Frank Leonhardt
2021-04-02 19:17:58 UTC
For longer than I care to remember (FreeBSD 2) I've implemented a
physical asymmetric nat gateway using natd and ipfw. I just do what the
user guide says and it works.
For everything else I tend to use pf because I understand it better than
ipfw. And I use pf and nat the virtual network between jails. When I say
I understand pf better, that's better than ipfw - it doesn't mean I
understand it well!
Am I using ipfw/natd for historical reasons? Can I do the same with pf?
I'm not entirely sure, but I assume natd is a counterpart to ipfw
whereas pf does packet filtering and nat and is a replacement for both.
The FreeBSD documentation favours ipfw.
I'd really appreciate it if someone could tell me what I need to put in
rc.conf and pf.conf to get this working. For example, do I need to
enable the gateway in rc.conf if not using ipfw? I'm guessing not, but
I'm only guessing.
I've seen some complex examples. I'm thinking of going with something
like this. I'm ASSUMING any incoming connections (e.g. ssh) would still
end up on the host running PF, except port 80.
If anyone could sanity check this I'd be very grateful.
----------------------------------------
rc.conf:
defaultrouter="1.2.3.1"
ifconfig_bge0="inet 1.2.3.4 netmask 255.255.255.192"
ifconfig_bge1="inet 192.168.1.1 netmask 255.255.255.0"
pf_enable="yes"
----------------------------------------
pf.conf:
scrub in all
nat pass on bge0 from 192.168.1.0/24 to any -> 1.2.3.4
# Never quite sure with pf - the following may be better
# nat on bge0 from bge1:network to any -> bge0
# Redirect port 80 to internal web server
rdr pass on bge0 proto tcp from any to 1.2.3.4 port 80 -> 192.168.1.3
----------------------------------------
Thanks, Frank.
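As an added example (not part of Frank's post): an rc.conf/pf.conf pair that covers the gateway question and fences off the external interface. It keeps the post's interface names and the 192.168.1.3 web server; the macro names, the pflog line and the filter policy (default deny inbound on bge0, ssh to the host, port 80 redirected) are assumptions. Note that in pf's rdr syntax the port sits on the left of the arrow, and that `gateway_enable` is what turns on IP forwarding, independent of which firewall does the NAT.

```conf
# /etc/rc.conf (added lines; interface addresses as in the post)
gateway_enable="YES"    # sets net.inet.ip.forwarding=1; required for any NAT gateway
pf_enable="YES"
pflog_enable="YES"      # assumed: log blocked packets to pflog0 for later review

# /etc/pf.conf
ext_if = "bge0"
int_if = "bge1"
web_srv = "192.168.1.3" # internal web server from the post

set skip on lo0
scrub in all

# FreeBSD's pf.conf orders sections: macros, options, scrub, nat/rdr, filter.
# Using the interface's own address keeps the rules valid if 1.2.3.4 changes.
nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $web_srv

# Filter rules: deny inbound on the external interface, then allow explicitly.
# ("nat pass" / "rdr pass" would skip this filtering entirely; pick one approach.)
block in log on $ext_if
pass out quick on $ext_if keep state
pass quick on $int_if keep state
# ssh to the gateway host itself
pass in on $ext_if proto tcp from any to ($ext_if) port 22 flags S/SA keep state
# Redirected web traffic is filtered after translation, so match the internal address
pass in on $ext_if proto tcp from any to $web_srv port 80 flags S/SA keep state
```

`pfctl -nf /etc/pf.conf` parses the file without loading it; after `service pf start`, `pfctl -s nat` and `pfctl -s rules` show what is actually in effect.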