Re: FreeBSD as Server
- To: "Brian Candler" <B_(_dot_)_Candler_(_at_)_pobox_(_dot_)_com>
- Subject: Re: FreeBSD as Server
- From: "Freddie Cash" <fcash_(_at_)_ocis_(_dot_)_net>
- Date: Sat, 14 Jan 2006 23:23:07 -0800 (PST)
- Cc: freebsd-isp_(_at_)_freebsd_(_dot_)_org
- Reply-to: fcash_(_at_)_ocis_(_dot_)_net
On Sat, January 14, 2006 12:38 pm, Brian Candler wrote:
> On Sat, Jan 14, 2006 at 06:01:14PM +0200, Alexander wrote:
>> I think that ipfw is native for FreeBSD - it works better than
>> other packet filters. Am I right?
> Not really. For NAT in particular, ipfw is pretty awful. You need an
> external daemon (natd) and have to route packets to and from it, which
> works fine if you have a very simple configuration (e.g. single
> external interface, basic NAT-everything-going-out or NAT all RFC1918
> address space). More complex scenarios can be an utter nightmare to
> configure properly.

IPFW in FreeBSD 6.0 includes support for in-kernel NAT using the nat
keyword. Just recompile the kernel with "options LIBALIAS" to enable
it. I haven't tested it just yet (my home firewall is recompiling it
all right now), but the stuff I've read online makes it seem like it
should be on par with IPFilter/PF's NAT.

Don't know if it qualifies as a complex scenario or not, but we use
P2-333 MHz systems with 256 MB RAM running FreeBSD 5.3 using
IPFW/natd. All stations behind the firewall are in an RFC1918
network. Some stations are given public IPs for access using 1-for-1
NAT on the firewall, and all the rest go out via standard 1-to-many
NAT. So far, no issues to speak of. [knock wood] We even have
multiple VPNs configured and use fwd rules to pass packets through
them.

--
Freddie Cash
fcash_(_at_)_ocis_(_dot_)_net