IPFW Firewall NAT inbound port-redirect
Michael Powell
nightrecon at hotmail.com
Wed Jul 13 06:50:21 UTC 2011
Michael Sierchio wrote:
> I'm familiar with natd since its appearance. I was unclear on the
> ipfirewall nat syntax, since there is no syntax definition in the man
> page. It's true the man page is already too large, but some examples
> (somewhere) would be nice. Marshaling packets into userland and back
> into the kernel makes natd much slower than kernel nat.
This is no longer true as some while ago IPFW's NATD switched over to being
kernel-based. A long time ago when NATD was still userland I switched to
Darren Reed's IPFILTER for just this reason.
The first thing this entailed was learning the IPFILTER syntax as it was
somewhat different from IPFW. I made the adjustment and later I found when I
moved to PF the syntax from IPFILTER was closer to PF which made it easier
to migrate.
> The statement "follow closely the syntax used in natd" is not
> particularly reassuring, since it doesn't declare that the syntax is
> identical, and (I am repeating myself, sorry), there is no syntax def
> in the man page.
>
[snip]
>>
>> NATD and IPFW work together. It's a little hard to explain in this format
>> so as Dan suggests, you should read the manpage on each. Also, do some
>> google searches and you will find many helpful articles. But take my word
>> for this, you can do exactly what you want with IPFW+NATD. There are
>> those who will probably promote PF as the firewall of choice as well. It
>> all depends on what you become familiar with.
All trueness here. I have used all three: IPFW, IPFILTER, and PF. I use PF
today, but any of the three will work just fine for essentially the same
purpose (mostly). For example, IPFW had dummynet for traffic-shaping while
PF uses ALTQ for essentially the same purpose.
Mostly it is just grokking the syntax for whichever of the three you choose.
The Handbook contains some content examples for getting started for IPFW and
the PF docs can be found on the OpenBSD web site. Understand the syntax and
you can shape the firewall however you choose. The various ruleset examples
should probably not just be dropped in cut-and-paste style, but rather
dissected line by line for understanding, and then tweaked to conform
exactly to your local requirements. And it _is_ some arcane stuff to be
sure, but stare at it long enough and it'll make sense eventually. :-)
-Mike
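The complaint earlier in the thread was that ipfw(8) shows no worked example of the in-kernel nat syntax. As an added example that is not from this thread or from the FreeBSD project, the script below prints a minimal ruleset for an inbound port redirect in that syntax; the interface em0, the web server 192.168.1.10 and the LAN 192.168.1.0/24 are assumed placeholder values.

```shell
#!/bin/sh
# Added example, not code from this thread or from FreeBSD. Prints an ipfw
# ruleset in the in-kernel nat syntax (natd-style keywords). Assumed
# placeholders: external interface em0, web server 192.168.1.10, LAN 192.168.1.0/24.

# Emit the commands for NAT instance 1 with an inbound redirect of TCP/80 to
# the internal web server, plus a stateless ruleset that admits only that
# service, and replies to inside TCP sessions, from the external side.
ipfw_nat_rules() {
    ext_if="$1"     # external (WAN) interface
    int_host="$2"   # internal server that receives the redirected port
    int_net="$3"    # internal network whose outbound traffic is translated

    # With one_pass=1 (the default) a packet that matches a nat rule is
    # accepted right there, so the filter rules below would never see it.
    echo "sysctl net.inet.ip.fw.one_pass=0"
    echo "ipfw -q -f flush"
    # same_ports, unreg_only and reset mirror the natd flags of the same name;
    # redirect_port is natd's -redirect_port: <proto> <target:port> <public port>
    echo "ipfw nat 1 config if $ext_if same_ports unreg_only reset \\"
    echo "    redirect_port tcp $int_host:80 80"
    echo "ipfw add 100 allow ip from any to any via lo0"
    # Inbound: de-NAT first, then filter on the translated (internal) address.
    echo "ipfw add 200 nat 1 ip from any to any in via $ext_if"
    echo "ipfw add 300 allow tcp from any to $int_host 80 in via $ext_if"
    echo "ipfw add 310 allow tcp from any to $int_net in via $ext_if established"
    # Anything else arriving on the external interface is dropped and logged,
    # so attempts against ports that are not redirected show up in the log.
    echo "ipfw add 320 deny log ip from any to any in via $ext_if"
    # Outbound: translate first; an allow placed before the nat rule would end
    # processing before translation (deny rules may go there, allow must not).
    echo "ipfw add 400 nat 1 ip from any to any out via $ext_if"
    echo "ipfw add 410 allow ip from any to any"
}

# Print the ruleset; as root, pipe it to sh (or save it as an ipfw rules file).
ipfw_nat_rules em0 192.168.1.10 192.168.1.0/24
```

The inbound reply rule is TCP-only; UDP replies to inside clients (DNS, for instance) need a rule of their own or a stateful design.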