Date: Sat, 01 Feb 2003 14:38:25 +1300
From: Andrew Thompson <andy@fud.org.nz>
To: stable@FreeBSD.ORG
Subject: Re: IPF & IPFW
Message-ID: <3E3B2511.6090009@fud.org.nz>
In-Reply-To: <20030201011921.GE30498@blossom.cjclark.org>
References: <20030131222558.61732.qmail@web14105.mail.yahoo.com> <200301312317.10130.ianjhart@ntlworld.com> <20030201011921.GE30498@blossom.cjclark.org>
Crist J. Clark wrote:
> On Fri, Jan 31, 2003 at 11:17:10PM +0000, ian j hart wrote:
>
>> On Friday 31 January 2003 10:25 pm, Claus Guttesen wrote:
>>
>> Thank you for the info. I guess it's OK that I forward
>> this info to the maintainer of the above mentioned
>> FAQ.
>>
>> regards
>> Claus
>>
>> Do you have problems with your home computer? Get help with Yahoo!'s PC support at
>> http://dk.shopping.yahoo.com/pcsupport/index.html
>>
>> OTOH if you only need ipnat and not ipfilter you can do this...
>>
>> Don't compile in ipf. Turn on ipnat in rc.conf; it will run after all the ipfw rules.
>>
>> I use this to "fix-up" packet source addresses.
>>
>> e.g. (warning: from memory)
>> map rl0 from <my-ip>/32 to any port 25 -> <alias-ip>/32
>>
>> So outgoing email traffic appears to come from the alias IP.
>> [Don't ask, you don't want to know].
>
> ipf(8) and ipnat(8) are the userland commands to interface with the
> same code in the kernel. You can't separate them. If you define
> IPFILTER in your kernel configuration, you get both, even if you only
> use one. If you load ipf.ko, you get both, even if you use only one.
> ipnat(8) occurs before ipfw(8) for incoming and after ipfw(8) for
> outgoing whether or not you are using ipf(8) rules.
>
> Packets get passed to "IPFilter-in-the-kernel" (the kernel code that
> both ipf(8) and ipnat(8) talk to) one place in ip_input.c and once in
> ip_output.c. The only way to change that is to modify the code in those
> two. (Well, you might be able to do something with tunnels to get the
> effects, but it's still true for each step of the tunnel(s).)

Thanks everyone for your help. The bit I was having trouble with was doing two transparent proxies depending on whether the user had logged in or not, one to squid, the other to a static page telling them to log in. I have actually reworked my ipfw rules so I don't need ipf anymore and it's all working. :)

This thread can be dropped unless you all want to discuss the ordering more. IMHO Crist is right.
Andy
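Andy does not post the reworked ruleset, so the script below is an added illustration of the ipfw-only approach he describes (two transparent proxies selected by login state), not his configuration or anything from the FreeBSD project. It assumes squid on 127.0.0.1:3128, a static "please log in" web server on 127.0.0.1:8080, a LAN interface named rl0, and an ipfw with table support (newer than the 2003 release this thread discusses); all of those values are assumptions. The script only prints the ipfw(8) commands, so it can be reviewed before being piped into sh on a FreeBSD host.

```shell
#!/bin/sh
# Added example (not from the thread): build an ipfw(8) ruleset that
# forwards HTTP from hosts that have logged in to a local squid and
# HTTP from everyone else to a local login page, using fwd rules only.
# Assumed values, not taken from the thread:
LAN_IF="${LAN_IF:-rl0}"          # interface the clients sit behind
SQUID_ADDR="127.0.0.1,3128"      # transparent squid listener
LOGIN_ADDR="127.0.0.1,8080"      # static "please log in" page
LOGGED_IN_TABLE=1                # ipfw table holding logged-in hosts

# Print the ruleset. Rule 200 matches only table members, so the
# catch-all rule 300 only ever sees hosts that are not logged in.
# Note: the flush lines replace the whole ruleset; review before piping.
emit_ruleset() {
    cat <<EOF
ipfw -q flush
ipfw -q table ${LOGGED_IN_TABLE} flush
ipfw add 100 allow ip from any to any via lo0
ipfw add 200 fwd ${SQUID_ADDR} tcp from table(${LOGGED_IN_TABLE}) to any 80 in via ${LAN_IF}
ipfw add 300 fwd ${LOGIN_ADDR} tcp from any to any 80 in via ${LAN_IF}
ipfw add 400 allow tcp from any to any established
ipfw add 65000 allow ip from any to any
EOF
}

# Command a login CGI would run after successful authentication so the
# client's next HTTP connection hits rule 200 (squid) instead of 300.
login_cmd() {
    printf 'ipfw table %s add %s\n' "$LOGGED_IN_TABLE" "$1"
}

# Reverse of login_cmd, for logout or session expiry.
logout_cmd() {
    printf 'ipfw table %s delete %s\n' "$LOGGED_IN_TABLE" "$1"
}

# Dry run: show the generated commands. On a FreeBSD host, review and
# then run:  sh this_script.sh | sh
emit_ruleset
```

Because ipfw stops at the first matching rule, the order of rules 200 and 300 is what implements the "logged in or not" decision; the login and logout helpers only change table membership, so the ruleset itself never has to be reloaded when a user's state changes.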