For the past year, using (kernel) NAT together with fwd rules in ipfw has crossed my mind more often than I like to admit, but every time I failed to grasp the concept well enough to get it right and make the two work together. Finally, today on the train, trying all sorts of combinations and pondering why it still did not work, I got it: if I cannot make the match conditions on the nat and fwd rules agree, I should match first, use skipto, and then apply nat and fwd to all traffic that reaches that block of firewall rules.
# NAT and forward both need to process the same packets,
# so the nat rule must not terminate the rule search
ipfw -q disable one_pass
ipfw -q -f flush
# kernel NAT instance 1, masquerading behind em1's address
# (the instance number must match the nat rule at 1000 below)
ipfw -q nat 1 config if em1
# traffic leaving the LAN goes to the NAT+fwd block at 1000,
# everything else jumps to the end of the ruleset
ipfw -q add skipto 1000 all from any to not 192.168.1.0/24
ipfw -q add skipto 65534 all from any to any
ipfw -q add 1000 nat 1 all from any to any
ipfw -q add 1100 fwd 192.168.178.1 all from any to any
where 192.168.178.1 is the gateway on em1. This recipe is still missing the inbound NAT (return traffic arriving on em1 also has to pass through the nat rule to be translated back), consideration of the cost of running a packet through NAT more than once, and probably much more, but the basic nut of how to structure the ipfw ruleset has been cracked. The roost has left the nest. Policy based routing, here we come!
Note: after disabling one_pass, 'nat' rules no longer terminate the rule search, but 'fwd' rules still do! Within the block, the fwd rule therefore has to come after the nat rule, or the packet is forwarded before it is ever translated.
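To make the recipe above reusable, here is an added example (my own script, not code from the original post) that generates the skipto/NAT/fwd ruleset from parameters, adds the inbound NAT block the post leaves out, and checks the result for the two traps discussed here (one_pass still enabled, a nat instance that is used but never configured, and a fwd rule with no nat rule before it) before anything is applied. The layout it assumes is hypothetical: a LAN 192.168.1.0/24 behind the box, uplink em1 with gateway 192.168.178.1, and an allow-all policy for everything that is not NATed. Without arguments it only prints the rules; with `apply` it pipes them into sh.

```sh
#!/bin/sh
# Added example: build, check and optionally apply the skipto/NAT/fwd ruleset.
# Assumed (hypothetical) layout, overridable via the environment.
LAN_NET="${LAN_NET:-192.168.1.0/24}"
WAN_IF="${WAN_IF:-em1}"
WAN_GW="${WAN_GW:-192.168.178.1}"

# Print the ruleset, one ipfw(8) command per line, with explanatory comments.
gen_rules() {
    lan_net="$1" wan_if="$2" wan_gw="$3"
    cat <<EOF
# nat must not terminate the search, or fwd never sees the packet
ipfw -q disable one_pass
ipfw -q -f flush
# one kernel NAT instance; the number must match the nat actions below
ipfw -q nat 1 config if $wan_if
# outbound to the internet: translate, then force the next hop (block 1000)
ipfw -q add 100 skipto 1000 ip from any to not $lan_net out xmit $wan_if
# inbound on the uplink: undo the translation before normal routing (block 2000)
ipfw -q add 200 skipto 2000 ip from any to any in recv $wan_if
# everything else (LAN-local traffic, replies towards the LAN): assumed allow-all
ipfw -q add 300 allow ip from any to any
ipfw -q add 1000 nat 1 ip from any to any
ipfw -q add 1100 fwd $wan_gw ip from any to any
ipfw -q add 2000 nat 1 ip from any to any
ipfw -q add 2100 allow ip from any to any
EOF
}

# Sanity-check a ruleset on stdin. Exits non-zero (with a reason) if one_pass
# is not disabled, if a "nat N" action refers to an unconfigured instance, or
# if a fwd rule has no nat rule with a lower number in front of it.
check_rules() {
    awk '
        /^#/ { next }
        /disable one_pass/ { onepass_off = 1 }
        {
            for (i = 1; i <= NF; i++) {
                if ($i == "nat" && i < NF) {
                    if ($(i + 2) == "config") cfg[$(i + 1)] = 1
                    else used[$(i + 1)] = 1
                }
                if ($i == "add" && $(i + 1) ~ /^[0-9]+$/) {
                    if ($(i + 2) == "nat") natrule[$(i + 1)] = 1
                    if ($(i + 2) == "fwd") fwdrule[$(i + 1)] = 1
                }
            }
        }
        END {
            if (!onepass_off) { print "one_pass still enabled: nat would terminate the search"; exit 1 }
            for (n in used) if (!(n in cfg)) { print "nat instance " n " used but never configured"; exit 1 }
            for (f in fwdrule) {
                ok = 0
                for (n in natrule) if (n + 0 < f + 0) ok = 1
                if (!ok) { print "fwd rule " f " has no nat rule before it"; exit 1 }
            }
        }'
}

main() {
    case "${1:-print}" in
    apply)
        # refuse to touch the live firewall if the generated set fails the checks
        gen_rules "$LAN_NET" "$WAN_IF" "$WAN_GW" | check_rules || return 1
        gen_rules "$LAN_NET" "$WAN_IF" "$WAN_GW" | sh ;;
    *)
        gen_rules "$LAN_NET" "$WAN_IF" "$WAN_GW" ;;
    esac
}
main "$@"
```

The direction qualifiers (`out xmit`/`in recv` on the uplink) are what keep the two blocks apart: without them an inbound packet from the internet would also match the "not LAN" skipto and be handed to the fwd rule after translation. The checker deliberately flags the instance-number mismatch (a `nat 123 config` paired with a `nat 1` action) that is easy to type and silent at load time.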