From: Brian Candler
To: Alexander
Cc: freebsd-isp@freebsd.org
Date: Sat, 14 Jan 2006 20:38:24 +0000
Subject: Re: FreeBSD as Server
Message-ID: <20060114203823.GA56577@uk.tiscali.com>
In-Reply-To: <43C9204A.1020401@matrixhome.net>

On Sat, Jan 14, 2006 at 06:01:14PM +0200, Alexander wrote:
> I think that ipfw is native for FreeBSD - it works better than other
> packet filters. Am I right?

Not really. For NAT in particular, ipfw is pretty awful. You need an
external daemon (natd) and have to route packets to and from it, which
works fine if you have a very simple configuration (e.g. single external
interface, basic NAT-everything-going-out or NAT all RFC1918 address
space). More complex scenarios can be an utter nightmare to configure
properly.

It also has a long history, which means that the configuration syntax
isn't always very clean because of backwards compatibility requirements.

> When traffic that should not be NATed in ng_nat is sent to hook "in",
> must it simply go out from it? Or not? Where is the trouble?

I can't answer that. All I can say is, if you want NAT there is a very
simple incantation you can put in /etc/rc.conf:

    pf_enable="YES"
    pflog_enable="YES"

and in /etc/pf.conf:

    # replace interface name as appropriate
    ext_if="fxp0"
    nat on $ext_if from any to any -> ($ext_if)

Start it like this:

    # /etc/rc.d/pf start
    # /etc/rc.d/pflog start

It should Just Work[TM]. pf is loadable as a module, so you shouldn't even
have to recompile your kernel.

Regards,

Brian.
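As an added example that is not part of Brian's message: the minimal pf.conf above translates traffic "from any", so a fuller ruleset for a two-interface FreeBSD gateway would restrict NAT to the internal LAN and pair it with a default-deny filter and pflog logging. Interface names and the 192.168.1.0/24 subnet are assumptions.

```pf
# Added example, not from the original message. Assumed names: fxp0 is the
# external interface, fxp1 the LAN side, 192.168.1.0/24 the LAN subnet.
ext_if  = "fxp0"
int_if  = "fxp1"
lan_net = "192.168.1.0/24"

# Do not filter loopback; normalise fragments before filtering.
set skip on lo0
scrub in all

# Translate only the LAN subnet, not "any": packets arriving with other
# source addresses (spoofed or misrouted) are never rewritten.
nat on $ext_if from $lan_net to any -> ($ext_if)

# Default deny inbound, logging each blocked packet to pflog0 so that
# tcpdump -n -e -ttt -i pflog0 shows what was refused and why.
block in log all

# Let the LAN out and keep state so only matching replies come back in.
pass in  on $int_if from $lan_net to any keep state
pass out on $ext_if keep state

# Administrative access to the gateway itself, from the LAN side only.
pass in on $int_if proto tcp from $lan_net to ($int_if) port ssh keep state
```

Check the file with pfctl -nf /etc/pf.conf before loading it, so a syntax error does not leave the box without a ruleset.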