# pf rules help for allowing limited NAT access



## rlorentz (May 20, 2011)

Here's exact details of my configuration:

Firewall/DNS Server: 192.168.2.1 (local lan) which routes out to the internet.  <-- NOT UNDER MY CONTROL
My FreeBSD Server: 192.168.2.23 (LAN) 

"Inside" of my server, I have a jail. (I will have more, once my firewall rules are working..)  I'm setting this up using ezjail, and that much is working.  I want to assign it an alias on my FreeBSD server's loopback device lo0, and to give this jail ip of 127.0.0.10

So far in my /etc/pf.conf, the following is working:


```
# allow the outside world or internet to hit my FreeBSD server on 6500, and send this traffic to 6500
# verified through nc -l 6500 inside the jail, and telnet in from outside world
rdr pass on em0 inet proto tcp from any to 192.168.2.23 port = 6500 -> 127.0.0.10 port 6500
```

However, I have 2 more needs:

1) The jail must be able to send TCP traffic to any INTERNET IP (not 192.* or 127.*) on ports 5555 or 7070 or TBD
2) The jail must be able to send TCP traffic to 192.168.2.1 on the DNS port only (I MUST use this as an NS because of the way the main firewall out of my control is set up, I cannot change that)

And I have no idea how to set up pf to do this.  Any help would be appreciated.  Exact pf.conf lines would be EXTREMELY appreciated.  I'm not a networking guy, I have read many many faqs and man pages on this, and it always ends up I'm either following the pf >4.5 syntax or I'm totally confused by what they are digging in to.  What I list here is literally everything my "firewall" needs to do so it's frustrating to do so much research and only get 1/3 of it going.. this seems like a very basic use-case


Supporting info:


In rc.conf I've set up:


```
defaultrouter="192.168.2.1"
ifconfig_em0="inet 192.168.2.23  netmask 255.255.255.0"
ifconfig_lo0_alias0="inet 127.0.0.10 netmask 255.255.255.0"
pf_enable="YES"
gateway_enable="YES"            # Enable as LAN gateway
```

My ifconfigs give me:


```
server# ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
	ether 00:0c:29:fc:6f:48
	inet 192.168.2.23 netmask 0xffffff00 broadcast 192.168.2.255
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=3<RXCSUM,TXCSUM>
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3 
	inet6 ::1 prefixlen 128 
	inet 127.0.0.1 netmask 0xff000000 
	inet 127.0.0.10 netmask 0xffffff00 
	nd6 options=3<PERFORMNUD,ACCEPT_RTADV>


jail# ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
	ether 00:0c:29:fc:6f:48
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=3<RXCSUM,TXCSUM>
	inet 127.0.0.10 netmask 0xffffff00
```


----------



## rlorentz (May 22, 2011)

```
allowed_bounce_ports="{ 21, 23 }"

nat on em0 from 127.0.0.10 to 192.168.2.1 port = domain -> em0
nat on em0 from 127.0.0.10 to !192.168.0.0/24 port $allowed_bounce_ports -> em0

rdr pass on em0 inet proto tcp from any to 192.168.2.23 port = 6500 -> 127.0.0.10 port 6500
```
Thanks to jhell on freenode #freebsd


----------

