traffic
    $cmd 010 allow all from any to any via lo0            # exclude loopback traffic
    $cmd 020 deny log all from 192.168.1.20 to any via xl0  # new rule
    $cmd 100 divert natd ip from any to any in via $pif   # NAT any inbound packets
    $cmd 101 check-state

(assuming 192.168.1.20 was the internal IP address for the mobile device I want to thwart)

Would this accomplish what I'm hoping for? I currently don't have any real FW to speak of -- ipfw is there but the type is "open," so I'm trying to learn as I go along in order to set up an actual firewall for this box at the same time.

Thanks in advance,
-Jr
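The ordering question in the post, worked through as an added example. This is not code from the original message or from the FreeBSD handbook; it is a ruleset script in the same `$cmd` style that shows the one thing the proposed rules get wrong: ipfw takes the first matching rule, so a `deny` for one LAN host placed after the blanket `allow all from any to any via xl0` never matches, and it also has to sit before `divert natd` and `check-state`. The interface names (LAN `xl0`, public `dc0`), the blocked address 192.168.1.20 and the rule number 3 are assumptions for illustration; `IPFW_CMD` defaults to `echo` so the ruleset can be reviewed as a dry run without root.

```sh
#!/bin/sh
# Added example (not from the original post or the FreeBSD handbook).
# Shows where a per-host block has to go in a stateful ipfw + natd ruleset:
# ipfw stops at the first matching rule, so the deny must precede the
# blanket LAN allow, the inbound "divert natd" and "check-state".
#
# Assumptions (hypothetical, adjust for your box):
#   lif     = LAN interface (xl0)        pif = public interface (dc0)
#   blocked = 192.168.1.20, the device to cut off
# IPFW_CMD defaults to "echo" for a non-root dry run; on the firewall use
#   IPFW_CMD="ipfw -q" sh ipfw.rules load

lif="xl0"
pif="${pif:-dc0}"
blocked="192.168.1.20"
block_rule=3                    # reserved rule number, below the LAN allow (5)
cmd="${IPFW_CMD:-echo} add"

load_rules() {
    # 1. Block the host first, in both directions, before anything can admit it.
    $cmd $block_rule deny log ip from $blocked to any via $lif
    $cmd $block_rule deny log ip from any to $blocked via $lif
    # 2. Everything else on the LAN and on loopback is trusted.
    $cmd 5   allow all from any to any via $lif
    $cmd 10  allow all from any to any via lo0
    # 3. NAT inbound packets on the public interface, then match existing state.
    #    Needs natd_enable="YES" and natd_interface="$pif" in rc.conf.
    $cmd 100 divert natd ip from any to any in via $pif
    $cmd 101 check-state
    # 4. Outbound sessions from the LAN create state, then jump to the
    #    outbound NAT at rule 500. Anything else reaching 450 is dropped.
    $cmd 200 skipto 500 tcp from any to any out via $pif setup keep-state
    $cmd 201 skipto 500 udp from any to any out via $pif keep-state
    $cmd 202 skipto 500 icmp from any to any out via $pif keep-state
    $cmd 450 deny log ip from any to any
    # 5. NAT outbound packets only after they have been allowed above.
    $cmd 500 divert natd ip from any to any out via $pif
    $cmd 510 allow ip from any to any
    $cmd 999 deny log ip from any to any
}

# ipfw has no time-of-day match, so the curfew is two cron jobs that add and
# delete the block rules. Both deny rules share one number, so one delete
# removes both. Example crontab lines (assumed paths):
#   0 21 * * * IPFW_CMD="ipfw -q" /usr/local/etc/ipfw.rules block
#   0  7 * * * IPFW_CMD="ipfw -q" /usr/local/etc/ipfw.rules unblock
block_host() {
    $cmd $block_rule deny log ip from $blocked to any via $lif
    $cmd $block_rule deny log ip from any to $blocked via $lif
}

unblock_host() {
    ${IPFW_CMD:-echo} delete $block_rule
}

case "${1:-}" in
    load)    load_rules ;;
    block)   block_host ;;
    unblock) unblock_host ;;
esac
```

Run it without arguments or with `IPFW_CMD=echo` first and read the printed rule order: the two `deny` lines for 192.168.1.20 must come out before `allow all from any to any via xl0`. After loading for real, `ipfw show` lists the rules with their packet counters, which is the quickest way to confirm the block is actually being hit. The `log` keyword only produces syslog entries when `net.inet.ip.fw.verbose` is 1, which `firewall_logging="YES"` in rc.conf sets for you.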