On Mon, Oct 23, 2006 at 12:50:05PM -0600, Brett Glass wrote:
> At 10:21 PM 10/21/2006, Julian Elischer wrote:
>
> >OR in 7.0 you can call netgraph directly
> >
> >there is a netgraph keyword in ipfw.
>
> I just took a look at that. Could work, except that the ng_nat
> Netgraph node only does ver
At 10:21 PM 10/21/2006, Julian Elischer wrote:
OR in 7.0 you can call netgraph directly
there is a netgraph keyword in ipfw.
I just took a look at that. Could work, except that the ng_nat
Netgraph node only does very basic NAT. One can't do static NAT,
and none of natd's other options are a
On 10/22/06, Vladimir Grebenschikov <[EMAIL PROTECTED]> wrote:
В сб, 21/10/2006 в 16:08 -0600, Brett Glass пишет:
> At 03:54 AM 10/21/2006, Vladimir Grebenschikov wrote:
>
> > 1. use PF for nat - it does aliasing in kernel space
>
> True, but it doesn't let me translate the packets and
> then con
В сб, 21/10/2006 в 16:08 -0600, Brett Glass пишет:
> At 03:54 AM 10/21/2006, Vladimir Grebenschikov wrote:
>
> > 1. use PF for nat - it does aliasing in kernel space
>
> True, but it doesn't let me translate the packets and
> then continue processing within the firewall -- which
> is necessary i
At 10:21 PM 10/21/2006, Julian Elischer wrote:
>you can in two ways..
>
>create a netgraph ksocket node of type divert
>then attach that to a netgraph ng_nat node.
>
>OR in 7.0 you can call netgraph directly
>
>there is a netgraph keyword in ipfw.
How would one create and control the ng_nat node
On Sat, Oct 21, 2006 at 04:58:08AM -0500, Matthew D. Fuller wrote:
> On Sat, Oct 21, 2006 at 12:47:54AM -0600 I heard the voice of
> Brett Glass, and lo! it spake thus:
> >
> > How can I replace just the functionality of natd without moving to
> > an entirely new firewall? Can I still select which
Brett Glass wrote:
At 09:50 PM 10/21/2006, Julian Elischer wrote:
one thing that you need to name sure of is that only the packets that
have potential of being on interest to natd are passed to natd.
I do. In fact, this is a capability I would lose if I used ipfilters or
pf to do NAT, which
At 09:50 PM 10/21/2006, Julian Elischer wrote:
one thing that you need to name sure of is that only the packets
that have potential of being on interest to natd are passed to natd.
I do. In fact, this is a capability I would lose if I used
ipfilters or pf to do NAT, which is why I want to fin
Brett Glass wrote:
I'm working with a FreeBSD-based router that's using IPFW for policy
routing, traffic shaping, and transparent proxying and natd for network
address translation. IPFW does these things pretty well (in fact, I
don't know if another firewall, like pf, could even do some of thes
On Sat, Oct 21, 2006 at 03:54:06PM -0600 I heard the voice of
Brett Glass, and lo! it spake thus:
>
> Also, more than once I've locked myself out of a machine when trying
> to restart NAT with a different configuration;
The trick I've adopted for this is to have allow rules for port 22
both direc
At 03:54 AM 10/21/2006, Vladimir Grebenschikov wrote:
> 1. use PF for nat - it does aliasing in kernel space
True, but it doesn't let me translate the packets and
then continue processing within the firewall -- which
is necessary if you want to catch unregistered destination
addresses BEFORE tra
At 03:58 AM 10/21/2006, Matthew D. Fuller wrote:
>Paolo Pisati's 2005 SoC work on integrating libalias into ipfw might
>fit here. It should move the NAT'ing into the kernel and save all the
>context switches and copies, and (what has me more interested) make it
>much easier to change port forwar
Chris Bowman wrote:
Correction! I apologize, only noticed after I sent, obviously. Anywhere
I typed /usr/sbin please replace with /sbin only in this case..Sorry ;)
Namely where I said /usr/sbin/natd should be /sbin/natd ...
Fantastic, this seems to have not hurt any ;)
Thanks for the info. N
On Sat, Oct 21, 2006 at 02:50:31PM +0400, Anton Yuzhaninov wrote:
> 1. libalias allocate memory for create each new entry in NAT table.
>libalias use linear search in linked list to find entry in table.
>It very slow when you have thousands simultaneous connections via
>nat
In RELENG_
Correction! I apologize, only noticed after I sent, obviously. Anywhere
I typed /usr/sbin please replace with /sbin only in this case..Sorry ;)
Namely where I said /usr/sbin/natd should be /sbin/natd ...
On Sat, 2006-10-21 at 09:23 -0500, Chris Bowman wrote:
> First, sorry for the double post,
First, sorry for the double post, received a message saying the first
one was rejected by a spam filter, however I now see it's on the
list! ;)
Of course you may ask for more help! First, take advantage of what's
out there, people have written some absolutely great documentation,
including the Fr
Chris Bowman <[EMAIL PROTECTED]> wrote:
> I see this question come up now and then on the lists, so, I'll share
> what I've learned about natd and performance! First, if your running
> natd on a processor which supports more functions than just a standard
> 386, ie a Pentium, Athlon, etc.
Chris Bowman wrote:
I see this question come up now and then on the lists, so, I'll share
what I've learned about natd and performance! First, if your running
natd on a processor which supports more functions than just a standard
386, ie a Pentium, Athlon, etc. Then I've found compiling nat
I see this question come up now and then on the lists, so, I'll share what
I've learned about natd and performance! First, if your running natd on a
processor which supports more functions than just a standard 386, ie a
Pentium, Athlon, etc. Then I've found compiling natd with make flags for
th
I see this question come up now and then on the lists, so, I'll share
what I've learned about natd and performance! First, if your running
natd on a processor which supports more functions than just a standard
386, ie a Pentium, Athlon, etc. Then I've found compiling natd with
make flags fo
On Sat, Oct 21, 2006 at 12:47:54AM -0600 I heard the voice of
Brett Glass, and lo! it spake thus:
>
> How can I replace just the functionality of natd without moving to
> an entirely new firewall? Can I still select which packets are
> routed to the NAT engine, and when this occurs during the proce
В сб, 21/10/2006 в 00:47 -0600, Brett Glass пишет:
> I'm working with a FreeBSD-based router that's using IPFW for
> policy routing, traffic shaping, and transparent proxying and natd
> for network address translation. IPFW does these things pretty well
> (in fact, I don't know if another firewa
In that situation I have used IPFW for filtering and IPF for doing NAT.
But NAT is in it's nature a very processor and memory intensive process,
I wouldn't recommend to anyone to run NAT if they have more than
10Mb bandwidth and more than 100 nodes on their network.
Baldur
On Sat, Oct 21, 2006 at
23 matches
Mail list logo
