IPFW NAT and FWD combined

For the past year using (kernel) NAT together with FWD rules in ipfw has walked across my brain more often than I like to admit strattera dosage. But everytime I was not able to grab the concept sufficiently to get it right and make them work together. Finally today in the train, trying all sorts of combinations, pondering why it still did not work, I finally got it: If I cannot make the rules on the NAT and FWD match, I should match first, use skipto and then apply NAT and FWD to all traffic that passes in that block of firewall rules!

Example:

# NAT and forward both need to process the same packets
ipfw -q disable one_pass
ipfw -q -f flush
ipfw -q nat 123 config if em1
ipfw -q add skipto 1000 all from any to not 192.168.1.0/24
ipfw -q add skipto 65534 all from any to any
ipfw -q add 1000 nat 1 all from any to any
ipfw -q add 1100 fwd 192.168.178.1 all from any to any

where 192.168.178.1 is the gateway on em1. Now, this recipe is still missing the inbound NAT, performance considerations due to applying NAT multiple times on the packet, and probably much more, but the basic nut on how to format the ipfw ruleset has been cracked. The roost has left the nest. Policy Based Routing, here we come!

Note: after disabling ‘nat’ rules are no longer terminating the rule set, but ‘fwd’ rules are!

EuroBSDCon 2013

EuroBSDCon mascot

Smiling and helpful as usual, your BSD daemon

And there it was! All geeks unite! BSD lovers from all over Europe and the rest of the world gathered in Malta to discuss what was going on in the world of FreeBSD, NetBSD, and OpenBSD. The talks where better than ever (only 42 out of 75 submissions made it into the 3 tracks on 2 days).

Most impressive for me was the number of people using NanoBSD as a tool to provide their server, embedded systems, and node installations. But also in-depth discussions of fundamental issues like 64-bit time_t, security technologies, and performance enhancement). And of course the fun talks by the BSD veterans McKusick and phk. All in all a good BSDCOn. See you next year!