IPFW Firewall NAT inbound port-redirect

Michael Sierchio kudzu at tenebras.com
Tue Jul 12 15:43:09 UTC 2011

Is there a way of specifying a particular public address if there is
more than one bound to the external interface?  A la

nat 123 config if re0.2 log same_ports redirect_port tcp


On Tue, Jul 12, 2011 at 5:19 AM, Bill Tillman <btillman99 at yahoo.com> wrote:
> ________________________________
> From: Dan Nelson <dnelson at allantgroup.com>
> To: Michael Sierchio <kudzu at tenebras.com>
> Cc: freebsd-questions at freebsd.org
> Sent: Mon, July 11, 2011 1:07:31 PM
> Subject: Re: IPFW Firewall NAT inbound port-redirect
> In the last episode (Jul 11), Michael Sierchio said:
>> Sorry for the naive question, but most of my old rulesets still use
>> natd, and I've only used built-in nat for outbound traffic.  I'd like
>> to redirect certain ports on certain addresses to the same ports on
>> internal (RFC1918) addresses.  The examples in the man page aren't
>> helpful, and the handbook still seems very natd-centric in its
>> examples.  Thanks in advance.
> I use this at the top of my /etc/ipfw.conf file (re0.2 is the interface
> corresponding to my internet connection) :
> nat 123 config if re0.2 log same_ports redirect_port tcp 22
> add nat 123 ip from any to any via re0.2
> , which redirects incoming port 22 connections to  If you want to
> redirect more ports, add more "redirect_port tcp host:port port" expressions
> to the end of your nat line.  I believe you can run the nat config command
> manually with a new list (as in "ipfw nat 123 ...") to add/remove entries
> dynamically.  I'm not at home to try it, and don't want to risk losing my
> remote connection if I mess up :)
> --
>     Dan Nelson
>     dnelson at allantgroup.com
> I have used IPFW for many years now. As for forwarding traffic from your
> gateway to internal machines I've always used the following in my
> /etc/natd.conf file:
> dynamic
> redirect_port tcp 80 # Apache Webserver inside my LAN
> redirect_port udp 1194 # OpenVPN Port
> redirect_port tcp 443   # OpenVPN Port
> Of course you will need a line like this in your /etc/rc.conf to get natd to
> read this file:
> natd_flags="-f /etc/natd.conf"

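Added example, not code from this thread: in ipfw's in-kernel nat the redirect_port keyword takes an optional alias address in front of the public port (ipfw(8): `redirect_port proto targetIP:targetPORT [aliasIP:]aliasPORT`), which is how a redirect is pinned to one of several addresses on the external interface. The script builds the nat line from a small table, checks each public address against the list assumed to be bound to the interface, and prints the commands for review instead of loading them; the interface re0.2 and instance number 123 come from the thread, all IP addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): compose an ipfw in-kernel NAT config in
# which every port redirect is pinned to one public (alias) address.
# Interface and nat instance number follow the thread; addresses are placeholders.
EXT_IF="re0.2"
NAT_ID="123"

# Constructed redirect table: proto internal_host:port public_ip:port.
REDIRECTS='
tcp 192.168.1.10:22   203.0.113.5:22
tcp 192.168.1.20:80   203.0.113.6:80
udp 192.168.1.30:1194 203.0.113.6:1194
'
# Addresses assumed bound to $EXT_IF (on the gateway: ifconfig "$EXT_IF" | awk '/inet /{print $2}').
EXT_ADDRS="203.0.113.5 203.0.113.6"

# Fail if a redirect names a public address not on the interface; it would never match.
check_aliases() {
    addrs="$1"
    while read -r proto target alias; do
        [ -n "$proto" ] || continue
        ip="${alias%:*}"
        case " $addrs " in
            *" $ip "*) ;;
            *) echo "redirect $proto $target $alias: $ip not on $EXT_IF" >&2; return 1 ;;
        esac
    done <<EOF
$REDIRECTS
EOF
    return 0
}

# Print the nat config line and the rule that sends traffic through it. deny_in
# drops inbound packets that match no redirect, so only listed services are reachable.
build_nat_rules() {
    line="nat $NAT_ID config if $EXT_IF log same_ports deny_in"
    while read -r proto target alias; do
        [ -n "$proto" ] || continue
        line="$line redirect_port $proto $target $alias"
    done <<EOF
$REDIRECTS
EOF
    printf '%s\n' "$line"
    printf 'add nat %s ip from any to any via %s\n' "$NAT_ID" "$EXT_IF"
}

# Review the output, save it to a file, then load it with: ipfw -q /path/to/file
check_aliases "$EXT_ADDRS" && build_nat_rules
```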