help wanted with NAT under ipfw
Robert Huff
roberthuff at rcn.com
Fri Apr 30 08:58:47 UTC 2010
I have been trying to get NAT working under ipfw on:
FreeBSD 9.0-CURRENT #0: Fri Apr 23 11:34:17 EDT 2010 amd64
and failing.
The ipfw part works fine. I'm using:
ipfw_load="YES"
ipfw_nat_load="YES" # in-kernel ipfw nat
libalias_load="YES" # for in-kernel ipfw nat
My ipfw rules are appended.
However, the moment I do this:
ipfw add 5000 nat 15 all from any to any
ipfw nat 15 config log same_ports if em0
the machine is cut off from the outside world. Removing that
rule makes things right again. (Obviously checking whether NAT is
happening is useless.)
I've read the man page; I've read the Handbook. Neither is
helpful.
What am I doing wrong?
Respectfully,
Robert Huff
00100 7620493 3374930631 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00350 71122 27155575 allow udp from any 67-68 to any dst-port 67-68
06000 0 0 deny log tcp from any to any dst-port 137 in via em0
06050 32 3000 deny log udp from any to any dst-port 137 in via em0
06100 0 0 deny log tcp from any to any dst-port 138 in via em0
06150 1597 382354 deny log udp from any to any dst-port 138 in via em0
06200 0 0 deny log tcp from any to any dst-port 139 in via em0
06250 0 0 deny log udp from any to any dst-port 139 in via em0
07000 0 0 deny log tcp from any to any dst-port 111 in via em0
07050 0 0 deny log udp from any to any dst-port 111 in via em0
07100 0 0 deny log tcp from any to any dst-port 530 in via em0
07150 0 0 deny log udp from any to any dst-port 530 in via em0
07200 0 0 deny log logamount 100 tcp from any to any dst-port 161 in recv em0
07225 0 0 deny log logamount 100 udp from any to any dst-port 161 in recv em0
07250 0 0 deny log logamount 100 tcp from any to any dst-port 162 in recv em0
07275 0 0 deny log logamount 100 udp from any to any dst-port 162 in recv em0
07300 0 0 deny log tcp from any to any dst-port 194
07310 0 0 deny log udp from any to any dst-port 194
07320 0 0 deny log tcp from any to any dst-port 529
07330 0 0 deny log udp from any to any dst-port 529
07340 0 0 deny log tcp from any to any dst-port 994
07350 0 0 deny log udp from any to any dst-port 994
07360 129 5160 deny log tcp from any to any dst-port 6667
07370 3 603 deny log udp from any to any dst-port 6667
10000 2013254 824670340 allow tcp from any to any established
10100 234210 17681782 allow ip from any to any out via em0
10200 265 12720 allow tcp from 10.0.0.0/8 to any dst-port 80
10300 0 0 allow tcp from any 80 to any dst-port 1024-65535 via em0
10400 0 0 allow tcp from any 443 to any dst-port 1024-65535 via em0
10500 0 0 deny log tcp from any 1024-65535 to any dst-port 80 via em0
10600 0 0 deny log tcp from any 1024-65535 to any dst-port 443 via em0
65000 253161 38669952 allow ip from any to any
65535 12 1157 deny ip from any to any
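An added example, not part of Robert's post and not FreeBSD's own tooling: a small Python script that parses the subset of ipfw(8) syntax used in the ruleset above and walks a described packet through it first-match style, so you can see which rule a given packet reaches before and after rule 5000 is inserted. The Packet model, the constructed packet values (documentation addresses 192.0.2.x and 198.51.100.x) and the simplification that `via`, `recv` and `xmit` all match the one interface the packet is seen on are assumptions of the script; the one_pass behaviour it models is the one ipfw(8) documents for in-kernel nat (net.inet.ip.fw.one_pass=1 accepts the packet right after translation, 0 lets it continue at the next rule).

```python
"""First-match walk of a ruleset in the subset of ipfw(8) syntax used above.
Added example, not part of the original post; the Packet model and the
interface-matching simplification are assumptions of this script."""
import ipaddress
from dataclasses import dataclass

# Abridged from the post's `ipfw show` output: number, packets, bytes, rule body.
RULESET = """\
00100 7620493 3374930631 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00350 71122 27155575 allow udp from any 67-68 to any dst-port 67-68
06050 32 3000 deny log udp from any to any dst-port 137 in via em0
07200 0 0 deny log logamount 100 tcp from any to any dst-port 161 in recv em0
10000 2013254 824670340 allow tcp from any to any established
10400 0 0 allow tcp from any 443 to any dst-port 1024-65535 via em0
10500 0 0 deny log tcp from any 1024-65535 to any dst-port 80 via em0
65535 12 1157 deny ip from any to any
"""
NAT_RULE = "05000 0 0 nat 15 all from any to any"  # the post's rule; zero counters constructed

@dataclass
class Packet:                  # constructed packet model (assumption)
    proto: str                 # "tcp", "udp", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    iface: str = "em0"         # interface the packet is seen on
    direction: str = "in"      # "in" or "out"
    established: bool = False  # TCP segment with ACK or RST set

def _ports(spec):              # "80" -> [(80, 80)]; "1024-65535" -> [(1024, 65535)]
    return [(int(lo), int(hi or lo))
            for lo, _, hi in (part.partition("-") for part in spec.split(","))]

def parse_rule(line):
    """Parse one `ipfw show` (or `ipfw list`) line into a dict of match fields."""
    t = line.split()
    r = {"number": int(t.pop(0)), "established": False, "direction": None, "iface": None}
    if t[0].isdigit() and t[1].isdigit():       # packet/byte counters of `ipfw show`
        del t[:2]
    r["action"] = t.pop(0)
    if r["action"] == "nat":                    # instance number follows the keyword
        r["nat"] = int(t.pop(0))
    while t[0] in ("log", "logamount"):         # skip "log" and "logamount N"
        del t[:2 if t[0] == "logamount" else 1]
    r["proto"] = t.pop(0)
    assert t.pop(0) == "from"
    r["src"] = t.pop(0)
    r["sports"] = _ports(t.pop(0)) if t[0] != "to" else []
    assert t.pop(0) == "to"
    r["dst"] = t.pop(0)
    r["dports"] = []
    if t and t[0] == "dst-port":
        r["dports"], t = _ports(t[1]), t[2:]
    while t:                                    # trailing options
        opt = t.pop(0)
        if opt == "established":
            r["established"] = True
        elif opt in ("in", "out"):
            r["direction"] = opt
        elif opt in ("via", "recv", "xmit"):    # simplification: all treated like via
            r["iface"] = t.pop(0)
        else:
            raise ValueError(f"unsupported option {opt!r} in rule {r['number']}")
    return r

def matches(r, p):
    addr_ok = lambda spec, ip: spec == "any" or \
        ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    port_ok = lambda ranges, port: not ranges or any(lo <= port <= hi for lo, hi in ranges)
    return (r["proto"] in ("ip", "all", p.proto)
            and addr_ok(r["src"], p.src) and port_ok(r["sports"], p.sport)
            and addr_ok(r["dst"], p.dst) and port_ok(r["dports"], p.dport)
            and (not r["established"] or p.established)
            and r["direction"] in (None, p.direction)
            and r["iface"] in (None, p.iface))

def walk(rules, p, one_pass=True):
    """Return (final action, numbers of the rules the packet matched). With
    net.inet.ip.fw.one_pass=1 (the default) a packet matched by a nat rule is
    accepted right after translation, reported here as action "nat"; with
    one_pass=0 it continues at the next rule (ipfw(8), NAT section)."""
    trail = []
    for r in rules:
        if matches(r, p):
            trail.append(r["number"])
            if r["action"] != "nat" or one_pass:
                return r["action"], trail
    return "deny", trail                        # ipfw's implicit default rule

def load(text, extra=()):
    lines = [l for l in text.splitlines() + list(extra) if l.strip()]
    return sorted(map(parse_rule, lines), key=lambda r: r["number"])

if __name__ == "__main__":
    reply = Packet("tcp", "192.0.2.10", "198.51.100.5", 443, 40000, established=True)
    for extra, op in ((), True), ([NAT_RULE], True), ([NAT_RULE], False):
        print(op, walk(load(RULESET, extra), reply, op))
```

Running it prints three walks for a constructed reply segment from a remote HTTPS server: without rule 5000 it is accepted by rule 10000 (established), with rule 5000 and one_pass=1 it is handed to the nat instance before any later allow rule is consulted, and with one_pass=0 it continues from 5000 to 10000. The script only answers "which rule sees this packet first"; it does not model what the nat instance itself does to the packet, so use it to reason about rule placement, and `ipfw show` counters on a live system to confirm what actually matched.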