From: Michael Sierchio
To: Michael Powell
Cc: freebsd-questions@freebsd.org
Date: Tue, 12 Jul 2011 23:55:16 -0700
Subject: Re: IPFW Firewall NAT inbound port-redirect

Mike -

You're confused. natd is still a userland process that works via divert sockets. ipfirewall nat is an extension to ipfirewall (ipfw is the userland control program to modify the rulesets, nat config, tables, etc.).

- Michael

On Tue, Jul 12, 2011 at 11:51 PM, Michael Powell wrote:
> Michael Sierchio wrote:
>
>> I'm familiar with natd since its appearance. I was unclear on the
>> ipfirewall nat syntax, since there is no syntax definition in the man
>> page. It's true the man page is already too large, but some examples
>> (somewhere) would be nice. Marshaling packets into userland and back
>> into the kernel makes natd much slower than kernel nat.
>
> This is no longer true as some while ago IPFW's NATD switched over to being
> kernel-based. A long time ago when NATD was still userland I switched to
> Darren Reed's IPFILTER for just this reason.
>
> The first thing this entailed was learning the IPFILTER syntax as it was
> somewhat different from IPFW. I made the adjustment and later I found when I
> moved to PF the syntax from IPFILTER was closer to PF which made it easier
> to migrate.
>
>> The statement "follow closely the syntax used in natd" is not
>> particularly reassuring, since it doesn't declare that the syntax is
>> identical, and (I am repeating myself, sorry), there is no syntax def
>> in the man page.
>>
> [snip]
>>>
>>> NATD and IPFW work together. It's a little hard to explain in this format
>>> so as Dan suggests, you should read the manpage on each. Also, do some
>>> google searches and you will find many helpful articles. But take my word
>>> for this, you can do exactly what you want with IPFW+NATD. There are
>>> those who will probably promote PF as the firewall of choice as well. It
>>> all depends on what you become familiar with.
>
> All trueness here. I have used all three: IPFW, IPFILTER, and PF. I use PF
> today, but any of the three will work just fine for essentially the same
> purpose (mostly). For example, IPFW had dummynet for traffic-shaping while
> PF uses ALTQ for essentially the same purpose.
>
> Mostly it is just grokking the syntax for whichever of the three you choose.
> The Handbook contains some content examples for getting started for IPFW and
> the PF docs can be found on the OpenBSD web site. Understand the syntax and
> you can shape the firewall however you choose. The various ruleset examples
> should probably not just be dropped in cut-and-paste style, but rather
> dissected line by line for understanding and then make tweaks which conform
> to exactly your local requirements. And it _is_ some arcane stuff to be
> sure, but stare at it long enough and it'll make sense eventually. :-)
>
> -Mike
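The inbound port redirect this thread is about, done with in-kernel ipfw nat instead of natd, as an added example that is not from any of the posters. The interface names (em0, em1), addresses, ports and the APPLY variable are assumptions; without APPLY=1 the script only prints the ruleset so it can be dissected line by line before it touches a live firewall.

```shell
#!/bin/sh
# Added example, not from the thread. Emits an ipfw in-kernel NAT ruleset
# that redirects inbound TCP on EXT_PORT of the external interface to
# INT_HOST:INT_PORT. Interface names, addresses and ports are assumptions.
EXT_IF=${EXT_IF:-em0}                  # interface facing the Internet
INT_IF=${INT_IF:-em1}                  # interface facing the LAN
INT_NET=${INT_NET:-192.168.1.0/24}
INT_HOST=${INT_HOST:-192.168.1.10}     # host that receives the redirect
EXT_PORT=${EXT_PORT:-2222}             # port reached from outside
INT_PORT=${INT_PORT:-22}               # port INT_HOST listens on

# Rules are printed without the leading "ipfw" so they can be reviewed or
# fed to "ipfw -q /dev/stdin". Ordering matters with one_pass=0:
#  - inbound traffic is untranslated (rule 200) before any filtering, so
#    the filter rules see the real internal destination;
#  - allowed flows use "skipto 1000 ... keep-state", so the dynamic rule
#    sends the replies through the outbound nat rule instead of accepting
#    them untranslated;
#  - everything not explicitly allowed is logged and dropped (rule 900).
build_ruleset() {
    cat <<EOF
flush
nat 1 config if $EXT_IF same_ports unreg_only reset redirect_port tcp $INT_HOST:$INT_PORT $EXT_PORT
add 00100 allow ip from any to any via lo0
add 00200 nat 1 ip from any to any in via $EXT_IF
add 00300 check-state
add 00400 skipto 1000 ip from $INT_NET to any out via $EXT_IF keep-state
add 00500 skipto 1000 ip from me to any out via $EXT_IF keep-state
add 00600 skipto 1000 tcp from any to $INT_HOST $INT_PORT in via $EXT_IF setup keep-state
add 00700 allow ip from any to any via $INT_IF
add 00900 deny log ip from any to any
add 01000 nat 1 ip from any to any out via $EXT_IF
add 01100 allow ip from any to any
EOF
}

# Succeeds only if the generated ruleset carries the redirect, so the
# output can be checked before anything is loaded.
has_redirect() {
    build_ruleset | grep -q "redirect_port tcp $INT_HOST:$INT_PORT $EXT_PORT"
}

if [ "${APPLY:-0}" = 1 ]; then
    kldstat -q -m ipfw_nat || kldload ipfw_nat   # in-kernel NAT module
    sysctl net.inet.ip.fw.one_pass=0 >/dev/null  # keep filtering after nat
    build_ruleset | ipfw -q /dev/stdin
else
    build_ruleset
fi
```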