Date: Wed, 3 Sep 2008 11:18:52 -0700
From: Christopher Cowart <ccowart@rescomp.berkeley.edu>
To: Marcel Grandemange <thavinci@thavinci.za.net>
Cc: freebsd-questions@freebsd.org
Subject: Re: IPFW In FreeBSD
Message-ID: <20080903181852.GK25990@hal.rescomp.berkeley.edu>
In-Reply-To: <02be01c90da0$e03555d0$a0a00170$@za.net>
References: <02be01c90da0$e03555d0$a0a00170$@za.net>
Marcel Grandemange wrote:
> OK, so I know this is a newbie question..
>
> But I've for years now wanted to know how to only NAT certain traffic, or maybe
> only across a certain IP.
>
> I've tried many examples, all not working.. Maybe I'm just doing something
> stupid..
>
> But below is an example of a machine that is NATting everything on em0.
>
> I'd like to know how to change that to everything on, say, 196.212.65.186
> instead of the entire interface.
>
> Or better yet..
>
> Stop NATting everything and, say, only NAT web traffic.
>
> I'm having issues where certain traffic is being NATed that MUSTN'T be!

If you're running 7.0, you can ditch divert and use the built-in NAT
functionality (you can probably replace the nat rules for divert rules).

You can use source and destination ports and addresses when deciding what
to have ipfw divert/nat. They're rules just like any others.

Here's what I do:

/etc/ipfw.rules:

| CMD="/sbin/ipfw -q add"
|
| # Configure NAT
| /sbin/ipfw -q nat 1 config if inet log reset unreg_only same_ports \
|     redirect_port tcp 10.1.10.20:80 80 \
|     redirect_port tcp 10.1.10.20:443 443
|
| # loopback
| $CMD allow all from any to any via lo0
| $CMD deny log all from 127.0.0.0/8 to any
|
| # Anti-spoof
| $CMD deny log all from any to any not verrevpath in
|
| # Catch proto 41 without NATing
| $CMD allow ipv6 from any to me
|
| # Allow this box to initiate unNATed outbound connections
| $CMD allow ip from me to any keep-state
|
| # NAT
| $CMD nat 1 ip4 from any to me in via inet
| $CMD nat 1 ip4 from 10.1.10.0/24 to not me out via inet
|
| # ICMP
| $CMD allow icmp from any to any
|
| # SSH From local nets
| $CMD allow tcp from 10.1.10.0/24 to me ssh
|
| # DNS from local nets
| $CMD allow udp from 10.1.10.0/24 to me domain
|
| # DHCP from local nets
| $CMD allow udp from any to me bootps in via bridge0
| $CMD allow udp from 0.0.0.0 to 255.255.255.255 bootps in via bridge0
|
| # Deny anything else destined to me
| $CMD deny log ip from any to me
|
| # But forward any other traffic
| $CMD allow ip4 from any to any

--
Chris Cowart
Network Technical Lead
Network & Infrastructure Services, RSSP-IT
UC Berkeley
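As an added example (not the ruleset from Chris's message, and not FreeBSD project code), the sh script below shows the two selective variants Marcel asked about, using the same in-kernel ipfw nat: the nat instance is bound to one public address (`ip ...`) instead of the whole interface (`if ...`), and only HTTP/HTTPS from the LAN is passed through it, so every other flow on the outside interface is left untranslated. The outside interface em0, the LAN 10.1.10.0/24 and the public address 196.212.65.186 are taken from the question as assumptions; the rule numbers and the ipfw_rules / nat_rule_count helpers are mine. By default the script only prints the ipfw commands so the ruleset can be reviewed before it touches a live firewall.

```shell
#!/bin/sh
# Added example: selective in-kernel NAT with FreeBSD ipfw (7.x and later).
# Assumptions (illustration only): em0 is the outside interface, 10.1.10.0/24
# is the LAN, 196.212.65.186 is the public address from the question.
# Needs the ipfw_nat module on the firewall host (kldload ipfw_nat).
#
#   sh selective-nat.sh             # print the ipfw commands, change nothing
#   APPLY=yes sh selective-nat.sh   # run them

EXT_IF="${EXT_IF:-em0}"
NAT_IP="${NAT_IP:-196.212.65.186}"
LAN="${LAN:-10.1.10.0/24}"
WEB_PORTS="${WEB_PORTS:-80,443}"

# Emit the ruleset, one ipfw command per line (comment lines start with '#').
ipfw_rules() {
    cat <<EOF
/sbin/ipfw -q flush
# NAT instance tied to a single public address, not to the whole interface.
/sbin/ipfw -q nat 1 config ip $NAT_IP log same_ports
/sbin/ipfw -q add 100 allow ip from any to any via lo0
/sbin/ipfw -q add 110 deny log ip from 127.0.0.0/8 to any
# Anti-spoof: drop packets whose source is not routed back via the inbound interface.
/sbin/ipfw -q add 120 deny log ip from any to any not verrevpath in
# Only outbound HTTP/HTTPS from the LAN is translated; nothing else on $EXT_IF is.
/sbin/ipfw -q add 200 nat 1 tcp from $LAN to any $WEB_PORTS out via $EXT_IF
# Replies to those connections arrive from ports $WEB_PORTS for the public address.
/sbin/ipfw -q add 210 nat 1 tcp from any $WEB_PORTS to $NAT_IP in via $EXT_IF
# Check net.inet.ip.fw.one_pass: when it is set (the default) a packet is
# accepted as soon as a nat rule has handled it and never reaches rule 300+.
# Untranslated traffic still needs ordinary rules; tighten these to taste.
/sbin/ipfw -q add 300 allow ip from $LAN to me
/sbin/ipfw -q add 65000 allow ip from any to any
EOF
}

# Self-check that the ruleset really is selective: count the rules that
# hand packets to a nat instance (only the two web rules should).
nat_rule_count() {
    ipfw_rules | grep -c ' add [0-9]* nat '
}

if [ "${APPLY:-no}" = "yes" ]; then
    ipfw_rules | grep -v '^#' | sh
else
    ipfw_rules
fi
```

To NAT a whole LAN through the single public address instead of only web traffic, rules 200 and 210 become `nat 1 ip4 from 10.1.10.0/24 to not me out via em0` and `nat 1 ip4 from any to 196.212.65.186 in via em0`; the point is that the match part of a nat rule is an ordinary ipfw filter, so whatever it does not match is never translated.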
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20080903181852.GK25990>