From: "Dominique Goncalves"
Date: Fri, 3 Oct 2008 13:28:07 +0200
To: "fire jotawski"
Cc: freebsd-questions@freebsd.org
Subject: Re: nat and firewall

On Fri, Oct 3, 2008 at 5:24 AM, fire jotawski wrote:
>
> On Thu, Oct 2, 2008 at 7:39 PM, Dominique Goncalves wrote:
>>
>> Hi,
>>
>> On Thu, Oct 2, 2008 at 6:09 AM, fire jotawski wrote:
>> > On Thu, Sep 25, 2008 at 12:10 AM, Kevin Kinsey wrote:
>> >
>> >> FBSD1 wrote:
>> >>
>> >>> natd_enable="YES" This statement in rc.conf enables ipfw nated
>> >>> function.
>> >>> firewall_nat_enable="YES" This is an invalid statement. No such thing
>> >>> as you have here.
>> >>
>> >> This is no longer true; he did indeed find "firewall_nat_enable"
>> >> in /etc/defaults/rc.conf. The knob seems to have first appeared
>> >> in February in HEAD and I'm guessing it cues the system to use a
>> >> new kernel-based nat rather than natd(8), but I've not read anything
>> >> further about this, as my system isn't as up to date as the OP's.
>> >> I don't know when this change was MFC'ed, but apparently fairly
>> >> recently?
>> >>
>> >> I suppose we need someone a tad more "in the know" to straighten
>> >> that out for us.
>> >
>> > up to this moment, i do not know if natd and firewall_nat function in
>> > the same or different.
>> > and is there firewall_nat_flags thing too ?
>>
>> I'll try to explain,
>>
>> natd_* knobs are for natd(8), a daemon
>> firewall_nat_* knobs are for ipfw(8), NAT is processed by the kernel
>>
>> firewall_nat_* was added in the beginning of year in RELENG_7
>>
>> http://www.freebsd.org/cgi/cvsweb.cgi/src/etc/rc.firewall?r1=1.52.2.2#rev1.52.2.2
>>
>> The NAT configuration is done by /etc/rc.firewall, you can read this
>> file to know how the configuration is done.
>>
>> These are two different ways to do NAT. I can't speak about performance,
>> kernel vs daemon.
>
> many thanks indeed for your clear explanations.
> so we simply use just one of them but not both, do not we ?

Yes.

> once again, i appreciate all of your kind assistance in my case.
>
> with best regards,
> psr

Regards.

--
There's this old saying: "Give a man a fish, feed him for a day. Teach
a man to fish, feed him for life."
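
The "use one of them, not both" answer above, as an added check that is not part of the original thread: a POSIX sh function that reads an rc.conf-style file and reports whether `natd_enable`, `firewall_nat_enable`, or both are switched on. The sample file contents and the interface name `em0` are constructed, and the accepted "yes" spellings are assumed to match what `checkyesno` in rc.subr accepts.

```shell
#!/bin/sh
# Added example: report which NAT mechanism an rc.conf-style file enables.

# rc_value FILE KNOB: print the last value assigned to KNOB. The file is
# parsed, not sourced, so auditing it never executes anything in it.
# A later assignment overrides an earlier one, hence "tail -n 1".
rc_value() {
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"'#[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# is_yes VALUE: true for YES, TRUE, ON (any case) or 1.
# Assumption: these are the spellings rc.subr's checkyesno accepts.
is_yes() {
    case "$1" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# nat_mode FILE: print natd, kernel, both or none.
nat_mode() {
    natd=no
    kern=no
    is_yes "$(rc_value "$1" natd_enable)" && natd=yes
    is_yes "$(rc_value "$1" firewall_nat_enable)" && kern=yes
    case "$natd$kern" in
        yesyes) echo both ;;    # natd(8) and in-kernel NAT both enabled
        yesno)  echo natd ;;    # userland daemon only
        noyes)  echo kernel ;;  # ipfw in-kernel NAT only
        *)      echo none ;;
    esac
}

# Constructed sample input (not from the thread): both knobs left enabled.
sample=$(mktemp)
cat > "$sample" <<'EOF'
gateway_enable="YES"
firewall_enable="YES"
firewall_type="open"
natd_enable="YES"
natd_interface="em0"
firewall_nat_enable="yes"
firewall_nat_interface="em0"
EOF
echo "NAT mode: $(nat_mode "$sample")"
rm -f "$sample"
```

On a real host, run `nat_mode /etc/rc.conf`; a result of `both` is the configuration the thread says to avoid.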