From owner-freebsd-questions@FreeBSD.ORG Sun Mar 16 13:48:50 2008
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id CDBB7106567E; Sun, 16 Mar 2008 13:48:50 +0000 (UTC) (envelope-from smithi@nimnet.asn.au)
Received: from gaia.nimnet.asn.au (nimbin.lnk.telstra.net [139.130.45.143]) by mx1.freebsd.org (Postfix) with ESMTP id 76F778FC30; Sun, 16 Mar 2008 13:48:48 +0000 (UTC) (envelope-from smithi@nimnet.asn.au)
Received: from localhost (smithi@localhost) by gaia.nimnet.asn.au (8.8.8/8.8.8R1.5) with SMTP id AAA08206; Mon, 17 Mar 2008 00:48:24 +1100 (EST) (envelope-from smithi@nimnet.asn.au)
Date: Mon, 17 Mar 2008 00:48:23 +1100 (EST)
From: Ian Smith
To: Dan Nelson
In-Reply-To: <20080316074731.2BBB710656F2@hub.freebsd.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Cc: Razmig K, freebsd-questions@freebsd.org
Subject: Re: IPFW with user-ppp's NAT
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
X-List-Received-Date: Sun, 16 Mar 2008 13:48:50 -0000

On Sat, 15 Mar 2008 21:16:12 -0500 Dan Nelson wrote:

 > In the last episode (Mar 16), Razmig K said:
 > > With IPFW enabled in the kernel, I'd like to use the NAT functionality of
 > > user-ppp instead of natd. Do I need the IPDIVERT option in the kernel and
 > > the special arrangement of divert and skipto rules in the ruleset? Or, a
 > > non-NATed ruleset (as demonstrated in handbook section 28.6.5.6) would
 > > suffice?
 > >
 > > If divert rules are necessary, what argument do I need to pass to action
 > > divert in place of natd?
 >
 > If you mean the "nat enable yes" option in ppp.conf, that is done
 > completely within the user-ppp daemon (using the same libalias library
 > that natd uses). Since user-ppp creates its own tun# device, it can
 > call the NAT functions as it processes packets to/from that device
 > without needing IPFW divert rules.

True, though if you're running FreeBSD 7 you can instead use ipfw(8)'s new
in-kernel NAT, which uses the same libalias and semantics.

Frankly I'm a bit surprised that this hasn't been more widely heralded, as
userland natd is often given as a reason to prefer other firewalls, even in
the handbook. ('legacy', indeed :)

And while being frank .. the present ipfw section in the handbook needs
rewriting in large part. It contains undue deprecation, misconceptions,
outdated information and some straight up errors, both of principle and
usage. Using rc.firewall as a base example (modulo needing to permit
appropriate icmp traffic) and a fair study of ipfw(8) should yield a better
firewall, with or without NAT - certainly a more comprehensible and flexible
one - than the examples in that section.

Cheers, Ian
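The thread contrasts three ways of getting NAT on a user-ppp link: user-ppp's own `nat enable yes` (no divert rule at all), userland natd behind an ipfw `divert` rule (kernel built with IPDIVERT), and, on FreeBSD 7, ipfw's in-kernel `nat` action. The script below is an added example and is not from the mailing list or from the FreeBSD project; it generates the two IPFW-side rule sets side by side so the difference is visible. The interface name `tun0`, the LAN prefix `192.168.1.0/24`, the nat instance number `1` and the rule numbers are assumed values chosen for illustration; the `natd` divert port comes from `/etc/services`.

```shell
#!/bin/sh
# Added example (not from the thread): emit ipfw rule sets for NAT on a
# user-ppp tun interface. By default it only prints; pass "apply" as the first
# argument on a FreeBSD host to load the rules with ipfw(8).
#
# If user-ppp does the NAT itself ("nat enable yes" in ppp.conf), neither of
# these rule sets is needed: a plain filtering rule set on tun0 suffices.

IFACE="${IFACE:-tun0}"              # assumed PPP interface name
LAN="${LAN:-192.168.1.0/24}"        # assumed inside network

# FreeBSD 7+ in-kernel NAT. Kernel needs "options IPFIREWALL_NAT" and
# "options LIBALIAS". One nat instance is bound to the PPP interface, then one
# rule hands everything crossing that interface to it. With the default
# net.inet.ip.fw.one_pass=1 a packet leaves the firewall after the nat rule,
# exactly as it would after a divert rule.
ipfw_nat_rules() {
    iface="$1"
    printf 'nat 1 config if %s same_ports reset\n' "$iface"
    printf 'add 1000 nat 1 ip from any to any via %s\n' "$iface"
}

# Userland natd. Kernel needs "options IPDIVERT" and natd(8) must be running
# on the same interface (natd_enable/natd_interface in rc.conf). The divert
# port name "natd" resolves via /etc/services (8668/divert).
natd_divert_rules() {
    iface="$1"
    printf 'add 1000 divert natd ip from any to any via %s\n' "$iface"
}

# Filtering that both variants share: anti-spoofing on the PPP side, keep
# state for outbound traffic, and the ICMP types a link needs to behave
# (echo reply, unreachable, time exceeded, echo request).
filter_rules() {
    iface="$1"; lan="$2"
    printf 'add 2000 deny ip from %s to any in via %s\n' "$lan" "$iface"
    printf 'add 2100 check-state\n'
    printf 'add 2200 allow tcp from any to any out via %s setup keep-state\n' "$iface"
    printf 'add 2300 allow udp from any to any out via %s keep-state\n' "$iface"
    printf 'add 2400 allow icmp from any to any icmptypes 0,3,11,8\n'
    printf 'add 65000 deny ip from any to any\n'
}

# Full rule set for one mode: "kernel" or "natd".
ruleset() {
    mode="$1"; iface="$2"; lan="$3"
    case "$mode" in
        kernel) ipfw_nat_rules "$iface" ;;
        natd)   natd_divert_rules "$iface" ;;
        *)      echo "unknown mode: $mode" >&2; return 1 ;;
    esac
    filter_rules "$iface" "$lan"
}

# Count the rules a mode produces (used by the self-check below).
rule_count() {
    ruleset "$1" "$IFACE" "$LAN" | grep -c '^add '
}

if [ "${1:-}" = "apply" ]; then
    # Flush, then feed each generated line to ipfw one at a time.
    ipfw -q -f flush
    ruleset "${2:-kernel}" "$IFACE" "$LAN" | while read -r line; do
        # shellcheck disable=SC2086  # word splitting is intended here
        ipfw -q $line
    done
elif [ "${1:-}" = "" ]; then
    echo "# in-kernel NAT:";  ruleset kernel "$IFACE" "$LAN"
    echo "# natd divert:";    ruleset natd   "$IFACE" "$LAN"
fi
```

Running the script with no arguments prints both rule sets for comparison; `sh script.sh apply kernel` loads the in-kernel variant. The only line that differs between the two modes is rule 1000, which is the whole point of the thread: moving from natd to in-kernel nat changes one rule plus the kernel options, not the filtering logic.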