NAT and IPFW rules

JJB Barbish3 at
Mon Feb 2 07:09:29 PST 2004

Hello Friend

First I agree with you the FBSD handbook documentation on firewall
software sucks big time. It leads the reader into believing that
ipfw is the only solution when it is not. FBSD is delivered with
ipfw and IPFILTER which are both firewall software applications. The
second thing that the sparse ipfw documentation fails to say is that a
firewall that does not use stateful rules is not very secure. The
real show stopper is ipfw with stateful rules using the 'keep state'
option does not work when used with the divert/nated legacy
sub-routine. What this means is ipfw with stateful rules can only be
used if 'user ppp -nat' is how you connect to the public internet.

IPFILTER's stateful rules work fine, and it has its own external
ipnat function.  I strongly recommend you drop ipfw and instead use
IPFILTER as it's the superior firewall software solution from the
ease of use of stateful rules.

If you use 'user ppp' to connect to the public internet and want to
continue to use ipfw, I have an ipfw stateful rule set I can send you.

If you want to use IPFILTER, I can send you a rule set for it also
along with links to doc sites.

-----Original Message-----
From: owner-freebsd-questions at
[mailto:owner-freebsd-questions at]On Behalf Of Eugene
Sent: Sunday, February 01, 2004 11:15 AM
To: questions at
Subject: NAT and IPFW rules


From reading the manpage for natd, I have a question about how
to restrict IPFW access for NAT for the case when I have one
computer connected directly to another one (having two NICs
installed into it)? That means that I don't have to care about a big
private network, but rather want to narrow down the access to a single
private IP address.

For NAT to work, two rules need to be added:

    ipfw add divert natd all from any to any via xl0

Can this rule be restricted (is it possible to divert not every
packet)? Right now, every packet that enters/leaves the system is
diverted, and sometimes the natd process eats quite a lot of processor
resources. Can this be avoided? How?

    ipfw add pass all from any to any

How can this be restricted? I basically need only outgoing stuff
working, that's all, and silently passing any packets from whatever
location to any destination is insecure to me. Can someone post
live examples of such a setup?

Waiting to hear from some gurus ;)
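As an added example, not taken from either message in this thread, the following sh script tightens the two rules quoted in the original question for a router with exactly one host behind it. The divert rule is split in two: only traffic from the single private host is diverted on the way out, while inbound packets on the public interface must still be diverted so natd can map replies back to that host. The open "pass all from any to any" is replaced by rules that pass the LAN host on the inside interface, pass anything outbound on the public interface, and accept inbound only TCP replies (established), DNS replies and a few ICMP types. It uses stateless established/setup matching rather than keep-state, which the reply above says does not work together with natd divert. The interface name xl0 comes from the question; rl0, 192.168.0.2 and the rule numbers are constructed for the example. Set IPFW=echo (or run with the argument preview) to print the rules instead of loading them.

```shell
#!/bin/sh
# Added example (not from the thread): restricted ipfw + natd rule set for a
# two-NIC FreeBSD router with a single host behind it.
# natd is assumed to run as:  natd -interface "$EXT_IF"

EXT_IF="${EXT_IF:-xl0}"               # public interface (name from the question)
INT_IF="${INT_IF:-rl0}"               # LAN interface (constructed name)
LAN_HOST="${LAN_HOST:-192.168.0.2}"   # the one private address allowed through (constructed)
IPFW="${IPFW:-ipfw -q}"               # IPFW=echo prints the rules instead of loading them

# Emit one rule through $IPFW so the same function can load or preview the set.
rule() { $IPFW add "$@"; }

load_rules() {
    $IPFW flush

    # Loopback, and never route the loopback net on real interfaces.
    rule 00100 allow ip from any to any via lo0
    rule 00200 deny ip from any to 127.0.0.0/8
    rule 00300 deny ip from 127.0.0.0/8 to any

    # Anti-spoofing: the private address must never arrive from the public side.
    rule 00400 deny ip from $LAN_HOST to any in via $EXT_IF

    # LAN side: only the single host may use the router; everything else on rl0 is dropped.
    rule 00500 allow ip from $LAN_HOST to any in via $INT_IF
    rule 00600 allow ip from any to $LAN_HOST out via $INT_IF
    rule 00700 deny ip from any to any via $INT_IF

    # NAT: divert only the LAN host's outbound packets (source is still private here).
    # Inbound packets on the public interface still go to natd so it can translate
    # replies back; packets that match no natd session come back untouched and fall
    # through to the final deny.
    rule 00800 divert natd ip from $LAN_HOST to any out via $EXT_IF
    rule 00900 divert natd ip from any to any in via $EXT_IF

    # After translation: outbound is open, inbound only reply traffic.
    rule 01000 allow tcp from any to any out via $EXT_IF
    rule 01100 allow udp from any to any 53 out via $EXT_IF
    rule 01200 allow icmp from any to any out via $EXT_IF
    rule 01300 allow tcp from any to any in via $EXT_IF established
    rule 01400 allow udp from any 53 to any in via $EXT_IF
    rule 01500 allow icmp from any to any in via $EXT_IF icmptypes 0,3,11

    # Everything else, in particular unsolicited inbound TCP setup, is logged and dropped.
    rule 65000 deny log ip from any to any
}

# Print the rule set without touching the kernel (subshell keeps IPFW=echo local).
preview_rules() { ( IPFW=echo; load_rules ); }

case "${1:-}" in
    load)    load_rules ;;
    preview) preview_rules ;;
esac
```

Because the inbound "established" rule is stateless, it accepts any TCP segment carrying ACK or RST, including ones natd did not translate; that is the weakness the reply above has in mind when it calls a non-stateful rule set "not very secure", and the final deny-with-log makes such packets visible in the logs rather than silently passed.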
