# IPF & IPNAT New Installation



## CharlieLimaHotel (Jul 27, 2011)

With a Checkpoint cluster on its last legs, and no money to spend, I have taken it upon myself to attempt to replace the cluster with a FreeBSD box.  I have worked with FreeBSD before, but not in this area.  I have read the FreeBSD guide on IPFilter and IPNAT as well as several sources online.

After configuration, an attempt to install the box into production failed.

My scenario:

I have a FreeBSD box, with 3 interfaces (Public, DMZ & Internal).  My primary use is for WWW access to about 15 websites my company hosts.  We have an entire class C address space assigned to us by our Internet provider.  My IPF ruleset is simple, blocking everything except port 80 to my DMZ.  I believe I have a good handle on IPF.  I am able to turn certain services "on" to the Public (SSH, ICMP) and "off" as required.  I am able to ping other hosts on all 3 networks, so I know the interfaces are set up correctly.

My dilemma:

When the box was attempted to be put into production, I could not access my websites.  

I do not think I have a very good handle on IPNAT as the configuration seems simple and straightforward (but does not work).

Questions:

How does FreeBSD know it is responsible for the NAT'ing of the IP address not assigned to the interface, but set in the IPNAT.rules?

Do the IPs that will be NAT'd need to be assigned to the external Interface?

Other Info:

IPF enabled
IPNAT enabled
Gateway_enabled

I REALLY do appreciate anyone taking their time to read my long post.  I feel I am so close to replacing Checkpoint with FreeBSD (Yeah!), but I am just "missing something".

Thanks again.


----------



## SirDice (Jul 27, 2011)

So you're replacing a cluster of firewalls with a single box? Ever heard of the expression "Single Point of Failure"?

I would suggest using at least 2 FreeBSD machines, both configured with carp(4) and making full use of PF and pfsync(4).


----------

