From owner-freebsd-questions@FreeBSD.ORG Fri Aug 1 13:20:53 2014
Date: Fri, 1 Aug 2014 07:20:43 -0600 (MDT)
From: Warren Block
To: Dan Busarow
Subject: Re: Future of pf / firewall in FreeBSD ? - does it have one ?
In-Reply-To: <53DB9017.3000304@buildingonline.com>
References: <53C706C9.6090506@com.jkkn.dk> <6326AB9D-C19A-434B-9681-380486C037E2@lastsummer.de> <53CB4736.90809@bluerosetech.com> <201407200939020335.0017641F@smtp.24cl.home> <788274E2-7D66-45D9-89F6-81E8C2615D14@lastsummer.de> <201407201230590265.00B479C4@smtp.24cl.home> <20140729103512.GC89995@FreeBSD.org> <53DA304E.6020105@herveybayaustralia.com.au> <20140731134147.GH2402@glebius.int.ru> <53DB9017.3000304@buildingonline.com>
Cc: freebsd-questions@freebsd.org

On Fri, 1 Aug 2014, Dan Busarow wrote:

>
> On 8/1/14, 1:39 AM, krad wrote:
>> I always found natting in ipfw rather awkward and harder than in pf.
>> Looking at the man page it doesn't seem to have changed. I should probably
>> give it another go though as it has been about 10 years now.
>
> Couldn't be much easier than the way it works now
>
> e.g.
>
> firewall_enable="YES"
> firewall_type="OPEN"
> natd_enable="YES"
> natd_interface="em0"
> natd_flags="-s -m -u"
>
> All of the builtin rulesets know about NAT
>
> My home network has two internal nets each with its own wifi AP and the
> above handles it.
>
> natd_interface is your outside facing interface.

In pf, it is just an entry in the rules:

nat on $ext_if from $internal_net to any -> ($ext_if)
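For readers comparing the two approaches, here is the pf side written out as a complete minimal ruleset. This is an added example and not part of the thread; the interface names em0 (outside) and em1 (inside), the 192.168.1.0/24 network and the surrounding filter rules are assumptions for a small FreeBSD gateway, with the one nat line taken from the message above.

```pf
# /etc/pf.conf -- assumed example gateway: em0 faces the ISP, em1 faces the LAN
ext_if = "em0"
int_if = "em1"
internal_net = "192.168.1.0/24"   # constructed sample network, not from the thread

set skip on lo0                   # never filter loopback
scrub in all                      # normalise fragments before NAT and filtering

# The NAT rule quoted in the message. The parentheses make pf look up em0's
# address when a packet matches instead of at load time, so the rule keeps
# working after a DHCP lease change without reloading the ruleset.
nat on $ext_if from $internal_net to any -> ($ext_if)

# Default deny inbound, logged to pflog0 so dropped traffic can be reviewed.
block in log all

# Allow the gateway itself and the translated LAN traffic to leave via em0.
pass out quick on $ext_if inet keep state

# Accept LAN traffic on the inside interface; the state entry created here
# is what lets the translated reply back in through em0.
pass in quick on $int_if inet from $internal_net to any keep state
```

The matching rc.conf entries are pf_enable="YES", pflog_enable="YES" and gateway_enable="YES" (forwarding is needed for the natd variant as well). Unlike firewall_type="OPEN" in the ipfw example, which passes all traffic, this ruleset pairs the NAT with a default-deny filter; `pfctl -nf /etc/pf.conf` parses the file without loading it, which is worth running before `service pf reload`.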