From: Michael Powell
To: freebsd-questions@freebsd.org
Date: Wed, 13 Jul 2011 05:50:23 -0400
Subject: Re: IPFW Firewall NAT inbound port-redirect
References: <20110711170729.GG6611@dan.emsphone.com> <1310473165.58370.YahooMailRC@web36501.mail.mud.yahoo.com> <20110712160304.GI6611@dan.emsphone.com> <1310537140.18043.YahooMailRC@web36506.mail.mud.yahoo.com>

OK - I'm confused. Could be all the top posting.
;-)

testbed# man ipfw
Formatting page, please wait...Done.
IPFW(8)                 FreeBSD System Manager's Manual                IPFW(8)

NAME
     ipfw -- User interface for firewall, traffic shaper, packet scheduler,
     in-kernel NAT.
     ^^^^^^^^^^^^

[...]

kernel config options:

     options IPFIREWALL_NAT          #ipfw kernel nat support
             ^^^^^^^^

With this option you do not need userland natd and NAT stays in the kernel
and keywords are in the IPFW ruleset. I did indeed misspeak wrt natd, as
the above was conceived in IPFW2 to supersede userland natd. Been about
maybe 7 or 8 years since I used IPFW, so the memory is rusty.

Michael Sierchio wrote:

> Mike -
>
> You're confused. natd is still a userland process that works via
> divert sockets. ipfirewall nat is an extension to ipfirewall (ipfw is
> the userland control program to modify the rulesets, nat config,
> tables, etc.).
>
> - Michael
>
> On Tue, Jul 12, 2011 at 11:51 PM, Michael Powell
> wrote:
>> Michael Sierchio wrote:
>>
>>> I'm familiar with natd since its appearance. I was unclear on the
>>> ipfirewall nat syntax, since there is no syntax definition in the man
>>> page. It's true the man page is already too large, but some examples
>>> (somewhere) would be nice. Marshaling packets into userland and back
>>> into the kernel makes natd much slower than kernel nat.
>>
>> This is no longer true as some while ago IPFW's NATD switched over to
>> being kernel-based. A long time ago when NATD was still userland I
>> switched to Darren Reed's IPFILTER for just this reason.
>>
>> The first thing this entailed was learning the IPFILTER syntax as it was
>> somewhat different from IPFW. I made the adjustment and later I found
>> when I moved to PF the syntax from IPFILTER was closer to PF which made
>> it easier to migrate.
>>
>>> The statement "follow closely the syntax used in natd" is not
>>> particularly reassuring, since it doesn't declare that the syntax is
>>> identical, and (I am repeating myself, sorry), there is no syntax def
>>> in the man page.
>>>
>> [snip]
>>>>
>>>> NATD and IPFW work together. It's a little hard to explain in this
>>>> format so as Dan suggests, you should read the manpage on each. Also,
>>>> do some google searches and you will find many helpful articles. But
>>>> take my word for this, you can do exactly what you want with IPFW+NATD.
>>>> There are those who will probably promote PF as the firewall of choice
>>>> as well. It all depends on what you become familiar with.
>>
>> All trueness here. I have used all three: IPFW, IPFILTER, and PF. I use
>> PF today, but any of the three will work just fine for essentially the
>> same purpose (mostly). For example, IPFW had dummynet for traffic-shaping
>> while PF uses ALTQ for essentially the same purpose.
>>
>> Mostly it is just grokking the syntax for whichever of the three you
>> choose. The Handbook contains some content examples for getting started
>> for IPFW and the PF docs can be found on the OpenBSD web site. Understand
>> the syntax and you can shape the firewall however you choose. The various
>> ruleset examples should probably not just be dropped in cut-and-paste
>> style, but rather dissected line by line for understanding and then make
>> tweaks which conform to exactly your local requirements. And it _is_ some
>> arcane stuff to be sure, but stare at it long enough and it'll make sense
>> eventually. :-)
>>
>> -Mike
>>
>> _______________________________________________
>> freebsd-questions@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to
>> "freebsd-questions-unsubscribe@freebsd.org"
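The thread keeps asking for a concrete example of the in-kernel NAT syntax (options IPFIREWALL_NAT, "nat" keywords in the ipfw ruleset) doing the inbound port redirect from the subject line, and none of the posters gives one. The script below is an added example written for this page, not code from Michael Powell, Michael Sierchio or the FreeBSD project. It assumes an external interface em0, an inside interface em1, a LAN of 192.168.1.0/24 and an inside web server 192.168.1.10 listening on TCP/80; all of those names and addresses are assumptions and are overridable through environment variables. By default it only prints the ipfw and sysctl commands it would run, so it can be inspected on any system; on a FreeBSD router with IPFIREWALL, IPFIREWALL_NAT and LIBALIAS in the kernel, run it as root with FWCMD="/sbin/ipfw -q" SYSCTL_CMD=sysctl to load the rules.

```shell
#!/bin/sh
# Added example (not from the thread): ipfw in-kernel NAT with an inbound
# port redirect, written as a ruleset script in the style of /etc/rc.firewall.
# Assumed values, not from the original post: external interface em0, inside
# interface em1, LAN 192.168.1.0/24, inside web host 192.168.1.10 on TCP/80.
# Needs a FreeBSD kernel built with options IPFIREWALL, IPFIREWALL_NAT and
# LIBALIAS (or the ipfw.ko and ipfw_nat.ko modules loaded).

ext_if="${EXT_IF:-em0}"
int_if="${INT_IF:-em1}"
lan_net="${LAN_NET:-192.168.1.0/24}"
web_host="${WEB_HOST:-192.168.1.10}"
web_port="${WEB_PORT:-80}"

# Dry run by default: the commands are only printed. To load them for real,
# run as root with FWCMD="/sbin/ipfw -q" SYSCTL_CMD=sysctl.
fwcmd="${FWCMD:-echo /sbin/ipfw -q}"
sysctl_cmd="${SYSCTL_CMD:-echo sysctl}"

load_ruleset() {
    # With one_pass=1 (the default) a packet that matches a nat rule leaves
    # the firewall right after translation and is never filtered. Clear it
    # so the rules after the nat rule see the translated packet.
    $sysctl_cmd net.inet.ip.fw.one_pass=0

    $fwcmd -f flush

    # In-kernel NAT instance 1 on the external interface:
    #   same_ports     keep the source port where possible
    #   unreg_only     translate only RFC 1918 source addresses
    #   reset          flush the translation table if the external address changes
    #   deny_in        drop inbound packets that match no translation entry,
    #                  so the static redirect is the only way in from outside
    #   redirect_port  inbound TCP/80 on the external address -> web_host:web_port
    $fwcmd nat 1 config if "$ext_if" same_ports unreg_only reset deny_in \
        redirect_port tcp "${web_host}:${web_port}" "$web_port"

    # Loopback and anti-spoofing, evaluated before any translation.
    $fwcmd add 100 allow ip from any to any via lo0
    $fwcmd add 110 deny ip from any to 127.0.0.0/8
    $fwcmd add 120 deny ip from 127.0.0.0/8 to any
    $fwcmd add 130 deny ip from "$lan_net" to any in via "$ext_if"

    # Push everything crossing the external interface, both directions,
    # through NAT instance 1. Processing continues at the next rule because
    # one_pass is 0.
    $fwcmd add 200 nat 1 ip from any to any via "$ext_if"

    # Inbound rules run after translation, so the redirected connection now
    # carries the inside address as its destination.
    $fwcmd add 300 allow tcp from any to "$web_host" "$web_port" in via "$ext_if"
    # Replies to LAN-initiated traffic have been de-aliased to the inside host;
    # anything unsolicited was already dropped by deny_in.
    $fwcmd add 310 allow ip from any to "$lan_net" in via "$ext_if"

    # Outbound rules also run after translation: the source is now the
    # external address, so match on direction rather than on the LAN source.
    $fwcmd add 400 allow ip from any to any out via "$ext_if"

    # Inside interface is trusted in this example; everything else is denied.
    $fwcmd add 500 allow ip from any to any via "$int_if"
    $fwcmd add 65000 deny log ip from any to any
}

load_ruleset
```

Two points in that ruleset are where port-redirect setups usually go wrong. First, the allow rule for the redirected service (rule 300) has to match the post-NAT destination, the inside host, not the router's external address, and that only works because net.inet.ip.fw.one_pass is cleared; with the default of 1 the packet is accepted straight out of the nat rule and rules 300 through 65000 never run. Second, deny_in drops every inbound packet that has no translation entry, which also covers unsolicited packets addressed to the router's own external address, so a service on the router itself needs either its own redirect_port or that option removed and an explicit allow rule in its place.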