On Sat, 17 Jan 2004, Brian Z wrote:
> Hey all,
> Being a Linux user with virtually no BSD experience (firewalling in
> particular), I have a few questions on how some "NAT-broken" protocols
> work with ipfilter and its brethren.
> Such things as H.323, FTP, IRC's DCC, and a plethora of other protocols
> simply don't work when connections are initiated from behind a NAT
> implementation. In the netfilter world, these connections are tracked
> and fixed (mangled might be a better term) by additional netfilter
> (well, kernel) modules. How do ipfilter, ipfw, and <BSD packet filter of
> choice> deal with these issues? Do they simply not work at all? I pose
> this question after attempting DCC connections after implementing
> m0n0wall, and having them fail. Is this the reason passive FTP is used
> when upgrading (my only experience with FTP upgrading has been through
> the WAN interface, with necessary port maps set)?
> My grasp of packet filtering from within FreeBSD is slippery at best,
> and "completely non-existent" at worst. You be the judge :D
> Can anyone set me straight on this?
I had this for almost two years with early versions of SmoothWall, and it
was a constant pain in the ass. There are "dns helpers" for the Linux kernel
that allow H323, and a lot of other services (PPTP, Quake etc etc). I
don't know how this works with BSD but if M0n0Wall is to make huge inroads
this has to be investigated.
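As an added example (not code from the thread, m0n0wall or any of the filters named), this Python sketch shows what a Linux-style FTP NAT helper has to do on the control channel for active-mode FTP, which is why these protocols break behind plain NAT and why passive FTP works: the client's PORT command carries its own private address, so the helper must rewrite the payload and install a matching inbound mapping. The addresses and ports are constructed for illustration.

```python
import re

# Constructed sample values (assumptions for this example, not from the thread)
INSIDE_CLIENT = "192.168.1.10"   # FTP client behind the NAT
NAT_PUBLIC = "203.0.113.5"       # public address of the NAT box

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n?$")


def parse_port_command(line):
    """Parse an active-mode FTP PORT command into (ip, port), or None if malformed."""
    m = PORT_RE.match(line)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    ip = ".".join(str(f) for f in fields[:4])
    return ip, fields[4] * 256 + fields[5]


def format_port_command(ip, port):
    """Build the PORT line for ip:port in FTP's h1,h2,h3,h4,p1,p2 form."""
    return "PORT %s,%d,%d\r\n" % (ip.replace(".", ","), port // 256, port % 256)


def rewrite_port_command(line, inside_ip, nat_public_ip, nat_port):
    """Do what a NAT 'helper' does on the FTP control channel.

    The client's PORT command carries its own private address, which the
    server cannot reach, so translating the IP header alone is not enough.
    The helper rewrites the payload to the NAT's public address and a port it
    allocates, and returns the inbound mapping the NAT must install so the
    server's data connection reaches the client.  Returns (new_line, mapping);
    mapping is None when the line did not need rewriting.
    """
    parsed = parse_port_command(line)
    if parsed is None:
        raise ValueError("malformed PORT command: %r" % line)
    ip, port = parsed
    if ip != inside_ip:           # not the inside host's address: leave alone
        return line, None
    new_line = format_port_command(nat_public_ip, nat_port)
    # The payload length may change, so a real helper must also fix up TCP
    # sequence/ack numbers on the control connection (the "mangling" above).
    return new_line, {"public": (nat_public_ip, nat_port), "private": (ip, port)}
```

In passive mode the server's 227 reply carries the server's own reachable address and the client opens the data connection outbound, so ordinary NAT suffices without any helper; that is why passive FTP is the safe choice from behind NAT.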