From: Frank Leonhardt <freebsd-doc@fjl.co.uk>
To: freebsd-questions@freebsd.org
Date: Mon, 17 Mar 2014 13:35:55 +0000
Subject: Controlling WAN access using natd/ipfw
Message-ID: <5326FA3B.7080006@fjl.co.uk>

I can see a few strategies for doing this, but as I'm about to change a firewall remotely I'd rather have a definitive working example for obvious reasons... :-)

The setup is simple. natd and ipfw are currently sharing a public /29 with a private /24. Everything on the LAN can currently do anything it likes through the gateway.
I want to stop anything on the LAN between 192.168.1.50 and 192.168.1.100 (for example) from getting through the gateway (they can use the proxy). Everything else should be business as usual.

Current ipfw script is:

    /sbin/ipfw add divert natd all from any to any via rl0
    /sbin/ipfw add pass all from any to any

Which, as a sanity check, leads to:

    00100 divert 8668 ip from any to any via rl0
    00200 allow ip from any to any
    65535 deny ip from any to any

I'm having a brain storm here. Should rule 50 be "deny ip from 192.168.1.50-192.168.1.100 to any"? I don't even know if it'll buy that kind of IP address list (I suspect not). I know it does CIDR but the range doesn't suit, or a table (which I've never used before, but if I've got the syntax I might just as well add multiple rules as table entries in this case). And I'm completely not sure about what natd does to all of this - never been there before.

So - can anyone tell me EXACTLY the line I need? It's four hours of driving if I get it wrong...

As a supplementary question, presumably I can add a port number after the source specification to block individual ports?

Thanks, Frank.
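An added worked example, written here as an editor's answer to the question above; it is not from Frank's post, the list reply, or the FreeBSD handbook. It assumes rl0 is the WAN interface, 192.168.1.0/24 is the LAN, table number 1 is free, and the rule numbers 50/100/200 follow the posted "ipfw list" output. It only prints the ipfw commands instead of running them, so the output can be read and diffed before it is applied on a remote box. Two points it shows: ipfw(8)'s address-set syntax base/masklen{list} matches an arbitrary host range inside a block (192.168.1.0/24{50-100}) without any CIDR decomposition, and the deny must sit before the divert rule and carry "out via rl0", because on the outbound path the packet still has its private source address at rule 50 (natd rewrites it at rule 100) and traffic to the proxy or to the gateway's own LAN address never leaves via rl0, so those hosts keep proxy access. For anyone preferring a table, range2cidr splits the range into the fewest CIDR blocks for "ipfw table 1 add". On the supplementary question: a port written after the source address matches the source port; to block a destination service the port goes after the destination, as emit_port_rule shows.

```shell
#!/bin/sh
# Added example (not from the original post). Prints ipfw commands for review;
# nothing here touches the live ruleset. Assumed: rl0 = WAN interface,
# 192.168.1.0/24 = LAN, natd on its default divert port as in the posted output.

WAN_IF=rl0
# ipfw(8) address set: base/masklen{list}, where list holds host numbers and
# ranges inside the block, so the range 50-100 needs no CIDR split.
BLOCKED_HOSTS='192.168.1.0/24{50-100}'

# Dotted quad -> 32-bit integer, POSIX sh arithmetic only.
ip2int() {
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Greedy split of an inclusive IPv4 range into the fewest CIDR blocks, one per
# line. Useful for feeding an ipfw table, whose membership can then be changed
# without touching rule 50 itself.
range2cidr() {
    _s=$(ip2int "$1"); _e=$(ip2int "$2")
    while [ "$_s" -le "$_e" ]; do
        _bits=32
        # widen the block while it stays aligned on its size and inside the range
        while [ "$_bits" -gt 0 ]; do
            _size=$(( 1 << (33 - _bits) ))
            if [ $(( _s % _size )) -ne 0 ] || [ $(( _s + _size - 1 )) -gt "$_e" ]; then
                break
            fi
            _bits=$(( _bits - 1 ))
        done
        echo "$(int2ip "$_s")/$_bits"
        _s=$(( _s + (1 << (32 - _bits)) ))
    done
}

# Rule set with the deny ahead of the divert. Outbound LAN packets reach rule 50
# with their private source still in place (natd rewrites it at rule 100), and
# "out via $WAN_IF" leaves LAN-bound traffic (proxy, gateway itself) untouched.
emit_rules() {
    echo "/sbin/ipfw add 50 deny ip from $BLOCKED_HOSTS to any out via $WAN_IF"
    echo "/sbin/ipfw add 100 divert natd all from any to any via $WAN_IF"
    echo "/sbin/ipfw add 200 pass all from any to any"
}

# Same block expressed as a lookup table (table 1 assumed free): add or delete
# table entries later without re-adding the rule.
emit_table_rules() {
    range2cidr 192.168.1.50 192.168.1.100 | while read -r _net; do
        echo "/sbin/ipfw table 1 add $_net"
    done
    echo "/sbin/ipfw add 50 deny ip from table(1) to any out via $WAN_IF"
}

# Per-port variant: the number after the destination is the destination port;
# a number after the source address would match the source port instead.
emit_port_rule() {
    echo "/sbin/ipfw add 50 deny tcp from $BLOCKED_HOSTS to any $1 out via $WAN_IF"
}

emit_rules
```

Because "ipfw add 50 ..." inserts one rule into the live set without flushing anything, an administrator's own SSH session arriving on rl0 from outside the blocked range is unaffected; even so, on a remote box start a background safety net such as "sleep 600 && /sbin/ipfw delete 50" before applying the rule and kill it once the change is confirmed to behave.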