Date:      Sat, 14 Jan 2006 23:23:07 -0800 (PST)
From:      "Freddie Cash" <fcash@ocis.net>
To:        "Brian Candler" <B.Candler@pobox.com>
Cc:        freebsd-isp@freebsd.org
Subject:   Re: FreeBSD as Server
Message-ID:  <61570.24.71.118.34.1137309787.squirrel@imap.sd73.bc.ca>
In-Reply-To: <20060114203823.GA56577@uk.tiscali.com>
References:  <375DD163B075E34EA3C10A6286E34A54C1D4B5@exhsto1.se.dataphone.com> <43C7A18D.8060904@centtech.com> <43C7B008.8060404@matrixhome.net> <20060114131427.GA5349@uk.tiscali.com> <43C9204A.1020401@matrixhome.net> <20060114203823.GA56577@uk.tiscali.com>

On Sat, January 14, 2006 12:38 pm, Brian Candler wrote:
> On Sat, Jan 14, 2006 at 06:01:14PM +0200, Alexander wrote:
>> I think, that ipfw is native for FreeBSD - it works better than
>> other packet filters. Am I right?

> Not really. For NAT in particular, ipfw is pretty awful. You need an
> external daemon (natd) and have to route packets to and from it, which
> works fine if you have a very simple configuration (e.g. single
> external interface, basic NAT-everything-going-out or NAT all RFC1918
> address space). More complex scenarios can be an utter nightmare to
> configure properly.

IPFW in FreeBSD 6.0 includes support for in-kernel NAT using the nat
keyword.  Just recompile the kernel with "options LIBALIAS" to enable
it.  I haven't tested it just yet (my home firewall is recompiling it
all right now), but the stuff I've read online makes it seem like it
should be on-par with IPFilter/PF's nat.

Don't know if it qualifies as a complex scenario or not, but we use
P2-333 MHz systems with 256 MB RAM running FreeBSD 5.3 using
IPFW/natd.  All stations behind the firewall are in an RFC1918
network.  Some stations are given public IPs for access using 1-for-1
NAT on the firewall, and all the rest go out via standard 1-to-many
NAT.  So far, no issues to speak of.  [knock wood]  We even have
multiple VPNs configured and use fwd rules to pass packets through
them.

-- 
Freddie Cash
fcash@ocis.net
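As an added example (not code from Freddie's message, nor from the FreeBSD project), here is an ipfw script that puts the pieces he describes into one ruleset using the in-kernel `nat` keyword: an RFC1918 LAN, some stations mapped 1-for-1 onto public addresses with `redirect_addr`, everyone else NATed many-to-one onto the external interface, and an `fwd` rule that pushes traffic for a remote site through a VPN gateway. It goes slightly beyond the message by showing the skipto/check-state layout that makes stateful filtering and in-kernel NAT coexist. Everything specific is assumed: the interface names em0/em1, the addresses (192.168.1.0/24 inside, 203.0.113.0/24 documentation space outside, 10.20.0.0/16 behind the VPN), and a kernel built with `options IPFIREWALL`, `IPFIREWALL_NAT`, `LIBALIAS` and `IPFIREWALL_FORWARD`.

```sh
#!/bin/sh
# Added example, not part of the original message or of FreeBSD: an ipfw
# ruleset built on the in-kernel "nat" keyword for the setup described
# above. An RFC1918 LAN sits behind the firewall, a few stations are mapped
# 1-for-1 onto public addresses with redirect_addr, everyone else is NATed
# many-to-one onto the external interface's address, and an fwd rule pushes
# traffic for a remote site through a VPN gateway instead of through nat.
#
# Assumed kernel: FreeBSD built with options IPFIREWALL, IPFIREWALL_NAT,
# LIBALIAS and IPFIREWALL_FORWARD (the last one is needed for fwd).
# Interface names and all addresses are made up for illustration;
# 203.0.113.0/24 is RFC 5737 documentation space.

EXT_IF="em0"              # external interface, public address 203.0.113.1
INT_IF="em1"              # LAN interface
LAN="192.168.1.0/24"      # RFC1918 network behind the firewall
VPN_GW="192.168.1.254"    # next hop for the site-to-site VPN tunnel
VPN_NET="10.20.0.0/16"    # remote network reachable only through the VPN
WEB_IN="192.168.1.10"     # a 1-for-1 station that publishes 80/443

# "inside outside" pairs for 1-for-1 NAT, one pair per line.
ONE_TO_ONE="
192.168.1.10 203.0.113.10
192.168.1.11 203.0.113.11
"

# Print the ruleset as ipfw(8) commands. Nothing is applied here: run
#   ipfw_nat_ruleset | sh
# as root on the firewall, or save the output as the firewall_script file
# named in rc.conf(5).
ipfw_nat_ruleset() {
    # One nat instance: many-to-one on the external interface plus a
    # redirect_addr for every 1-for-1 pair. same_ports keeps source ports
    # stable where it can; unreg_only translates only RFC1918 sources;
    # reset clears the translation table when the interface address changes.
    nat_cfg="nat 1 config if $EXT_IF same_ports unreg_only reset"
    while read -r inside outside; do
        [ -n "$inside" ] || continue
        nat_cfg="$nat_cfg redirect_addr $inside $outside"
    done <<EOF
$ONE_TO_ONE
EOF

    cat <<EOF
# one_pass=0 makes a packet re-enter the ruleset after the nat action;
# with the default of 1 the nat rule accepts the packet and nothing after
# it is evaluated, so the filter rules below would be dead.
sysctl net.inet.ip.fw.one_pass=0
ipfw -q -f flush
ipfw -q $nat_cfg
ipfw -q add 100 allow ip from any to any via lo0
ipfw -q add 200 allow ip from any to any via $INT_IF
# VPN traffic is handed to the tunnel endpoint before it can reach nat, so
# it crosses the tunnel with its private source address intact.
ipfw -q add 300 fwd $VPN_GW ip from $LAN to $VPN_NET
# Inbound: translate first, so every later rule sees inside addresses
# (a packet for 203.0.113.10 is now a packet for 192.168.1.10).
ipfw -q add 400 nat 1 ip from any to any in via $EXT_IF
ipfw -q add 410 check-state
# Outbound from the LAN: remember the flow, then jump to the outbound nat
# rule. Replies match check-state and inherit the skipto, which carries
# them past the deny at 590 and through translation on the way out.
ipfw -q add 500 skipto 600 tcp from $LAN to any out via $EXT_IF setup keep-state
ipfw -q add 510 skipto 600 udp from $LAN to any out via $EXT_IF keep-state
ipfw -q add 520 skipto 600 icmp from $LAN to any out via $EXT_IF keep-state
# Published services on a 1-for-1 station, matched on its inside address.
ipfw -q add 530 skipto 600 tcp from any to $WEB_IN 80,443 in via $EXT_IF setup keep-state
# Anything else arriving on the outside is unsolicited.
ipfw -q add 590 deny log ip from any to any in via $EXT_IF
# Outbound: translate and let it go. Inbound packets sent here by
# check-state fall through the nat rule and are allowed by 610.
ipfw -q add 600 nat 1 ip from any to any out via $EXT_IF
ipfw -q add 610 allow ip from any to any
ipfw -q add 65000 deny log ip from any to any
EOF
}
```

The point worth checking on a real box is the `one_pass` sysctl: with it left at 1, rule 400 accepts every inbound packet the moment libalias has looked at it, and rules 410 through 590 never run. After loading, `ipfw nat 1 show config` prints the instance as the kernel parsed it, including each `redirect_addr` pair, which is the quickest way to confirm the 1-for-1 mappings took.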



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?61570.24.71.118.34.1137309787.squirrel>