The FreeBSD Diary


NAT rules - for IP Filter
12 January 1999

This article has 8 comments
NAT, or Network Address Translation, is also referred to as IP masquerading (the Linux term) and, loosely, as IP aliasing.  NAT is a method for translating the internal (private) addresses of the machines on your LAN to an external (public) Internet address, so that several machines can share one public address.

In order for NAT to work, your box needs to be set up as a gateway, which means it must forward packets: it receives packets from the other machines on your subnet and passes them on towards their ultimate destination.  You can enable packet forwarding immediately (it lasts until the next reboot) by issuing the following command:

sysctl -w net.inet.ip.forwarding=1

You can tell FreeBSD to set your box up as a gateway by including the following line in /etc/rc.conf:


This line will ensure the command is executed during the system startup process.

Example NAT rules
I'm using ipfilter and I recommend it as a great packet filter for building a firewall.  Included with it is ipnat, which does the NAT for ipfilter.  Here's how I invoke ipnat:
ipnat -f /etc/ipnat.conf

I am also using DHCP, so the external address of the box is not known in advance.  In such circumstances you can write a placeholder in place of the otherwise unknown IP address, and ipfilter will determine the real address at run time.  Although this example is for dynamic IP addresses, I'm not sure, but I strongly suspect that this will work for static addresses as well.  Here are the contents of /etc/ipnat.conf:

map ed0 -> portmap tcp/udp 40000:65000
map ed0 ->

ed0 is the interface that leads to the outside world, and the source network given in the rules is the inside network.  If you are setting up a home network, I suggest you use 192.168.0.* (a private address range) for your subnet.  In that case, the above examples will work for you.  If they don't, then please add your comments.

Put these rules before any redirects (i.e. rdr).

I also used this ipnat rule for a short while to redirect traffic arriving at the firewall to a computer on my internal LAN:
rdr tun0 port 80 -> port 80

Here tun0 is the public interface on my firewall, and the address on the right of the arrow is a box on my internal LAN which is running a web server.  The above also goes into /etc/ipnat.conf.

NOTE: Do your redirection after your mapping.  That is, put the rdr rules after any map rules.
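As an added example (not code from the original article, and not part of IP Filter itself), here is the whole procedure from this page as one POSIX sh script: it generates a complete /etc/ipnat.conf of the shape shown above, checks that every map rule comes before the first rdr rule, persists the gateway setting in /etc/rc.conf (gateway_enable="YES" is FreeBSD's rc.conf knob for forwarding at boot), and on FreeBSD only turns forwarding on and loads the rules.  The interface and addresses are assumptions for illustration: ed0 as the single public interface (the article uses ed0 in its map rules and tun0 in its rdr rule), 192.168.0.0/24 as the inside LAN and 192.168.0.2 as the internal web server.  The function names are mine; the 40000:65000 portmap range is the article's.

```shell
#!/bin/sh
# Added example, not code from the original article: generate the
# /etc/ipnat.conf described above, check the map-before-rdr ordering the
# article insists on, persist the gateway setting, and (on FreeBSD only)
# turn forwarding on and load the rules.  The interface and addresses are
# assumptions for illustration: ed0 is the public interface, 192.168.0.0/24
# the inside LAN and 192.168.0.2 the internal web server.

EXT_IF=ed0
LAN=192.168.0.0/24
WEB=192.168.0.2

# Print the ruleset.  In a map rule, 0/32 on the right of the arrow means
# "whatever address the interface currently has", which is what makes the
# rules work with a DHCP-assigned address.
gen_ipnat_conf() {
    cat <<EOF
# map rules first: LAN -> interface address, TCP/UDP source ports rewritten
# into 40000-65000, any other protocol translated without portmap.
map $EXT_IF $LAN -> 0/32 portmap tcp/udp 40000:65000
map $EXT_IF $LAN -> 0/32
# rdr last: inbound TCP port 80 on the public interface goes to the LAN web server.
rdr $EXT_IF 0.0.0.0/0 port 80 -> $WEB port 80 tcp
EOF
}

# Return 0 if no map rule follows an rdr rule in the given file, 1 otherwise.
# Comment and blank lines are ignored.
check_map_before_rdr() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $1 == "rdr" { seen_rdr = 1 }
        $1 == "map" && seen_rdr { bad = 1 }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Set key="value" in an rc.conf-style file, replacing an existing
# assignment rather than appending a duplicate one.
rc_conf_set() {
    rc_file=$1; rc_key=$2; rc_value=$3
    if grep -q "^${rc_key}=" "$rc_file" 2>/dev/null; then
        rc_tmp=$(mktemp)
        sed "s|^${rc_key}=.*|${rc_key}=\"${rc_value}\"|" "$rc_file" > "$rc_tmp"
        mv "$rc_tmp" "$rc_file"
    else
        printf '%s="%s"\n' "$rc_key" "$rc_value" >> "$rc_file"
    fi
}

# The full procedure; takes the path of the ipnat.conf to write.
setup_nat() {
    conf=$1
    gen_ipnat_conf > "$conf"
    if ! check_map_before_rdr "$conf"; then
        echo "$conf: a map rule follows an rdr rule; fix the order" >&2
        return 1
    fi
    if [ "$(uname -s)" = FreeBSD ]; then
        rc_conf_set /etc/rc.conf gateway_enable YES   # forwarding at every boot
        sysctl -w net.inet.ip.forwarding=1            # forwarding right now
        # -C removes the rules already loaded, -F flushes the live translation
        # table, then -f loads the new file; a bare -f would append to what is there.
        ipnat -CF -f "$conf"
    fi
}

# Only act when given a path, e.g.:  sh nat-setup.sh /etc/ipnat.conf
if [ $# -gt 0 ]; then
    setup_nat "$1"
fi
```

Two things the script cannot do for you: ipnat only rewrites addresses and ports, so the ipf ruleset still decides which packets are passed, and the rdr above needs a matching ipf pass rule for TCP port 80 on the public interface (and nothing broader).  And when a DHCP lease hands the interface a new address, IP Filter's copy of the interface address can go stale; `ipf -y` resyncs it with the kernel's current interface list.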
