From: Michael DeMan <michael@staff.openaccess.org>
Date: Thu, 29 Jul 2004 00:45:55 -0700
To: Jeremie Le Hen
Cc: freebsd-net@freebsd.org, Charlie Schluting
Subject: Re: packet order, ipf or ipfw
Message-Id: <52E06F6C-E133-11D8-A60F-000A95CE3376@staff.openaccess.org>
In-Reply-To: <20040728232352.GB8838@tuileries.epita.fr>
References: <41081955.5090204@schluting.com> <20040728232352.GB8838@tuileries.epita.fr>
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net@freebsd.org>

Hi,

We're actually planning to migrate to PF instead of IPF+IPFW to meet these needs. IPFW, from what I've gathered over the past few years, is the traditional FreeBSD way of handling firewalls, NAT and bandwidth limiting. We found IPFW a little complex to use, granted very powerful. We ended up needing to deliver and support a good number of 'machines', and total cost of ownership became important, both in terms of automated and traditional management of deployments.

Our plan for when 5-STABLE comes out is to migrate to PF directly (yes, risk; yes, we're a small business) and we expect it to perform quite well and give us a unified and clearer way, in terms of config files, to manage firewall, NAT and QoS issues. I would at least read the OpenBSD docs on PF and check them out. Darren Reed has done a wonderful job with IPF and the latest code clean-up is very nice as well, but PF is far superior, at least in regards to manageability.

- mike

On Jul 28, 2004, at 4:23 PM, Jeremie Le Hen wrote:

> Hello Charlie,
>
>> I'm running ipf because I like it ...but now I need to use ipfw's pipe
>> feature. I was thinking that I could just run both, and keep all my
>> rules in ipf, then in ipfw: limit bandwidth for a few vlans, then
>> allow all.
>>
>> It didn't work (no rate-limiting happened).. and I'm thinking that ipf
>> is passing the packets and bypassing ipfw? Or something..
>>
>> So, what is the order, if I'm running ipf AND ipfw at the same time?
>> Will it work at all in this manner?
>
> Max Laier told you about FreeBSD 5.x which includes PFIL_HOOKS, but
> since you did not mention whether you are using -STABLE or -CURRENT.
> AFAIK, ipf takes precedence over ipfw for incoming packets on -STABLE,
> and this is of course symmetric for outgoing ones.
>
> But you should be warned that using ipnat(8) in conjunction with ipfw
> pipes may lead to incorrect behaviour:
> http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/61685
>
> Hackers, is this bug still alive in -CURRENT?
>
> Best regards,
> --
> Jeremie LE HEN aka TtZ/TataZ
> jeremie.le-hen@epita.fr
> ttz@epita.fr
> Hi! I'm a .signature virus! Copy me into your ~/.signature to help me
> spread!
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"

Michael F. DeMan
Director of Technology
OpenAccess Network Services
Bellingham, WA 92825
michael@staff.openaccess.org
360-647-0785
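The "one config file for firewall, NAT and QoS" point Michael makes, and the per-VLAN rate limiting Charlie was trying to get out of ipfw pipes, can be shown in a single pf.conf. This is an added example written for this archive page, not a ruleset from any poster or from the FreeBSD project; the interface names, subnets and bandwidth figures are assumptions chosen for illustration, and the syntax is the PF/ALTQ dialect of the FreeBSD 5.x era (explicit "keep state"), since that is the version under discussion.

```pf
# Added example (not from the thread). Interface names, networks and
# bandwidth values below are assumed; adjust them for the real host.
ext_if = "fxp0"          # assumed uplink interface
int_if = "vlan10"        # assumed first internal VLAN interface
guest_if = "vlan20"      # assumed second internal VLAN interface
int_net = "10.0.10.0/24" # assumed
guest_net = "10.0.20.0/24" # assumed

# QoS: one ALTQ root on the uplink, with a capped queue for the guest VLAN.
# Traffic tagged into "guest" is limited to 2Mb of the 10Mb uplink.
altq on $ext_if cbq bandwidth 10Mb queue { std, guest }
queue std   bandwidth 8Mb cbq(default)
queue guest bandwidth 2Mb cbq

# NAT: both VLANs leave through the uplink address.
nat on $ext_if from { $int_net, $guest_net } to any -> ($ext_if)

# Firewall: default deny, then explicit passes with state.
block in log all
block out log all

pass out on $ext_if keep state

# Staff VLAN: pass and let the state entry carry the default queue.
pass in on $int_if from $int_net to any keep state

# Guest VLAN: the "queue guest" tag follows the state, so the reply and
# forwarded packets are shaped when they exit on $ext_if.
pass in on $guest_if from $guest_net to any keep state queue guest
```

Because the queue assignment is attached to the same rule that creates the state, there is no second filter to coordinate with and no ordering question of the ipf-before-ipfw kind raised in the thread. On FreeBSD 5.3 and later this needs a kernel built with `options ALTQ` and `options ALTQ_CBQ`; the configuration can be checked without loading it using `pfctl -nf /etc/pf.conf`.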