Date:      Thu, 2 Oct 2008 18:05:15 +0200
From:      "n j" <nino80@gmail.com>
To:        "FreeBSD Questions" <freebsd-questions@freebsd.org>
Subject:   Re: nat and firewall
Message-ID:  <92bcbda50810020905r9b5788ayb41cffe65834cd1c@mail.gmail.com>
In-Reply-To: <7daacbbe0810020539h530c6306o5f19abf35a68c6ad@mail.gmail.com>
References:  <NBECLJEKGLBKHHFFANMBOEBFCLAA.fbsd1@a1poweruser.com> <48DA7491.8030002@daleco.biz> <c583719d0810012109i2b9f4a01u12b5bf26bbfd8508@mail.gmail.com> <7daacbbe0810020539h530c6306o5f19abf35a68c6ad@mail.gmail.com>

>> This is no longer true; he did indeed find "firewall_nat_enable"
>> in /etc/defaults/rc.conf.  The knob seems to have first appeared
>> in February in HEAD and I'm guessing it cues the system to use a
>> new kernel-based nat rather than natd(8), but I've not read anything
>> further about this, as my system isn't as up to date as the OP's.
>> I don't know when this change was MFC'ed, but apparently fairly
>> recently?

> firewall_nat_* was added in the beginning of the year in RELENG_7
> http://www.freebsd.org/cgi/cvsweb.cgi/src/etc/rc.firewall?r1=1.52.2.2#rev1.52.2.2
>
> This is two different ways to do NAT. I can't speak about performance,
> kernel vs daemon.

Apologies for jumping in another thread commenting on my own question,
but I think the questions are very similar (see "Recompile kernel or
module for ipfw+nat?",
http://lists.freebsd.org/pipermail/freebsd-questions/2008-September/183418.html).

It would seem that doing NAT with ipfw (in-kernel as opposed to using
userland natd) is not possible in 7.0-RELEASE-p4 without recompiling
the kernel to include IPDIVERT, even though IPDIVERT was converted to a
loadable module way back. And I have doubts that even recompiling the
kernel would help doing "ipfw add nat 123 all from any to any".

However, I found the reason for that might be the following CVS commit message:

# $FreeBSD: src/sys/modules/ipfw_nat/Makefile,v 1.1 2008/02/29 22:27:18 piso Exp $

"Move ipfw's nat code into its own kld: ipfw_nat."

which got committed to RELENG_7 and HEAD only (explains why it doesn't
work on my 7.0-RELEASE-p4).

My guess is that this functionality is already available in 7.1-BETA
since the code freeze began in September and ipfw nat code got
committed in February.

I can only guess if what I wrote above is correct, but I'll upgrade
one machine to 7.1-BETA as soon as I get some spare time.

Regards,
-- 
Nino
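The in-kernel NAT setup the thread is discussing, written out as an added example (not code from the thread or from FreeBSD's rc.firewall). It assumes a system that ships the ipfw_nat kld and the firewall_nat_* rc.conf knobs, takes kldstat(8) output as an argument so the module check can be verified offline, and uses em0 and the numbers 100/123 as placeholders.

```shell
#!/bin/sh
# Added example: check for the ipfw_nat kld before configuring in-kernel
# NAT, and show the two ways to enable it (rc.conf knobs or explicit rules).
# Assumptions: ipfw_nat.ko and the firewall_nat_* knobs are available;
# interface and rule numbers are placeholders.

# Return 0 if kldstat(8) output (passed as $1) lists ipfw_nat.ko.
# If this fails, rebuilding with IPDIVERT for natd is the only option.
ipfw_nat_loaded() {
    printf '%s\n' "$1" |
        awk '$NF == "ipfw_nat.ko" { found = 1 } END { exit !found }'
}

# rc.conf lines that let rc.firewall drive in-kernel NAT (no natd).
# $1 is the external interface.
rc_conf_kernel_nat() {
    cat <<EOF
firewall_enable="YES"
firewall_nat_enable="YES"
firewall_nat_interface="$1"
EOF
}

# The equivalent explicit rule set: one nat instance bound to the
# external interface, and one rule that sends traffic on it through
# the instance (this is the "ipfw add nat 123" form from the thread).
ipfw_kernel_nat_rules() {
    cat <<EOF
ipfw nat 123 config if $1 same_ports reset
ipfw add 100 nat 123 ip from any to any via $1
EOF
}

# Usage on a live host:
#   if ipfw_nat_loaded "$(kldstat)"; then ipfw_kernel_nat_rules em0; fi
```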


