From owner-freebsd-questions Sat Mar 11 14:19:12 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from cc942873-a.ewndsr1.nj.home.com (cc942873-a.ewndsr1.nj.home.com [24.2.89.207]) by hub.freebsd.org (Postfix) with ESMTP id 13B9A37B920 for ; Sat, 11 Mar 2000 14:19:07 -0800 (PST) (envelope-from cjc@cc942873-a.ewndsr1.nj.home.com)
Received: (from cjc@localhost) by cc942873-a.ewndsr1.nj.home.com (8.9.3/8.9.3) id RAA24483; Sat, 11 Mar 2000 17:24:41 -0500 (EST) (envelope-from cjc)
Date: Sat, 11 Mar 2000 17:24:41 -0500
From: "Crist J. Clark"
To: Sam Carleton
Cc: FreeBSD Questions
Subject: Re: ipfw is not working
Message-ID: <20000311172441.B24340@cc942873-a.ewndsr1.nj.home.com>
Reply-To: cjclark@home.com
References: <38C9D32F.E8F2254A@miltonstreet.com> <20000311123542.B23514@cc942873-a.ewndsr1.nj.home.com> <38CA9F0F.8A8F89F5@miltonstreet.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <38CA9F0F.8A8F89F5@miltonstreet.com>; from scarleton@miltonstreet.com on Sat, Mar 11, 2000 at 02:32:46PM -0500
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Sat, Mar 11, 2000 at 02:32:46PM -0500, Sam Carleton wrote:
>
>
> "Crist J. Clark" wrote:
>
> > On Sat, Mar 11, 2000 at 12:02:36AM -0500, Sam Carleton wrote:
> > > I am working on building a firewall script. First off, I have an
> > > ipchains script that is working fine in Linux, is there some way to
> > > easily convert that over to ipfw?
> >
> > As long as you have not built any custom chains, I think ipchains
> > rules can be converted to ipfw rules in a one-to-one manner (they are
> > both stateless packet filters) for a firewall that does not do NAT.
> > I'm not sure what happens when you start doing NAT (or as Linux calls
> > it, IP masquerading).
>
> Wait a second here. My understanding is that NAT and IP Masquerading are
> different. From my understanding, with IP Masq there only needs to be one valid
> IP address, that on the external card of the firewall. IP Masq gives all
> outgoing requests the one external IP address. With NAT, there needs to be one
> external IP address for every machine that wants to get to the Internet.
> Considering most folks at home only have one external IP address, they would
> want to use IP Masq. I have also heard IP Masq called PAT.
>
> Looking at page 506 of the 3rd edition of "The Complete FreeBSD", it looks like
> FreeBSD uses the terminology IP aliasing for what Linux folks call IP Masq. Am
> I correct?

No. NAT only needs one registered IP address on the external interface.
If it required a one-to-one mapping, it'd be rather useless. See the
natd(8) manpage. Also see RFC 1631 and other RFCs related to NAT if
interested. (BTW, there are no RFCs about "IP masquerading." No idea
if there are differences.)
--
Crist J. Clark                           cjclark@home.com


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
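The one-to-one conversion Crist describes, with both of his caveats (no user-defined chains; NAT is not a filter rule), as an added example that is not part of the thread and not code from FreeBSD or the ipfw/ipchains projects. It is a small translator for a subset of ipchains syntax (-A on the built-in chains, -p, -s/-d with an optional port or port range, -i, -j, -y, -l) into ipfw rules. User-defined chains (-N, or -j to a name that is not a built-in target) are refused rather than guessed at, and a MASQ target becomes an ipfw divert to natd(8), because on FreeBSD NAT is done by natd on the external interface rather than by a filter action. The sample ruleset, the interface name ed0 and the addresses (192.0.2.1 external, 192.168.0.0/24 internal) are constructed for the example; the assumption that natd is started on the same interface is noted in the code.

```python
"""Translate a subset of ipchains(8) rules into ipfw(8) rules (added example)."""
import shlex

# Built-in ipchains chains and the ipfw direction keyword they correspond to.
# "forward" packets traverse ipfw in both directions, so no keyword is added.
CHAIN_DIRECTION = {"input": "in", "output": "out", "forward": ""}

# Built-in ipchains targets and their ipfw actions.
TARGET_ACTION = {"ACCEPT": "allow", "DENY": "deny", "REJECT": "unreach host"}


class UnsupportedRule(ValueError):
    """Raised for ipchains constructs that have no one-to-one ipfw equivalent."""


def _addr(a):
    """ipchains 0.0.0.0/0 is ipfw 'any'; a /32 is just the host address."""
    if a in ("0.0.0.0/0", "0/0"):
        return "any"
    return a[:-3] if a.endswith("/32") else a


def _is_port(tok):
    """A port or port range (ipchains writes ranges as low:high)."""
    return bool(tok) and tok[0] != "-" and all(c.isdigit() or c == ":" for c in tok)


def translate(rule):
    """Return the ipfw command for one ipchains command line."""
    toks = shlex.split(rule)
    if toks and toks[0] == "ipchains":
        toks = toks[1:]
    chain = proto = iface = target = None
    src = dst = "any"
    sport = dport = None
    syn = log = False
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == "-N":
            raise UnsupportedRule("user-defined chains have no ipfw equivalent: " + rule)
        if t in ("-A", "-p", "-i", "-j"):
            if i + 1 >= len(toks):
                raise UnsupportedRule("missing argument for %s in: %s" % (t, rule))
            val = toks[i + 1]
            if t == "-A":
                chain = val
            elif t == "-p":
                proto = val.lower()
            elif t == "-i":
                iface = val
            else:
                target = val
            i += 2
        elif t in ("-s", "-d"):
            addr = _addr(toks[i + 1])
            i += 2
            port = None
            if i < len(toks) and _is_port(toks[i]):
                port = toks[i].replace(":", "-")  # ipfw ranges are low-high
                i += 1
            if t == "-s":
                src, sport = addr, port
            else:
                dst, dport = addr, port
        elif t == "-y":
            syn = True  # SYN-only match: ipfw 'setup'
            i += 1
        elif t == "-l":
            log = True
            i += 1
        else:
            raise UnsupportedRule("unrecognised ipchains option %r in: %s" % (t, rule))
    if chain not in CHAIN_DIRECTION:
        raise UnsupportedRule("only the built-in chains input/output/forward are handled: " + rule)
    if target == "MASQ":
        # Masquerading is a target in ipchains; in ipfw the packet is diverted to
        # natd(8), which rewrites both directions itself, so the rule carries no
        # direction and no source restriction. Assumption: natd is started with
        # -interface <iface> (the ipchains -i interface) on this host.
        if iface is None:
            raise UnsupportedRule("MASQ needs -i <external interface> to become a natd divert: " + rule)
        return "ipfw add divert natd ip from any to any via %s" % iface
    if target not in TARGET_ACTION:
        raise UnsupportedRule("target %r is not a built-in target: %s" % (target, rule))
    if syn and proto != "tcp":
        raise UnsupportedRule("-y only applies to tcp: " + rule)
    parts = ["ipfw add", TARGET_ACTION[target]]
    if log:
        parts.append("log")
    parts += [proto or "ip", "from " + src]
    if sport:
        parts.append(sport)
    parts.append("to " + dst)
    if dport:
        parts.append(dport)
    if CHAIN_DIRECTION[chain]:
        parts.append(CHAIN_DIRECTION[chain])
    if iface:
        parts.append("via " + iface)
    if syn:
        parts.append("setup")
    return " ".join(parts)


def is_convertible(rule):
    """True if the rule has a one-to-one ipfw equivalent under the rules above."""
    try:
        translate(rule)
        return True
    except UnsupportedRule:
        return False


def translate_ruleset(text):
    """Translate a whole script, skipping blank lines and comments."""
    return [translate(ln) for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


# Constructed sample ipchains script for a single-address home firewall.
SAMPLE = """
# external interface ed0 has 192.0.2.1, the LAN is 192.168.0.0/24
ipchains -A input -i ed0 -p tcp -s 0.0.0.0/0 -d 192.0.2.1/32 22 -j ACCEPT
ipchains -A input -i ed0 -p tcp -y -j DENY -l
ipchains -A input -i ed0 -p udp -s 0.0.0.0/0 1024:65535 -d 192.0.2.1/32 53 -j REJECT
ipchains -A forward -i ed0 -s 192.168.0.0/24 -j MASQ
"""

if __name__ == "__main__":
    for line in translate_ruleset(SAMPLE):
        print(line)
```

Running it prints one ipfw command per ipchains rule; the MASQ line becomes the divert rule, which only does anything once natd is running on ed0. Rules using ipchains features the translator does not model (negation with !, ICMP types, fragments, user-defined chains) are rejected with UnsupportedRule instead of being silently approximated, which is the safer failure mode for a firewall conversion.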