From: "Dan Langille"
Organization: The FreeBSD Diary
To: "Art Neilson, KH7PZ"
Date: Tue, 29 Jun 1999 21:04:05 +1200
Subject: ipfilter vs ipfw (was Re: tcp_wrappers)
Reply-To: junkmale@xtra.co.nz
Cc: freebsd-questions@FreeBSD.ORG
In-reply-to: <3.0.6.32.19990628190217.032dd6b0@clients1.hawaii.rr.com>
References: <19990627230044.HINL1400.mta2-rme@wocker>
Message-Id: <19990629090654.GLCL112692.mta2-rme@wocker>

On 28 Jun 99, at 19:02, Art Neilson, KH7PZ wrote:

> OK so Dan, while looking around on the website you mentioned I
> found a section regarding ipnat.
>
> http://www.freebsddiary.org/freebsd/ipnat.htm
>
> This page describes how to do NAT via the ipfilter kernel module
> or LKM. How does this differ from using natd? Other than maybe
> performance? Do you gain any features or other benefits by using
> ipfilter nat vs. natd nat? I'm currently using natd so am interested
> if the ipfilter method is better.

I, personally, think ipfilter (ipf) is a much more robust product. I have
no proof of that. Merely anecdotes from those that use ipf.

One feature within ipf that I think is worth mentioning is the rule group.
This is a great short-hand way of ensuring that rules stick together where
they should stick together.
For example, the following is my first couple of rules:

    block in log on ed0 all head 100
    block out log on ed0 all head 150

This effectively blocks all traffic on ed0. Later on you see stuff like
this:

    pass in quick proto tcp from any to any port = www keep state group 100
    pass in quick proto tcp from any to any port = telnet keep state group 100
    pass in quick proto tcp from any to any port = ssh keep state group 100
    pass in quick proto tcp/udp from any to any port = domain keep state group 100

All of these relate to traffic coming in on ed0. Similarly, the following
stops those private addresses from coming in on ed0:

    #
    # Deny reserved addresses.
    #
    block in log quick from 10.0.0.0/8 to any group 100
    block in log quick from 192.168.0.0/16 to any group 100
    block in log quick from 172.16.0.0/12 to any group 100

Perhaps others with more technical knowledge of ipf can jump in here and
tell you more about that.

--
Dan Langille - DVL Software Limited
The FreeBSD Diary - http://www.FreeBSDDiary.org/freebsd/
NZ FreeBSD User Group - http://www.nzfug.nz.freebsd.org/
The Racing System - http://www.racingsystem.com/racingsystem.htm
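The head/group mechanism described in the message, as an added example that is not part of the original post: a small Python model of how ipf consults a group only after its head rule matched, applies last-match-wins, and stops at the first "quick" hit. The rule set is constructed from the inbound ed0 rules above; placing the reserved-address blocks before the pass rules is my assumption, and interface, direction and keep-state handling are deliberately omitted.

```python
import ipaddress

# Constructed rule set modelled on the inbound "group 100" rules in the post.
# A rule is a dict; a missing key means "any". Not real ipf code.
MAIN = [
    {"action": "block", "head": 100},  # block in log on ed0 all head 100
]
GROUPS = {
    100: [
        {"action": "block", "quick": True, "from": "10.0.0.0/8"},      # reserved
        {"action": "block", "quick": True, "from": "192.168.0.0/16"},
        {"action": "block", "quick": True, "from": "172.16.0.0/12"},
        {"action": "pass", "quick": True, "proto": "tcp", "dport": 80},  # www
        {"action": "pass", "quick": True, "proto": "tcp", "dport": 22},  # ssh
        {"action": "pass", "quick": True, "proto": "tcp", "dport": 53},  # domain
        {"action": "pass", "quick": True, "proto": "udp", "dport": 53},
    ]
}

def matches(rule, pkt):
    """True when every selector present in the rule agrees with the packet."""
    if "proto" in rule and rule["proto"] != pkt["proto"]:
        return False
    if "from" in rule and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule["from"]):
        return False
    if "dport" in rule and rule["dport"] != pkt["dport"]:
        return False
    return True

def walk(rules, pkt):
    """Simplified ipf semantics: rules run top to bottom, the last match wins,
    'quick' ends evaluation, and a group's rules are consulted only once its
    head rule matched. Returns (action or None, stopped_by_quick)."""
    result = None
    for rule in rules:
        if not matches(rule, pkt):
            continue
        result = rule["action"]            # head rule's action is the fallback
        if rule.get("head") in GROUPS:      # descend into the group
            sub, quick = walk(GROUPS[rule["head"]], pkt)
            if sub is not None:
                result = sub
            if quick:
                return result, True
        if rule.get("quick"):
            return result, True
    return result, False

def decide(pkt):
    action, _ = walk(MAIN, pkt)
    return action or "pass"   # a packet matching no rule at all is passed by ipf
```

A spoofed 10.0.0.0/8 source hits the quick block before the port-80 pass rule is reached, while a public client to a port with no pass rule falls back to the head rule's block.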