From: Tillman Hodgson
To: freebsd-questions@freebsd.org
Date: Sun, 14 Dec 2003 17:38:10 -0600
Subject: Re: ipnat+ipfw + 3 gateways
Message-ID: <20031214233809.GS64340@seekingfire.com>
References: <1120787753.20031215004154@vkt.lt>

On Sun, Dec 14, 2003 at 06:01:08PM -0500, fbsd_user wrote:
> I think you are confused. IPNAT is part of ipfilter firewall and
> IPFW is a different firewall which has its own NATD function. You can
> not use one part from one and the other part from the other one.
> They work as a set, IPNAT/IPFILTER or IPFW/NATD. Your best bet is
> to use IPNAT and its firewall IPFILTER.

Not necessarily true. I'm using IPF for packet filtering, IPNAT for NAT,
and IPFW for traffic shaping on the same firewall. The order that a
packet is mangled becomes important, but that's solved simply by being
careful when designing the firewall.

-T

-- 
Draw bamboos for ten years, become a bamboo, then forget all about
bamboos when you are drawing.
    Georges Duthuit