Date:      Sun, 28 Jun 2009 23:41:25 -0400
From:      "Systems Engineering Group" <>
Subject:   Re: Any *Working* Examples of kernel-based (IPFW2-based) NAT onFreeBSD 7.1-STABLE?
Message-ID:  <1246246885.8710.239.camel@localhost>
References:  <> <1246244218.8710.237.camel@localhost>

The natd command should use the -interface switch, or -n; however, the
best way to become informed about natd is to simply run `man natd` and
read the part about "Running natd," because you will get more out of it.

man ipfw is also very informative.

On Sun, 2009-06-28 at 22:56 -0400, Systems Engineering Group wrote:
> I don't know why you are attempting to be so "elegant" (which is a
> smart-guy way of saying making something more complex by leaving out
> certain things that are still relevant, but "messy" as an experienced
> person would see it) if you are new to the methods.
> First, you need to make sure that natd is doing its job, by making sure
> that you have natd turned on, and that it is using the correct
> interface.
> Second, when you have verified that the natd configuration is accurate
> and usable, the kernel needs to be verified to have the correct options,
> and that the ipfw rules are set up.
> You only need divert, and ipfirewall, with ipfirewall_verbose if you
> want logging.
> With these kernel options in place, you need to compile and install the
> kernel correlative to these installed kernel options for the firewalling
> functionality, with diversion, to work.
> Given these aspects of the system are installed, then you only need to
> place a natd divert rule into the script for your ipfw-centric firewall.
> An example would be to start natd with the following included in either
> commandline options, or config file referenced at commandline call to
> natd (natd -f /path/to/natd/config) 
> at the commandline, or requisite init script: natd -i $divert_iface -d
> This should start natd with the -i switch giving indication to natd what
> device is used to be translated (from/to).
> After verification of initialization of the natd daemon via `sockstat |
> grep natd` you should then test divert rules within your ipfw script, or
> via dynamic rules that you set at the commandline.
> The simplest way to test the operation of the divert rules is to do the
> following.
> ipfw add 100 pass log tcp from any to any in via $divert_iface
> # The traffic coming into the external ip address will be "diverted" to
> # the internal network ip range.
> ipfw add 200 divert natd ip from any to any in via $divert_iface
> ##
> # Rules 201-499 will be used to filter on the internal addresses after
> # being mangled by the kernel.
> # They will now look like they are going to the internal address, not
> # the external ip address, so internal-ip-based
> # rules will be effective at this time.
> ##
> # This rule will divert traffic going from the internal network to the
> # external network
> ipfw add 500 divert natd ip from any to any out via $divert_iface
> This is a very brief view of an example that works with FreeBSD.
> I would stay away from the complex "elegant" solutions that you
> referenced in your original post, on or about June 14th, until you
> verify that your solution is working properly.
> Check out the handbook, and the information on firewalling on
> and the FreeBSD handbook.
> I am just doing a datadump of my own experience right now, so if you
> have any further questions, then just post them and we can take a look.
> The setup is not very difficult, once you have the basics down.
> I have about thirty rules in my script, but about 20 of them have to do
> with filtering different stuff, which is merely skipto to a deletion
> rule with logging.  
> ipfw and natd are not very difficult to use; however, that simplicity is
> also what makes it such a powerful network appliance solution.  I have
> heard that ipnat + netfilter is supposedly a more powerful solution,
> because ipnat does certain things better than natd; however, that is
> something for further exploration, and I have not had a need to do so,
> as of yet.
> I hope this assists you in your setup endeavor.
> Respectfully,
> Martes
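The rule order the quoted post lays out (test rule, inbound divert, internal-address filters in 201-499, outbound divert) plus the sockstat check, as an added shell example that is not code from this thread. It assumes the external interface and LAN range are passed as arguments, rule 300 is a constructed sample for the 201-499 filter band, and IPFW=echo previews the rules instead of loading them.

```shell
#!/bin/sh
# Added example, not code from the original thread.  Emits the ipfw rule set
# in the order the quoted post describes and checks that natd holds a divert
# socket.  Assumptions: $1 is the external (NAT) interface, $2 the LAN range;
# rule 300 is a constructed sample filter; IPFW overrides the ipfw binary.

# Emit the rules for external interface $1 and LAN range $2, in load order.
nat_rules() {
    iface="$1"; lan="$2"
    # Rule 100 is the post's test rule: it accepts and logs all inbound TCP on
    # the external interface before NAT, so it bypasses every rule below it.
    # Remove it once the divert rules are verified.
    # Rule 300 (constructed) runs after natd has rewritten inbound packets:
    # anything still not addressed to the LAN had no NAT mapping, so deny it.
    printf '%s\n' \
        "add 100 pass log tcp from any to any in via $iface" \
        "add 200 divert natd ip from any to any in via $iface" \
        "add 300 deny log ip from any to not $lan in via $iface" \
        "add 500 divert natd ip from any to any out via $iface"
}

# Load the rules with ipfw, or with whatever IPFW names (IPFW=echo previews).
apply_nat_rules() {
    nat_rules "$1" "$2" | while read -r rule; do
        # shellcheck disable=SC2086  # splitting the rule into words is intended
        "${IPFW:-/sbin/ipfw}" $rule
    done
}

# Read `sockstat -4` output on stdin; succeed only if natd holds a divert
# socket.  Column 2 is COMMAND, column 5 is PROTO ("div4" for divert), which
# is stricter than the post's `sockstat | grep natd`.
natd_divert_listening() {
    awk '$2 == "natd" && $5 ~ /^div/ { found = 1 } END { exit !found }'
}

# Preview without touching the firewall:
#   IPFW=echo sh -c '. ./thisfile; apply_nat_rules em0 192.168.1.0/24'
```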
