From: Robert Huff <roberthuff@rcn.com>
To: ipfw@freebsd.org
Cc: roberthuff@rcn.com
Date: Fri, 30 Apr 2010 04:58:11 -0400
Subject: help wanted with NAT under ipfw
Message-ID: <19418.39843.266203.180601@jerusalem.litteratus.org>
List-Id: IPFW Technical Discussions (freebsd-ipfw@freebsd.org)

I have been trying to get NAT working under ipfw on:

    FreeBSD 9.0-CURRENT #0: Fri Apr 23 11:34:17 EDT 2010 amd64

and failing. The ipfw part works fine. I'm using:

    ipfw_load="YES"
    ipfw_nat_load="YES"     # in-kernel ipfw nat
    libalias_load="YES"     # for in-kernel ipfw nat

My ipfw rules are appended.
However, the moment I do this:

    ipfw add 5000 nat 15 all from any to any
    ipfw nat 15 config log same_ports if em0

the machine is cut off from the outside world. Removing that rule makes things right again. (Obviously checking whether NAT is happening is useless.)

I've read the man page; I've read the Handbook. Neither is helpful.

What am I doing wrong?

Respectfully,
Robert Huff

    00100 7620493 3374930631 allow ip from any to any via lo0
    00200 0 0 deny ip from any to 127.0.0.0/8
    00300 0 0 deny ip from 127.0.0.0/8 to any
    00350 71122 27155575 allow udp from any 67-68 to any dst-port 67-68
    06000 0 0 deny log tcp from any to any dst-port 137 in via em0
    06050 32 3000 deny log udp from any to any dst-port 137 in via em0
    06100 0 0 deny log tcp from any to any dst-port 138 in via em0
    06150 1597 382354 deny log udp from any to any dst-port 138 in via em0
    06200 0 0 deny log tcp from any to any dst-port 139 in via em0
    06250 0 0 deny log udp from any to any dst-port 139 in via em0
    07000 0 0 deny log tcp from any to any dst-port 111 in via em0
    07050 0 0 deny log udp from any to any dst-port 111 in via em0
    07100 0 0 deny log tcp from any to any dst-port 530 in via em0
    07150 0 0 deny log udp from any to any dst-port 530 in via em0
    07200 0 0 deny log logamount 100 tcp from any to any dst-port 161 in recv em0
    07225 0 0 deny log logamount 100 udp from any to any dst-port 161 in recv em0
    07250 0 0 deny log logamount 100 tcp from any to any dst-port 162 in recv em0
    07275 0 0 deny log logamount 100 udp from any to any dst-port 162 in recv em0
    07300 0 0 deny log tcp from any to any dst-port 194
    07310 0 0 deny log udp from any to any dst-port 194
    07320 0 0 deny log tcp from any to any dst-port 529
    07330 0 0 deny log udp from any to any dst-port 529
    07340 0 0 deny log tcp from any to any dst-port 994
    07350 0 0 deny log udp from any to any dst-port 994
    07360 129 5160 deny log tcp from any to any dst-port 6667
    07370 3 603 deny log udp from any to any dst-port 6667
    10000 2013254 824670340 allow tcp from any to any established
    10100 234210 17681782 allow ip from any to any out via em0
    10200 265 12720 allow tcp from 10.0.0.0/8 to any dst-port 80
    10300 0 0 allow tcp from any 80 to any dst-port 1024-65535 via em0
    10400 0 0 allow tcp from any 443 to any dst-port 1024-65535 via em0
    10500 0 0 deny log tcp from any 1024-65535 to any dst-port 80 via em0
    10600 0 0 deny log tcp from any 1024-65535 to any dst-port 443 via em0
    65000 253161 38669952 allow ip from any to any
    65535 12 1157 deny ip from any to any
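The following is an added example from the editor, not code from the post above or from the FreeBSD project: it writes out the canonical ipfw in-kernel NAT setup as ipfw(8) documents it, with the nat instance configured before the rule that references it, the nat rule scoped to the outside interface, and the checks ipfw(8) provides for seeing whether translation is actually taking place. Interface em0, instance number 15 and rule number 5000 are taken from the post; the `reset` option and the dry-run wrapper are the editor's assumptions. It is offered as the ordering and the checks a practitioner would compare against, not as a diagnosis of the failure described above.

```sh
#!/bin/sh
# Added example (editor's code, not from the post or from FreeBSD).
# Canonical ordering and scoping for ipfw in-kernel NAT, plus the
# checks ipfw(8) offers for confirming that translation happens.
# em0, nat instance 15 and rule 5000 match the post; everything else
# (the 'reset' option, the dry-run wrapper) is an assumption.

OIF="${OIF:-em0}"              # outside (public) interface
NAT_ID="${NAT_ID:-15}"         # nat instance number
NAT_RULE="${NAT_RULE:-5000}"   # rule number carrying the nat action

# With IPFW_DRY_RUN=1 the commands are printed instead of executed, so
# the ordering can be reviewed on any machine, even one without ipfw.
run() {
    if [ "${IPFW_DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

nat_setup() {
    # The box must forward for the hosts behind it; ipfw nat does not
    # turn forwarding on by itself.
    run sysctl net.inet.ip.forwarding=1

    # Configure the instance FIRST. In the FreeBSD 8/9 in-kernel NAT
    # code an 'ipfw add ... nat N' rule denies every packet it matches
    # for as long as instance N does not exist, so adding the rule
    # before the config command blackholes traffic in between.
    # 'reset' flushes the alias table when the address of $OIF changes
    # (e.g. DHCP); 'same_ports' keeps source ports where possible.
    run ipfw nat "$NAT_ID" config if "$OIF" log same_ports reset

    # Scope the nat rule to the outside interface. A bare
    # 'nat 15 all from any to any' hands traffic on every interface to
    # the translator; 'via em0' limits it to packets that actually
    # cross the outside interface, in either direction.
    run ipfw add "$NAT_RULE" nat "$NAT_ID" ip from any to any via "$OIF"
}

nat_check() {
    # one_pass=1 (the default) accepts a packet as soon as nat has
    # handled it; with one_pass=0 the translated packet continues at
    # the next rule and must still be allowed further down.
    run sysctl net.inet.ip.fw.one_pass
    # Per-instance state: does the config match what was intended, and
    # does the log (enabled by 'log' above) show translated sessions?
    run ipfw nat "$NAT_ID" show config
    run ipfw nat "$NAT_ID" show log
    # Packet and byte counters on the nat rule itself.
    run ipfw show "$NAT_RULE"
}

# Only act when asked, so running the file without arguments (or
# sourcing it) changes nothing on the host.
case "${1:-}" in
    apply) nat_setup ;;
    check) nat_check ;;
    plan)  IPFW_DRY_RUN=1; nat_setup; nat_check ;;
esac
```

Run it with `plan` to print the commands in order, `apply` on the firewall itself, then `check`; if `ipfw nat 15 show log` stays empty while `ipfw show 5000` counts packets, the rule is matching but the instance is not translating, which points at the instance config rather than at the ruleset.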