NATD Firewall Rules Setup

chael at southgate.ph.inter.net
Sat Aug 23 21:45:14 PDT 2003


I suggest you complete your ipfw rules based on "simple" within
/etc/rc.firewall. Substitute the variables, assuming you have natd_enable="YES" and
firewall_enable="YES" in rc.conf.

chael

----- Original Message -----
From: "Thomas Smith" <tom at openadventures.org>
To: <freebsd-questions at freebsd.org>
Sent: Saturday, August 23, 2003 2:40 AM
Subject: NATD Firewall Rules Setup


> I'm configuring a firewall (FreeBSD 4.8-RELEASE). I've got the firewall
> locked down as I need it to be but am having issues getting NAT working.
> The firewall config file is included below.
>
> Note that if I add the "allow all" rule to the end of the file NAT works
> fine. I'm certain it's an IPFW issue but haven't been able to figure it
> out--as I'm a bit new to IPFW and FreeBSD, pointers to documentation
> (preferably with examples of usage) would be very helpful. I haven't
> been able to find a lot of info outside of the Handbook and what I do
> find regarding NAT includes three rules: 1) flush, 2) divert, 3) allow
> all traffic.
>
> # Internal network variables
> iif="rl1"
> inet="192.168.20.0"
> iip="192.168.20.2"
> imask="255.255.255.0"
>
> # External network variables
> oif="rl0"
> onet="216.161.174.0"
> oip="216.161.174.7"
> omask="255.255.255.0"
>
> # Clear current rules
> /sbin/ipfw -f flush
>
> # Allow TCP in, if setup succeeded
> /sbin/ipfw add pass tcp from any to any established
>
> # Allow all local traffic
> /sbin/ipfw add pass all from 127.0.0.1 to 127.0.0.1
>
> # Stop spoofing
> /sbin/ipfw add deny all from ${inet}:${imask} to any in via ${oif}
> /sbin/ipfw add deny all from ${onet}:${omask} to any in via ${iif}
>
> # Stop RFC1918 nets on the external interface
> /sbin/ipfw add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
> /sbin/ipfw add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
> /sbin/ipfw add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
>
> # Allow internal network traffic
> /sbin/ipfw add pass all from ${iip} to any
> /sbin/ipfw add pass all from ${inet}:${imask} to ${iip}
>
> # Allow NAT traffic out.
> /sbin/ipfw add divert natd all from any to any via ${oif}
>
> # Allow setup of SSH connections
> /sbin/ipfw add pass tcp from any to ${oip} 22 setup
>
>
>
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe at freebsd.org"
>
>
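A rule set laid out along the lines chael suggests, given here as an added example: it is not the poster's script, not /etc/rc.firewall itself, and not part of the original thread. It reuses the interface names and addresses from the original post; the rule order, the extra rules, the dry-run wrapper (FWCMD) and the rule_number helper are assumptions for illustration. The point of the layout is that the natd divert comes before the "established" rule and before every other pass rule. natd(8) rewrites the packet and ipfw resumes at the rule after the divert, so in the posted order the "established" rule passes outbound ACK packets untranslated and passes inbound replies to ${oip} before natd can map them back to the inside host; only the SYN of each connection ever reaches natd, which is why adding "allow all" at the end appears to make NAT work.

```shell
#!/bin/sh
# Added example (not the poster's script and not /etc/rc.firewall itself):
# an ipfw rule set laid out like the "simple" profile of FreeBSD 4.x
# rc.firewall, with the natd divert placed before any pass rule that could
# match NATed traffic. Interface names and addresses are those from the
# original post; everything else is an assumption for illustration.
#
# Dry run by default (rules are printed, nothing is loaded). To load them:
#   FWCMD=/sbin/ipfw sh natd-rules.sh
fwcmd="${FWCMD:-echo}"

# Internal (rl1) and external (rl0) networks, from the original post.
iif="rl1"
inet="192.168.20.0"; iip="192.168.20.2"; imask="255.255.255.0"
oif="rl0"
onet="216.161.174.0"; oip="216.161.174.7"; omask="255.255.255.0"

load_rules() {
    ${fwcmd} -f flush

    # Loopback: pass anything on lo0, drop 127/8 seen anywhere else.
    ${fwcmd} add pass all from any to any via lo0
    ${fwcmd} add deny all from any to 127.0.0.0/8
    ${fwcmd} add deny all from 127.0.0.0/8 to any

    # Anti-spoofing: inside addresses must not arrive on the outside
    # interface, and outside addresses must not arrive on the inside one.
    ${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
    ${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}

    # Before translation: outbound packets still carry their real
    # destination, so refuse anything aimed at RFC 1918 space.
    ${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
    ${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
    ${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}

    # NAT. natd(8) rewrites the packet and ipfw continues at the next
    # rule, so this must precede "established" and every other pass rule:
    # otherwise outbound ACK packets leave untranslated and inbound
    # replies are passed to ${oip} instead of being mapped back inside.
    ${fwcmd} add divert natd all from any to any via ${oif}

    # After translation: inbound packets now carry inside destinations,
    # so only the source can be checked against RFC 1918 space here.
    ${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
    ${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
    ${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}

    # Established TCP (ACK set) and fragments, in both directions.
    ${fwcmd} add pass tcp from any to any established
    ${fwcmd} add pass all from any to any frag

    # Services offered by the firewall itself: SSH, as in the original post.
    ${fwcmd} add pass tcp from any to ${oip} 22 setup

    # Any other TCP connection attempt from outside is logged and refused;
    # inside hosts (and the firewall) may open connections freely.
    ${fwcmd} add deny log tcp from any to any in via ${oif} setup
    ${fwcmd} add pass tcp from any to any setup

    # Stateful UDP for DNS and NTP lookups made by the firewall itself.
    ${fwcmd} add pass udp from ${oip} to any 53 keep-state
    ${fwcmd} add pass udp from ${oip} to any 123 keep-state

    # Inside hosts' DNS queries (translated on the way out) and the answers
    # (translated back on the way in).
    ${fwcmd} add pass udp from any to any 53 out via ${oif}
    ${fwcmd} add pass udp from any 53 to any in via ${oif}
    # Everything not matched so far falls to the default deny (rule 65535).
}

# Position (1-based) of the first dry-run rule matching PATTERN; lets the
# ordering be checked without loading anything into the kernel.
rule_number() {
    ( fwcmd=echo; load_rules ) | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

load_rules
```

Run without FWCMD the script only prints the rules, which is the safe way to review the order before loading them; load a rule set like this from the console rather than over SSH, since with a default-deny kernel one misplaced rule cuts off the session. keep-state is used only for the firewall's own traffic on purpose: dynamic rules are recorded on the packet as ipfw sees it after the divert, so a state entry created for an inside host's translated query would not match the inbound answer, which is why the inside hosts' DNS traffic above is handled with plain stateless rules.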


