Date: Thu, 11 Jun 2015 19:49:06 -0700
From: John Reynolds <johnjen@reynoldsnet.org>
To: freebsd-net@freebsd.org
Subject: question on NAT + IPFW
Message-ID: <557A48A2.4090805@reynoldsnet.org>
Hello all,

I've read in sections 30.4.4 and 30.4.3 of the handbook about using IPFW and I've got some clarification questions.

1) When you're using any sort of firewall rules outside the open/client/simple/closed, etc. pre-canned types in rc.firewall, but instead using rules from a file, the way I read the handbook, you MUST use specific "nat" rules (divert natd) in your ipfw file along with setting "natd_enable" to YES. Correct?

2) In the example found in 30.4.4 where it is using "stateful" rules, it made specific mention that the "nat" stuff needed to be placed after the rules to allow traffic in on the trusted interface but before the "check-state" rule. Given that, if I wanted to completely block off one of my local addresses, would I also do it *before* the "divert natd" rule? I have a situation where I need to just simply "block all traffic" from some teenagers' mobile devices after a certain period of the day (don't ask .... teenagers......). So, would that rule look like this:

    $cmd 005 allow all from any to any via xl0                  # exclude LAN traffic
    $cmd 010 allow all from any to any via lo0                  # exclude loopback traffic
    $cmd 020 deny log all from 192.168.1.20 to any via xl0      # new rule
    $cmd 100 divert natd ip from any to any in via $pif         # NAT any inbound packets
    $cmd 101 check-state

(assuming 192.168.1.20 was the internal IP address for the mobile device I want to thwart)

Would this accomplish what I'm hoping for? I currently don't have any real FW to speak of--ipfw is there but the type is "open," so I'm trying to learn as I go along in order to set up an actual firewall for this box @ the same time.

Thanks in advance,
-Jr
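As an added example (not part of John's mail or of the FreeBSD handbook), a dry-run shell script that emits a rule set with the per-host deny placed ahead of the blanket LAN allow: ipfw is first-match, so a deny numbered after an allow that already matches the packet on the same interface is never reached. The interface name em0, the single blocked address and the DRY_RUN switch are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the handbook's rc.firewall. Emits ipfw rules in an order
# where the per-host deny comes first; ipfw stops at the first matching rule,
# so a deny placed after "allow ... via xl0" would never fire for that host.
pif="em0"                 # assumed public (NAT) interface
lif="xl0"                 # LAN interface, as in the mail
blocked="192.168.1.20"    # constructed: internal host to cut off

# Dry run by default: print the commands instead of loading them. On a
# FreeBSD box with natd_enable=YES, run with DRY_RUN=0 to load them.
DRY_RUN="${DRY_RUN:-1}"
cmd() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "ipfw -q add $*"
    else
        ipfw -q add "$@"
    fi
}

gen_rules() {
    # Per-host deny first and without "via", so it matches the packet both
    # arriving on the LAN side and leaving via $pif before outbound NAT.
    for h in $blocked; do
        cmd 001 deny log ip from "$h" to any
    done
    cmd 005 allow ip from any to any via "$lif"            # trusted LAN traffic
    cmd 010 allow ip from any to any via lo0               # loopback
    cmd 100 divert natd ip from any to any in via "$pif"   # un-NAT inbound
    cmd 101 check-state
    # ... remaining stateful rules and the outbound divert follow here ...
}

# Returns 0 when the first emitted rule that mentions host $1 is a deny,
# i.e. the host is blocked before any allow could match it.
deny_precedes_allow() {
    gen_rules | grep -m1 " $1 " | grep -q " deny "
}
```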