pf or ipfw for NAT

Frank Leonhardt freebsd-doc at
Fri Apr 2 19:18:02 UTC 2021

For longer than I care to remember (FreeBSD 2)  I've implemented a 
physical asymmetric nat gateway using natd and ipfw. I just do what the 
user guide says and it works.

For everything else I tend to use pf because I understand it better than 
ipfw. And I use pf and nat the virtual network between jails. When I say 
I understand pf better, that's better than ipfw - it doesn't mean I 
understand it well!

Am I using ipfw/natd for historical reasons? Can I do the same with pf? 
I'm not entirely sure, but I assume natd is a counterpart to ipfw 
whereas pf does packet filtering and nat and is a replacement for both. 
The FreeBSD documentation favours ipfw.

I'd really appreciate it if someone could tell me what I need to put in 
rc.conf and pf.conf to get this working. For example, do I need to 
enable the gateway in rc.conf if not using ipfw? I'm guessing not, but 
I'm only guessing.

I've seem some complex examples. I'm thinking of going with something 
like this. I'm ASSUMING any incoming connections (e.g. ssh) would still 
end up on the host running PF, except port 80.

If anyone could sanity check this I'd be very grateful.



ifconfig_bge0="inet netmask"
ifconfig_bge1="inet netmask"




scrub in all

nat pass on bge0 from  to any ->
# Never quite sure with pf - the following may be better
# nat on bge0 from bge1:network to any -> bge0

# Redirect port 80 to internal web server

rdr pass on bge0 proto tcp from any to  -> port 80 -


Thanks, Frank.

More information about the freebsd-questions mailing list