From: Rémi Guyomarch
To: freebsd-stable@freebsd.org
Date: Mon, 11 Dec 2000 07:22:44 +0100
Subject: Re: IPFIREWALL or IPFILTER?
Message-ID: <20001211072244.H22773@diabolic-cow.chatgris.net>
References: <00dd01c05e2e$e42a0700$0b6cffc8@infolink.com.br> <20001209112247.A22773@diabolic-cow.chatgris.net> <002301c062bd$2aeb0440$0b6cffc8@infolink.com.br> <20001210202817.C22773@diabolic-cow.chatgris.net> <20001210200204.I86825@elvis.mu.org>
In-Reply-To: <20001210200204.I86825@elvis.mu.org>; from billf@mu.org on Sun, Dec 10, 2000 at 08:02:04PM -0600

On Sun, Dec 10, 2000 at 08:02:04PM -0600, Bill Fumerola wrote:
> On Sun, Dec 10, 2000 at 08:28:17PM +0100, Rémi Guyomarch wrote:
>
> > Is there something like "block return-icmp-as-dest (port-unr) ..." in
> > ipfw ?
>
> man ipfw

It's not clear to me whether ipfw returns an ICMP with src == the
firewall's IP or with src == the previous packet's destination IP.
Ipf allows you to choose between return-icmp and return-icmp-as-dest.

> > Is there a concept similar to the head/group thing in ipfw ?
>
> After some research in ipf(5) as to what "the head/group thing" was,
> it seems you could produce the same type of functionality with:
[...the skipto keyword...]
>
> The only thing different from ipf/ipfw is that ipf seems to use
> its own namespace for such things, while ipfw abuses rule numbering.

Yes, ipfw abuses rule numbering. Things will get a bit complex with ipfw
if you want to emulate something like that:

    block in proto tcp from any to any head 10
    block in proto udp from any to any head 20
    block in proto icmp from any to any head 30
    [...group 10...]
    [...group 20...]
    [...group 30...]
    [...some other rules...]

Without 'quick' in 'head' rules, ipf will process the entire group 10
rules, and will continue with the next, non-group rule (the first rule in
[...some other rules...]). Yes, you can achieve the same thing with
'skipto' but at some point you will start to have trouble managing rule
numbering...

> > Can you save/restore to/from disk filter and NAT state entries ?
>
> for filters:
> man vi

Do you mean you can export dynamic rules with ipfw, write them to a file
and reload them later ?

> for state entries:
> no
>
> > Can you redirect traffic to many internal boxes with a round-robin
> > mechanism ?
>
> man natd

Yes, I browsed natd(8) a bit too fast.

-- 
Rémi
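The exchange above is about emulating ipf's head/group dispatch with ipfw's skipto, and the cost of doing so by hand is that every skipto target is a bare rule number. The sh script below is an added example, not code from the post and not FreeBSD's own rc.firewall: it keeps the numbering in one place so the groups from the ipf ruleset quoted above map onto fixed ipfw number blocks. Everything about the layout is an assumption of this example (dispatch rules at 100-199, group N owning numbers N*1000 to N*1000+999, the trailing "some other rules" starting at 60000, and 192.0.2.0/24 as a constructed address range). It runs as a dry run by default, printing the ipfw commands rather than loading them; FWCMD=/sbin/ipfw installs them on a FreeBSD host. One difference the script has to spell out: ipf is last-match (unless 'quick') while ipfw is first-match, so the ipf head action and the "continue with the non-group rules" behaviour become explicit rules at the end of each group, and the dispatch block needs its own fall-through rule, otherwise a packet matching no head rule simply runs into the first group's rules by number.

```sh
#!/bin/sh
# Added example: emulate ipf "head/group" dispatch with ipfw "skipto".
# Numbering layout below is an assumption of this example, not from the post.
# Dry run by default; set FWCMD=/sbin/ipfw to load the rules for real.
FWCMD=${FWCMD:-"echo ipfw"}
GROUP_BASE=1000   # group N owns rule numbers N*1000 .. N*1000+999
TAIL=60000        # where "[...some other rules...]" begin

grp_start() { echo $(( $1 * GROUP_BASE )); }        # first number of group $1
grp_end()   { echo $(( $1 * GROUP_BASE + 999 )); }  # last number of group $1

# ipf "block in proto $2 from any to any head $3" -> ipfw skipto into the group.
# $1 = dispatch rule number, $2 = protocol, $3 = group
head_rule() {
    $FWCMD add "$1" skipto "$(grp_start "$3")" "$2" from any to any in
}

# Packets matching no head rule must not fall into group 10 by number.
dispatch_end() {
    $FWCMD add 199 skipto "$TAIL" ip from any to any
}

# Rule inside a group: $1 = group, $2 = offset within the group, rest = rule body.
group_rule() {
    g=$1; off=$2; shift 2
    $FWCMD add $(( $(grp_start "$g") + off )) "$@"
}

# Close a group explicitly (ipfw is first-match, ipf is last-match):
#   "continue" -> like an ipf head without 'quick': go on to the tail rules
#   "deny"     -> like a 'quick' block head: nothing in the group matched, drop
group_tail() {
    if [ "$2" = deny ]; then
        $FWCMD add "$(grp_end "$1")" deny ip from any to any
    else
        $FWCMD add "$(grp_end "$1")" skipto "$TAIL" ip from any to any
    fi
}

build_ruleset() {
    $FWCMD -f flush
    # dispatch: the three ipf 'head' rules from the post
    head_rule 100 tcp 10
    head_rule 110 udp 20
    head_rule 120 icmp 30
    dispatch_end
    # group 10: tcp (192.0.2.10 is a constructed address)
    group_rule 10 10 allow tcp from any to any established
    group_rule 10 20 allow tcp from any to 192.0.2.10 22 in setup
    group_rule 10 30 allow tcp from any to 192.0.2.10 80 in setup
    group_rule 10 40 deny log tcp from any to any in setup
    group_tail 10 continue
    # group 20: udp
    group_rule 20 10 allow udp from any to 192.0.2.10 53 in
    group_tail 20 continue
    # group 30: icmp; nothing else matched means drop, like a 'quick' head
    group_rule 30 10 allow icmp from any to any in icmptypes 0,3,8,11
    group_tail 30 deny
    # "[...some other rules...]": reached from dispatch_end and from
    # every group that continues
    $FWCMD add "$TAIL" allow ip from any to any out
    $FWCMD add $(( TAIL + 100 )) deny log ip from any to any
}

build_ruleset
```

Adding a fourth group means choosing a free thousand-block and one more head_rule line; nothing else is renumbered, which is the part that becomes painful when skipto targets are written out by hand.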