From owner-freebsd-ipfw@FreeBSD.ORG Sat Mar 10 13:28:23 2012
From: Da Rock
Date: Sat, 10 Mar 2012 23:05:11 +1000
To: freebsd-ipfw@freebsd.org
Subject: Re: newbie IPFW user
Message-ID: <4F5B5187.2010303@herveybayaustralia.com.au>
References: <4F5A161C.8060407@herveybayaustralia.com.au> <4F5B2348.2080405@freebsd.org>
In-Reply-To: <4F5B2348.2080405@freebsd.org>
List-Id: IPFW Technical Discussions

On 03/10/12 19:47, Julian Elischer wrote:
> On 3/9/12 6:39 AM, Da Rock wrote:
>> I'm relatively new to IPFW, not FBSD; the last time I used IPFW (I
>> believe) was using 4.3. I'm now attempting to use IPFW for some tests
>> (and hopefully move to production), and I'm trying to determine how I
>> would set up binat using IPFW, or even if it's possible at all.
>>
>> I've been hunting for some more in-depth documentation, but it appears to
>> be scarce/not definitive. I suspect using the modes in libalias such
>> as "use same ports" and "reverse" might be able to do what I'm
>> looking for?
>>
>> Any clarity much appreciated.
>
> well of course
> man ipfw is the basis..
>
> since you don't give any hints as to what you want to do that is not
> in /etc/rc.firewall,
> it is hard to know how to help you..

I think that is the fundamental problem: I defined what I was doing, but the terms are foreign, ergo the man page doesn't show it either. Binat is defined in pf, so I used the terminology thinking it would just click. Apparently not :)

Binat is 1:1 natting to and from a client behind a firewall (according to pf), so binat nats traffic from the client and from the external network. For all intents and purposes it appears the client is actually on the external network, with the added benefit that only the ports needed can be natted, and others can be diverted elsewhere.

I'm using it for VoIP currently (and VPN on the same client): VoIP requires 5060 remote _and_ connection ports, and needs to be forwarded as is (excepting IP address) and not appear to be natted so as not to confuse the client. VPN uses 500/4500 and requires an untouched packet payload (IPsec).

Are there any sources for documentation on the advanced uses of ipfw? I stumbled on just one that goes into more detail so far: http://www.freebsd-howto.com/HOWTO/Ipfw-HOWTO.
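The following is an added example, not part of the thread and not anything the list or the FreeBSD project published, showing how the 1:1 mapping described above can be expressed with ipfw's in-kernel NAT (libalias), in the two shapes the post asks about: a whole-host mapping via `redirect_addr`, and a per-port mapping via `redirect_port` for SIP (5060) and IPsec IKE/NAT-T (500/4500) with `same_ports` so the client's source ports survive translation. The outside interface `em0`, the inside host `192.168.0.177`, the public alias `203.0.113.10` (a documentation-range placeholder) and NAT instance `1` are constructed assumptions; the script prints the `ipfw` commands by default so the ruleset can be reviewed before it is loaded.

```shell
#!/bin/sh
# Added example (not from the thread): a static 1:1 "binat"-style mapping
# with ipfw nat / libalias. Constructed assumptions: outside interface em0,
# inside host 192.168.0.177, public alias 203.0.113.10 (placeholder; it must
# be configured as an alias on the outside interface), NAT instance 1.
OIF=${OIF:-em0}
INSIDE=${INSIDE:-192.168.0.177}
PUBLIC=${PUBLIC:-203.0.113.10}
NAT_ID=${NAT_ID:-1}
DRY_RUN=${DRY_RUN:-1}   # 1 = print the ipfw commands instead of running them

# run_ipfw: in dry-run mode print the command so the ruleset can be reviewed
# before it touches a live firewall; otherwise execute ipfw(8).
run_ipfw() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'ipfw %s\n' "$*"
    else
        ipfw "$@"
    fi
}

# binat_full: map every protocol and port of INSIDE 1:1 onto PUBLIC.
# This also covers the dynamically negotiated RTP ports of a SIP call.
# same_ports asks libalias to keep the original source port when it is free
# (the "use same ports" mode named in the post), so the client does not see
# its ports rewritten.
binat_full() {
    run_ipfw nat "$NAT_ID" config if "$OIF" same_ports \
        redirect_addr "$INSIDE" "$PUBLIC"
}

# binat_ports: steer only the ports the post needs to INSIDE (SIP 5060,
# IKE 500, IPsec NAT-T 4500); other inbound ports on PUBLIC stay free to be
# forwarded elsewhere with further redirect_port entries.
binat_ports() {
    run_ipfw nat "$NAT_ID" config if "$OIF" same_ports \
        redirect_port udp "$INSIDE:5060" "$PUBLIC:5060" \
        redirect_port udp "$INSIDE:500"  "$PUBLIC:500" \
        redirect_port udp "$INSIDE:4500" "$PUBLIC:4500"
}

# nat_rules: send both directions of traffic on OIF through the NAT instance.
# With net.inet.ip.fw.one_pass=1 (the default) a packet leaves the ruleset
# as soon as the nat rule accepts it, so any filter that must see the
# untranslated addresses has to come before rule 100. Rule 200 stands in
# for the site's normal filtering policy.
nat_rules() {
    run_ipfw add 100 nat "$NAT_ID" ip from any to any via "$OIF"
    run_ipfw add 200 allow ip from any to any
}

# build_ruleset: "full" for the whole-host mapping, anything else for the
# per-port variant; the rule text is returned on stdout.
build_ruleset() {
    if [ "${1:-ports}" = full ]; then
        binat_full
    else
        binat_ports
    fi
    nat_rules
}

build_ruleset "${MODE:-ports}"
```

Run it as `MODE=full sh binat.sh` or `MODE=ports sh binat.sh` to review the generated rules; set `DRY_RUN=0` to apply them. The per-port form is the closer match to the post's wish that only the needed ports be natted, while the `redirect_addr` form is what pf calls binat proper.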