# IPFW +natd



## manti (Sep 22, 2011)

Hello
Why the Internet in a LAN does not work?


/etc/rc.conf

```
rl0=IP_PUBLIC
rl1=192.168.20.1(LAN)

#FIREWALL
gateway_enable="YES"
firewall_enable="YES"
firewall_script="/etc/ipfw.skrpt"
firewall_logging="YES"
#firewall_type="OPEN"
firewall_quiet="NO"
firewall_flags=""
natd_enable="YES"
natd_program="/sbin/natd"
natd_interface="rl0"
natd_flags="-f /etc/natd.conf"
```
/etc/ipfw.script

```
IPF="ipfw -q add"
ipfw -q -f flush
ipfw nat 1 config if rl0
ipfw add divert natd all from any to any via rl0
#ipfw add pass all from any to any
#loopback
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
# statefull
$IPF 50 check-state
$IPF 55 allow all from any to any via rl0
$IPF 60 allow tcp from any to any established
$IPF 61 allow tcp from any to me dst-port 1194 setup
$IPF 62 allow udp from any to me dst-port 1194
$IPF 63 allow udp from me to any
$IPF 70 allow all from any to any out keep-state
$IPF 80 allow icmp from any to any
# open port ftp (20,21), ssh (22), mail (25)
# http (80), dns (53) etc
$IPF 110 allow tcp from any to any 21 in
$IPF 120 allow tcp from any to any 21 out
$IPF 130 allow tcp from any to any 22 in
$IPF 140 allow tcp from any to any 22 out
$IPF 150 allow tcp from any to any 25 in
$IPF 160 allow tcp from any to any 25 out
$IPF 170 allow udp from any to any 53 in
$IPF 175 allow tcp from any to any 53 in
$IPF 180 allow udp from any to any 53 out
$IPF 185 allow tcp from any to any 53 out
$IPF 200 allow tcp from any to any 80 in
$IPF 210 allow tcp from any to any 80 out
$IPF 211 allow tcp from any to any 143 in
$IPF 212 allow tcp from any to any 143 out
$IPF 213 allow tcp from any to any 443 in
$IPF 214 allow tcp from any to any 443 out
$IPF 215 allow tcp from any to any 554 in
$IPF 216 allow udp from any to any 554 out
$IPF 220 allow tcp from any to any 993 in
$IPF 221 allow tcp from any to any 993 out
$IPF 222 allow tcp from any to any 995 in
$IPF 223 allow tcp from any to any 995 out
# deny and log everything
$IPF 500 deny log all from any to any
```

/etc/natd.conf

```
interface rl0
use_sockets yes
same_ports yes
```


----------

