I'm configuring a firewall (FreeBSD 4.8-RELEASE). I've got the firewall locked down as I need it to be but am having issues getting NAT working. The firewall config file is included below.

Note that if I add the "allow all" rule to the end of the file NAT works fine. I'm certain its an IPFW issue but haven't been able to figure it out--as I'm a bit new to IPFW and FreeBSD, pointers to documentation (preferably with examples of usage) would be very helpful. I haven't been able to find a lot of info outside of the Handbook and what I do find regarding NAT includes three rules: 1) flush, 2) divert, 3) allow all traffic.

# Internal network variables
iif="rl1"
inet="192.168.20.0"
iip="192.168.20.2"
imask="255.255.255.0"

# External network variables
oif="rl0"
onet="216.161.174.0"
oip="216.161.174.7"
omask="255.255.255.0"

# Clear current rules
/sbin/ipfw -f flush

# Allow TCP in, if setup succeeded
/sbin/ipfw add pass tcp from any to any established

# Allow all local traffic
/sbin/ipfw add pass all from 127.0.0.1 to 127.0.0.1

# Stop spoofing
/sbin/ipfw add deny all from ${inet}:${imask} to any in via ${oif}
/sbin/ipfw add deny all from ${onet}:${omask} to any in via ${iif}

# Stop RFC1918 nets on the external interface
/sbin/ipfw add deny all from 10.0.0.1:255.0.0.0 to any via ${oif}
/sbin/ipfw add deny all from 127.16.0.0:255.240.0.0 to any via ${oif}
/sbin/ipfw add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}

# Allow internal network traffic
/sbin/ipfw add pass all from ${iip} to any
/sbin/ipfw add pass all from ${inet}:${imask} to ${iip}

# Allow NAT traffic out.
/sbin/ipfw add divert natd all from any to any via ${oif}

# Allow setup of SSH connections
/sbin/ipfw add pass tcp from any to ${oip} 22 setup



_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to