Date: Fri, 29 Mar 2002 18:14:00 +0000
From: Scott Mitchell
To: Martyn Hill
Cc: FreeBSD-questions
Subject: Re: Cable-modem, dynamic IP, NAT and IPFW

On Wed, Mar 27, 2002 at 02:31:38PM -0000, Martyn Hill wrote:
> In particular, configuring IPFW for dynamic IP (I have a working ruleset
> for fixed IP); which of NATD or UserPPP NAT is preferable (or easier) to
> configure/use and how best to configure the external NIC using the ISC
> DHCLIENT software.

This /etc/dhclient.conf works for me on NTL:

    interface "ep0" {
        supersede domain-name-servers 127.0.0.1;
    }

ep0 is obviously the external interface. The only reason this file isn't
entirely empty is to make sure my name server gets used before NTL's.

IPFW, natd and dynamic rules (i.e., using keep-state and check-state) don't
work terribly well together -- see PR kern/29294. If you avoid using
dynamic rules, and make sure to use interface names rather than IP
addresses (in case your dynamic IP changes), everything should be fine.

On the other hand, user PPP's NAT doesn't have the problem with dynamic
rules, so if you're using that anyway, you might as well drop natd entirely.

I can send you the relevant bits of my rc.firewall if you need more info
on this.

HTH,

	Scott

-- 
===========================================================================
Scott Mitchell          | PGP Key ID | "Eagles may soar, but weasels
Cambridge, England      | 0x54B171B9 |  don't get sucked into jet engines"
scott.mitchell@mail.com | 0xAA775B8B |              -- Anon
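
Added example (not part of the message above, and not Scott's rc.firewall): a small check that scans an ipfw rule list for the two pitfalls the reply names, stateful keywords in a ruleset that also diverts to natd, and rules that hard-code the currently leased address. The names lint_ipfw, sample_risky and sample_safe are hypothetical, the rules are constructed samples in the form passed to ipfw, and 203.0.113.7 is a documentation-range placeholder for the leased address.

```sh
#!/bin/sh
# lint_ipfw EXT_IP < rules
# Reads ipfw rules (one per line, as passed to "ipfw") on stdin and reports:
#   hardcoded-ip  a rule naming EXT_IP, which breaks when the DHCP lease changes
#   dynamic+natd  keep-state/check-state in a ruleset that also diverts to natd
# Returns 0 when clean, 1 when there are findings.
lint_ipfw() {
    awk -v ip="$1" '
        /^[ \t]*(#|$)/ { next }                    # skip comments and blanks
        {
            for (f = 1; f <= NF; f++) {
                if ($f == "divert") divert = 1
                if ($f == "keep-state" || $f == "check-state") dyn[++n] = NR ": " $0
                a = $f; sub(/\/.*/, "", a)         # drop a /mask suffix
                if (a == ip) { print "hardcoded-ip " NR ": " $0; bad = 1 }
            }
        }
        END {
            # Stateful rules are only reported when natd is in the path.
            if (divert) for (i = 1; i <= n; i++) { print "dynamic+natd " dyn[i]; bad = 1 }
            exit bad + 0
        }'
}

# Constructed sample: 203.0.113.7 stands in for the leased address on ep0.
sample_risky() {
    cat <<'EOF'
add 50 divert natd all from any to any via ep0
add 100 check-state
add 200 allow tcp from 203.0.113.7 to any setup keep-state
EOF
}

# Constructed sample: same intent, stateless and keyed on the interface name.
sample_safe() {
    cat <<'EOF'
add 50 divert natd all from any to any via ep0
add 100 allow tcp from any to any established
add 200 allow tcp from any to any out xmit ep0 setup
EOF
}

sample_risky | lint_ipfw 203.0.113.7 || true
sample_safe | lint_ipfw 203.0.113.7 && echo "sample_safe: clean"
```

A ruleset with keep-state but no divert rule passes the check, matching the remark that user PPP's NAT does not have the problem with dynamic rules.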