Date:      Sat, 11 Mar 2000 17:24:41 -0500
From:      "Crist J. Clark" <cjc@cc942873-a.ewndsr1.nj.home.com>
To:        Sam Carleton <scarleton@miltonstreet.com>
Cc:        FreeBSD Questions <freebsd-questions@FreeBSD.ORG>
Subject:   Re: ipfw is not working
Message-ID:  <20000311172441.B24340@cc942873-a.ewndsr1.nj.home.com>
In-Reply-To: <38CA9F0F.8A8F89F5@miltonstreet.com>; from scarleton@miltonstreet.com on Sat, Mar 11, 2000 at 02:32:46PM -0500
References:  <38C9D32F.E8F2254A@miltonstreet.com> <20000311123542.B23514@cc942873-a.ewndsr1.nj.home.com> <38CA9F0F.8A8F89F5@miltonstreet.com>

On Sat, Mar 11, 2000 at 02:32:46PM -0500, Sam Carleton wrote:
> 
> 
> "Crist J. Clark" wrote:
> 
> > On Sat, Mar 11, 2000 at 12:02:36AM -0500, Sam Carleton wrote:
> > > I am working on building a firewall script.  First off, I have an
> > > ipchains script that is working fine in Linux, is there some way to
> > > easily convert that over to ipfw?
> >
> > As long as you have not built any custom chains, I think ipchains
> > rules can be converted to ipfw rules in a one-to-one manner (they are
> > both stateless packet filters) for a firewall that does not do NAT.
> > I'm not sure what happens when you start doing NAT (or as Linux calls
> > it, IP masquerading).
> 
> Wait a second here.  My understanding is that NAT and IP Masquerading are
> different.  From my understanding, with IP Masq there only needs to be one valid
> IP address, that on the external card of the firewall.  IP Masq gives all
> outgoing requests the one external IP address.  With NAT, there needs to be one
> external IP address for every machine that wants to get to the Internet.
> Considering most folks at home only have one external IP address, they would
> want to use IP Masq.  I have also heard IP Masq called PAT.
> 
> Looking at page 506 of the 3rd edition of "The Complete FreeBSD", it looks like
> FreeBSD uses the terminology IP aliasing for what Linux folks call IP Masq.  Am
> I correct?

No. NAT only needs one registered IP address on the external
interface. If it required a one-to-one mapping, it'd be rather
useless. See the natd(8) manpage. Also see RFC 1631 and other RFCs
related to NAT if interested. (BTW, there are no RFCs about "IP
masquerading." No idea if there are differences.)
-- 
Crist J. Clark                           cjclark@home.com
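The point in the reply above, that one registered address on the external interface is enough, is what natd(8) does: many internal hosts share the one external address because the translator rewrites the source port as well as the source address. The following is an added illustration, not code from this thread or from natd; it simulates a simplified many-to-one translation table (keyed on internal address and port only, and using constructed RFC 5737 documentation addresses).

```python
# Added example: a minimal many-to-one NAT (port translation) table.
# Hypothetical helper class, not natd(8)'s implementation.
from dataclasses import dataclass, field


@dataclass
class Napt:
    external_ip: str                 # the single registered external address
    next_port: int = 40000           # first external port handed out
    out_map: dict = field(default_factory=dict)  # (int_ip, int_port) -> ext_port
    in_map: dict = field(default_factory=dict)   # ext_port -> (int_ip, int_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate a packet leaving the LAN; allocate a mapping if it is new.

        Every internal host ends up with the same source address on the wire;
        only the external port distinguishes them."""
        key = (src_ip, src_port)
        if key not in self.out_map:
            port = self.next_port
            self.next_port += 1
            self.out_map[key] = port
            self.in_map[port] = key
        return (self.external_ip, self.out_map[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Translate a reply arriving on the external interface.

        Returns None (drop) when no mapping exists for the destination port:
        unsolicited inbound connections have nowhere to go through plain NAT,
        which is the side effect that makes it look like a firewall."""
        target = self.in_map.get(dst_port)
        if target is None:
            return None
        int_ip, int_port = target
        return (src_ip, src_port, int_ip, int_port)


if __name__ == "__main__":
    nat = Napt("203.0.113.5")        # constructed external address
    # Two LAN hosts using the same local port reach the same web server.
    print(nat.outbound("192.168.1.10", 1025, "198.51.100.7", 80))
    print(nat.outbound("192.168.1.11", 1025, "198.51.100.7", 80))
    print(nat.inbound("198.51.100.7", 80, 40001))   # reply to the second host
    print(nat.inbound("198.51.100.7", 80, 50000))   # no mapping: dropped
```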

