From: "Crist J. Clark" <crist.clark@attbi.com>
To: ian j hart
Cc: Claus Guttesen, stable@FreeBSD.ORG
Date: Fri, 31 Jan 2003 17:19:21 -0800
Subject: Re: IPF & IPFW
Message-ID: <20030201011921.GE30498@blossom.cjclark.org>
In-Reply-To: <200301312317.10130.ianjhart@ntlworld.com>
References: <20030131222558.61732.qmail@web14105.mail.yahoo.com> <200301312317.10130.ianjhart@ntlworld.com>
Reply-To: cjclark@alum.mit.edu
X-URL: http://people.freebsd.org/~cjc/
List: freebsd-stable

On Fri, Jan 31, 2003 at 11:17:10PM +0000, ian j hart wrote:
> On Friday 31 January 2003 10:25 pm, Claus Guttesen wrote:
> > Hi.
> > > Guttesen wrote:
> > > > You may wish to read
> > > > http://home.earthlink.net/~jaymzh666/ipf/IPFfreebsd.html#14.
> > > > This explains in what order ipf and ipfw are loaded.
> > > >
> > > > If you want to let ipfw process the ip-packet first, you can
> > > > remove ipfilter from the kernel and load it as a module instead.
> > > > This should solve your problem.
> > >
> > > Nuh-uh. The hooks for ipf(8) and ipfw(8) always are in the same
> > > place in ip_input.c and ip_output.c. The order of loading modules
> > > has no impact.
> > >
> > > To the original poster, there is nothing you can do short of
> > > hacking ip_input.c and ip_output.c to fit your designs. But you
> > > are perfectly free to do it if you'd like. (Ain't open source and
> > > BSD licenses great?)
> > > --
> >
> > Thank you for the info. I guess it's OK that I forward this info to
> > the maintainer of the above-mentioned FAQ.
> >
> > regards
> > Claus
>
> OTOH if you only need ipnat and not ipfilter you can do this...
>
> Don't compile in ipf. Turn on ipnat in rc.conf; it will run after all
> the ipfw rules.
>
> I use this to "fix-up" packet source addresses.
>
> e.g. (warning from memory)
> map rl0 from /32 to any port 25 -> /32
>
> So outgoing email traffic appears to come from the alias IP.
> [Don't ask, you don't want to know].

ipf(8) and ipnat(8) are the userland commands to interface with the same
code in the kernel. You can't separate them. If you define IPFILTER in
your kernel configuration, you get both, even if you only use one. If
you load ipf.ko, you get both, even if you use only one. ipnat(8) occurs
before ipfw(8) for incoming and after ipfw(8) for outgoing whether or
not you are using ipf(8) rules.
Packets get passed to "IPFilter-in-the-kernel" (the kernel code that
both ipf(8) and ipnat(8) talk to) one place in ip_input.c and once in
ip_output.c. The only way to change that is modify the code in those
two. (Well, you might be able to do something with tunnels to get the
effects, but it's still true for each step of the tunnel(s).)
--
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
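Added example, not part of this thread or of any FreeBSD file: an rc.conf, ipnat and ipfw fragment built around ian's alias-mapping idea that applies the hook order Crist states (ipnat before ipfw inbound, after ipfw outbound), so the ipfw rules match the address each hook actually sees. The interface name rl0 is taken from ian's rule; the addresses 192.0.2.10 (real address) and 192.0.2.25 (alias) are constructed, and the rule file paths are assumptions.

```conf
# /etc/rc.conf  (example; addresses constructed)
ifconfig_rl0="inet 192.0.2.10 netmask 255.255.255.0"
ifconfig_rl0_alias0="inet 192.0.2.25 netmask 255.255.255.255"
firewall_enable="YES"
firewall_type="/etc/ipfw.rules"     # rc.firewall loads the rules from this file
ipnat_enable="YES"                  # ipnat only; no ipf rules, IPFILTER not in kernel
ipnat_rules="/etc/ipnat.rules"

# /etc/ipnat.rules  (example)
# Outbound SMTP from the real address leaves rl0 looking like the alias.
map rl0 from 192.0.2.10/32 to any port = 25 -> 192.0.2.25/32

# /etc/ipfw.rules  (example; only the rules that show the ordering)
# Outbound: ipfw runs BEFORE ipnat, so the packet still carries the real
# source address when ipfw sees it. Match the real address, not the alias.
add 1000 allow tcp from 192.0.2.10 to any 25 out via rl0
# The next rule looks right but never matches outbound mail: the rewrite to
# 192.0.2.25 happens after ipfw has already processed the packet.
# add 1010 allow tcp from 192.0.2.25 to any 25 out via rl0

# Inbound: ipnat runs BEFORE ipfw, so SMTP replies addressed to the alias
# have already been mapped back to the real address when ipfw sees them.
add 2000 allow tcp from any 25 to 192.0.2.10 in via rl0 established
add 65000 deny log ip from any to any
```

The deny rule at the end is there only to make the effect visible: with the wrong address in rule 1010 and rule 1000 removed, outgoing mail shows up in the ipfw log as denied, which is the quickest way to confirm which side of the NAT hook a given ipfw rule is seeing.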