From: "Freddie Cash" <fcash@ocis.net>
To: "Brian Candler"
Cc: freebsd-isp@freebsd.org
Date: Sat, 14 Jan 2006 23:23:07 -0800 (PST)
Subject: Re: FreeBSD as Server
Message-ID: <61570.24.71.118.34.1137309787.squirrel@imap.sd73.bc.ca>
In-Reply-To: <20060114203823.GA56577@uk.tiscali.com>

On Sat, January 14, 2006 12:38 pm, Brian Candler wrote:
> On Sat, Jan 14, 2006 at 06:01:14PM +0200, Alexander wrote:
>> I think that ipfw is native for FreeBSD - it works better than
>> other packet filters. Am I right?
> Not really. For NAT in particular, ipfw is pretty awful. You need an
> external daemon (natd) and have to route packets to and from it, which
> works fine if you have a very simple configuration (e.g. single
> external interface, basic NAT-everything-going-out or NAT all RFC1918
> address space). More complex scenarios can be an utter nightmare to
> configure properly.

IPFW in FreeBSD 6.0 includes support for in-kernel NAT using the nat
keyword. Just recompile the kernel with "options LIBALIAS" to enable it.
I haven't tested it just yet (my home firewall is recompiling it all
right now), but the stuff I've read online makes it seem like it should
be on par with IPFilter/PF's nat.

Don't know if it qualifies as a complex scenario or not, but we use
P2-333 MHz systems with 256 MB RAM running FreeBSD 5.3 using IPFW/natd.
All stations behind the firewall are in an RFC1918 network. Some
stations are given public IPs for access using 1-for-1 NAT on the
firewall, and all the rest go out via standard 1-to-many NAT. So far,
no issues to speak of. [knock wood] We even have multiple VPNs
configured and use fwd rules to pass packets through them.

-- 
Freddie Cash
fcash@ocis.net
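The setup Freddie describes (RFC1918 LAN, a few hosts with 1-for-1 public mappings, everything else 1-to-many, fwd rules into VPNs), written as an ipfw ruleset that uses the in-kernel nat keyword in place of divert/natd. This is an added example, not code from the thread; the interface name, addresses and mappings are constructed assumptions, and setting FWCMD=echo previews the generated rules without loading them.

```shell
#!/bin/sh
# Added example (not from the thread): ipfw ruleset using the in-kernel "nat"
# keyword for an RFC1918 LAN with a few 1-for-1 public hosts, 1-to-many for
# the rest, and a fwd rule into a VPN. Interface and addresses are assumptions.
# Kernel: options LIBALIAS (later releases also need options IPFIREWALL_NAT)
# and options IPFIREWALL_FORWARD for the fwd rule.
# Preview without touching the kernel:  FWCMD=echo sh ipfw-nat.sh load
FWCMD="${FWCMD:-/sbin/ipfw}"
EXT_IF="${EXT_IF:-em0}"            # assumed external interface
LAN="${LAN:-192.168.0.0/24}"        # assumed RFC1918 LAN
VPN_GW="${VPN_GW:-192.168.0.254}"   # assumed next hop into the VPN tunnel
VPN_NET="${VPN_NET:-10.20.0.0/16}"  # assumed network reached over that VPN
# 1-for-1 mappings as "private public" pairs (constructed values).
ONE_TO_ONE="192.168.0.10 203.0.113.10 192.168.0.11 203.0.113.11"

# Argument list for "nat 1 config": translate only unregistered (RFC1918)
# sources, keep source ports where possible, one redirect_addr per 1-for-1
# host; anything else is 1-to-many on the interface address.
build_nat_args() {
    args="if $EXT_IF same_ports unreg_only"
    set -- $ONE_TO_ONE
    while [ $# -ge 2 ]; do
        args="$args redirect_addr $1 $2"
        shift 2
    done
    echo "$args"
}

load_rules() {
    $FWCMD -f flush
    $FWCMD nat 1 config $(build_nat_args)
    $FWCMD add 100 allow ip from any to any via lo0
    # VPN-bound LAN traffic is handed to the tunnel gateway before it can be
    # translated, which is what the fwd rules in the mail do.
    $FWCMD add 200 fwd "$VPN_GW" ip from "$LAN" to "$VPN_NET"
    # This one rule replaces "add divert natd ip from any to any via $EXT_IF"
    # and the separate natd(8) daemon that rule depends on.
    $FWCMD add 300 nat 1 ip from any to any via "$EXT_IF"
    $FWCMD add 400 check-state
    $FWCMD add 500 allow ip from "$LAN" to any keep-state
    $FWCMD add 600 allow tcp from any to any established
    $FWCMD add 65000 deny ip from any to any
}

# With net.inet.ip.fw.one_pass=1 (the default) a packet leaves the ruleset
# right after the nat rule; set it to 0 if rules 400-65000 should also see
# the translated packet.
case "${1:-}" in load) load_rules ;; esac
```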