Message-ID: <5484649E.8040208@nileshgr.com>
Date: Sun, 07 Dec 2014 20:00:54 +0530
From: Nilesh Govindrajan
To: freebsd-questions@freebsd.org
Subject: Re: IPFW NAT with filtering
References: <54841B6D.7030901@nileshgr.com>
In-Reply-To: <54841B6D.7030901@nileshgr.com>

On Sunday 07 December 2014 02:48 PM, Nilesh Govindrajan wrote:
> Hi,
>
> I'm trying to implement NAT using IPFW for jails. Each jail has an ip in
> 10.0.0.0/8 subnet, I want to NAT from that private range.
>
> The server has multiple public IPs and some jails may have direct
> assignment of public ip.
>
> I'm using workstation in firewall_type and I tried this:
>
> ipfw add 49 nat 123 from any to in
> ipfw add 50 nat 123 from 10.0.0.0/8 to any out via
> ipfw nat 123 config ip
>
> Then there are rules inserted by rc.firewall
>
> This doesn't work and I'm a bit clueless as to why it doesn't.
>
> I should be able to restrict the outgoing traffic (i.e., limit the
> outgoing ports to 22,80,443,etc -- preventing torrents / etc).
>
> Where am I going wrong?
>

Never mind, figured it out.