FreeBSD as Server

Brian Candler B.Candler at pobox.com
Sat Jan 14 12:38:30 PST 2006


On Sat, Jan 14, 2006 at 06:01:14PM +0200, Alexander wrote:
> I think that ipfw is native to FreeBSD - it works better than other 
> packet filters. Am I right?

Not really. For NAT in particular, ipfw is pretty awful. You need an
external daemon (natd) and have to route packets to and from it, which works
fine if you have a very simple configuration (e.g. single external
interface, basic NAT-everything-going-out or NAT all RFC1918 address space).
More complex scenarios can be an utter nightmare to configure properly.

It also has a long history, which means that the configuration syntax isn't
always very clean because of backwards compatibility requirements.

> When traffic that should not be NATed in ng_nat is sent to the "in" hook - 
> must it simply go out of it? Or not? Where is the trouble?

I can't answer that. All I can say is, if you want NAT there is a very
simple incantation you can put in /etc/rc.conf:

    pf_enable="YES"
    pflog_enable="YES"

and in /etc/pf.conf:

    # replace interface name as appropriate
    ext_if="fxp0"
    nat on $ext_if from any to any -> ($ext_if)

Start it like this:

    # /etc/rc.d/pf start
    # /etc/rc.d/pflog start

It should Just Work[TM]. pf is loadable as a module, so you shouldn't even
have to recompile your kernel.

Regards,

Brian.
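As an added example, not from Brian's message or from the FreeBSD project: a fuller /etc/pf.conf that builds on the one-line NAT rule above with a default-deny filter ruleset and logging to pflog, so the gateway does not forward or accept anything the rules do not name. The interface names, the LAN prefix and the admin host are assumptions; replace them for your site.

```pf
# Added example (not from the original message). Interface names, the LAN
# prefix and the admin host are assumed; adjust to match your gateway.
ext_if = "fxp0"                # external interface (assumed)
int_if = "fxp1"                # internal/LAN interface (assumed)
lan_net = "192.168.1.0/24"     # internal prefix (assumed)
admin_host = "192.168.1.10"    # workstation allowed to manage the gateway (assumed)

# RFC1918 space; used to keep private addresses off the external side.
# Drop these two block rules if $ext_if itself sits on a private address.
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

set skip on lo0
scrub in all

# Translation: rewrite LAN sources to whatever address $ext_if holds now.
# nat rules must precede the filter rules below.
nat on $ext_if from $lan_net to any -> ($ext_if)

# No private-source packets in, and none leaked out, on the external side
block in quick on $ext_if from <rfc1918> to any
block out quick on $ext_if from any to <rfc1918>

# Default deny; "log" sends the drops to pflog0 (pflog_enable="YES")
block log all

# Forwarded and locally originated traffic may leave, with state for replies
pass out on $ext_if proto { tcp udp icmp } from ($ext_if) to any keep state
pass in on $int_if from $lan_net to any keep state

# Management of the gateway only from the admin host, only from the inside
pass in on $int_if proto tcp from $admin_host to ($int_if) port ssh keep state
```

Check the syntax before loading it with `pfctl -nf /etc/pf.conf`, then load it with `pfctl -f /etc/pf.conf`; `pfctl -s nat` and `pfctl -s rules` show what is active.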