ipfw + NAT doesn't work

Robert Huff roberthuff at rcn.com
Thu Sep 17 14:15:04 UTC 2009


	I have a machine running

FreeBSD 9.0-CURRENT #3: Tue Sep 15 18:49:58 EDT 2009 amd64 

	It has this in the config file for the running kernel:

options  IPFIREWALL              #firewall
options  IPFIREWALL_VERBOSE      #enable logging to syslogd(8)
options  IPFIREWALL_VERBOSE_LIMIT=100    #limit verbosity
options  IPFIREWALL_DEFAULT_TO_ACCEPT    #allow everything by default
options  IPFIREWALL_NAT          #ipfw kernel nat support
options  LIBALIAS 

	It (10.0.0.1) connects correctly to another machine (10.0.0.3);
I know because .3 mounts one of .1's disks using Samba.
	With the ipfw rules appended below, I can't NAT, nor should I
be able to.  ("em0" faces the Internet; "em1" faces the other
machine.)
	However: using these I still can't get through:

ipfw add 5000 nat 15 all from any to any
ipfw nat 15 config log same_ports ip 10.0.0.0/8

	Have I forgotten something?  Or misunderstood something?
	If not ... how do I figure out what's wrong?

	Respectfully,


				Robert Huff



00100  3830   864746 allow ip from any to any via lo0
00200     0        0 deny ip from any to 127.0.0.0/8
00300     0        0 deny ip from 127.0.0.0/8 to any
00350   110    42464 allow udp from any 67-68 to any dst-port 67-68
00600     0        0 allow ip6 from any to any via lo0
00610     0        0 deny ip6 from any to ::1
00620     0        0 deny ip6 from ::1 to any
00630     3      256 allow ip6 from :: to ff02::/16 proto ipv6-icmp
00640     0        0 allow ip6 from fe80::/10 to fe80::/10 proto ipv6-icmp
00650     4      304 allow ip6 from fe80::/10 to ff02::/16 proto ipv6-icmp
00660     0        0 allow ip6 from 2001:db8:2:1::1 to 2001:db8:2:1::/64
00670     0        0 allow ip6 from 2001:db8:2:1::/64 to 2001:db8:2:1::1
00680     0        0 allow ip6 from fe80::/10 to ff02::/16
00690     0        0 allow ip6 from 2001:db8:2:1::/64 to ff02::/16
00700     0        0 allow ip6 from any to any established proto tcp
00710     0        0 allow ip6 from any to any frag
00720     0        0 allow ip6 from any to 2001:db8:2:1::1 dst-port 25 setup proto tcp
00730     0        0 allow ip6 from 2001:db8:2:1::1 to any setup proto tcp
00740     0        0 deny ip6 from any to any setup proto tcp
00750     0        0 allow ip6 from any 53 to 2001:db8:2:1::1 proto udp
00760     0        0 allow ip6 from 2001:db8:2:1::1 to any dst-port 53 proto udp
00770     0        0 allow ip6 from any 123 to 2001:db8:2:1::1 proto udp
00780     0        0 allow ip6 from 2001:db8:2:1::1 to any dst-port 123 proto udp
00790     0        0 allow ip6 from any to any ip6 icmp6types 1 proto ipv6-icmp
00800     0        0 allow ip6 from any to any ip6 icmp6types 2,135,136 proto ipv6-icmp
06000     0        0 deny log logamount 100 tcp from any to any dst-port 137 in via em0
06050    32     3000 deny log logamount 100 udp from any to any dst-port 137 in via em0
06100     0        0 deny log logamount 100 tcp from any to any dst-port 138 in via em0
06150    15     3465 deny log logamount 100 udp from any to any dst-port 138 in via em0
06200     0        0 deny log logamount 100 tcp from any to any dst-port 139 in via em0
06250     0        0 deny log logamount 100 udp from any to any dst-port 139 in via em0
07000     0        0 deny log logamount 100 tcp from any to any dst-port 111 in via em0
07050     0        0 deny log logamount 100 udp from any to any dst-port 111 in via em0
07100     0        0 deny log logamount 100 tcp from any to any dst-port 530 in via em0
07150     0        0 deny log logamount 100 udp from any to any dst-port 530 in via em0
07200     0        0 deny log logamount 100 tcp from any to any dst-port 161 in recv em0
07225     0        0 deny log logamount 100 udp from any to any dst-port 161 in recv em0
07250     0        0 deny log logamount 100 tcp from any to any dst-port 162 in recv em0
07275     0        0 deny log logamount 100 udp from any to any dst-port 162 in recv em0
07300     0        0 deny log logamount 100 tcp from any to any dst-port 194
07310     0        0 deny log logamount 100 udp from any to any dst-port 194
07320     0        0 deny log logamount 100 tcp from any to any dst-port 529
07330     0        0 deny log logamount 100 udp from any to any dst-port 529
07340     0        0 deny log logamount 100 tcp from any to any dst-port 994
07350     0        0 deny log logamount 100 udp from any to any dst-port 994
07360     0        0 deny log logamount 100 tcp from any to any dst-port 6667
07370     0        0 deny log logamount 100 udp from any to any dst-port 6667
10000 45012 38961511 allow tcp from any to any established
10100  1452   112487 allow ip from any to any out via em0
10200     0        0 allow tcp from 10.0.0.0/8 to any dst-port 80
10300     0        0 allow tcp from any 80 to any dst-port 1024-65535 via em0
10400     0        0 allow tcp from any 443 to any dst-port 1024-65535 via em0
10500     0        0 deny log logamount 100 tcp from any 1024-65535 to any dst-port 80 via em0
10600     0        0 deny log logamount 100 tcp from any 1024-65535 to any dst-port 443 via em0
65000  1548   325720 allow ip from any to any
65535    20     2383 allow ip from any to any
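As an added illustration (not part of the post or of ipfw itself), this small Python tracer answers the "how do I figure out what's wrong?" question for the rule list above: it walks a constructed excerpt of that listing, with the nat rule the poster adds at 5000 in place, and reports the first rule an IPv4 packet hits, which is the first thing to establish before blaming the NAT instance. It models only the ipfw syntax that appears on this page (via, in/out, dst-port, established/setup), approximates recv/xmit as via, and the packet addresses 10.0.0.3 and 198.51.100.7 are constructed sample values.

```python
import ipaddress

# Constructed excerpt of the poster's `ipfw show` listing (counters dropped), nat rule at 5000 included.
RULES_TEXT = """\
00100 allow ip from any to any via lo0
00350 allow udp from any 67-68 to any dst-port 67-68
00600 allow ip6 from any to any via lo0
05000 nat 15 all from any to any
06050 deny log logamount 100 udp from any to any dst-port 137 in via em0
10000 allow tcp from any to any established
10100 allow ip from any to any out via em0
10200 allow tcp from 10.0.0.0/8 to any dst-port 80
65535 allow ip from any to any
"""

def parse_rule(line):
    tok = line.split()
    r = {"num": int(tok[0]), "action": tok[1], "sport": None, "dport": None,
         "iface": None, "dir": None, "flags": set()}
    f = tok.index("from")                    # proto sits just before "from"; skips "nat 15" / "log ..."
    r["proto"], r["src"], i = tok[f - 1], tok[f + 1], f + 2
    if tok[i] != "to":                       # optional source port spec, e.g. "67-68"
        r["sport"], i = tok[i], i + 1
    r["dst"], i = tok[i + 1], i + 2
    opts = tok[i:]                           # trailing options; logamount N, proto X are not modelled
    for j, t in enumerate(opts):
        if t == "dst-port": r["dport"] = opts[j + 1]
        elif t in ("via", "recv", "xmit"): r["iface"] = opts[j + 1]   # recv/xmit approximated as via
        elif t in ("in", "out"): r["dir"] = t
        elif t in ("established", "setup"): r["flags"].add(t)
    return r

def _addr_ok(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def _port_ok(spec, port):                    # single port or "lo-hi" range; None matches any port
    lo, _, hi = (spec or "0-65535").partition("-")
    return int(lo) <= port <= int(hi or lo)

def first_match(rules, pkt):
    # Walk the list in number order, as the kernel does, and return the first rule that matches.
    for r in rules:
        if (r["proto"] in ("ip", "all", pkt["proto"])            # ip6 rules never see IPv4
                and _addr_ok(r["src"], pkt["src"]) and _addr_ok(r["dst"], pkt["dst"])
                and _port_ok(r["sport"], pkt["sport"]) and _port_ok(r["dport"], pkt["dport"])
                and r["dir"] in (None, pkt["dir"]) and r["iface"] in (None, pkt["iface"])
                and r["flags"] <= pkt["flags"]):                  # established/setup must be present
            return r
    return None

RULES = [parse_rule(l) for l in RULES_TEXT.splitlines()]
# Constructed packet: the inside host's SYN to a web server, arriving on em1.
SYN_FROM_LAN = {"proto": "tcp", "src": "10.0.0.3", "sport": 51000, "dst": "198.51.100.7",
                "dport": 80, "dir": "in", "iface": "em1", "flags": {"setup"}}
```

Because rule 5000 carries no direction or interface, it is the first match for traffic in every direction, and per ipfw(8) with net.inet.ip.fw.one_pass=1 (the default) a packet the NAT instance translates is not re-injected, so none of the rules after it, the deny rules from 6000 upward included, are consulted for that packet.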


More information about the freebsd-questions mailing list