IPFW with user-ppp's NAT
smithi at nimnet.asn.au
Sun Mar 16 13:48:50 UTC 2008
On Sat, 15 Mar 2008 21:16:12 -0500 Dan Nelson <dnelson at allantgroup.com> wrote:
> In the last episode (Mar 16), Razmig K said:
> > With IPFW enabled in the kernel, I'd like to use the NAT functionality of
> > user-ppp instead of natd. Do I need the IPDIVERT option in the kernel and
> > the special arrangement of divert and skipto rules in the ruleset? Or, a
> > non-NATed ruleset (as demonstrated in handbook section 22.214.171.124) would
> > suffice?
> > If divert rules are necessary, what argument do I need to pass to action
> > divert in place of natd?
> If you mean the "nat enable yes" option in ppp.conf, that is done
> completely within the user-ppp daemon (using the same libalias libarary
> that natd uses). Since user-ppp creates its own tun# device, it can
> call the NAT functions as it processes packets to/from that device
> without needing IPFW divert rules.
True, though if you're running FreeBSD 7 you can instead use ipfw(8)'s
new in-kernel NAT, which uses the same libalias and semantics.
Frankly I'm a bit surprised that this hasn't been more widely heralded,
as userland natd is often given as a reason to prefer other firewalls,
even in the handbook. ('legacy', indeed :)
And while being frank .. the present ipfw section in the handbook needs
rewriting in large part. It contains undue deprecation, misconceptions,
outdated information and some straight up errors, both of principle and
usage. Using rc.firewall as a base example (modulo needing to permit
appropriate icmp traffic) and a fair study of ipfw(8) should yield a
better firewall, with or without NAT - certainly a more comprehensible
and flexible one - than the examples in that section.
More information about the freebsd-questions