Date:      Sat, 14 Jan 2006 20:38:24 +0000
From:      Brian Candler <B.Candler@pobox.com>
To:        Alexander <shulik_freebsd@matrixhome.net>
Cc:        freebsd-isp@freebsd.org
Subject:   Re: FreeBSD as Server
Message-ID:  <20060114203823.GA56577@uk.tiscali.com>
In-Reply-To: <43C9204A.1020401@matrixhome.net>
References:  <375DD163B075E34EA3C10A6286E34A54C1D4B5@exhsto1.se.dataphone.com> <43C7A18D.8060904@centtech.com> <43C7B008.8060404@matrixhome.net> <20060114131427.GA5349@uk.tiscali.com> <43C9204A.1020401@matrixhome.net>

On Sat, Jan 14, 2006 at 06:01:14PM +0200, Alexander wrote:
> I think that ipfw is native to FreeBSD - it works better than other 
> packet filters. Am I right?

Not really. For NAT in particular, ipfw is pretty awful. You need an
external daemon (natd) and have to route packets to and from it, which works
fine if you have a very simple configuration (e.g. single external
interface, basic NAT-everything-going-out or NAT all RFC1918 address space).
More complex scenarios can be an utter nightmare to configure properly.

It also has a long history, which means that the configuration syntax isn't
always very clean because of backwards compatibility requirements.

> When traffic that is not to be NATed in ng_nat is sent into hook "in", 
> must it simply come out of it? Or not? Where is the trouble?

I can't answer that. All I can say is, if you want NAT there is a very
simple incantation you can put in /etc/rc.conf:

    pf_enable="YES"
    pflog_enable="YES"

and in /etc/pf.conf:

    # replace interface name as appropriate
    ext_if="fxp0"
    nat on $ext_if from any to any -> ($ext_if)

Start it like this:

    # /etc/rc.d/pf start
    # /etc/rc.d/pflog start

It should Just Work[TM]. pf is loadable as a module, so you shouldn't even
have to recompile your kernel.

Regards,

Brian.
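As an added example, not part of Brian's message or of the FreeBSD project's own documentation: a fuller /etc/pf.conf for the same single-external-interface NAT case. The nat-only file above is enough for NAT, but pf passes every packet when no filter rules are present, so this version adds a default-deny inbound policy, anti-spoofing, logging of dropped packets to pflog0, and stateful pass rules. The interface names fxp0/fxp1 and the 192.168.1.0/24 internal network are assumed placeholders; replace them with your own.

```pf
# /etc/pf.conf -- added example; adjust interface names and networks.
# Macros
ext_if = "fxp0"                 # external interface (assumed name)
int_if = "fxp1"                 # internal interface (assumed name)
int_net = "192.168.1.0/24"      # internal RFC1918 network (assumed)

# Normalisation: reassemble fragments before translation and filtering
scrub in all

# Translation: NAT everything from the internal network leaving ext_if.
# In pf.conf the translation (nat/rdr) section must precede the filter rules.
nat on $ext_if from $int_net to any -> ($ext_if)

# Filtering. Default deny inbound on the external interface; log the drops
# to pflog0 so they can be reviewed with tcpdump.
block in log on $ext_if all

# Drop packets whose source address could not legitimately arrive on that
# interface (e.g. an internal address showing up on ext_if).
antispoof quick for { lo0 $int_if $ext_if }

# Stateful pass rules: the gateway and the internal network may reach out,
# and the state table matches the replies without any inbound allow rule.
pass out on $ext_if keep state
pass in on $int_if from $int_net to any keep state
pass out on $int_if to $int_net keep state

# Management: ssh to the gateway only from the internal side
pass in on $int_if proto tcp from $int_net to ($int_if) port ssh keep state
```

Two things the rc.conf lines above do not cover: a NAT gateway must also forward packets between interfaces, which `gateway_enable="YES"` in /etc/rc.conf turns on, and `pfctl -nf /etc/pf.conf` parses the file without loading it, so a syntax error is caught before the running ruleset is replaced. With `pflog_enable="YES"` set, `tcpdump -n -e -ttt -i pflog0` shows the packets the `block in log` rule dropped.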
