From owner-freebsd-ipfw@FreeBSD.ORG  Fri Apr  9 07:57:26 2010
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: ipfw@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 8DD79106566C
	for <ipfw@freebsd.org>; Fri,  9 Apr 2010 07:57:26 +0000 (UTC)
	(envelope-from nino80@gmail.com)
Received: from mail-fx0-f225.google.com (mail-fx0-f225.google.com
	[209.85.220.225])
	by mx1.freebsd.org (Postfix) with ESMTP id 1E4B48FC1A
	for <ipfw@freebsd.org>; Fri,  9 Apr 2010 07:57:25 +0000 (UTC)
Received: by fxm25 with SMTP id 25so528428fxm.3
	for <ipfw@freebsd.org>; Fri, 09 Apr 2010 00:57:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma;
	h=domainkey-signature:mime-version:received:in-reply-to:references
	:from:date:received:message-id:subject:to:content-type
	:content-transfer-encoding;
	bh=GobHr3CbEibt6oNsoOejI73/I9Rwyyy9KTO0x+JMNps=;
	b=I8MEY0VizxwcamkzipAbJny/rfHj3+R0GIS/bcGMyNwmUe6IYAekgyNdm+H1HM/vyn
	NYDYzrVR5acbOVPnq+AF3+zGrQleYk5tDlMm+SyT1m2NaW4F24jyc+e+zlYa9o00SWgZ
	ErY/5gF0iXXjcPRnkQsyMM+h0By/CYWzCcTwM=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma;
	h=mime-version:in-reply-to:references:from:date:message-id:subject:to
	:content-type:content-transfer-encoding;
	b=xePTbS5cxkDQrIg9NCgc3HW1LtfZH7Sg+uNF6tVfBLxxj5SzVk2DJmAERnOMlQ4Ocj
	ubwAwzbTwLJSxs1I2C7fpKUc9rK56CawhUL/oirDw3P9Lb1gBikG34jtdvA7+EnaTwwt
	HvByxs4/1SeVeGFlpM3ZEVPx2Z61Tn9eBxBzs=
MIME-Version: 1.0
Received: by 10.103.238.6 with HTTP; Fri, 9 Apr 2010 00:26:01 -0700 (PDT)
In-Reply-To: <y2m6201873e1004080857q79d0ab30r93d1e5e8bb30d2b8@mail.gmail.com>
References: <201004080252.o382qFH7019790@leka.aloha.com>
	<x2m6201873e1004072052u88a62b4eo7d1e9a457240937a@mail.gmail.com>
	<19389.23404.649946.265403@jerusalem.litteratus.org>
	<o2s6201873e1004072155ie746928cx5faac5d3f8e1d8ef@mail.gmail.com>
	<19389.51130.108457.400747@jerusalem.litteratus.org>
	<y2m6201873e1004080857q79d0ab30r93d1e5e8bb30d2b8@mail.gmail.com>
From: n j <nino80@gmail.com>
Date: Fri, 9 Apr 2010 09:26:01 +0200
Received: by 10.102.211.40 with SMTP id j40mr666557mug.69.1270797981133; Fri, 
	09 Apr 2010 00:26:21 -0700 (PDT)
Message-ID: <r2p92bcbda51004090026ie006e201hff36387f43e38ec2@mail.gmail.com>
To: ipfw@freebsd.org
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Cc: 
Subject: Re: Kernel Config for NAT
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ipfw>
List-Post: <mailto:freebsd-ipfw@freebsd.org>
List-Help: <mailto:freebsd-ipfw-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Apr 2010 07:57:26 -0000

> That's actually a good question considering the lack of documentation. =
=A0If
> that works then great, but one wonders what the ipfw_nat modules is for?
> looks like it's tied into libalias apparently a replacement for natd.

Here's my kernel configuration:

[--snip--]
options         IPFIREWALL              # enable ipfw firewall
options         IPDIVERT                # for divert funcionality -
not really required
options         IPFIREWALL_FORWARD      # for ipfw forward functionality
options         IPFIREWALL_NAT          # for in-kernel nat
options         LIBALIAS                # req'd by ipfirewall_nat
[--snip--]

If I'm to trust the comment I wrote quite a while ago, IPDIVERT is not
necessary. Also, IPFIREWALL_FORWARD is not really needed for NAT, this
is specific to my setup. So, basically that leaves IPFIREWALL,
IPFIREWALL_NAT and LIBALIAS as the necessary tweaks in kernel conf for
NAT to work.

Note, this configuration enables the in-kernel NAT which is
(relatively) recent addition to FreeBSD. You turn it on like this:

ipfw nat 123 config ip 192.168.0.123 log
ipfw add nat 123 all from any to any

In my experience, it works pretty well and I consider it a big
improvement over running natd and diverting packets to it.

Regards,
--=20
Nino