question on NAT + IPFW

Guido Falsi mad at
Fri Jun 12 06:59:47 UTC 2015

On 06/12/15 08:49, Guido Falsi wrote:
> On 06/12/15 04:49, John Reynolds wrote:
>> I have a situation where I need to just simply "block all traffic" from
>> some teenagers' mobile devices after a certain period of the day (don't
>> ask .... teenagers......). So, would that rule look like this:
>>     $cmd 005 allow all from any to any via xl0 # exclude LAN traffic
>>     $cmd 010 allow all from any to any via lo0 # exclude loopback traffic
>>     $cmd 020 deny log all from to any via xl0    # new rule
>>     $cmd 100 divert natd ip from any to any in via $pif # NAT any
>> inbound packets
>>     $cmd 101 check-state
>> (assuming was the internal IP address for the mobile device
>> I want to thwart)
>> Would this accomplish what I'm hoping for? I currently don't have any
>> real FW to speak of--ipfw is there but the type is "open," so I'm trying
>> to learn as I go along in order to setup an actual firewall for this box
>> @ the same time.
> looks correct, assuming xl0 is your internal interface (better put it in
> a variable and use the variable in your rules imho)

Forgot one thing, working around this block is as easy as changing the
machine IP, teenager can learn this easily and it can be done in a lot
of ways, even if they are not root(or equivalent) on their machine, they
can just boot from a CD with some live OS. You could have a better block
by also checking the MAC address, like this:

$cmd 021 deny log MAC any 00:aa:00:00:00:00:01 via xl0

(not tested)

MAC addresses can be modified too but it's somewhat more difficult.

Guido Falsi <mad at>

More information about the freebsd-net mailing list