Date: Mon, 17 Mar 2014 13:35:55 +0000
From: Frank Leonhardt <freebsd-doc@fjl.co.uk>
To: "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>
Subject: Controlling WAN access using natd/ipfw
Message-ID: <5326FA3B.7080006@fjl.co.uk>
I can see a few strategies for doing this, but as I'm about to change a firewall remotely I'd rather have a definitive working example for obvious reasons... :-)

The setup is simple. natd and ipfw are currently sharing a public /29 with a private /24. Everything on the LAN can currently do anything it likes through the gateway. I want to stop anything on the LAN between 192.168.1.50 and 192.168.1.100 (for example) from getting through the gateway (they can use the proxy). Everything else should be business as usual.

Current ipfw script is:

    /sbin/ipfw add divert natd all from any to any via rl0
    /sbin/ipfw add pass all from any to any

Which, as a sanity check, leads to:

    00100 divert 8668 ip from any to any via rl0
    00200 allow ip from any to any
    65535 deny ip from any to any

I'm having a brain storm here. Should rule 50 be "deny ip from 192.168.1.50-192.168.1.100 to any"? I don't even know if it'll buy that kind of IP address list (I suspect not). I know it does CIDR but the range doesn't suit, or a table (which I've never used before, but if I've got the syntax I might just as well add multiple rules as table entries in this case). And I'm completely not sure about what natd does to all of this - never been there before.

So - can anyone tell me EXACTLY the line I need? It's four hours of driving if I get it wrong...

As a supplementary question, presumably I can add a port number after the source specification to block individual ports?

Thanks, Frank.
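A constructed helper, added here and not part of Frank's post or the ipfw project, that does the range-to-CIDR arithmetic the question describes and prints table-based ipfw rules. It assumes FreeBSD 9/10-era ipfw syntax, takes the rl0 interface and rule numbers from the post, and uses table number 1 as an arbitrary choice; it only prints the commands and loads nothing into the kernel.

```shell
#!/bin/sh
# Constructed example: turn a host range into aligned CIDR blocks and emit
# ipfw commands that load them into a lookup table and deny WAN egress.
# Assumes FreeBSD 9/10-era ipfw syntax; rl0 and rule 50 come from the
# question, table number 1 is an arbitrary choice.

# Dotted quad -> 32-bit integer.
ip2int() {
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Print the minimal list of CIDR blocks covering an inclusive IP range.
# At each step the largest block that is aligned at the current address
# and does not overshoot the end of the range is emitted.
range_to_cidr() {
    cur=$(ip2int "$1"); last=$(ip2int "$2")
    while [ "$cur" -le "$last" ]; do
        plen=32
        while [ "$plen" -gt 0 ]; do
            size=$(( 1 << (33 - plen) ))   # block size if the prefix shrinks by one bit
            if [ $(( cur % size )) -ne 0 ] || [ $(( cur + size - 1 )) -gt "$last" ]; then
                break
            fi
            plen=$(( plen - 1 ))
        done
        echo "$(int2ip "$cur")/$plen"
        cur=$(( cur + (1 << (32 - plen)) ))
    done
}

# Emit the ipfw commands. The deny rule is numbered 50 so it is evaluated
# before the divert-to-natd rule (100), and "out via rl0" limits it to
# traffic leaving on the WAN interface, so those hosts can still reach the
# gateway's own proxy on the LAN side.
ipfw_block_range() {
    range_to_cidr "$1" "$2" | while read -r cidr; do
        echo "/sbin/ipfw table 1 add $cidr"
    done
    echo "/sbin/ipfw add 50 deny ip from 'table(1)' to any out via rl0"
}

ipfw_block_range 192.168.1.50 192.168.1.100
```

For 192.168.1.50 to 192.168.1.100 the range splits into six blocks (/31, /30, /29, /27, /30, /32), which is why a single CIDR did not fit and a table is the tidy alternative to six separate deny rules.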