nat and ipfw, port forwarding

usleepless at usleepless at
Sun Dec 28 15:39:22 UTC 2008

Hi Richard,

On Sun, Dec 28, 2008 at 2:30 AM, Richard Yang <kusanagiyang at> wrote:

> thank you, usleep (nice name). I somehow made it work by
> 1. adding "redirect_port udp 50000" in natd.conf
> 2. allowing all traffic and diversion in ipfw.rules
> I tried to limit the traffic by modifying the rules in ipfw.rules,
> but unsuccessfully, so I just leave it be at this moment.
> I am very confused by the roles of natd and ipfw, and how they should work
> together.

As far as I understand it (anyone please correct me if I am wrong):

There are two types of NAT in FreeBSD to choose from:

1. Natd, which is a userspace daemon. You need to include a divert rule in
your ipfw-config which looks like this:

# ipfw add 100 divert natd all from any to any via $oif

($oif stands for the outside interface.)

After your packet has been diverted to natd, the NATed packet is inserted
once again into the firewall to be checked again.

Port redirection etc is configured in natd.conf.

2. Kernel NAT, which is part of IPFW.

This is what I was referring to in my last message. You set it up through
rc.conf (see the man page).

There is no need for a divert-rule.

Port redirection etc. is configured with ipnat (store your config in
/etc/ipnat.conf).

And please, do not top-post.

> rich
> On Sat, Dec 27, 2008 at 8:40 AM, <usleepless at> wrote:
>> Hi Richard,
>> On Fri, Dec 26, 2008 at 9:27 PM, Richard Yang <kusanagiyang at> wrote:
>>> hi,
>>> I have an ssh machine behind a FreeBSD firewall with nat and ipfw.
>>> How do I make port forwarding so the internet can access the ssh machine?
>>> thanx
>> I think you need to configure /etc/ipnat.conf (read 'man ipnat'). This
>> is an example definition:
>> rdr em1 port 2223 -> port 22
>> (this redirects incoming traffic on outside-interface em1 port 2223 to an
>> internal machine on port 22)
>> Also, include "firewall_nat_enable" in your rc.conf (read 'man rc.conf').
>> To configure the settings from ipnat.conf, run "ipnat -C -f /etc/ipnat.conf".
>> regards,
>> usleep
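A worked example added to this thread (it is not code from either poster, nor a FreeBSD configuration file): the first option above, userspace natd with a divert rule, but with an ipfw ruleset that only admits the forwarded port inbound instead of allowing everything, which is what Richard was trying to get working. The interface names em0 and em1, the internal host 192.168.1.2 and the ports 2223 and 22 are assumed placeholders. The rule order follows the skipto arrangement the FreeBSD Handbook uses for stateful ipfw rules around natd: inbound packets are translated before they are inspected, and outbound packets are recorded with keep-state before they are translated, so every dynamic rule is keyed on the internal addresses.

```shell
#!/bin/sh
# Added example (not code from this thread): userspace natd plus a
# restrictive ipfw ruleset that forwards one external TCP port to an
# internal SSH host and denies everything else arriving on the outside
# interface. Interface names, the internal address and the ports are
# assumed placeholders; override them through the environment.
OIF="${OIF:-em0}"                    # outside interface (assumed)
IIF="${IIF:-em1}"                    # LAN interface (assumed)
SSH_HOST="${SSH_HOST:-192.168.1.2}"  # internal SSH machine (assumed)
EXT_PORT="${EXT_PORT:-2223}"         # port exposed on $OIF
INT_PORT="${INT_PORT:-22}"           # port on the internal machine

# /etc/natd.conf: the redirect_port line turns an inbound connection to
# $OIF:$EXT_PORT into one addressed to $SSH_HOST:$INT_PORT. natd is
# started from rc.conf with natd_enable="YES" and
# natd_flags="-f /etc/natd.conf"; gateway_enable="YES" turns on forwarding.
gen_natd_conf() {
    printf 'interface %s\n' "$OIF"
    printf 'redirect_port tcp %s:%s %s\n' "$SSH_HOST" "$INT_PORT" "$EXT_PORT"
}

# ipfw rules, one per line, without the leading "ipfw" so they can be
# reviewed, saved as a firewall_script file or loaded by apply_rules.
# A packet leaving a divert rule re-enters the firewall at the next rule,
# so inbound traffic is translated first (200) and then checked against
# its real internal destination (400); outbound traffic is recorded with
# keep-state (600) before it is translated (800), and the skipto action
# stored in the dynamic rule routes replies through the outbound divert.
gen_rules() {
    cat <<EOF
add 100 allow ip from any to any via lo0
add 200 divert natd ip from any to any in via $OIF
add 300 check-state
add 400 skipto 800 tcp from any to $SSH_HOST $INT_PORT in via $OIF setup keep-state
add 500 deny ip from any to any in via $OIF
add 600 skipto 800 ip from any to any out via $OIF keep-state
add 700 allow ip from any to any via $IIF
add 800 divert natd ip from any to any out via $OIF
add 900 allow ip from any to any
EOF
}

# Load the rules on the gateway as root: flush, then add them one by one.
apply_rules() {
    ipfw -q -f flush
    gen_rules | while IFS= read -r rule; do
        # word splitting of $rule into separate ipfw arguments is intended
        ipfw -q $rule
    done
}

# "sh thisfile.sh apply" writes natd.conf and loads the rules; without an
# argument the script only prints both for review.
if [ "${1:-}" = "apply" ]; then
    gen_natd_conf > /etc/natd.conf
    apply_rules
else
    gen_natd_conf
    echo
    gen_rules
fi
```

Rule 500 is the part that was missing from an "allow all" setup: a new connection arriving on the outside interface that natd did not rewrite (because no redirect_port matches it) still carries the firewall's external address as destination, misses rule 400, and is dropped there, while replies to connections the LAN opened are already translated by rule 200 and admitted by check-state. Any additional service to expose gets its own redirect_port line plus one more skipto 800 rule before rule 500.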

More information about the freebsd-questions mailing list