question on NAT + IPFW

Guido Falsi mad at
Fri Jun 12 06:49:43 UTC 2015

On 06/12/15 04:49, John Reynolds wrote:
> Hello all, I've read in sections 30.4.4 and 30.4.3 of the handbook about
> using IPFW and I've got some clarification questions.
> 1) When you're using any sort of firewall rules outside the
> open/client/simple/closed, etc. pre-canned types in rc.firewall, but
> instead using rules from a file, the way I read the handbook, you MUST
> use specific "nat" rules (divert natd) in your ipfw file along with
> setting "natd_enable" to YES. Correct?

Yes and no, with modern ipfw I'd suggest you use in kernel nat in place
of userspace nat, it's orders of magnitude faster and can bear much
higher loads. Documentation about it in the handbook is lacking, unluckily.

You need to configure it with a command like:

ipfw -q nat 1 config if pppoe0 same_ports

This configures one instance.

Then use it like this:

ipfw add 1000 nat 1 all from any to any in via pppoe0

It's almost the same as with natd, just a slightly different syntax. It's
documented in ipfw(8).

> 2) In the example found in 30.4.4 where it is using "stateful" rules, it
> made specific mention that the "nat" stuff needed to be placed after the
> rules to allow traffic in on the trusted interface but before the
> "check-state" rule. Given that, if I wanted to completely block off one
> of my local addresses would I also do it *before* the "divert natd" rule?

Depends on how your firewall is structured; you should place any
stateful rules (usually allow ones) after check-state, and block
rules (which are usually not stateful) before it. This also helps
lower the firewall load, although with modern hardware it's really
necessary to optimize firewalls only on fast links. For residential
connectivity you're not likely to have speed problems in handling packets.

> I have a situation where I need to just simply "block all traffic" from
> some teenagers' mobile devices after a certain period of the day (don't
> ask .... teenagers......). So, would that rule look like this:
>     $cmd 005 allow all from any to any via xl0 # exclude LAN traffic
>     $cmd 010 allow all from any to any via lo0 # exclude loopback traffic
>     $cmd 020 deny log all from to any via xl0    # new rule
>     $cmd 100 divert natd ip from any to any in via $pif # NAT any inbound packets
>     $cmd 101 check-state
> (assuming was the internal IP address for the mobile device
> I want to thwart)
> Would this accomplish what I'm hoping for? I currently don't have any
> real FW to speak of--ipfw is there but the type is "open," so I'm trying
> to learn as I go along in order to setup an actual firewall for this box
> @ the same time.

Looks correct, assuming xl0 is your internal interface (better to put it in
a variable and use the variable in your rules, imho).

Making a complex ruleset requires some work and testing, it's not easy
to get it right the first time, especially when one starts using it.

Hope this helps!

Guido Falsi <mad at>
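
Added example, not part of the original message or the handbook: a rules script that combines the in-kernel `nat 1` instance from the reply with the ordering discussed above (block rules, inbound NAT, check-state, then stateful rules). Because ipfw acts on the first rule that matches, it numbers the per-device deny ahead of the blanket allow on the internal interface. The blocked address, the rule numbers other than those quoted in the thread, the outbound `skipto` rules and the `IPFW` variable are assumptions; by default the script only prints the commands.

```shell
#!/bin/sh
# Added example: dry-run by default; set IPFW="ipfw -q" to apply for real.
cmd="${IPFW:-echo ipfw -q}"
pif="pppoe0"            # external interface, as in the reply above
iif="xl0"               # internal interface, as in the question
blocked="192.168.1.50"  # constructed sample address of the device to block

ruleset() {
    $cmd -f flush
    $cmd disable one_pass   # keep evaluating rules after a nat rule matches
    $cmd nat 1 config if "$pif" same_ports

    # ipfw stops at the first matching rule, so the deny has to come
    # before the blanket allow on the internal interface.
    $cmd add 4 deny log all from "$blocked" to any via "$iif"
    $cmd add 5 allow all from any to any via "$iif"
    $cmd add 10 allow all from any to any via lo0

    # Translate inbound packets first so check-state sees internal addresses.
    $cmd add 100 nat 1 ip from any to any in via "$pif"
    $cmd add 101 check-state

    # Stateful allow rules follow check-state; skipto sends them to outbound NAT.
    $cmd add 200 skipto 1000 tcp from any to any out via "$pif" setup keep-state
    $cmd add 210 skipto 1000 udp from any to any out via "$pif" keep-state
    $cmd add 220 skipto 1000 icmp from any to any out via "$pif" keep-state
    $cmd add 999 deny log all from any to any

    $cmd add 1000 nat 1 ip from any to any out via "$pif"
    $cmd add 1001 allow ip from any to any
}

# Print the number of the first rule whose text contains $1 (dry-run output).
rule_no() {
    ( cmd="echo ipfw -q"; ruleset ) |
        awk -v pat="$1" 'index($0, pat) { print $4; exit }'
}

if [ "${1:-}" = "run" ]; then ruleset; fi
```

Run it with `run` to review the printed commands, and set `IPFW="ipfw -q"` only once the order looks right.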

More information about the freebsd-net mailing list