From: Jay Moore
Reply-To: jaymo@cromagnon.cullmail.com
To: freebsd-questions@freebsd.org
Cc: Louis LeBlanc
Date: Mon, 13 Dec 2004 20:26:18 -0600
Subject: Re: just a couple quick pf/nat questions
In-Reply-To: <20041213203548.GC69026@keyslapper.org>
Message-Id: <200412132026.18699.jaymo@cromagnon.cullmail.com>

On Monday 13 December 2004 02:35 pm, Louis LeBlanc wrote:
>
> Still, I'm planning to migrate to pf, since it's "supposed" to be
> better. It seems (from my murky understanding) like it would make
> tricky NAT stuff easier, so there would be some benefits (battle.net,
> here I come :).
>
> Problem is, it seems like there's a whole new logical approach with pf,
> and I can't figure out if pf does the NAT itself or if you still need
> the nat_enable etc.

No - the NAT config is incl in pf.conf

> Also, with ipfw, I just ran a script that grabbed the current dynamic IP
> and used it when the script was run. How does pf handle dynamic IPs?
> If I'm understanding the pf manual at OpenBSD.org, it will simply take
> the network interface and apply any IP assigned to a given rule. Am I
> right?

You are correct.

> Has anyone else gotten pf running to their satisfaction on 5.3?

Haven't tried that yet, but I will soon. I've been using it for quite a
while on OpenBSD boxes & it is pretty much wonderful (except it won't
pass a Cisco VPN connection through the firewall)

> And are there any pf config generation pages out there yet?

You may want to read the pf User's Guide at:

http://www.openbsd.org/faq/pf/index.html

It's got loads of info, and isn't a difficult read. Also, there is a
sample config file for a SOHO included. If you Google for pf.conf, you'll
turn up butt-loads of others.

> I also noticed that all the sample scripts I've looked at seem to
> specify ports with either an explicit port number or a macro defined
> right in the config. I take it pf doesn't use the service tags from
> /etc/services?

Correct-isimo - you're catching on :)

Jay
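As an added illustration of the two points in the reply above (NAT lives in pf.conf, and an interface name in parentheses follows a dynamic address), here is a minimal pf.conf for a FreeBSD 5.3 gateway; it is not from the thread or the pf User's Guide, and the interface names, the LAN subnet and the port list are assumptions.

```pf
# Assumed: fxp0 gets its address by DHCP from the ISP, fxp1 faces the LAN.
ext_if = "fxp0"
int_if = "fxp1"
lan    = "192.168.1.0/24"
# Ports are given as explicit numbers in a macro, as in the sample configs.
tcp_services = "{ 22, 80, 443 }"

# Loopback is never filtered; sanitize incoming packets.
pass quick on lo0 all
scrub in all

# NAT is configured right here, in pf.conf itself: no natd, no natd/nat
# knobs in rc.conf. Enabling pf on 5.3 only needs pf_enable="YES" (and
# pflog_enable="YES" for the log rule below) in /etc/rc.conf.
#
# ($ext_if) in parentheses makes pf look up the interface's current
# address every time the rule is evaluated, so a new DHCP lease is
# picked up without reloading the ruleset. Without the parentheses the
# address would be resolved once, when the ruleset is loaded.
nat on $ext_if from $int_if:network to any -> ($ext_if)

# Default deny in both directions; log what is dropped on the way in.
block in log all
block out all

# Outbound from the gateway and the NATed LAN, with state so that only
# replies to our own connections are let back in.
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

# Inbound to the external address: only the listed services, and again
# the parenthesized interface tracks the dynamic address.
pass in on $ext_if proto tcp from any to ($ext_if) port $tcp_services \
    flags S/SA keep state

# The LAN side is trusted.
pass in  on $int_if from $lan to any keep state
pass out on $int_if from any to $lan keep state
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it, and `pfctl -s nat` will show the NAT rule with the address pf currently resolves for the interface.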