From owner-freebsd-ipfw@FreeBSD.ORG Sun Mar 11 16:43:55 2012
Date: Mon, 12 Mar 2012 03:43:10 +1100 (EST)
From: Ian Smith
To: Da Rock
Cc: freebsd-ipfw@freebsd.org
Subject: Re: newbie IPFW user
Message-ID: <20120312025251.W10482@sola.nimnet.asn.au>
In-Reply-To: <4F5BDBF9.4000807@herveybayaustralia.com.au>

On Sun, 11 Mar 2012 08:55:53 +1000, Da Rock wrote:
> On 03/11/12 02:28, Ian Smith wrote:
> > On Sat, 10 Mar 2012 23:05:11 +1000, Da Rock wrote:
> > > On 03/10/12 19:47, Julian Elischer wrote:
> > > > On 3/9/12 6:39 AM, Da Rock wrote:

[..]

> > > I'm using it for voip currently (and vpn on the same client): voip
> > > requires 5060 remote _and_ connection ports, and needs to be forwarded
> > > as is (excepting ip address) and not appear to be natted so as not to
> > > confuse the client. VPN uses 500/4500 and requires an untouched packet
> > > payload (ipsec).
> >
> > So this particular box has its own unique external routable IP address,
> > distinct from the router's external IP? Does it also want to do regular
> > NAT for other than VoIP/VPN port traffic? Just trying to follow ..
>
> NP. I have only one external address (considered more, but nothing has
> quite convinced me as yet to part with more moula for them), and the
> binat only works for these services (ipsec/l2tp/vpn/voip), but
> essentially it appears this box is in the open - directly on the
> external address. However, I can still send other services
> (smtp/imap/www/dns) to other boxes.

Ah, I thought pf.conf(5) implied it was for a separate external address?

So apart from needing static NAT for those services it's pretty standard,
looks like? I haven't done just that myself so should shut up here, but
would likely tend to use a separate nat instance for those, with some
rules before and after the NAT to keep that traffic distinct from the
more general mapping for other clients, to be sure other clients don't
get to use those ports 'accidentally' (beating same_ports to the punch).

> The firewall is also running the show with ppp as well, the modem is
> running 'dumb'.

Way to go. I prefer mpd for PPPoE, toss a coin.

> From other posts, I'd say static NAT could be what I'm looking for.
> I'll give it a shot anyway...

Let us know.

> > > Are there any sources for documentation on the advanced uses of ipfw?
> > > I stumbled on just one that goes into more detail so far
> > > http://www.freebsd-howto.com/HOWTO/Ipfw-HOWTO.
> >
> > I vaguely recall that one from years ago. "www.freebsd-howto.com could
> > not be found. Please check the name and try again." tonight anyway.
>
> I said this before: what can I say? It works for me... :) I just used it
> tonight, so I can't say what would be going on (planets aligned, or
> something?).

Or something. Even digging @ its listed primary nameserver is broken.

; <<>> DiG 9.6.-ESV-R3 <<>> @NS1.ERUDITION.NET freebsd-howto.com any
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 5627
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;freebsd-howto.com.             IN      ANY

But Google found http://freebsdhowto.com/Ipfw-HOWTO.txt from Romania :)

This looks very like one of Joe Barbish's expositions; it contains many of
the same factual errors and questionable advice as the IPFW section in the
Handbook, and it only covers FreeBSD 4 anyway.

Truly, ipfw(8) is pretty near complete and authoritative, and rc.firewall
is a much better basis for a good firewall; a smart boy like you can
handle the truth :)

cheers, Ian

[PS whitespace, like a smile, costs nothing; who prints email anymore?]

From owner-freebsd-ipfw@FreeBSD.ORG Mon Mar 12 11:07:14 2012
Date: Mon, 12 Mar 2012 11:07:13 GMT
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org
Message-Id: <201203121107.q2CB7DFP072365@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/165190  ipfw   [ipfw] [lo] [patch] loopback interface is not marking
o kern/164690  ipfw   [ipfw] Request for ipv6 support in ipfw tables
f kern/163873  ipfw   [ipfw] ipfw fwd does not work with 'via interface' in
o kern/158066  ipfw   [ipfw] ipfw + netgraph + multicast = multicast packets
o kern/157796  ipfw   [ipfw] IPFW in-kernel NAT nat loopback / Default Route
o kern/157689  ipfw   [ipfw] ipfw nat config does not accept nonexistent int
o kern/156770  ipfw   [ipfw] [dummynet] [patch]: performance improvement and
f kern/155927  ipfw   [ipfw] ipfw stops to check packets for compliance with
o bin/153252   ipfw   [ipfw][patch] ipfw lockdown system in subsequent call
o kern/153161  ipfw   [ipfw] does not support specifying rules with ICMP cod
o kern/152113  ipfw   [ipfw] page fault on 8.1-RELEASE caused by certain amo
o kern/148827  ipfw   [ipfw] divert broken with in-kernel ipfw
o kern/148689  ipfw   [ipfw] antispoof wrongly triggers on link local IPv6 a
o kern/148430  ipfw   [ipfw] IPFW schedule delete broken.
o kern/148091  ipfw   [ipfw] ipfw ipv6 handling broken.
o kern/143973  ipfw   [ipfw] [panic] ipfw forward option causes kernel reboo
o kern/143621  ipfw   [ipfw] [dummynet] [patch] dummynet and vnet use result
o kern/137346  ipfw   [ipfw] ipfw nat redirect_proto is broken
o kern/137232  ipfw   [ipfw] parser troubles
o kern/135476  ipfw   [ipfw] IPFW table breaks after adding a large number o
o kern/129036  ipfw   [ipfw] 'ipfw fwd' does not change outgoing interface n
p kern/128260  ipfw   [ipfw] [patch] ipfw_divert damages IPv6 packets
o kern/127230  ipfw   [ipfw] [patch] Feature request to add UID and/or GID l
f kern/122963  ipfw   [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807  ipfw   [request] TCP and UDP port_table in ipfw
o kern/121122  ipfw   [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/116009  ipfw   [ipfw] [patch] Ignore errors when loading ruleset from
o bin/104921   ipfw   [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw   [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw   [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw   [ipfw] [request] sugestions about ipfw table
o kern/102471  ipfw   [ipfw] [patch] add tos and dscp support
o kern/97951   ipfw   [ipfw] [patch] ipfw does not tie interface details to
o kern/95084   ipfw   [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/86957   ipfw   [ipfw] [patch] ipfw mac logging
o bin/83046    ipfw   [ipfw] ipfw2 error: "setup" is allowed for icmp, but s
o kern/82724   ipfw   [ipfw] [patch] [request] Add setnexthop and defaultrou
o bin/78785    ipfw   [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o kern/60719   ipfw   [ipfw] Headerless fragments generate cryptic error mes
s kern/55984   ipfw   [ipfw] [patch] time based firewalling support for ipfw
o kern/48172   ipfw   [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw   [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw   [ipfw] Add an option to ipfw to log gid/uid of who cau

43 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Tue Mar 13 10:17:19 2012
Date: Tue, 13 Mar 2012 10:17:18 GMT
From: melifaro@FreeBSD.org
To: fbsd@50days.dax.nu, melifaro@FreeBSD.org, freebsd-ipfw@FreeBSD.org
Subject: Re: kern/164690: [ipfw] Request for ipv6 support in ipfw tables
Message-Id: <201203131017.q2DAHIGx013756@freefall.freebsd.org>

Synopsis: [ipfw] Request for ipv6 support in ipfw tables

State-Changed-From-To: open->patched
State-Changed-By: melifaro
State-Changed-When: Tue Mar 13 09:51:13 UTC 2012
State-Changed-Why:
IPv6 support added to head in r232865

Responsible-Changed-From-To: freebsd-ipfw->melifaro
Responsible-Changed-By: melifaro
Responsible-Changed-When: Tue Mar 13 09:51:13 UTC 2012
Responsible-Changed-Why:

http://www.freebsd.org/cgi/query-pr.cgi?pr=164690

From owner-freebsd-ipfw@FreeBSD.ORG Wed Mar 14 07:10:11 2012
Date: Wed, 14 Mar 2012 12:39:32 +0530
From: Rémy Sanchez
To: freebsd-ipfw@freebsd.org
Subject: Re: newbie IPFW user
Message-ID: <8823954.VFuFedYPUb@magi>
In-Reply-To: <4F5A161C.8060407@herveybayaustralia.com.au>

On Saturday 10 March 2012 00:39:24 Da Rock wrote:
> I'm relatively new to IPFW, not FBSD; the last time I used IPFW (I
> believe) was using 4.3. I'm now attempting to use IPFW for some tests
> (and hopefully move to production), and I'm trying to determine how I
> would set up binat using IPFW; or even if it's possible at all.
>
> I've been hunting some more in-depth documentation, but it appears to be
> scarce/not definitive. I suspect using the modes in libalias such as
> "use same ports" and "reverse" might be able to do what I'm looking for?
>
> Any clarity much appreciated.
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

Well, what do you want to do with your firewall?

Because ipfw is kick-ass for QoS management, and is fairly simple to use in
other tasks, but if you want to do some complex NAT, it's going to be a pain
in comparison to what pf offers.

Just make sure of what your main requirement is :)

My 2 cents,

-- 
Rémy Sanchez
http://hyperthese.net/

From owner-freebsd-ipfw@FreeBSD.ORG Sat Mar 17 08:41:34 2012
Date: Sat, 17 Mar 2012 18:36:04 +1000
From: Da Rock
To: freebsd-ipfw@freebsd.org
Subject: Re: newbie IPFW user
Message-ID: <4F644CF4.2010004@herveybayaustralia.com.au>
In-Reply-To: <8823954.VFuFedYPUb@magi>

On 03/14/12 17:09, Rémy Sanchez wrote:
> On Saturday 10 March 2012 00:39:24 Da Rock wrote:
>> [..]
> Well, what do you want to do with your firewall?
>
> Because ipfw is kick-ass for QoS management, and is fairly simple to use in
> other tasks, but if you want to do some complex NAT, it's going to be a pain
> in comparison to what pf offers.
>
> Just make sure of what your main requirement is :)
>
> My 2 cents,

Bluntly put, but very accurate :)

I want it to do something pf can't - port forward ipsec packets for
Android L2TP/IPSec. Apparently (according to pfsense experts) it is
impossible until Android 3.0 or 4.0. My next port of call will be
ipfilter, and that's a known working solution but I want to use more
robust native tools.

As for being a pita - I don't know. It doesn't seem any harder to me,
could even be easier; seems to be a psychological thing. I'll get back
to you (the list) when I have achieved an outcome and let you know. So
far I haven't had to compile a new kernel, so that's a definite plus...
that could change though. More info in the next episode ;) I've just
finished wrestling with certificate generation.... grr! It was easier
last time, not sure what has been the issue this time.
From owner-freebsd-ipfw@FreeBSD.ORG Sat Mar 17 16:31:35 2012
Date: Sat, 17 Mar 2012 09:31:54 -0700
From: Julian Elischer
To: freebsd-ipfw@freebsd.org
Cc: Da Rock
Subject: Re: newbie IPFW user
Message-ID: <4F64BC7A.8080607@freebsd.org>
In-Reply-To: <4F644CF4.2010004@herveybayaustralia.com.au>

On 3/17/12 1:36 AM, Da Rock wrote:
> On 03/14/12 17:09, Rémy Sanchez wrote:
>> On Saturday 10 March 2012 00:39:24 Da Rock wrote:
>>> [..]
>> [..]
> Bluntly put, but very accurate :)
>
> I want it to do something pf can't - port forward ipsec packets for
> Android L2TP/IPSec. Apparently (according to pfsense experts) it is
> impossible until Android 3.0 or 4.0. My next port of call will be
> ipfilter, and that's a known working solution but I want to use more
> robust native tools.

you need to really explain what you want here..
do you want the IP packets to still have the original ports/addresses in
them or do you want to have the packets untouched, but redirected?
a picture helps too.

> As for being a pita - I don't know. It doesn't seem any harder to me,
> could even be easier; seems to be a psychological thing. I'll get back
> to you (the list) when I have achieved an outcome and let you know. So
> far I haven't had to compile a new kernel, so that's a definite plus...
> that could change though. More info in the next episode ;) I've just
> finished wrestling with certificate generation.... grr! It was easier
> last time, not sure what has been the issue this time.
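The layout Ian Smith sketches earlier in the thread (a separate nat instance for the VoIP/IPsec ports, with rules before and after it so other clients cannot take those ports), worked through as an added example; this is not code from the thread or from rc.firewall, and it answers Julian's question one way: the packets are rewritten by in-kernel ipfw nat (libalias), not left untouched and forwarded. The interface name tun0, the LAN 192.168.0.0/24, the binat host 192.168.0.10, the mail host 192.168.0.20 and all rule numbers are assumptions. By default the script only prints the rules; run it with fwcmd=/sbin/ipfw to apply them (the ipfw_nat module must be in the kernel or loaded).

```sh
#!/bin/sh
# Added example, not from the list thread: two in-kernel ipfw nat instances
# on a router with ONE public address, where a single internal host is the
# SIP and L2TP/IPsec endpoint and everyone else gets ordinary NAT.
# Interface, addresses and rule numbers below are assumptions.
#
# Dry run by default: fwcmd echoes the rules. fwcmd=/sbin/ipfw applies them
# (needs ipfw_nat, e.g. ipfw_nat_load="YES" in /boot/loader.conf).

fwcmd="${fwcmd:-echo ipfw}"
ext_if="${ext_if:-tun0}"                  # assumed ppp(8)/mpd PPPoE interface
lan="${lan:-192.168.0.0/24}"              # assumed internal network
voip_host="${voip_host:-192.168.0.10}"    # assumed SIP + L2TP/IPsec server
mail_host="${mail_host:-192.168.0.20}"    # assumed box that takes smtp
svc_ports="5060,500,4500"                 # SIP, IKE, IPsec NAT-T

build_ruleset() {
    ${fwcmd} -f flush

    # nat 1 owns the service ports. same_ports keeps the host's own source
    # ports (SIP and IKE expect 5060 and 500 on both ends); redirect_port
    # pins the inbound direction to the host; unreg_only translates only
    # RFC 1918 sources.
    ${fwcmd} nat 1 config if "${ext_if}" same_ports unreg_only \
        redirect_port udp "${voip_host}:5060" 5060 \
        redirect_port udp "${voip_host}:500" 500 \
        redirect_port udp "${voip_host}:4500" 4500

    # nat 2 is for everyone else. deny_in drops inbound packets that match
    # neither a session nor a redirect instead of passing them through
    # untranslated; ordinary port forwards for other boxes live here.
    ${fwcmd} nat 2 config if "${ext_if}" same_ports unreg_only deny_in \
        redirect_port tcp "${mail_host}:25" 25

    ${fwcmd} add 100 allow ip from any to any via lo0
    ${fwcmd} add 110 deny ip from any to 127.0.0.0/8
    ${fwcmd} add 120 allow ip from any to any not via "${ext_if}"

    # Before the general NAT: inbound traffic for the service ports always
    # goes to nat 1, hence to the VoIP host, whatever nat 2 has mapped.
    ${fwcmd} add 1000 nat 1 udp from any to me "${svc_ports}" in via "${ext_if}"

    # The host's own outbound on those ports goes through nat 1 as well, so
    # both directions of a session are handled by the same instance.
    ${fwcmd} add 1010 nat 1 udp from "${voip_host}" "${svc_ports}" to any out via "${ext_if}"

    # No other client may source those ports out the public interface, so
    # nat 2 can never allocate 500/4500/5060 on the public address and
    # collide with the static mappings (this is the same_ports race).
    ${fwcmd} add 1020 deny log udp from "${lan}" "${svc_ports}" to any out via "${ext_if}"

    # General NAT for the rest, both directions.
    ${fwcmd} add 2000 nat 2 ip4 from any to any via "${ext_if}"

    # With net.inet.ip.fw.one_pass=1 (the default) a packet is accepted
    # right after its nat rule, so only packets that matched no nat rule
    # (non-IPv4 on ext_if, for instance) reach this default deny.
    ${fwcmd} add 65000 deny log ip from any to any
}

build_ruleset
```

Two caveats the rules above rely on. Because nat 2 is configured with deny_in, anything the router itself should accept from the outside (ssh to the router, say) needs an allow rule before rule 2000, otherwise libalias discards it as an unknown inbound session. And only NAT-T traffic is covered: a remote client that negotiates NAT-T carries ESP inside UDP 4500, but raw ESP (IP protocol 50) would need libalias's redirect_proto, which kern/137346 in the bugmaster list above reported broken at the time, so test that path before relying on it.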