From owner-freebsd-questions@FreeBSD.ORG Thu Oct 2 16:05:16 2008
From: "n j" <nino80@gmail.com>
To: "FreeBSD Questions" <freebsd-questions@freebsd.org>
Date: Thu, 2 Oct 2008 18:05:15 +0200
Subject: Re: nat and firewall
Message-ID: <92bcbda50810020905r9b5788ayb41cffe65834cd1c@mail.gmail.com>
In-Reply-To: <7daacbbe0810020539h530c6306o5f19abf35a68c6ad@mail.gmail.com>
References: <48DA7491.8030002@daleco.biz> <7daacbbe0810020539h530c6306o5f19abf35a68c6ad@mail.gmail.com>

>> This is no longer true; he did indeed find "firewall_nat_enable"
>> in /etc/defaults/rc.conf. The knob seems to have first appeared
>> in February in HEAD and I'm guessing it cues the system to use a
>> new kernel-based nat rather than natd(8), but I've not read anything
>> further about this, as my system isn't as up to date as the OP's.
>> I don't know when this change was MFC'ed, but apparently fairly
>> recently?
>
> firewall_nat_* was added in the beginning of the year in RELENG_7
> http://www.freebsd.org/cgi/cvsweb.cgi/src/etc/rc.firewall?r1=1.52.2.2#rev1.52.2.2
>
> These are two different ways to do NAT. I can't speak about performance,
> kernel vs daemon.

Apologies for jumping in another thread commenting on my own question, but I think the questions are very similar (see "Recompile kernel or module for ipfw+nat?", http://lists.freebsd.org/pipermail/freebsd-questions/2008-September/183418.html).

It would seem that doing NAT with ipfw (in-kernel as opposed to using userland natd) is not possible in 7.0-RELEASE-p4 without recompiling the kernel to include IPDIVERT, even though IPDIVERT was converted to a loadable module way back. And I have doubts that even recompiling the kernel would help doing "ipfw add nat 123 all from any to any".

However, I found the reason for that might be the following CVS commit message:

# $FreeBSD: src/sys/modules/ipfw_nat/Makefile,v 1.1 2008/02/29 22:27:18 piso Exp $
"Move ipfw's nat code into its own kld: ipfw_nat."

which got committed to RELENG_7 and HEAD only (explains why it doesn't work on my 7.0-RELEASE-p4).

My guess is that this functionality is already available in 7.1-BETA since the code freeze began in September and the ipfw nat code got committed in February. I can only guess if what I wrote above is correct, but I'll upgrade one machine to 7.1-BETA as soon as I get some spare time.

Regards,
--
Nino
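The thread above contrasts two ways of doing NAT with ipfw: the newer in-kernel path (an `ipfw nat` instance backed by the `ipfw_nat` kld, switched on with the `firewall_nat_enable` rc.conf knob) and the older userland path (a `divert` rule handing packets to natd(8), which needs IPDIVERT in the kernel or the ipdivert module). The POSIX sh script below is an added example, not code from the thread or from FreeBSD's own rc.firewall: it generates the minimal rule set for each path, reads an rc.conf to report which path a host is configured for, and names the kernel module that path depends on. The interface name `em0`, the rule and nat-instance numbers, and the constructed rc.conf fragment are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the list thread or the FreeBSD rc scripts).
# Generates ipfw rule files for the two NAT approaches discussed and
# inspects an rc.conf to see which one is selected. Nothing here talks
# to the kernel, so it can be run anywhere; feed the output to ipfw on
# a FreeBSD host with "ipfw -q /path/to/rules".

# Rules for in-kernel NAT: configure nat instance 123 on the external
# interface, then one rule sends traffic crossing that interface through
# it. Instance number, rule numbers and options are assumptions.
gen_kernel_nat_rules() {
    iface="$1"
    cat <<EOF
nat 123 config if $iface same_ports reset
add 100 nat 123 ip from any to any via $iface
add 65000 allow ip from any to any
EOF
}

# Rules for userland NAT: divert traffic on the external interface to the
# "natd" divert port (8668/divert in /etc/services); natd(8) must be
# running with "-interface $iface" for packets to come back.
gen_natd_rules() {
    iface="$1"
    cat <<EOF
add 100 divert natd ip from any to any via $iface
add 65000 allow ip from any to any
EOF
}

# Kernel module each path depends on: ipfw_nat.ko for in-kernel NAT
# (RELENG_7 after the commit cited in the message, not 7.0-RELEASE),
# ipdivert.ko for natd unless IPDIVERT is compiled into the kernel.
required_kld() {
    case "$1" in
        kernel) echo ipfw_nat ;;
        natd)   echo ipdivert ;;
        *)      echo "" ;;
    esac
}

# True when rc.conf file $2 sets knob $1 to YES (case-insensitive,
# quotes optional, trailing comments tolerated).
rc_yes() {
    grep -i "^$1=\"\{0,1\}yes\"\{0,1\}" "$2" >/dev/null 2>&1
}

# Report which NAT path an rc.conf selects: kernel, natd or none.
# firewall_nat_enable wins if both knobs are set, mirroring the thread's
# point that the two mechanisms are alternatives, not layers.
nat_mode_from_rcconf() {
    if rc_yes firewall_nat_enable "$1"; then
        echo kernel
    elif rc_yes natd_enable "$1"; then
        echo natd
    else
        echo none
    fi
}

# Emit the rule set matching a mode, on the given interface.
gen_rules() {
    case "$1" in
        kernel) gen_kernel_nat_rules "$2" ;;
        natd)   gen_natd_rules "$2" ;;
        *)      echo "add 65000 allow ip from any to any" ;;
    esac
}

# Demonstration on a constructed rc.conf fragment (example values only).
sample=$(mktemp)
cat > "$sample" <<'EOF'
gateway_enable="YES"
firewall_enable="YES"
firewall_type="open"
firewall_nat_enable="YES"
firewall_nat_interface="em0"
EOF
mode=$(nat_mode_from_rcconf "$sample")
echo "rc.conf selects: $mode NAT (needs $(required_kld "$mode").ko)"
gen_rules "$mode" em0
rm -f "$sample"
```

On a FreeBSD host the generated file is loaded with `ipfw -q /path/to/rules`; the in-kernel variant fails with an unknown-command error when `ipfw_nat.ko` is absent (the situation the message describes on 7.0-RELEASE-p4), which is a quicker check than rebuilding a kernel.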