IPFW In FreeBSD

Christopher Cowart ccowart at rescomp.berkeley.edu
Wed Sep 3 18:18:52 UTC 2008


Marcel Grandemange wrote:
> Ok so I know this is a newbie question..
> 
> But I've for years now wanted to know how to only NAT certain traffic, or maybe
> only across a certain IP.
> 
> I've tried many examples, all not working.. Maybe I'm just doing something
> stupid..
> 
> But, below is an example of a machine that is NATing everything on em0.
> 
> I'd like to know how to change that to everything on say 196.212.65.186
> instead of the entire interface.
> 
> Or better yet..
> 
> Stop NATing everything and say only NAT web traffic.
> 
> I'm having issues where certain traffic is being NATed that mustn't be!

If you're running 7.0, you can ditch divert and use the built-in NAT
functionality (you can probably swap nat rules in for the divert rules).

You can use source and destination ports and addresses when deciding
what to have ipfw divert/nat. They're rules just like any others. 

Here's what I do:

/etc/ipfw.rules:

| CMD="/sbin/ipfw -q add"
| 
| # Configure NAT
| /sbin/ipfw -q nat 1 config if inet log reset unreg_only same_ports \
|     redirect_port tcp 10.1.10.20:80 80 \
|     redirect_port tcp 10.1.10.20:443 443
| 
| # loopback
| $CMD allow all from any to any via lo0
| $CMD deny log all from 127.0.0.0/8 to any
| 
| # Anti-spoof
| $CMD deny log all from any to any not verrevpath in
| 
| # Catch proto 41 without NATing
| $CMD allow ipv6 from any to me
| 
| # Allow this box to initiate unNATed outbound connections
| $CMD allow ip from me to any keep-state
| 
| # NAT
| $CMD nat 1 ip4 from any to me in via inet
| $CMD nat 1 ip4 from 10.1.10.0/24 to not me out via inet
| 
| # ICMP
| $CMD allow icmp from any to any
| 
| # SSH From local nets
| $CMD allow tcp from 10.1.10.0/24 to me ssh
| 
| # DNS from local nets
| $CMD allow udp from 10.1.10.0/24 to me domain
| 
| # DHCP from local nets
| $CMD allow udp from any to me bootps in via bridge0
| $CMD allow udp from 0.0.0.0 to 255.255.255.255 bootps in via bridge0
| 
| # Deny anything else destined to me
| $CMD deny log ip from any to me
| 
| # But forward any other traffic
| $CMD allow ip4 from any to any

-- 
Chris Cowart
Network Technical Lead
Network & Infrastructure Services, RSSP-IT
UC Berkeley
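As an added example (not part of the thread above), the following sh script applies the advice in this reply to the original question: use the FreeBSD 7.0 in-kernel nat with rules that only hand web traffic from one host to the NAT instance, instead of translating everything on an interface. It assumes an external interface named em0, the host 196.212.65.186 mentioned in the question, and a 10.1.10.0/24 LAN as in the rule set above; the rule numbers and the two helper functions are my own. The `unreg_only` option from the rule set above is deliberately left out, because it would skip translation for a source that is a public address.

```shell
#!/bin/sh
# Added example, not from the thread: ipfw in-kernel NAT restricted to
# web traffic (TCP 80/443) from a single host, everything else untouched.
# Assumptions: FreeBSD 7.0+ with ipfw nat; external interface em0;
# host to translate is 196.212.65.186 (from the question); LAN 10.1.10.0/24.

EXT_IF="${EXT_IF:-em0}"
NAT_SRC="${NAT_SRC:-196.212.65.186}"
LAN="${LAN:-10.1.10.0/24}"

# Emit the rule set, one ipfw command per line, without applying it.
# Only rules 400/410 hand packets to nat instance 1; any packet that
# does not match them continues down the list untranslated.
ipfw_rules() {
    cat <<EOF
nat 1 config if $EXT_IF log same_ports
add 100 allow all from any to any via lo0
add 110 deny log all from 127.0.0.0/8 to any
add 200 deny log all from any to any not verrevpath in
add 300 allow ip from me to any keep-state
add 400 nat 1 tcp from $NAT_SRC to any 80,443 out via $EXT_IF
add 410 nat 1 tcp from any 80,443 to me in via $EXT_IF
add 500 allow tcp from $LAN to me 22
add 600 allow icmp from any to any
add 900 deny log ip from any to me
add 1000 allow ip4 from any to any
EOF
}

# How many rules divert packets to nat instance 1 (expect exactly two:
# the outbound web rule and the inbound reply rule).
nat_rule_count() {
    ipfw_rules | grep -c '^add [0-9]* nat 1 '
}

# True if no rule sends unrestricted "any to me" inbound traffic to nat,
# which is the mistake the question describes.
no_blanket_inbound_nat() {
    if ipfw_rules | grep -q '^add [0-9]* nat 1 ip4\? from any to me in'; then
        return 1
    fi
    return 0
}
```

To apply it on the firewall, write the output to a file and feed it to ipfw, which reads one command per line: `ipfw_rules > /etc/ipfw.rules && /sbin/ipfw -q flush && /sbin/ipfw -q /etc/ipfw.rules`. To translate only a host rather than only web traffic, drop the port lists from rules 400 and 410 and keep the source address; to translate a whole LAN, replace `$NAT_SRC` with `$LAN`.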
