From: Andrew Thompson
Date: Sat, 01 Feb 2003 14:38:25 +1300
To: stable@FreeBSD.ORG
Subject: Re: IPF & IPFW
Message-ID: <3E3B2511.6090009@fud.org.nz>
In-Reply-To: <20030201011921.GE30498@blossom.cjclark.org>

Crist J. Clark wrote:

>On Fri, Jan 31, 2003 at 11:17:10PM +0000, ian j hart wrote:
>
>>On Friday 31 January 2003 10:25 pm, Claus Guttesen wrote:
>>
>>Thank you for the info. I guess it's OK that I forward
>>this info to the maintainer of the above mentioned
>>FAQ.
>>
>>regards
>>Claus
>>
>>OTOH if you only need ipnat and not ipfilter you can do this...
>>
>>Don't compile in ipf. Turn on ipnat in rc.conf; it will run after all the ipfw rules.
>>
>>I use this to "fix-up" packet source addresses.
>>
>>e.g. (warning from memory)
>>map rl0 from /32 to any port 25 -> /32
>>
>>So outgoing email traffic appears to come from the alias IP.
>>[Don't ask, you don't want to know].
>
>ipf(8) and ipnat(8) are the userland commands to interface with the
>same code in the kernel. You can't separate them. If you define
>IPFILTER in your kernel configuration, you get both, even if you only
>use one. If you load ipf.ko, you get both, even if you use only one.
>ipnat(8) occurs before ipfw(8) for incoming and after ipfw(8) for
>outgoing whether or not you are using ipf(8) rules.
>
>Packets get passed to "IPFilter-in-the-kernel" (the kernel code that
>both ipf(8) and ipnat(8) talk to) one place in ip_input.c and once in
>ip_output.c. The only way to change that is modify the code in those
>two. (Well, you might be able to do something with tunnels to get the
>effects, but it's still true for each step of the tunnel(s).)

Thanks everyone for your help,

The bit I was having trouble with was doing two transparent proxies depending if the user had logged in or not, one to squid, the other to a static page telling them to log in. I have actually reworked my ipfw rules so I don't need ipf anymore and it's all working. :)

This thread can be dropped unless you all want to discuss the ordering more. IMHO Crist is right.

Andy