Hello Friend,

First, I agree with you: the FBSD handbook documentation on firewall software sucks big time. It leads the reader into believing that ipfw is the only solution when it is not. FBSD is delivered with ipfw and IPFILTER, which are both firewall software applications. The second thing that the sparse ipfw documentation fails to say is that a firewall that does not use stateful rules is not very secure. The real show stopper is that ipfw with stateful rules using the 'keep state' option does not work when used with the divert/natd legacy sub-routine. What this means is that ipfw with stateful rules can only be used if 'user ppp -nat' is how you connect to the public internet.

IPFILTER's stateful rules work fine, and it has its own external ipnat function. I strongly recommend you drop ipfw and instead use IPFILTER, as it's the superior firewall software solution from the ease of use of stateful rules. If you use 'user ppp' to connect to the public internet and want to continue to use ipfw, I have an ipfw stateful rule set I can send you. If you want to use IPFILTER, I can send off a rule set for it also, along with links to doc sites.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Eugene Panchenko
Sent: Sunday, February 01, 2004 11:15 AM
To: [EMAIL PROTECTED]
Subject: NAT and IPFW rules

Hallo!

From reading the manpage for natd, I have a question about how to restrict IPFW access for NAT in the case when I have one computer connected directly to another one (having two NICs installed into it). That means that I don't have to care about a big private network, but rather want to narrow down the access to a single private IP address.

For NAT to work, two rules need to be added:

    ipfw add divert natd all from any to any via xl0

Can this rule be restricted (is it possible to divert not every packet)? Right now, every packet that enters/leaves the system is diverted, and sometimes the natd process eats quite a lot of processor resources. Can this be avoided? How?

    ipfw add pass all from any to any

How can this be restricted? I basically need only outgoing stuff working, that's all, and silently passing any packets from whatever location to any destination is insecure to me.

Can someone post live examples of such a setup? Waiting to hear from some gurus ;)

-- 
Eugene

_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
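The two rules from Eugene's question, narrowed as an added example that is not part of this thread: xl0 is assumed to be the public NIC, rl0 the private NIC and 192.168.1.2 the single private host (all constructed placeholders). Because the reply above warns that 'keep state' does not combine with divert/natd, it uses stateless 'established' matching for inbound TCP, and it prints the rules for review unless IPFW is pointed at the real binary.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names (constructed):
#   xl0 = public NIC, rl0 = private NIC, 192.168.1.2 = the one private host.
ext_if="xl0"
int_if="rl0"
priv_host="192.168.1.2"
# Dry-run by default: print the rules for review. Set IPFW=/sbin/ipfw to load them.
IPFW="${IPFW:-echo ipfw}"

build_rules() {
    $IPFW -f flush
    # Loopback, and never accept 127/8 on a real interface.
    $IPFW add 100 allow ip from any to any via lo0
    $IPFW add 110 deny ip from any to 127.0.0.0/8
    $IPFW add 120 deny ip from 127.0.0.0/8 to any
    # Drop anything on the public NIC that claims to come from the private
    # host (spoofed) before it can reach the divert rule.
    $IPFW add 130 deny ip from "$priv_host" to any in via "$ext_if"
    # Divert only what needs translation: outbound packets from the one
    # private host, and inbound packets addressed to this box on the public
    # NIC. Everything else (e.g. the firewall's own outbound traffic) skips natd.
    $IPFW add 200 divert natd ip from "$priv_host" to any out via "$ext_if"
    $IPFW add 210 divert natd ip from any to me in via "$ext_if"
    # Private side: only the one host may talk through rl0.
    $IPFW add 300 allow ip from "$priv_host" to any via "$int_if"
    $IPFW add 310 allow ip from any to "$priv_host" via "$int_if"
    # Outbound on the public NIC is allowed (already translated by rule 200).
    $IPFW add 400 allow ip from any to any out via "$ext_if"
    # Inbound on the public NIC (after translation by rule 210): replies only.
    # 'established' matches TCP packets with ACK or RST set, so no new
    # connections can be opened from outside.
    $IPFW add 500 allow tcp from any to any in via "$ext_if" established
    $IPFW add 510 allow udp from any 53 to any in via "$ext_if"
    $IPFW add 520 allow icmp from any to any in via "$ext_if" icmptypes 0,3,11
    # Default: log and drop, instead of 'pass all from any to any'.
    $IPFW add 65000 deny log ip from any to any
}

# Count the generated rules so a caller can sanity-check the set.
rule_count() {
    build_rules | grep -c ' add '
}

build_rules
```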