Date:      Sun, 11 Mar 2012 03:28:13 +1100 (EST)
From:      Ian Smith <smithi@nimnet.asn.au>
To:        Da Rock <freebsd-ipfw@herveybayaustralia.com.au>
Cc:        freebsd-ipfw@freebsd.org, Julian Elischer <julian@freebsd.org>
Subject:   Re: newbie IPFW user
Message-ID:  <20120311020742.G10482@sola.nimnet.asn.au>
In-Reply-To: <4F5B5187.2010303@herveybayaustralia.com.au>
References:  <4F5A161C.8060407@herveybayaustralia.com.au> <4F5B2348.2080405@freebsd.org> <4F5B5187.2010303@herveybayaustralia.com.au>

On Sat, 10 Mar 2012 23:05:11 +1000, Da Rock wrote:
 > On 03/10/12 19:47, Julian Elischer wrote:
 > > On 3/9/12 6:39 AM, Da Rock wrote:
 > > > I'm relatively new to IPFW, not FBSD; the last time I used IPFW (I
 > > > believe) was using 4.3. I'm now attempting to use IPFW for some tests
 > > > (and hopefully move to production), and I'm trying to determine how I
 > > > would setup binat using IPFW; or even if its possible at all.
 > > > 
 > > > I've been hunting some more in depth documentation, but it appears to be
 > > > scarce/not definitive. I suspect using the modes in libalias such as "use
 > > > same ports" and "reverse" might be able to do what I'm looking for?
 > > > 
 > > > Any clarity much appreciated.
 > > 
 > > well of course
 > > man ipfw is the basis..

Apart from libalias(3) I found natd(8) manual still useful to flesh out 
the rather terse NAT descriptions in ipfw(8); functions are mostly 1:1 
apart from more verbose (and better described) keywords than ipfw nat.

 > > since you don't give any hints as to what you want to do that is not in
 > > /etc/rc.firewall,
 > > it is hard to know how to help you..

 > I think that is the fundamental problem: I defined what I was doing but the
 > terms are foreign, ergo the man doesn't show it either.

Just googling 'binat freebsd' finds only (quite a few) references to pf, 
and then only pf.conf(5) seems really to describe its usage.

 > Binat is defined in pf, so I used the terminology thinking it would just
 > click. Apparently not :) Binat is 1:1 natting to and from a client behind a
 > firewall (according to pf), so binat nats traffic from the client and from
 > the external network. For all intents and purposes it appears the client is
 > actually on the external network, with the added benefit that only the ports
 > needed can be natted, and others can be diverted elsewhere.
 > 
 > I'm using it for voip currently (and vpn on the same client): voip requires
 > 5060 remote _and_ connection ports, and needs to be forwarded as is
 > (excepting ip address) and not appear to be natted so as not to confuse the
 > client. VPN uses 500/4500 and requires an untouched packet payload (ipsec).

So this particular box has its own unique external routable IP address, 
distinct from the router's external IP?  Does it also want to do regular 
NAT for other than VoIP/VPN port traffic?  Just trying to follow ..

 > Are there any sources for documentation on the advanced uses of ipfw? I
 > stumbled on just one that goes into more detail so far
 > http://www.freebsd-howto.com/HOWTO/Ipfw-HOWTO.

I vaguely recall that one from years ago.  "www.freebsd-howto.com could 
not be found. Please check the name and try again." tonight anyway.

cheers, Ian
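For readers who arrive here looking for the ipfw spelling of pf's binat: the libalias primitive is redirect_addr (natd's -redirect_address), which is a static 1:1 mapping in both directions, so the host behind it appears on the outside under its own public address while the rest of the LAN is masqueraded as usual. The script below is an added example, not something posted in the thread; the interface names, addresses and the RTP port range are assumptions, and it wraps every command so it can be previewed without touching a live firewall.

```shell
#!/bin/sh
# Added example (not from the thread): a "binat"-style 1:1 mapping for one LAN
# host with ipfw nat, next to ordinary many-to-one NAT for the rest of the LAN.
# libalias's redirect_addr is the static-NAT primitive pf calls binat: traffic
# to BINAT_PUB is rewritten to BINAT_INT, and traffic from BINAT_INT leaves as
# BINAT_PUB.  All interfaces, addresses and the RTP range are assumptions.

EXT_IF="em0"                # assumed external interface
EXT_IP="203.0.113.2"        # assumed address of the router itself on EXT_IF
BINAT_PUB="203.0.113.10"    # assumed second public address, routed to this box
BINAT_INT="192.168.1.10"    # assumed VoIP/IPsec client on the LAN
LAN_IF="em1"                # assumed internal interface
LAN="192.168.1.0/24"
RTP_PORTS="10000-20000"     # assumed media range the phone is configured for

# run: execute a command, or only print it when IPFW_DRYRUN is set.
run() {
    if [ -n "${IPFW_DRYRUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

build_ruleset() {
    # Let packets continue past the nat rule so the rules after it see the
    # translated addresses (the default one_pass=1 accepts them at the nat rule).
    run sysctl net.inet.ip.fw.one_pass=0
    run ipfw -q -f flush

    # One libalias instance: alias to EXT_IF's address, keep source ports where
    # possible (SIP and IKE expect 5060/500/4500 to survive), plus the 1:1 map.
    run ipfw -q nat 1 config if "$EXT_IF" same_ports reset \
        redirect_addr "$BINAT_INT" "$BINAT_PUB"

    run ipfw -q add 100 allow ip from any to any via lo0
    run ipfw -q add 200 nat 1 ip from any to any via "$EXT_IF"

    # Inbound to the 1:1 host (already rewritten to BINAT_INT at this point):
    # only the services it is published for; everything else to it is dropped.
    run ipfw -q add 300 allow udp from any to "$BINAT_INT" 500,4500,5060 in recv "$EXT_IF"
    run ipfw -q add 310 allow udp from any to "$BINAT_INT" "$RTP_PORTS" in recv "$EXT_IF"
    run ipfw -q add 320 deny ip from any to "$BINAT_INT" in recv "$EXT_IF"

    # Replies to masqueraded LAN hosts: libalias only rewrites inbound packets
    # that match a mapping created by an earlier outbound one, so a LAN
    # destination here means the session was started from inside.
    run ipfw -q add 400 allow ip from any to "$LAN" in recv "$EXT_IF"
    run ipfw -q add 410 deny ip from any to "$EXT_IP,$BINAT_PUB" in recv "$EXT_IF"

    # Outbound after translation: sources are now the two public addresses.
    run ipfw -q add 500 allow ip from "$EXT_IP,$BINAT_PUB" to any out xmit "$EXT_IF"
    run ipfw -q add 600 allow ip from any to any via "$LAN_IF"
    run ipfw -q add 65000 deny ip from any to any
}

# Preview:        IPFW_DRYRUN=1 sh ipfw-binat.sh
# Load (as root): IPFW_APPLY=1 sh ipfw-binat.sh
if [ -n "${IPFW_DRYRUN:-}" ] || [ -n "${IPFW_APPLY:-}" ]; then
    build_ruleset
fi
```

The point of the 320/410 pair is the caveat the pf user tends to miss with ipfw: redirect_addr publishes every port of the mapped host, so the filter rules after the nat rule (hence one_pass=0) are what narrow it back down to SIP, IKE/NAT-T and media. Check the instance with `ipfw nat 1 show config` and watch translations with `ipfw nat 1 show` while placing a call.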


