 From:  Richard Morrell <dick at dickmorrell dot com>
 To:  Brian Z <mono at ricerage dot org>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Silly questions stemming from BSD ignorance
 Date:  Sun, 18 Jan 2004 08:47:47 +0000 (GMT)
On Sat, 17 Jan 2004, Brian Z wrote:

> Hey all,
> Being a Linux user with virtually no BSD experience (firewalling in
> particular), I have a few questions on how some "NAT-broken" protocols
> work with ipfilter and its brethren.
> Such things as H.323, FTP, IRC's DCC, and a plethora of other protocols
> simply don't work when connections are initiated from behind a NAT
> implementation. In the netfilter world, these connections are tracked
> and fixed (mangled might be a better term) by additional netfilter
> (well, kernel) modules. How do ipfilter, ipfw, and <BSD packet filter of
> choice> deal with these issues? Do they simply not work at all? I pose
> this question after attempting DCC connections after implementing
> m0n0wall, and having them fail. Is this the reason passive FTP is used
> when upgrading (my only experience with FTP upgrading has been through
> the WAN interface, with necessary port maps set)? 
> My grasp of packet filtering from within FreeBSD is slippery at best,
> and "completely non-existent" at worst. You be the judge :D
> Can anyone set me straight on this?
> Brian


I had this for almost two years with early versions of SmoothWall, and it 
was a constant pain in the ass. There are "dns helpers" for the Linux kernel 
that allow H323 and a lot of other services (PPTP, Quake, etc.). I 
don't know how this works with BSD, but if M0n0Wall is to make huge inroads, 
this has to be investigated.
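As an added example that is not part of this mailing-list thread (and not code from m0n0wall, ipfilter or netfilter): the "tracking and fixing" Brian describes is what a NAT application-level gateway does for protocols that carry the client's own address inside the payload. Active FTP sends `PORT h1,h2,h3,h4,p1,p2`, and IRC DCC sends `DCC SEND <file> <ip-as-decimal> <port>`; in both cases the peer is expected to connect *back* to the advertised address, which is a private one and unreachable from the Internet. The toy model below rewrites that embedded address to the NAT's public one, allocates a public port, and records an "expectation" so the inbound data connection can be mapped to the right inside host. The addresses, the port range and the class and method names are constructed for illustration.

```python
import re
import socket
import struct

# Constructed example addresses (not from the original post).
PRIVATE_CLIENT = "192.168.1.10"
PUBLIC_WAN = "203.0.113.5"


def ip_to_int(ip):
    """Dotted quad -> 32-bit integer, the form IRC DCC embeds in its payload."""
    return struct.unpack("!I", socket.inet_aton(ip))[0]


def int_to_ip(n):
    """32-bit integer -> dotted quad."""
    return socket.inet_ntoa(struct.pack("!I", n))


class NatAlg:
    """Toy application-level gateway: rewrites addresses embedded in FTP PORT
    and IRC DCC payloads and remembers which inbound connection to expect.
    A real conntrack/NAT helper does the same job inside the kernel."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # (public_ip, public_port) -> (private_ip, private_port)
        self.expectations = {}

    def _expect(self, private_ip, private_port):
        """Allocate a public port and register the pinhole for the data connection."""
        public_port = self.next_port
        self.next_port += 1
        self.expectations[(self.public_ip, public_port)] = (private_ip, private_port)
        return public_port

    def rewrite_ftp_port(self, line):
        """Active FTP: 'PORT h1,h2,h3,h4,p1,p2' tells the server where to
        connect back; the port is p1*256+p2. Lines that are not PORT pass through."""
        m = re.fullmatch(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n", line)
        if not m:
            return line
        private_ip = ".".join(m.group(1, 2, 3, 4))
        private_port = int(m.group(5)) * 256 + int(m.group(6))
        public_port = self._expect(private_ip, private_port)
        return "PORT %s,%d,%d\r\n" % (
            self.public_ip.replace(".", ","), public_port // 256, public_port % 256)

    def rewrite_dcc(self, line):
        """IRC DCC: '\\x01DCC SEND|CHAT <arg> <ip-as-decimal> <port> ...\\x01'
        inside a PRIVMSG. Only the address and port fields are replaced."""
        m = re.search(r"\x01DCC (SEND|CHAT) (\S+) (\d+) (\d+)", line)
        if not m:
            return line
        private_ip = int_to_ip(int(m.group(3)))
        private_port = int(m.group(4))
        public_port = self._expect(private_ip, private_port)
        rewritten = "\x01DCC %s %s %d %d" % (
            m.group(1), m.group(2), ip_to_int(self.public_ip), public_port)
        return line[:m.start()] + rewritten + line[m.end():]

    def inbound(self, dst_ip, dst_port):
        """What the NAT does with a new inbound SYN: forward it to the inside
        host if a helper expected it, otherwise None (i.e. drop it)."""
        return self.expectations.get((dst_ip, dst_port))


if __name__ == "__main__":
    alg = NatAlg(PUBLIC_WAN)
    print(alg.rewrite_ftp_port("PORT 192,168,1,10,19,136\r\n").strip())
    print(alg.rewrite_dcc(
        "PRIVMSG bob :\x01DCC SEND notes.txt 3232235786 5000 123\x01\r\n").strip())
    print(alg.inbound(PUBLIC_WAN, 40000), alg.inbound(PUBLIC_WAN, 40001))
```

Without the rewrite, the peer tries to connect to 192.168.1.10 and fails; without the expectation entry, a connection to the public address on the advertised port arrives at the NAT with no state to match and is dropped. Passive FTP avoids both problems because the server advertises *its* address in the `227` reply and the client opens the data connection outward, which an ordinary NAT state table handles with no helper at all; that is the reason a client behind NAT prefers passive mode.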