NATD Firewall Rules Setup

chael at chael at
Sat Aug 23 21:45:14 PDT 2003

I suggest you complete your ipfw rules basing on "simple" within
/etc/rc.firewall. Substitute variables assuming having natd_enable="YES" and
firewall_enable="YES" on rc.conf.


----- Original Message -----
From: "Thomas Smith" <tom at>
To: <freebsd-questions at>
Sent: Saturday, August 23, 2003 2:40 AM
Subject: NATD Firewall Rules Setup

> I'm configuring a firewall (FreeBSD 4.8-RELEASE). I've got the firewall
> locked down as I need it to be but am having issues getting NAT working.
> The firewall config file is included below.
> Note that if I add the "allow all" rule to the end of the file NAT works
> fine. I'm certain its an IPFW issue but haven't been able to figure it
> out--as I'm a bit new to IPFW and FreeBSD, pointers to documentation
> (preferably with examples of usage) would be very helpful. I haven't
> been able to find a lot of info outside of the Handbook and what I do
> find regarding NAT includes three rules: 1) flush, 2) divert, 3) allow
> all traffic.
> # Internal network variables
> iif="rl1"
> inet=""
> iip=""
> imask=""
> # External network variables
> oif="rl0"
> onet=""
> oip=""
> omask=""
> # Clear current rules
> /sbin/ipfw -f flush
> # Allow TCP in, if setup succeeded
> /sbin/ipfw add pass tcp from any to any established
> # Allow all local traffic
> /sbin/ipfw add pass all from to
> # Stop spoofing
> /sbin/ipfw add deny all from ${inet}:${imask} to any in via ${oif}
> /sbin/ipfw add deny all from ${onet}:${omask} to any in via ${iif}
> # Stop RFC1918 nets on the external interface
> /sbin/ipfw add deny all from to any via ${oif}
> /sbin/ipfw add deny all from to any via ${oif}
> /sbin/ipfw add deny all from to any via ${oif}
> # Allow internal network traffic
> /sbin/ipfw add pass all from ${iip} to any
> /sbin/ipfw add pass all from ${inet}:${imask} to ${iip}
> # Allow NAT traffic out.
> /sbin/ipfw add divert natd all from any to any via ${oif}
> # Allow setup of SSH connections
> /sbin/ipfw add pass tcp from any to ${oip} 22 setup
> _______________________________________________
> freebsd-questions at mailing list
> To unsubscribe, send any mail to
"freebsd-questions-unsubscribe at"

More information about the freebsd-questions mailing list