From owner-freebsd-questions  Tue Jan 30 18:57:44 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from easynet-gw.netvalue.fr (unknown [212.180.121.161])
	by hub.freebsd.org (Postfix) with ESMTP id D2BC437B69D
	for <freebsd-questions@freebsd.org>; Tue, 30 Jan 2001 18:57:24 -0800 (PST)
Received: from mail.netvalue.fr (unknown [192.168.1.13])
	by easynet-gw.netvalue.fr (Postfix) with ESMTP id B7A658C42
	for <freebsd-questions@freebsd.org>; Wed, 31 Jan 2001 03:59:27 +0100 (CET)
Received: from mail-hk.netvalue.fr ([192.168.100.13]) by mail.netvalue.fr
          (Netscape Messaging Server 3.6)  with ESMTP id AAA1B6B
          for <freebsd-questions@freebsd.org>;
          Wed, 31 Jan 2001 03:57:06 +0100
Received: from erwan.netvalue.fr ([192.168.100.100]) by
          mail-hk.netvalue.fr (Netscape Messaging Server 4.15) with ESMTP
          id G80AV900.OJR; Wed, 31 Jan 2001 10:57:09 +0800 
Received: from netvalue.com (localhost [127.0.0.1])
	by erwan.netvalue.fr (Postfix) with ESMTP
	id 31EF81A53; Wed, 31 Jan 2001 10:57:10 +0800 (HKT)
Message-ID: <3A777F06.7BD592FA@netvalue.com>
Date: Wed, 31 Jan 2001 10:57:10 +0800
From: Erwan Arzur <erwan@netvalue.com>
Organization: NetValue Ltd.
X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.12 i386)
X-Accept-Language: en, fr-FR
MIME-Version: 1.0
To: jim@bedlam.demon.co.uk
Cc: freebsd-questions@freebsd.org
Subject: Re: ipfw vs ipf (again)
References: <tt7e7t84lbmitdtkjtuu29ff56is6582rl@4ax.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Jim Hatfield wrote:
 
> - packet forwarding, in support of a transparent http proxy. I can't
> see an equivalent of ipfw fwd, which will change the next hop address
> but leave the packet untouched (unless it's the fastroute feature,
> though it doesn't seem intended for this).

look at the rdr feature of ipnat. I've no experience with it though.
From man 5 ipnat

      rdr    that  is  used  for  redirecting  packets to one IP
              address and port pair to another;

> 
> - selective NAT'ing. I want to only NAT packets which are headed to
> the Internet. Packets for our DMZ, on the "outside" interface of the
> router, and to our other offices via a VPN gateway, shouldn't be
> NAT'ed. ipfw makes this fairly easy but it didn't look so simple with
> ipf.
> 

Uh ? again, man 5 ipnat. You don't need to specify any ipf rule in order
to do that.

map <external i/f> <internal network> -> <external address>

Isn't it selective enough ?
--
Erwan Arzur
NetValue ltd.


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message