Controlling WAN access using natd/ipfw
Frank Leonhardt
freebsd-doc at fjl.co.uk
Mon Mar 17 14:00:29 UTC 2014
I can see a few strategies for doing this, but as I'm about to change a
firewall remotely I'd rather have a definitive working example for
obvious reasons... :-)
The setup is simple. natd and ipfw are currently sharing a public /29
with a private /24. Everything on the LAN can currently do anything it
likes through the gateway.
I want to stop anything on the LAN between 192.168.1.50 and
192.168.1.100 (for example) from getting through the gateway (they can
use the proxy). Everything else should be business as usual.
Current ipfw script is:
/sbin/ipfw add divert natd all from any to any via rl0
/sbin/ipfw add pass all from any to any
Which, as a sanity check, leads to:
00100 divert 8668 ip from any to any via rl0
00200 allow ip from any to any
65535 deny ip from any to any
I'm having a brainstorm here. Should rule 50 be "deny ip from
192.168.1.50-192.168.1.100 to any"?
I don't even know if it'll buy that kind of IP address list (I suspect
not). I know it does CIDR but the range doesn't suit, or a table (which
I've never used before, but if I've got the syntax I might just as well
add multiple rules as table entries in this case). And I'm completely
not sure about what natd does to all of this - never been there before.
So - can anyone tell me EXACTLY the line I need? It's four hours of
driving if I get it wrong...
As a supplementary question, presumably I can add a port number after
the source specification to block individual ports?
Thanks, Frank.
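One way to build the rule asked about, as an added example that is not Frank's script or the FreeBSD project's code: ipfw takes addresses as CIDR blocks, lists or tables rather than dash ranges, so the range is first split into the minimal CIDR blocks, loaded into table 1, and denied by a rule numbered 50 so it runs before the divert at 100. It assumes rl0 is the WAN interface as in the posted ruleset, that table 1 is unused, and that the proxy is reached without crossing rl0.

```shell
#!/bin/sh
# Added example, not the original poster's script. Covers a non-CIDR range
# such as 192.168.1.50-192.168.1.100 with the minimal CIDR blocks, loads
# them into ipfw table 1 and emits a deny rule placed *before* the natd
# divert. Assumes: rl0 is the WAN interface (as in the posted ruleset),
# table 1 is otherwise unused, the proxy is reached without crossing rl0.

ip2int() {  # dotted quad -> 32-bit integer
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int2ip() {  # 32-bit integer -> dotted quad
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Print the minimal set of CIDR blocks covering FIRST..LAST inclusive.
range2cidr() {
    lo=$(ip2int "$1"); hi=$(ip2int "$2")
    while [ "$lo" -le "$hi" ]; do
        len=32
        # Widen the block while it stays aligned on its size and within hi.
        while [ "$len" -gt 0 ]; do
            size=$(( 1 << (33 - len) ))          # block size one bit wider
            if [ $(( lo % size )) -ne 0 ] || [ $(( lo + size - 1 )) -gt "$hi" ]; then
                break
            fi
            len=$(( len - 1 ))
        done
        echo "$(int2ip "$lo")/$len"
        lo=$(( lo + (1 << (32 - len)) ))
    done
}

# Emit (do not execute) the ipfw commands for the range. Rule 50 runs
# before the divert at 100, so it still sees the private source address;
# 'out via rl0' limits the block to traffic leaving the WAN side, so
# LAN-to-gateway and LAN-to-LAN traffic (e.g. to the proxy) is untouched.
# A port list belongs after the *destination*: "... to any 80,443 out via rl0".
emit_rules() {
    echo "/sbin/ipfw table 1 flush"
    range2cidr "$1" "$2" | while read -r net; do
        echo "/sbin/ipfw table 1 add $net"
    done
    echo "/sbin/ipfw add 50 deny ip from 'table(1)' to any out via rl0"
}

emit_rules 192.168.1.50 192.168.1.100
```

The script only prints the commands; review them and then feed them to sh on the gateway (the quotes around table(1) are needed because the shell would otherwise parse the parentheses).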