From: Mike Harding
To: veldy@veldy.net
Cc: arr@oceanwave.com, freebsd-stable@FreeBSD.ORG, christopher@schulte.org
In-reply-to: <002f01c0a8a7$c3e9fb30$3028680a@tgt.com> (veldy@veldy.net)
Subject: Re: 4.2-R, bridging and ipfilter
References: <5.0.2.1.0.20010308160207.02762e18@pop.schulte.org> <002f01c0a8a7$c3e9fb30$3028680a@tgt.com>
Message-Id: <20010309151929.F412D113E04@netcom1.netcom.com>
Date: Fri, 9 Mar 2001 07:19:29 -0800 (PST)

IPFILTER works great - we use it on a T1 at work for about 20 people
for NAT and transparent squid proxying and it never hiccups and there
is no noticeable load on the system.

IPFW defaults to a 5 minute timeout on sessions, ipfilter to 5 _days_
so it behaves much more like what people expect. I suspect that
ipfilter is used for more 'industrial strength' uses. Also, the NAT
in ipfilter is kernel based so it's quite fast.

- Mike H.

From: "Thomas T. Veldhouse"
Date: Fri, 9 Mar 2001 08:46:43 -0600

IPFILTER is an alternative to IPFIREWALL.

As far as I know, IPFILTER does not work on bridged packets -- so you cannot
firewall your LAN transparently using an IPFILTER bridge. IPFIREWALL does
filter bridged packets. However, I don't believe the stateful rules
processing is as robust. I was getting errors about too many states and
such -- so I went back to IPFILTER using IPNAT (using bimap).

Tom Veldhouse
veldy@veldy.net

----- Original Message -----
From: "Christopher Schulte"
Sent: Thursday, March 08, 2001 4:03 PM
Subject: Re: 4.2-R, bridging and ipfilter

> At 04:48 PM 3/8/2001 -0500, arr@oceanwave.com wrote:
> >Has anyone gotten bridging and ipfilter to work together with 4.2-R?
>
> Question: do you mean IPFIREWALL and bridging?
>
> If so, yes.
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-stable" in the body of the message