ipfw and nat problem

Chuck Swiger cswiger at mac.com
Mon Jul 18 19:05:33 UTC 2011


On Jul 18, 2011, at 11:53 AM, David van Rensburg - PC Network wrote:
> Yes sorry - I suppose I was assuming that goes without saying.

Well, you can't design working firewall rulesets with unstated requirements.

> Will open 443 for https and close 80 and do a transparent squid proxy
> which I got to work.

You need to permit *both* 80 and 443, either directly or via the Squid proxy.

> I just can't seem to understand in and out.
> Does in mean INTO the BOX or into the specific interface? What happens if
> you don't specify an interface when you say in or out?
> OR does in mean into the internal network from outside or just into the
> box?
> 
> Please just elaborate on that for me?

In refers to incoming traffic to the box running IPFW (and also NAT'ed traffic which gets re-written by natd to your internal clients); out refers to traffic generated from the box (and/or from NAT traffic from internal machines via natd).  If that doesn't make sense, consider using "recv", "xmit", and "via ifX" instead:

     recv | xmit | via {ifX | if* | ipno | any}
             Matches packets received, transmitted or going through, respec-
             tively, the interface specified by exact name (ifX), by device
             name (if*), by IP address, or through some interface.

             The via keyword causes the interface to always be checked.  If
             recv or xmit is used instead of via, then only the receive or
             transmit interface (respectively) is checked.  By specifying
             both, it is possible to match packets based on both receive and
             transmit interface, e.g.:

                   ipfw add deny ip from any to any out recv ed0 xmit ed1

             The recv interface can be tested on either incoming or outgoing
             packets, while the xmit interface can only be tested on outgoing
             packets.  So out is required (and in is invalid) whenever xmit is
             used.

             A packet may not have a receive or transmit interface: packets
             originating from the local host have no receive interface, while
             packets destined for the local host have no transmit interface.

Regards,
-- 
-Chuck
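The in/out versus recv/xmit/via semantics quoted above, modelled in Python as an added example (this is not code from the thread or from FreeBSD): a packet carries a direction plus its receive and transmit interfaces, a forwarded packet is evaluated once "in" (transmit interface not yet known) and once "out", and locally generated or locally destined packets lack one of the interfaces. Interface names other than the man page's ed0/ed1 and all packets are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """One pass through the firewall; a forwarded packet is seen twice (in, then out)."""
    direction: str                 # "in": entering the box, "out": leaving it
    recv_if: Optional[str] = None  # None for packets originating on the local host
    xmit_if: Optional[str] = None  # None on 'in' passes and for local-bound packets


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    direction: Optional[str] = None  # "in", "out" or None (matches either)
    recv: Optional[str] = None       # receive interface, testable in or out
    xmit: Optional[str] = None       # transmit interface, only valid with "out"
    via: Optional[str] = None        # matches either interface by exact name


def validate(rule: Rule) -> None:
    """ipfw rejects 'xmit' unless the rule is restricted to 'out'."""
    if rule.xmit is not None and rule.direction != "out":
        raise ValueError("xmit requires 'out' (and 'in' is invalid)")


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every direction/interface clause matches.  A packet that
    lacks an interface (None) never satisfies a recv/xmit/via clause."""
    validate(rule)
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    if rule.recv is not None and pkt.recv_if != rule.recv:
        return False
    if rule.xmit is not None and pkt.xmit_if != rule.xmit:
        return False
    if rule.via is not None and rule.via not in (pkt.recv_if, pkt.xmit_if):
        return False
    return True


def first_match(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins, as in ipfw; the implicit default rule denies."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


# The man page example: deny anything received on ed0 and transmitted on ed1.
MAN_PAGE_RULE = Rule("deny", "out", recv="ed0", xmit="ed1")
```

A rule with only `in` and no interface matches traffic arriving on any interface, which is the "into the box" reading of the question; `recv` still matches on the out pass because the receive interface stays known, while `xmit` is only decided once the packet is leaving.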
