Date:      Mon, 12 Mar 2012 03:43:10 +1100 (EST)
From:      Ian Smith <>
To:        Da Rock <>
Subject:   Re: newbie IPFW user
Message-ID:  <>
In-Reply-To: <>
References:  <> <> <> <> <>

On Sun, 11 Mar 2012 08:55:53 +1000, Da Rock wrote:
 > On 03/11/12 02:28, Ian Smith wrote:
 > > On Sat, 10 Mar 2012 23:05:11 +1000, Da Rock wrote:
 > >   >  On 03/10/12 19:47, Julian Elischer wrote:
 > >   >  >  On 3/9/12 6:39 AM, Da Rock wrote:
 > >   >  I'm using it for voip currently (and vpn on the same client): voip requires
 > >   >  5060 remote _and_ connection ports, and needs to be forwarded as is
 > >   >  (excepting ip address) and not appear to be natted so as not to confuse the
 > >   >  client. VPN uses 500/4500 and requires an untouched packet payload (ipsec).
 > > 
 > > So this particular box has its own unique external routable IP address,
 > > distinct from the router's external IP?  Does it also want to do regular
 > > NAT for other than VoIP/VPN port traffic?  Just trying to follow ..

 > NP. I have only one external address (considered more, but nothing has quite
 > convinced me as yet to part with more moula for them), and the binat only
 > works for these services (ipsec/l2tp/vpn/voip), but essentially it appears
 > this box is in the open - directly on the external address. However, I can
 > still send other services (smtp/imap/www/dns) to other boxes.

Ah, I thought pf.conf(5) implied it was for a separate external address?  

So apart from needing static NAT for those services it's pretty standard 
looks like?  I haven't done just that myself so should shuttup here, but 
would likely tend to use a separate nat instance for those, with some 
rules before and after the NAT to keep that traffic distinct from the 
more general mapping for other clients, to be sure other clients don't 
get to use those ports 'accidentally' (beating same_ports to the punch)

 > The firewall is also running the show with ppp as well, the modem is running
 > 'dumb'.

Way to go.  I prefer mpd for PPPoE, toss a coin.

 > From other posts, I'd say static NAT could be what I'm looking for. I'll give
 > it a shot anyway...

Let us know.

 > >   >  Are there any sources for documentation on the advanced uses of ipfw?
 > >   >  I stumbled on just one that goes into more detail so far
 > >   >
 > > 
 > > I vaguely recall that one from years ago.  " could
 > > not be found. Please check the name and try again." tonight anyway.

 > I said this before: what can I say? It works for me... :) I just used it
 > tonight, so I can't say what would be going on (planets aligned, or
 > something?).

Or something.  Even digging @ its listed primary nameserver is broken.

; <<>> DiG 9.6.-ESV-R3 <<>> @NS1.ERUDITION.NET any
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 5627
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;             IN      ANY

But google found from Romania :)

This looks very like one of Joe Barbish's expositions; it contains many 
of the same factual errors and questionable advice as the IPFW section 
in the Handbook, and it only covers FreeBSD 4 anyway.  Truly, ipfw(8) is 
pretty near complete and authoritative, and rc.firewall is a much better 
basis for a good firewall; a smart boy like you can handle the truth :)

cheers, Ian

[PS whitespace, like a smile, costs nothing; who prints email anymore?]
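As an added illustration of the layout Ian sketches above (a separate nat instance for the VoIP/VPN box, with rules before and after the NAT so other clients cannot claim those ports), here is a small ruleset generator. It is not code from this thread, from Da Rock's box, or from FreeBSD's rc.firewall. The interface names (tun0, em0), addresses (203.0.113.10, 192.168.1.0/24, 192.168.1.20), rule numbers and the rule_order helper are all constructed placeholders; the "after NAT" rules rely on net.inet.ip.fw.one_pass being set to 0, which ipfw(8) documents as the way to let a translated packet continue through the ruleset.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD: emits an ipfw
# ruleset with one nat instance dedicated to the VoIP/VPN host (fixed port
# mappings, payload untouched), a second instance for every other client,
# and rules placed before and after each nat so the general instance can
# never end up owning 5060/500/4500. Addresses, interface names and rule
# numbers are constructed placeholders; override them via the environment.

EXT_IF="${EXT_IF:-tun0}"                 # PPPoE link brought up by ppp/mpd
EXT_IP="${EXT_IP:-203.0.113.10}"         # the single routable address
LAN_IF="${LAN_IF:-em0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
VOIP_HOST="${VOIP_HOST:-192.168.1.20}"   # box running the SIP and IPsec clients
SVC_PORTS="5060,500,4500"                # SIP, IKE, IPsec NAT-T

# Emit the ruleset in the format ipfw(8) reads from a file: one subcommand
# per line, without the leading "ipfw". The rules assume the sysctl
# net.inet.ip.fw.one_pass=0, so a translated packet keeps walking the
# ruleset and is filtered again after translation (rules 110, 130, 210, 220).
gen_ruleset() {
    # Dedicated instance: the service ports are pinned to VOIP_HOST in both
    # directions, so only the address changes and the payload is untouched.
    echo "nat 1 config ip $EXT_IP same_ports" \
         "redirect_port udp $VOIP_HOST:5060 5060" \
         "redirect_port udp $VOIP_HOST:500 500" \
         "redirect_port udp $VOIP_HOST:4500 4500"
    # General instance; its same_ports is exactly what would otherwise let
    # some other client claim 5060/500/4500 on EXT_IP first.
    echo "nat 2 config ip $EXT_IP same_ports unreg_only"

    echo "add 10 allow ip from any to any via lo0"
    echo "add 20 allow ip4 from any to any via $LAN_IF"
    # Replies to the firewall host's own sessions (dynamic rules created by
    # rule 150); client sessions never create dynamic rules, so this cannot
    # short-circuit their translation.
    echo "add 90 check-state"

    # Before the general mapping: service traffic is steered to instance 1.
    echo "add 100 nat 1 udp from any to $EXT_IP $SVC_PORTS in via $EXT_IF"
    # After translation the destination is VOIP_HOST; nothing else produces
    # such a packet on EXT_IF, so it is safe to accept here.
    echo "add 110 allow udp from any to $VOIP_HOST $SVC_PORTS in via $EXT_IF"
    echo "add 120 nat 1 udp from $VOIP_HOST $SVC_PORTS to any out via $EXT_IF"
    echo "add 130 allow udp from $EXT_IP $SVC_PORTS to any out via $EXT_IF"
    # Any other LAN host sourcing those ports is dropped before it can reach
    # instance 2 (the 'accidental' use Ian mentions); the log entry is the
    # tell-tale for a misconfigured client.
    echo "add 140 deny log udp from $LAN_NET $SVC_PORTS to any out via $EXT_IF"
    # The firewall host's own outbound traffic, kept stateful for rule 90.
    echo "add 150 allow ip4 from $EXT_IP to any out via $EXT_IF keep-state"

    # General mapping for everything else crossing the external link.
    echo "add 200 nat 2 ip4 from any to any via $EXT_IF"
    # After translation: outbound packets now carry EXT_IP as source and
    # inbound packets belonging to an active session carry a LAN destination.
    echo "add 210 allow ip4 from $EXT_IP to any out via $EXT_IF"
    echo "add 220 allow ip4 from any to $LAN_NET in via $EXT_IF"
    # Inbound packets instance 2 did not translate still have EXT_IP as
    # destination: unsolicited, so they fall through to the final deny.
    echo "add 65000 deny log ip from any to any"
}

# Rule numbers in emission order, so the before/after ordering can be checked.
rule_order() {
    gen_ruleset | awk '/^add /{printf "%s ", $2}'
}

gen_ruleset
```

Save the output to a file and load it with `ipfw -q /path/to/file` after flushing the old set; set net.inet.ip.fw.one_pass=0 first or the post-translation rules are never reached. The thread only mentions the signalling ports, so this covers SIP, IKE and NAT-T; RTP media ports and raw ESP (when NAT-T is not negotiated) are not handled and would need their own treatment.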
