From owner-freebsd-questions@FreeBSD.ORG Wed Jul 13 06:50:21 2011
From: Michael Powell
To: freebsd-questions@freebsd.org
Date: Wed, 13 Jul 2011 02:51:01 -0400
Subject: Re: IPFW Firewall NAT inbound port-redirect
Followup-To: gmane.os.freebsd.questions
References: <20110711170729.GG6611@dan.emsphone.com> <1310473165.58370.YahooMailRC@web36501.mail.mud.yahoo.com> <20110712160304.GI6611@dan.emsphone.com> <1310537140.18043.YahooMailRC@web36506.mail.mud.yahoo.com>
List-Id: User questions

Michael Sierchio wrote:

> I'm familiar with natd since its appearance. I was unclear on the
> ipfirewall nat syntax, since there is no syntax definition in the man
> page. It's true the man page is already too large, but some examples
> (somewhere) would be nice. Marshaling packets into userland and back
> into the kernel makes natd much slower than kernel nat.

This is no longer true, as some while ago IPFW's NATD switched over to
being kernel-based. A long time ago, when NATD was still userland, I
switched to Darren Reed's IPFILTER for just this reason. The first thing
this entailed was learning the IPFILTER syntax, as it was somewhat
different from IPFW. I made the adjustment, and later I found when I moved
to PF that the syntax from IPFILTER was closer to PF, which made it easier
to migrate.

> The statement "follow closely the syntax used in natd" is not
> particularly reassuring, since it doesn't declare that the syntax is
> identical, and (I am repeating myself, sorry), there is no syntax def
> in the man page.
>
> [snip]
>>
>> NATD and IPFW work together. It's a little hard to explain in this format
>> so as Dan suggests, you should read the manpage on each. Also, do some
>> google searches and you will find many helpful articles. But take my word
>> for this, you can do exactly what you want with IPFW+NATD. There are
>> those who will probably promote PF as the firewall of choice as well. It
>> all depends on what you become familiar with.

All trueness here. I have used all three: IPFW, IPFILTER, and PF. I use PF
today, but any of the three will work just fine for essentially the same
purpose (mostly). For example, IPFW had dummynet for traffic-shaping while
PF uses ALTQ for essentially the same purpose. Mostly it is just grokking
the syntax for whichever of the three you choose. The Handbook contains
some content examples for getting started for IPFW, and the PF docs can be
found on the OpenBSD web site. Understand the syntax and you can shape the
firewall however you choose.

The various ruleset examples should probably not just be dropped in
cut-and-paste style, but rather dissected line by line for understanding,
and then tweaked to conform exactly to your local requirements. And it _is_
some arcane stuff to be sure, but stare at it long enough and it'll make
sense eventually. :-)

-Mike
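An added example for the inbound port redirect this thread is about, written for this page rather than taken from the post or from the FreeBSD Handbook: an in-kernel IPFW NAT ruleset that forwards external TCP/80 to one LAN host and keeps the filtering rules readable line by line. The interface names, LAN prefix and web server address are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread: in-kernel IPFW NAT on a FreeBSD
# gateway with one inbound port redirect. All names are assumptions: em0 is the
# external interface, re0 the LAN interface, 192.168.1.0/24 the LAN and
# 192.168.1.10:80 the internal web server. Override them via the environment.
EXT_IF="${EXT_IF:-em0}"
LAN_IF="${LAN_IF:-re0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
WEB_HOST="${WEB_HOST:-192.168.1.10}"
WEB_PORT="${WEB_PORT:-80}"

# Emit the ruleset as text so it can be read line by line before it is applied.
# Needs the ipfw_nat kernel module and sysctl net.inet.ip.fw.one_pass=0; with
# one_pass=1 a packet is accepted as soon as the nat rule matches and the
# filtering rules after it are never consulted.
nat_rules() {
    cat <<EOF
ipfw -q flush
ipfw -q nat 1 config if ${EXT_IF} same_ports reset unreg_only redirect_port tcp ${WEB_HOST}:${WEB_PORT} ${WEB_PORT}
# LAN side and loopback are not filtered here
ipfw -q add 005 allow ip from any to any via ${LAN_IF}
ipfw -q add 010 allow ip from any to any via lo0
# inbound: un-NAT first, then filter on the real (rewritten) destination
ipfw -q add 100 nat 1 ip from any to any in via ${EXT_IF}
ipfw -q add 101 check-state
# LAN-originated sessions: remember state, then NAT on the way out at rule 500
ipfw -q add 120 skipto 500 tcp from ${LAN_NET} to any out via ${EXT_IF} setup keep-state
ipfw -q add 130 skipto 500 udp from ${LAN_NET} to any 53 out via ${EXT_IF} keep-state
# redirect target: admit the SYN (already rewritten to WEB_HOST), let replies out via NAT
ipfw -q add 200 allow tcp from any to ${WEB_HOST} ${WEB_PORT} in via ${EXT_IF}
ipfw -q add 210 skipto 500 tcp from ${WEB_HOST} ${WEB_PORT} to any out via ${EXT_IF}
# everything else is logged and dropped; 500/510 are reached only via skipto
ipfw -q add 450 deny log ip from any to any
ipfw -q add 500 nat 1 ip from any to any out via ${EXT_IF}
ipfw -q add 510 allow ip from any to any
EOF
}

# Dry run by default: print the rules. APPLY=yes runs them (root on the gateway).
apply_rules() {
    if [ "${APPLY:-no}" = "yes" ]; then
        nat_rules | sh
    else
        nat_rules
    fi
}

apply_rules
```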