nat and firewall

Dominique Goncalves dominique.goncalves at gmail.com
Fri Oct 3 11:28:08 UTC 2008


On Fri, Oct 3, 2008 at 5:24 AM, fire jotawski <jotawski at gmail.com> wrote:
>
>
> On Thu, Oct 2, 2008 at 7:39 PM, Dominique Goncalves
> <dominique.goncalves at gmail.com> wrote:
>>
>> Hi,
>>
>> On Thu, Oct 2, 2008 at 6:09 AM, fire jotawski <jotawski at gmail.com> wrote:
>> > On Thu, Sep 25, 2008 at 12:10 AM, Kevin Kinsey <kdk at daleco.biz> wrote:
>> >
>> >> FBSD1 wrote:
>> >>
>> >>>
>> >>> natd_enable="YES"  This statement in rc.conf enables ipfw nated
>> >>> function.
>> >>> firewall_nat_enable="YES"  This is an invalid statement. No such thing
>> >>> as
>> >>> you have here.
>> >>>
>> >>
>> >> This is no longer true; he did indeed find "firewall_nat_enable"
>> >> in /etc/defaults/rc.conf.  The knob seems to have first appeared
>> >> in February in HEAD and I'm guessing it cues the system to use a
>> >> new kernel-based nat rather than natd(8), but I've not read anything
>> >> further about this, as my system isn't as up to date as the OP's.
>> >> I don't know when this change was MFC'ed, but apparently fairly
>> >> recently?
>> >>
>> >> I suppose we need someone a tad more "in the know" to straighten
>> >> that out for us.
>> >>
>> >
>> > up to this moment, i do not know if natd and firewall_nat function in
>> > the
>> > same or different.
>> > and is there firewall_nat_flags thing too ?
>>
>> I'll try to explain,
>>
>> natd_* knobs are for natd(8), a daemon
>> firewall_nat_* knobs are for ipfw(8), NAT is processed by the kernel
>>
>> firewall_nat_* was added in the beginning of year in RELENG_7
>>
>> http://www.freebsd.org/cgi/cvsweb.cgi/src/etc/rc.firewall?r1=1.52.2.2#rev1.52.2.2
>>
>> The NAT configuration is done by /etc/rc.firewall, you can read this
>> file to know how the configuration is done.
>>
>> These are two different ways to do NAT. I can't speak about performance,
>> kernel vs daemon.
>
> many thanks indeed for your clear explanations.
> so we simply use just one of them but not both, do not we ?

Yes.

> once again, i appreciate all of your kind assistances in my case.
>
> with best regards,
> psr
>
>

Regards.

-- 
There's this old saying: "Give a man a fish, feed him for a day. Teach
a man to fish, feed him for life."


More information about the freebsd-questions mailing list
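
The thread's conclusion (enable natd_* or firewall_nat_*, not both) can be checked against an rc.conf file. The sh script below is an added example, not part of the original messages or of FreeBSD itself; the function names and the sample file are constructed, and it only reads plain knob="value" lines rather than sourcing the file.

```shell
#!/bin/sh
# Added example: report which NAT mechanism an rc.conf-style file enables.

# Print the last value assigned to knob $2 in file $1.
# Later assignments override earlier ones, as when rc.conf is sourced.
# Commented-out lines (#knob=...) are ignored.
knob_value() {
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"'#[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# True when the knob holds a value that rc.subr's checkyesno treats as "yes".
knob_is_yes() {
    case "$(knob_value "$1" "$2")" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# Print one of: natd (daemon), kernel (ipfw in-kernel NAT), both, none.
nat_mode() {
    natd=0
    kern=0
    knob_is_yes "$1" natd_enable && natd=1
    knob_is_yes "$1" firewall_nat_enable && kern=1
    case "$natd$kern" in
        11) echo both ;;
        10) echo natd ;;
        01) echo kernel ;;
        *)  echo none ;;
    esac
}

# Constructed sample rc.conf (not from the thread): both knobs switched on.
sample=$(mktemp)
cat > "$sample" <<'EOF'
firewall_enable="YES"
natd_enable="YES"
#firewall_nat_enable="NO"
firewall_nat_enable="YES"
EOF

mode=$(nat_mode "$sample")
echo "NAT mode: $mode"
if [ "$mode" = both ]; then
    echo "natd_enable and firewall_nat_enable are both set; keep only one" >&2
fi
rm -f "$sample"
```

On a real system the same functions can be pointed at /etc/rc.conf; values inherited from /etc/defaults/rc.conf are not considered by this sketch.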