nat and firewall

FBSD1 fbsd1 at
Wed Sep 24 07:52:33 UTC 2008

-----Original Message-----
From: owner-freebsd-questions at
[mailto:owner-freebsd-questions at]On Behalf Of fire jotawski
Sent: Wednesday, September 24, 2008 12:13 PM
To: freebsd-questions at
Subject: nat and firewall

hi sirs,

i am confused now that what is the difference between nat and firewall_nat
in /etc/rc file


just one question per asking.  there will be another more questions about
this but for this moment only this one first.

thanks in advance for any helps and hints

freebsd-questions at mailing list
To unsubscribe, send any mail to freebsd-questions-unsubscribe at

natd_enable="YES"  This statement in rc.conf enables ipfw nated function.
firewall_nat_enable="YES"  This is an invalid statement. No such thing as
you have here.
FreeBSD has 3 different built in firewall for you to chose from. IPFW,
Ipfilter, and PF
Review /etc/defaults/rc.conf for their statements.
It would do you good to read the firewall section of the FreeBSD Handbook
for a complete explanation of the 3 firewalls and the differences between
In my option the PF firewall has the easiest to use rule set and built in
table functions for automated black listing attacking IP address. Its major
weakness is it has very poorly designed logging function that results in
very cumbersome usage.
IPFilter comes next. It has easy logging and rules usage. It lacks the auto
black listing table building of PF. These two firewalls were ported to
FreeBSD from other Unix flavored operating systems. Both have teams
supporting and maintaining them.
The final firewall is IPFW that is the first firewall included in FreeBSD
many years ago and was developed by the FreeBSD team. IPFW also lacks the
auto black listing table building of PF, and its nated rules are much harder
to get working using all stateful rules. IPFW had a major coding overhaul a
few years back but the inhered design flaw of how nated rules are handled
was not touched. Grape vine says IPFW nated code is a messed up can of worms
and no one wants to touch it.
I have used all 3 firewalls at one time or another to learn about them. I
found IPFilter to be the easiest to use and get logging out put in standard
format like all the other FreeBSD logs are.  But you should ready the
handbook and decide for your self what best satisfies your firewall needs.

More information about the freebsd-questions mailing list