Date: Thu, 4 Dec 2003 10:16:14 -1000
From: Clifton Royston
To: freebsd-hackers@freebsd.org
Subject: Re: IPFW and the IP stack
Message-ID: <20031204101614.B2891@tikitechnologies.com>
In-Reply-To: <20031204200047.17CF816A4F6@hub.freebsd.org>
References: <20031204200047.17CF816A4F6@hub.freebsd.org>
List-Id: Technical Discussions relating to FreeBSD

On Thu, Dec 04, 2003 at 12:00:47PM -0800, freebsd-hackers-request@freebsd.org wrote:
> From: Robert Watson
> Subject: Re: IPFW and the IP stack
> To: "Devon H.O'Dell"
> Cc: freebsd-hackers@freebsd.org
>
> On Thu, 4 Dec 2003, Devon H.O'Dell wrote:
>
> > This is obviously the most logical explanation. There's a good bit of
> > questioning for PFIL_HOOKS to be enabled in GENERIC to allow ipf to be
> > loaded as a module as well. If this is the case, we'll have two
> > firewalls that have their hooks compiled in by default, allowing for them
> > both to be loaded as modules. (Is this still scheduled for 5.2?)
> >
> > But at this point, there's no way to allow one to turn the IPFW hooks
> > *off*. Is there a reason for this?
> >
> > Would it be beneficial (or possible) to hook ipfw into pfil(9)? This
> > way, we could allow the modules to be loaded by default for both and
> > also allow for the total absence of both in the kernel. Sorry if I've
> > missed discussions on this and am being redundant.
>
> Sam Leffler has done a substantial amount of work to push all of the
> various "hacks" (features?) behind PFIL_HOOKS, and I anticipate we'll
> ship PFIL_HOOKS enabled in GENERIC in 5.3 and use it to plug in most of
> these services. This also means packages like IPFilter and PF will work
> "out of the box" without a kernel recompile, not to mention offering
> substantial architectural cleanup.

While we're on the subject of IPFilter, has anyone gotten it to work
correctly on FreeBSD-stable to filter bridged packets in a bridged
configuration?

I have a 4.8p13 kernel compiled with bridging and IPF, and running a
ruleset that was working under an old OpenBSD install for a "transparent
firewall". IPF with bridging can be turned on with
"sysctl net.link.ether.bridge_ipf=1", but my testing and examination of the
logged stats so far *seems* to show that it's both failing to firewall
connections to the other hosts that it's bridging to, and blocking some
connections to itself that it should accept. I haven't started tcpdumping
yet to see what's really going on in terms of where the packets are going
and not going.

I suppose it may be that this is too weird a configuration to be
supported, but I had hoped it would work on FreeBSD since I had had it
running fine under OpenBSD 2.6 for several years.

  -- Clifton

--
    Clifton Royston  --  cliftonr@tikitechnologies.com
       Tiki Technologies Lead Programmer/Software Architect
Did you ever fly a kite in bed?  Did you ever walk with ten cats on your head?
  Did you ever milk this kind of cow?  Well we can do it.  We know how.
If you never did, you should.  These things are fun, and fun is good.
                                                                 -- Dr. Seuss
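Before reaching for tcpdump on a transparent-bridge setup like the one Clifton describes, it helps to rule out the plain prerequisites first. The following POSIX shell check is an added example, not code from the thread or from FreeBSD itself. The mail only names `net.link.ether.bridge_ipf`; the other pieces it looks for (`options BRIDGE` and `options IPFILTER` in the kernel config, and the `net.link.ether.bridge` / `net.link.ether.bridge_cfg` sysctls from the 4.x bridge(4) driver) are assumptions drawn from the 4.x bridge and IPFilter documentation, and the kernel config and sysctl dump are passed in as text so the check can be exercised offline against constructed samples.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or FreeBSD's own tools.
# Checks whether the pieces a FreeBSD 4.x transparent bridging firewall with
# IPFilter depends on are all present. Takes text instead of running sysctl(8)
# so it can be run offline:
#   $1 = kernel config text (what /sys/i386/conf/MYKERNEL would contain)
#   $2 = sysctl dump text, one "name: value" per line as `sysctl -a` prints
# Prints what is missing and returns 1, or returns 0 when everything is there.
# Option and sysctl names other than bridge_ipf are assumptions from bridge(4).
check_bridge_ipf() {
    kconf="$1"
    sysctls="$2"
    missing=""

    # Both the bridge code and IPFilter must be compiled into the kernel.
    for opt in BRIDGE IPFILTER; do
        printf '%s\n' "$kconf" \
            | grep -Eq "^[[:space:]]*options[[:space:]]+$opt([[:space:]]|\$)" \
            || missing="$missing kernel-option:$opt"
    done

    # Look a sysctl value up in the dump; the trailing colon keeps
    # "net.link.ether.bridge" from matching "net.link.ether.bridge_cfg".
    get_sysctl() { printf '%s\n' "$sysctls" | sed -n "s/^$1: *//p"; }

    # Bridging on, IPFilter applied to bridged frames, and a bridge cluster
    # actually configured (with no bridge_cfg nothing is bridged at all).
    [ "$(get_sysctl net.link.ether.bridge)" = "1" ] \
        || missing="$missing sysctl:net.link.ether.bridge=1"
    [ "$(get_sysctl net.link.ether.bridge_ipf)" = "1" ] \
        || missing="$missing sysctl:net.link.ether.bridge_ipf=1"
    [ -n "$(get_sysctl net.link.ether.bridge_cfg)" ] \
        || missing="$missing sysctl:net.link.ether.bridge_cfg"

    if [ -n "$missing" ]; then
        printf 'missing:%s\n' "$missing"
        return 1
    fi
    echo "bridge+ipf prerequisites present"
    return 0
}

# Constructed sample inputs (not captured from any real host).
SAMPLE_KCONF='ident MYKERNEL
options INET
options BRIDGE
options IPFILTER
options IPFILTER_LOG'

SAMPLE_SYSCTL='net.link.ether.bridge: 1
net.link.ether.bridge_ipf: 1
net.link.ether.bridge_cfg: fxp0:0,fxp1:0
net.link.ether.bridge_ipfw: 0'

# Constructed broken state: bridge_ipf is on but bridging itself is off and
# no interfaces are in the bridge, so the filter never sees bridged frames.
BROKEN_SYSCTL='net.link.ether.bridge: 0
net.link.ether.bridge_ipf: 1
net.link.ether.bridge_cfg:'

# Stand-alone usage: a healthy and a broken configuration.
check_bridge_ipf "$SAMPLE_KCONF" "$SAMPLE_SYSCTL" || true
check_bridge_ipf "$SAMPLE_KCONF" "$BROKEN_SYSCTL" || true
```

On a live 4.x box the two arguments would be `"$(cat /sys/i386/conf/MYKERNEL)"` and `"$(sysctl -a)"`. A clean result here does not prove the ruleset is right, it only means the frames can reach IPFilter at all, which is the question to settle before reading block/pass counters.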