Date:      Fri, 22 Aug 2003 11:40:50 -0700
From:      Thomas Smith <tom@openadventures.org>
To:        freebsd-questions@freebsd.org
Subject:   NATD Firewall Rules Setup
Message-ID:  <3F4663B2.1030004@openadventures.org>

I'm configuring a firewall (FreeBSD 4.8-RELEASE). I've got the firewall 
locked down as I need it to be but am having issues getting NAT working. 
The firewall config file is included below.

Note that if I add the "allow all" rule to the end of the file NAT works 
fine. I'm certain it's an IPFW issue but haven't been able to figure it 
out. As I'm a bit new to IPFW and FreeBSD, pointers to documentation 
(preferably with examples of usage) would be very helpful. I haven't 
been able to find a lot of info outside of the Handbook, and what I do 
find regarding NAT includes three rules: 1) flush, 2) divert, 3) allow 
all traffic.

# Internal network variables
iif="rl1"
inet="192.168.20.0"
iip="192.168.20.2"
imask="255.255.255.0"

# External network variables
oif="rl0"
onet="216.161.174.0"
oip="216.161.174.7"
omask="255.255.255.0"

# Clear current rules
/sbin/ipfw -f flush

# Allow TCP in, if setup succeeded
/sbin/ipfw add pass tcp from any to any established

# Allow all local traffic
/sbin/ipfw add pass all from 127.0.0.1 to 127.0.0.1

# Stop spoofing
/sbin/ipfw add deny all from ${inet}:${imask} to any in via ${oif}
/sbin/ipfw add deny all from ${onet}:${omask} to any in via ${iif}

# Stop RFC1918 nets on the external interface
/sbin/ipfw add deny all from 10.0.0.1:255.0.0.0 to any via ${oif}
/sbin/ipfw add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
/sbin/ipfw add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}

# Allow internal network traffic
/sbin/ipfw add pass all from ${iip} to any
/sbin/ipfw add pass all from ${inet}:${imask} to ${iip}

# Allow NAT traffic out.
/sbin/ipfw add divert natd all from any to any via ${oif}

# Allow setup of SSH connections
/sbin/ipfw add pass tcp from any to ${oip} 22 setup
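As an added example that is not part of Thomas's post: a ruleset for the same interfaces and addresses with the divert rule placed ahead of every pass rule on the outside interface, commented to show which rules see the packet before and which after natd rewrites it. It assumes natd is already running with `-interface rl0` and the kernel has `options IPDIVERT`; it only prints the ipfw commands unless IPFW=/sbin/ipfw is set.

```shell
#!/bin/sh
# Added example (not the original poster's config): an ipfw ruleset for
# FreeBSD 4.x where natd sits on rl0. By default the commands are only
# printed; run with IPFW=/sbin/ipfw to load them for real.
IPFW="${IPFW:-echo /sbin/ipfw}"
iif="rl1"; inet="192.168.20.0/24"     # inside interface and LAN
oif="rl0"; oip="216.161.174.7"        # outside interface, natd alias address

load_rules() {
  $IPFW -f flush
  # Loopback: pass lo0, drop anything else claiming 127/8.
  $IPFW add pass all from any to any via lo0
  $IPFW add deny all from any to 127.0.0.0/8
  # Anti-spoofing, evaluated on the untranslated packet as it enters rl0.
  $IPFW add deny all from ${inet} to any in via ${oif}
  $IPFW add deny all from 10.0.0.0/8 to any in via ${oif}
  $IPFW add deny all from 172.16.0.0/12 to any in via ${oif}
  $IPFW add deny all from 192.168.0.0/16 to any in via ${oif}
  # The divert rule must precede every pass rule on ${oif}. Inbound packets
  # leave natd with their destination rewritten to the LAN host; outbound
  # packets leave it with their source rewritten to ${oip}. Matching then
  # continues at the next rule with the translated addresses.
  $IPFW add divert natd all from any to any via ${oif}
  # Replies to LAN-initiated sessions: dynamic rules created by keep-state
  # below match here, after natd has put the LAN address back.
  $IPFW add check-state
  $IPFW add pass tcp from any to any established
  # LAN hosts go out: first seen on ${iif} (untranslated), then on ${oif}
  # with source ${oip} once natd has rewritten it.
  $IPFW add pass all from ${inet} to any in via ${iif} keep-state
  $IPFW add pass all from ${oip} to any out via ${oif}
  # Services offered by the firewall itself.
  $IPFW add pass tcp from any to ${oip} 22 setup
  # Anything not matched above falls to the kernel's default deny rule.
}

load_rules
```

With no allow-all at the end, the two rules after the divert are what let translated traffic through in each direction.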