Try having the very first rule divert ip from any to any to natd Then, you
can configure NATD to only effect RFC1918 packets by adding a -u to the
command line. NAT will take the packet, process it if it's an RFC 1918
address, if not, allow it to pass and then reinject it into the firewall at
rule 2 (or next available rule) and continue processing the ruleset.

Like I described I allready use this flag. The problem with having divert at the top is that I get thrown off my ssh connection every time when I try to reload natd or ipfw. Does it matter if I allow ssh from my network before I divert packets to natd?

I've not been awake for long and have had little to no Mt Dew yet so don't
hold this against me. Without going over this for awhile, which I recommend
when doing a firewall, this may be something in the neighborhood that you're
looking for.

In your /usr/local/etc/

natd -interface xl2  -s -m -u

Or if you start it from rc.conf:

natd_flags="-s -m -u "

I use a natd config file with all these flags so that is taken care of.

The -s tells it to use sockets so that FTP doesn't get broken. You may not
need this.
The -m tells natd to attempt to use the same socket as the originating host.
The -u tells natd to only translate RFC 1918 packets.

In your firewall rules file:

# more fwrules
$fwcmd -f flush
#NATD Divert
$fwcmd add 1 divert natd all from any to any via xl2
#You want blocked outbound ports to match early on in the firewall.
# Blocking ports out to Internet that I don't like:
$fwcmd add 100 deny tcp from any to any 135-139 out via $extif
$fwcmd add 100 deny tcp from any to any 445 out via $extif
#Then your allows:
#Network Allows
$fwcmd add 300 allow ip from any to any via $extif
$fwcmd add 300 allow ip from any to any via $dmxif
$fwcmd add 300 allow ip from any to any via $lanif
$fwcmd add 300 allow ip from any to any via $motorif

Hm.. You really mean I should add that first allow line there? This four rules together is basically the same as ipfw add allow ip from any to any isn't it?

# Allow http to the whole dmz from Internet:
$fwcmd add 400 allow tcp from any to w.x.y.80/28 http via $extif
# Allow smtp and pop3 to the mailserver from Internet:
$fwcmd add 500 allow tcp from any to w.x.y.84 smtp,pop3 via $extif

Aren't these two rules overlapping the first 300 rule?

#Lastly, your denies
#Network Denies
# Default Block
$fwcmd add 65000 deny ip from any to any

Hope this helps you out.

Haven't been able to try them out yet, but I don't feel allowing The first 300 rule will probably help me having the firewall allowing traffic for me, but I wasn't really planning to allow everything in. And will deny rules have effect when the traffic allready is allowed?


_______________________________________________ [EMAIL PROTECTED] mailing list To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to