The following configuration should work in a NAT environment (ipfw with natd on FreeBSD).
[code lang=text]
#!/bin/sh
# flush out the list before we begin
ipfw -q -f flush

# set rules command prefix
cmd="ipfw -q add"
pif="vtnet0"    # Interface name of NIC attached to Internet

# No restrictions on Loopback Interface
$cmd 00010 allow all from any to any via lo0

# Divert every packet on the external interface to natd(8); after translation
# natd re-injects it and matching resumes at the next rule (00012).
$cmd 00011 divert natd log all from any to any via $pif
# NOTE: this rule matches every packet that reaches it, so none of the rules
# below 00012 is ever evaluated; they only take effect if it is narrowed or removed.
$cmd 00012 pass all from any to any

# In-kernel NAT alternative (ipfw_nat); its two rules reuse numbers 00011/00012
# and are kept commented out while the divert/natd pair above is in use.
ipfw nat 10 config ip 45.77.191.174 log
#ipfw add 00011 nat 10 log ip from 10.0.0.0/16 to any out via $pif
#ipfw add 00012 nat 10 log ip from any to 10.0.0.0/16 in via $pif

$cmd 00101 check-state

# allow and log all other outbound connections
$cmd 00299 allow log all from any to any out via $pif

# Deny all inbound traffic from non-routable reserved address spaces
$cmd 00300 deny all from 192.168.0.0/16 to any in via $pif    # RFC 1918 private IP
$cmd 00301 deny all from 172.16.0.0/12 to any in via $pif     # RFC 1918 private IP
$cmd 00302 deny all from 10.0.0.0/8 to any in via $pif        # RFC 1918 private IP
$cmd 00303 deny all from 127.0.0.0/8 to any in via $pif       # loopback
$cmd 00304 deny all from 0.0.0.0/8 to any in via $pif         # loopback
$cmd 00305 deny all from 169.254.0.0/16 to any in via $pif    # DHCP auto-config
$cmd 00306 deny all from 192.0.2.0/24 to any in via $pif      # reserved for docs
$cmd 00307 deny all from 204.152.64.0/23 to any in via $pif   # Sun cluster interconnect
$cmd 00308 deny all from 224.0.0.0/3 to any in via $pif       # Class D & E multicast

# Deny public pings
$cmd 00310 deny icmp from any to any in via $pif

# Deny ident
$cmd 00315 deny tcp from any to any 113 in via $pif

# Deny all Netbios services.
$cmd 00320 deny tcp from any to any 137 in via $pif
$cmd 00321 deny tcp from any to any 138 in via $pif
$cmd 00322 deny tcp from any to any 139 in via $pif
$cmd 00323 deny tcp from any to any 81 in via $pif

# Deny fragments
$cmd 00330 deny all from any to any frag in via $pif

# Deny ACK packets that did not match the dynamic rule table
$cmd 00332 deny tcp from any to any established in via $pif

# Allow traffic from the ISP's DHCP server (45.32.56.1 here)
$cmd 00360 allow udp from any to 45.32.56.1 67 in via $pif keep-state

# Allow HTTP and DNS connections to internal web server
$cmd 00400 allow tcp from any to me 80 in via $pif setup keep-state
$cmd 00401 allow log tcp from any to me 53 in via $pif setup keep-state
# 'setup' is TCP-only and would never match UDP, so it is omitted here
$cmd 00402 allow log udp from any to me 53 in via $pif keep-state

# Allow inbound SSH connections
$cmd 00410 allow tcp from any to me 22 in via $pif setup keep-state

# allow possible rndc - bind to work on port 953
$cmd 00420 allow tcp from any to me 953 in via $pif setup keep-state

# Reject and log all other incoming connections
$cmd 00499 deny log all from any to any in via $pif

# Everything else is denied and logged
$cmd 00999 deny log all from any to any
[/code]
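A quick static check for the rule-ordering problem in the script above, as an added example (not part of the original post): it parses a constructed subset of the rule lines, with the `$cmd` prefix dropped and `$pif` expanded, and reports every rule listed after the first terminal rule whose body is an unrestricted `all from any to any`, which for this ruleset is 00012.

```python
"""Report ipfw rules that are unreachable because an earlier rule already
matches every packet (the 00012 "pass all from any to any" problem above)."""
import re

# Constructed input: a subset of the ruleset above with the "ipfw -q add" prefix
# dropped and the $pif variable already expanded.
RULESET = """\
00010 allow all from any to any via lo0
00011 divert natd log all from any to any via vtnet0
00012 pass all from any to any
00101 check-state
00299 allow log all from any to any out via vtnet0
00300 deny all from 192.168.0.0/16 to any in via vtnet0
00499 deny log all from any to any in via vtnet0
00999 deny log all from any to any
"""

# Actions that end rule processing for a matching packet.
TERMINAL = {"allow", "accept", "pass", "permit", "deny", "drop", "reject", "unreach", "reset"}

# <number> <action> [log] [body ...]
RULE_RE = re.compile(r"^(\d+)\s+(\S+)(?:\s+log)?(?:\s+(.*))?$")

def parse_rules(text):
    """Return [(number, action, body_tokens), ...] in listing order."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            num, action, body = m.groups()
            rules.append((int(num), action, (body or "").split()))
    return rules

def is_catch_all(action, body):
    """Terminal rule whose body is exactly 'all from any to any': nothing restricts it."""
    return action in TERMINAL and body == ["all", "from", "any", "to", "any"]

def shadowed_rules(text):
    """Return (catch_all_rule, [rules listed after it]); the second list holds
    the rules that can never be evaluated."""
    rules = parse_rules(text)
    for i, (num, action, body) in enumerate(rules):
        if is_catch_all(action, body):
            return num, [r[0] for r in rules[i + 1:]]
    return None, []

if __name__ == "__main__":
    first, dead = shadowed_rules(RULESET)
    print(f"rule {first:05d} matches everything; unreachable: {dead}")
```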
This is the matching natd.conf:
[code lang=text]
redirect_port tcp 10.0.0.1:80 80
redirect_port tcp 10.0.0.1:443 443
redirect_port tcp 10.0.0.1:53 53
redirect_port udp 10.0.0.1:53 53
[/code]
References:
https://www.freebsd.org/doc/handbook/firewalls-ipfw.html
https://www.freebsd.org/cgi/man.cgi?query=natd&sektion=8&manpath=freebsd-release-ports