Date: Wed, 3 Sep 2008 11:18:52 -0700
From: Christopher Cowart <ccowart@rescomp.berkeley.edu>
To: Marcel Grandemange <thavinci@thavinci.za.net>
Cc: freebsd-questions@freebsd.org
Subject: Re: IPFW In FreeBSD
Message-ID: <20080903181852.GK25990@hal.rescomp.berkeley.edu>
In-Reply-To: <02be01c90da0$e03555d0$a0a00170$@za.net>
References: <02be01c90da0$e03555d0$a0a00170$@za.net>
Marcel Grandemange wrote:
> Ok so I know this is a newbie question..
>
> But I've for years now wanted to know how to only NAT certain traffic or maybe
> only across a certain IP.
>
> I've tried many examples, all not working.. Maybe I'm just doing something
> stupid..
>
> But, below is an example of a machine that is NATting everything on em0.
>
> I'd like to know how to change that to everything on say 196.212.65.186
> instead of the entire interface.
>
> Or better yet..
>
> Stop NATting everything and say only NAT web traffic.
>
> I'm having issues where certain traffic is being NATted that MUSTN'T be!

If you're running 7.0, you can ditch divert and use the built-in NAT
functionality (you can probably replace the nat rules for divert rules).

You can use source and destination ports and addresses when deciding what
to have ipfw divert/nat. They're rules just like any others.

Here's what I do:

/etc/ipfw.rules:
| CMD="/sbin/ipfw -q add"
|
| # Configure NAT
| /sbin/ipfw -q nat 1 config if inet log reset unreg_only same_ports \
|     redirect_port tcp 10.1.10.20:80 80 \
|     redirect_port tcp 10.1.10.20:443 443
|
| # loopback
| $CMD allow all from any to any via lo0
| $CMD deny log all from 127.0.0.0/8 to any
|
| # Anti-spoof
| $CMD deny log all from any to any not verrevpath in
|
| # Catch proto 41 without NATing
| $CMD allow ipv6 from any to me
|
| # Allow this box to initiate unNATed outbound connections
| $CMD allow ip from me to any keep-state
|
| # NAT
| $CMD nat 1 ip4 from any to me in via inet
| $CMD nat 1 ip4 from 10.1.10.0/24 to not me out via inet
|
| # ICMP
| $CMD allow icmp from any to any
|
| # SSH From local nets
| $CMD allow tcp from 10.1.10.0/24 to me ssh
|
| # DNS from local nets
| $CMD allow udp from 10.1.10.0/24 to me domain
|
| # DHCP from local nets
| $CMD allow udp from any to me bootps in via bridge0
| $CMD allow udp from 0.0.0.0 to 255.255.255.255 bootps in via bridge0
|
| # Deny anything else destined to me
| $CMD deny log ip from any to me
|
| # But forward any other traffic
| $CMD allow ip4 from any to any

-- 
Chris Cowart
Network Technical Lead
Network & Infrastructure Services, RSSP-IT
UC Berkeley
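The selective-NAT point in the reply above (nat rules can match on source address and destination port like any other ipfw rule), worked through for Marcel's actual request of translating only web traffic from one host. This is an added example, not Chris Cowart's ruleset; the interface name, the inside host address and the dry-run wrapper are assumptions.

```sh
#!/bin/sh
# Added example: NAT only HTTP/HTTPS from one inside host with ipfw's
# in-kernel nat (FreeBSD 7.0+). Interface and addresses are assumptions.
# IPFW defaults to a dry run that only prints the commands; set
# IPFW=/sbin/ipfw (as root) to load the rules for real.
IPFW="${IPFW:-echo /sbin/ipfw}"

EXT_IF="em0"            # assumed outside interface carrying the public address
NAT_HOST="10.1.10.50"   # assumed inside host whose web traffic is translated
WEB_PORTS="80,443"      # destination ports that should be translated

build_rules() {
    $IPFW -q flush
    # Rules are numbered so the order of evaluation is explicit.
    $IPFW -q nat 1 config if "$EXT_IF" log reset same_ports
    $IPFW -q add 100 allow ip from any to any via lo0
    # Replies to translated sessions arrive at the outside address from
    # the web server's port; send only those back through nat 1.
    $IPFW -q add 200 nat 1 tcp from any "$WEB_PORTS" to me in via "$EXT_IF"
    # Outbound: only HTTP/HTTPS from NAT_HOST is translated. Anything else
    # from that host matches no nat rule and is forwarded untranslated by
    # the final rule, which is the "must not be NATed" case in the question.
    $IPFW -q add 210 nat 1 tcp from "$NAT_HOST" to any "$WEB_PORTS" out via "$EXT_IF"
    # Count and log the untranslated flows from NAT_HOST so an unexpected
    # private-source packet leaving the outside interface shows up in the log.
    $IPFW -q add 220 count log ip from "$NAT_HOST" to not me out via "$EXT_IF"
    $IPFW -q add 65000 allow ip from any to any
}

# Helper for checking the generated ruleset in the dry run.
nat_rule_count() { build_rules | grep -c ' nat 1 tcp '; }

build_rules
```

Run it as-is to review the generated commands; `ipfw show` afterwards (with IPFW=/sbin/ipfw) confirms the counter on rule 220 stays at zero when nothing but web traffic leaves that host.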
