Code:
---
# ifconfig rl0
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=8<VLAN_MTU>
inet XXX.XXX.XXX.69 netmask 0xfffffe00 broadcast 255.255.255.255
ether 00:c0:f0:54:c0:bd
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
---
# ifconfig rl1
rl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=8<VLAN_MTU>
inet 169.254.75.1 netmask 0xffffff00 broadcast 169.254.75.255
ether 00:50:ba:5f:0c:d4
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
---
# netstat -rn
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
default XXX.XXX.XXX.1 UGS 0 4 rl0
XXX.XXX.XXX/23 link#1 UC 0 0 rl0
XXX.XXX.XXX.1 00:1a:2f:8b:30:05 UHLW 2 0 rl0 1190
127.0.0.1 127.0.0.1 UH 0 0 lo0
169.254.75/24 link#2 UC 0 0 rl1
169.254.75.254 00:1f:33:cd:a9:59 UHLW 2 194 rl1 1160
Internet6:
Destination Gateway Flags Netif Expire
::1 ::1 UHL lo0
fe80::%lo0/64 fe80::1%lo0 U lo0
fe80::1%lo0 link#3 UHL lo0
ff01:3::/32 fe80::1%lo0 UC lo0
ff02::%lo0/32 fe80::1%lo0 UC lo0
---
# pgrep -lf natd
419 natd -same_ports -use_sockets -dynamic -interface rl0
---
# ipfw show
00010 0 0 allow ip from any to any via lo0
00020 0 0 deny ip from any to 127.0.0.0/8
00030 0 0 deny ip from 127.0.0.0/8 to any
00040 0 0 deny tcp from any to any frag
00050 0 0 check-state
00060 685 69553 allow tcp from any to any established
00070 9 697 allow ip from any to any out keep-state
00080 1 61 allow icmp from any to any
00130 3 180 allow tcp from any to any dst-port 22 in
00140 0 0 allow tcp from any to any dst-port 22 out
00170 0 0 allow udp from any to any dst-port 53 in
00175 0 0 allow tcp from any to any dst-port 53 in
00180 0 0 allow udp from any to any dst-port 53 out
00185 0 0 allow tcp from any to any dst-port 53 out
00200 0 0 allow tcp from any to any dst-port 80 in
00210 0 0 allow tcp from any to any dst-port 80 out
00341 2 80 divert 8668 ip from any to me in recv rl0
00342 0 0 allow ip from any to 169.254.75.0/24 in recv rl0
00343 0 0 allow ip from any to 169.254.75.0/24 out xmit rl1
00344 0 0 allow ip from 169.254.75.0/24 to any in recv rl1
00345 0 0 divert 8668 ip from 169.254.75.0/24 to any out xmit rl0
00346 0 0 allow ip from me to any out xmit rl0
00500 52 19988 deny log logamount 10 ip from any to any
65535 0 0 allow ip from any to any
I wasn't sure what level to put the NAT divert rules at; I tried putting them at the beginning and at the end.
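As an added example that is not part of the original post, the script below lays out the same two-interface natd setup (rl0 public, rl1 LAN, natd on divert port 8668, all taken from the output above) in the ordering commonly used with stateful ipfw rules: the inbound divert sits before check-state, so a packet arriving on rl0 is translated before any rule can accept it, and outbound traffic is remembered with keep-state and then sent through a late divert rule before it leaves rl0. In the ruleset shown in the post, an inbound reply for a LAN host matches rule 00060 (allow established) and an outbound LAN packet matches rule 00070 (allow out keep-state) before either divert rule is reached, so those packets are accepted untranslated. The `FWCMD` variable, the `build_rules` and `divert_before_state` functions and the rule numbers are my own choices; by default the script only prints the `ipfw` commands.

```shell
#!/bin/sh
# Added example, not the original poster's ruleset. Dry-run by default:
# FWCMD="ipfw" ./natd-rules.sh would apply it on the firewall itself.
fwcmd="${FWCMD:-echo ipfw}"
oif="rl0"                 # public interface (from the post's ifconfig)
iif="rl1"                 # LAN interface
lan="169.254.75.0/24"     # LAN prefix behind the NAT
natport="8668"            # natd divert port (from pgrep -lf natd)

build_rules() {
    $fwcmd -f flush
    $fwcmd add 00010 allow ip from any to any via lo0
    $fwcmd add 00020 deny ip from any to 127.0.0.0/8
    $fwcmd add 00030 deny ip from 127.0.0.0/8 to any
    $fwcmd add 00040 deny tcp from any to any frag
    # 1. Translate everything coming in on the public side BEFORE any
    #    stateful or address-based rule gets to look at it.
    $fwcmd add 00050 divert "$natport" ip from any to any in via "$oif"
    # 2. Only now consult the dynamic state table.
    $fwcmd add 00060 check-state
    # 3. Traffic between the firewall and the LAN on the inside interface.
    $fwcmd add 00070 allow ip from "$lan" to any in via "$iif"
    $fwcmd add 00080 allow ip from any to "$lan" out via "$iif"
    # 4. Outbound on the public side: record state, then jump to the
    #    outbound divert so the packet is translated just before it leaves.
    $fwcmd add 00090 skipto 800 ip from any to any out via "$oif" keep-state
    # 5. Services offered by the firewall host itself to the outside.
    $fwcmd add 00130 allow tcp from any to me dst-port 22 in via "$oif"
    $fwcmd add 00140 allow tcp from any to me dst-port 80 in via "$oif"
    $fwcmd add 00150 allow icmp from any to any
    # 6. Everything else that was not matched is logged and dropped.
    $fwcmd add 00500 deny log logamount 10 ip from any to any
    # 7. Target of the skipto: translate, then let the packet go.
    $fwcmd add 00800 divert "$natport" ip from any to any out via "$oif"
    $fwcmd add 00801 allow ip from any to any
}

# Sanity check on the generated ruleset: the inbound divert must be listed
# before check-state, and the deny-all must come before the outbound divert
# (otherwise the skipto target would also catch unrelated packets).
# Returns 0 when the ordering is as intended, 1 otherwise.
divert_before_state() {
    rules=$(FWCMD="echo ipfw" build_rules)
    div_in=$(printf '%s\n' "$rules" | grep -n "divert $natport ip from any to any in" | cut -d: -f1)
    state=$(printf '%s\n' "$rules" | grep -n 'check-state' | cut -d: -f1)
    deny=$(printf '%s\n' "$rules" | grep -n 'deny log' | cut -d: -f1)
    div_out=$(printf '%s\n' "$rules" | grep -n "divert $natport ip from any to any out" | cut -d: -f1)
    [ -n "$div_in" ] && [ -n "$state" ] && [ -n "$deny" ] && [ -n "$div_out" ] || return 1
    [ "$div_in" -lt "$state" ] && [ "$deny" -lt "$div_out" ]
}

build_rules
```

After loading such a ruleset, `ipfw show` should report the counters on the two divert rules increasing as LAN hosts talk to the outside; if the divert counters stay at zero while an earlier allow rule's counters climb, the packets are still being accepted before translation, which is exactly what the counters in the post suggest for rules 00060 and 00070.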