FreeBSD kernel nat or natd

firewallfreebsd

As I notice more often with FreeBSD, there are always plenty of ways that lead to some specific goal.

After figuring out which firewall I wanted (I choose ipfw) I now am completely insecure about which way to do Network Address Translation (NAT).

As I have discovered now, there are two ways to to NAT, I could use the kernel space ipfw nat or I could use the userspace natd.

The only one of these described in the FreeBSD handbook is natd.

What I would like to know is what the main differences are between these? Which one is more popular.

Off course I would also like to be able to fish, so how I can find out these differences in the manuals/handbooks?

Best Answer

ipfw nat is generally preferable, since it runs in kernel-space and consumes less CPU than divert+natd. But natd still can be useful if you need to dynamically add rules for FTP connections (look for -punch_fw option in natd(8)). Handbook page is badly outdated.

Related Solutions

FreeBSD + ZFS + Encryption? Alternatives? Suggestions

You should be able to use one of the geom providers for encryption with ZFS, but you should encrypt the devices below the ZFS. I'd probably setup geli and then make a gpt partition inside of type freebsd-zfs and then go from there.

I recommend you actually test both solutions (freebsd and linux) and decide based on sys admin time and performance which makes sense for you.

Freebsd – How to create a FreeBSD ISO with mkisofs that will boot in VirtualBox under UEFI

The problem is not in the filesystem content but in the boot records and partitions:


$ xorriso -indev FreeBSD-12.0-RELEASE-amd64-bootonly.iso -report_el_torito plain -report_system_area plain
...
libisofs: WARNING : Found hidden El-Torito image. Its size could not be figured out, so image modify or boot image patching may lead to bad results.
libisofs: NOTE : Found hidden El-Torito image for EFI.
libisofs: NOTE : EFI image start and size: 20 * 2048 , 1600 * 512
...
Boot record  : El Torito , MBR protective-msdos-label cyl-align-off GPT
...
El Torito catalog  : 19  1
El Torito images   :   N  Pltf  B   Emul  Ld_seg  Hdpt  Ldsiz         LBA
El Torito boot img :   1  BIOS  y   none  0x0000  0x00      4         420
El Torito boot img :   2  UEFI  y   none  0x0000  0x00   1600          20
El Torito img blks :   1  1204
El Torito img blks :   2  400
System area options: 0x00000201
System area summary: MBR protective-msdos-label cyl-align-off GPT
ISO image size/512 : 675508
Partition offset   : 0
MBR heads per cyl  : 0
MBR secs per head  : 0
MBR partition table:   N Status  Type        Start       Blocks
MBR partition      :   1   0x00  0xee            1       676107
GPT                :   N  Info
GPT backup problems:      Not a GPT 1.0 header of 92 bytes for 128 bytes per entry
GPT disk GUID      :      7ce0bf52def9e8118c360cc47ad8b808
GPT entry array    :      2  2  separated
GPT lba range      :      3  676105  676107
GPT partition name :   1  
GPT partition GUID :   1  6de0bf52def9e8118c360cc47ad8b808
GPT type GUID      :   1  28732ac11ff8d211ba4b00a0c93ec93b
GPT partition flags:   1  0x0000000000000000
GPT start and size :   1  80  1600
GPT partition name :   2  
GPT partition GUID :   2  73e0bf52def9e8118c360cc47ad8b808
GPT type GUID      :   2  9d6bbd83417fdc11be0b001560b84f0f
GPT partition flags:   2  0x0000000000000000
GPT start and size :   2  3  29

Both, the BIOS boot image and the EFI System Partition are not files in the ISO but rather unnamed block areas.

If you don't go the way of appending a session by fixed growisofs or by


cp FreeBSD-12.0-RELEASE-amd64-bootonly.iso new.iso
xorriso -boot_image any keep \
        -dev new.iso \
        -map /path/to/your_installerconfig /etc/installerconfig
        [other -map commands for files or directory trees ...]

then you need to extract those areas


dd if=FreeBSD-12.0-RELEASE-amd64-bootonly.iso bs=512 skip=80 count=1600 \
   of=efi_part.img
dd if=FreeBSD-12.0-RELEASE-amd64-bootonly.iso bs=512 skip=1680 count=4816 \
   of=bios_boot.img

(El Torito gives LBAs in blocks of 2048 but sizes in blocks of 512. 4 * 420 = 1680. The BIOS image size of 1204 blocks of 2048 bytes is estimated by the lowest filesystem object LBA that's above 420. Possibly it is smaller but any oversize should not harm.)

Then there is the MBR code for BIOS booting from USB stick:


dd if=FreeBSD-12.0-RELEASE-amd64-bootonly.iso bs=1 count=446 \
   of=mbr_code.img

If you do not plan to boot by BIOS, then bios_boot.img and mbr_code.img are not needed.

Building a new ISO from unpacked and mainpulated tree $HOME/files_for_iso and the extracted image files


xorriso -as mkisofs \
        -o new.iso \
        -d -l -r \
        -V "12_0_RELEASE_AMD64_BO" \
        -G mbr_code.img \
        -b /bios_boot.img \
           -no-emul-boot -boot-load-size 4 \
        -eltorito-alt-boot \
        -append_partition 2 0xef efi_part.img \
        -e '--interval:appended_partition_2:all::' \
           -no-emul-boot \
        bios_boot.img $HOME/files_for_iso

This will yield no GPT but rather an MBR partition table with two partitions of type 0x83 for the ISO filesystem and 0xef for the EFI System Partition.

(Whether BIOS boots from USB stick would have to be tested. Many MBRs need info patched in to find the next stage of boot programs.)

Best Answer

Related Solutions

FreeBSD + ZFS + Encryption? Alternatives? Suggestions

Freebsd – How to create a FreeBSD ISO with mkisofs that will boot in VirtualBox under UEFI

Related Question