Being a Linux user with virtually no BSD experience (firewalling in
particular), I have a few questions on how some "NAT-broken" protocols
work with ipfilter and its brethren.
Such things as H.323, FTP, IRC's DCC, and a plethora of other protocols
simply don't work when connections are initiated from behind a NAT
implementation. In the netfilter world, these connections are tracked
and fixed (mangled might be a better term) by additional netfilter
(well, kernel) modules. How do ipfilter, ipfw, and <BSD packet filter of
choice> deal with these issues? Do they simply not work at all? I pose
this question after attempting DCC connections after implementing
m0n0wall, and having them fail. Is this the reason passive FTP is used
when upgrading (my only experience with FTP upgrading has been through
the WAN interface, with necessary port maps set)?
My grasp of packet filtering from within FreeBSD is slippery at best,
and "completely non-existant" at worst. You be the judge :D
Can anyone set me straight on this?