IPFW Iptables to IPFW


New Member

Messages: 4

Hi all,

I am new to BSD coming from the Linux world (Debian and Ubuntu).
Most of the software and tools I used on debian I already tested on Freebsd and i9t's working quite well. I have one thing I used on a Debian server I did not find a solution yet.

On my old Debian I used a routing command with IPTABLES

iptables -t nat -A POSTROUTING -o igb0 -j MASQUERADE
On BSD i guess IPFW would be the right command but I am not really sure to be honest. Can someone help to translate this command?

Thanks a lot



Active Member

Thanks: 36
Messages: 111

If you're debating which of the three firewalls to use: coming from the world of iptables I settled on ipfw() because of its similarities (IMO), and I'm glad I did. However, because of ipfw()'s extensive feature set, its syntax can be a bit more challenging than the others when writing really complex or advanced rules. The simple allow|deny rules are straightforward, though.


New Member

Messages: 4

Hi all,

thanks a lot for all the information :)

If you're debating which of the three firewalls to use: coming from the world of iptables I settled on ipfw()
That would be also my plan. As I am completely new in BSD and also in those kind of Networking / Firewall configurations I am a bit struggling with the manual.
I assume that the NATD() Daemon would be the right one. I understood how to enable this in the rc.conf and to define the interface

gateway_enable="YES"        # enables the gateway
natd_enable="YES"        # enables NAT
natd_interface="igb0"   # Interface on my system that is connected to the internet
However now I am a bit lost to define the right rules to enable the routing form igb0 to all the other Interfaces. Any advice on how to start?

Thanks S


Aspiring Daemon

Thanks: 188
Messages: 751

We have documentation for this of course :)

The concept is really straight forward. More is described in the Handbook linked above, but quick intro is:

I am computer, I have packet to send, what I will do?
- Is it for local network address (mask is used here, that /24 or for example). If it is, get MAC for this address and send directly.
- If not, is it for network I know route to? If it is, send it to gateway for given network. Routing tables are used here, you can see them by netstat -r command. End user computer usually has only few entries related to local network(s).
- If both previous answers was negative, send it to default gateway.

And what about receiving? If packet is for me, process it, else drop it. And here start magic. If you enable gateway (which turns forwarding sysctl on on boot, see link above), it can be said in really simplified way, that such machine treats others computers packets as its own and apply procedure described above on them instead of dropping them.

However, it is not enough if you have address not routable on internet (private addresses like 192.168.x.x etc., see RFC 1918). With such address, computer at destination would not be able to reply to you (besides fact that all routers on route should drop it on its way there already). So here magic part two start. With NAT enabled, router change source address in the packet header to its own (and keep information about it to reverse it for returning packets), because it is for sure, that device which will get this packet know route back. This may be done several times, consider following example

Home computer address <------------> Home router internal interface|Home router external interface <------------------------> Internet provider interface facing customer|Providers network|Providers interface facing internet with "public" address

In the example above, all addresses, excluding last, are not internet routable. Only last one is (Google DNS used as example here), so there would be at least two address translations, at home router and somewhere in the ISP network.