question on NAT + IPFW

John Reynolds johnjen at
Fri Jun 12 02:49:14 UTC 2015

Hello all, I've read in sections 30.4.4 and 30.4.3 of the handbook about
using IPFW and I've got some clarification questions.

1) When you're using any sort of firewall rules outside the
open/client/simple/closed, etc. pre-canned types in rc.firewall, but
instead using rules from a file, the way I read the handbook, you MUST
use specific "nat" rules (divert natd) in your ipfw file along with
setting "natd_enable" to YES. Correct?

2) In the example found in 30.4.4 where it is using "stateful" rules, it
made specific mention that the "nat" stuff needed to be placed after the
rules to allow traffic in on the trusted interface but before the
"check-state" rule. Given that, if I wanted to completely block off one
of my local addresses would I also do it *before* the "divert natd" rule?

I have a situation where I need to just simply "block all traffic" from
some teenagers' mobile devices after a certain period of the day (don't
ask .... teenagers......). So, would that rule look like this:

    $cmd 005 allow all from any to any via xl0 # exclude LAN traffic
    $cmd 010 allow all from any to any via lo0 # exclude loopback traffic

    $cmd 020 deny log all from to any via xl0    # new rule

    $cmd 100 divert natd ip from any to any in via $pif # NAT any inbound packets
    $cmd 101 check-state

(assuming was the internal IP address for the mobile device
I want to thwart)

Would this accomplish what I'm hoping for? I currently don't have any
real FW to speak of--ipfw is there but the type is "open," so I'm trying
to learn as I go along in order to set up an actual firewall for this box
@ the same time.

Thanks in advance,
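
Added example (editor's, not the poster's or the handbook's): the rule file above written in the handbook's "$cmd" style, with a small check for the ordering question it raises. ipfw evaluates rules in ascending number order and stops at the first match, so a deny placed after a blanket "allow ... via xl0" is never reached for that device's packets; the check makes that visible before anything is loaded. The WAN interface name xl1, the rule numbers and the address 192.0.2.50 (RFC 5737 documentation range) are placeholders.

```sh
#!/bin/sh
# Added example, not part of the post: an ipfw rule file in the
# handbook's "$cmd" style, plus a check that the per-device deny is not
# shadowed by the blanket LAN allow. The WAN interface name xl1, the rule
# numbers and the address 192.0.2.50 (RFC 5737 range) are placeholders.
pif="xl1"             # assumed public (WAN) interface
lan="xl0"             # trusted LAN interface, as in the post
blocked="192.0.2.50"  # placeholder for the device's LAN address

# rules CMD DENYNUM: emit the ruleset. ipfw evaluates rules in ascending
# number order and stops at the first match, so the number given to the
# per-device deny decides whether it can ever fire. CMD is "echo" to
# print the rules; on the router use: rules "ipfw -q add" 004
rules() {
    cmd="${1:-echo}"; dn="${2:-004}"
    $cmd "$dn" deny log all from "$blocked" to any via "$lan"
    $cmd 005 allow all from any to any via "$lan"   # exclude LAN traffic
    $cmd 010 allow all from any to any via lo0      # exclude loopback
    $cmd 100 divert natd all from any to any in via "$pif"  # NAT inbound
    $cmd 101 check-state
    $cmd 200 allow tcp from any to any out via "$pif" setup keep-state
    $cmd 999 deny log all from any to any
}

# order_check DENYNUM: prints "ok" when the deny for $blocked precedes
# every allow on $lan, "shadowed" when an earlier allow on $lan would
# accept the device's packets first (the 005/020 ordering in the post).
order_check() {
    rules echo "$1" | sort -n | awk -v lan="$lan" -v host="$blocked" '
        $2 == "deny"  && index($0, "from " host " ")         { seen_deny = 1 }
        $2 == "allow" && index($0, "via " lan) && !seen_deny { bad = 1 }
        END { print (!seen_deny ? "no-deny" : bad ? "shadowed" : "ok") }'
}

# Demo: deny at 004 fires; the same deny numbered 020 is shadowed by 005.
echo "deny at 004: $(order_check 004)"
echo "deny at 020: $(order_check 020)"
```

Replace the default "echo" with "ipfw -q add" only once the printed order is what you intend; the divert natd rule still needs natd_enable="YES" in rc.conf so the divert socket has a listener.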

