From: Giorgos Keramidas
To: Ben H
Cc: freebsd-questions@freebsd.org
Subject: Re: Using IPFILTER
Date: Sat, 11 Mar 2000 04:52:17 +0200
Message-ID: <20000311045217.A90301@hades.hell.gr>
Reply-To: keramida@ceid.upatras.gr
References: <20000307230057.A1357@lust.poo.pants>
In-Reply-To: <20000307230057.A1357@lust.poo.pants>; from bens_lists@mailandnews.com on Tue, Mar 07, 2000 at 11:00:57PM +0000
X-Mailer: Mutt 1.0i
X-PGP-Fingerprint: 62 45 D1 C9 26 F9 95 06 D6 21 2A C8 8C 16 C0 8E
X-Phone-Number: +30-94-6203692, +30-93-2886457
X-Address: Theodorou Kirinaiou 61, 26334 Patra, Greece

[ moved to -questions, where it fits better than -security ]

On Tue, Mar 07, 2000 at 11:00:57PM +0000, Ben H wrote:
> I (like I'm sure many) would like to use IPFILTER (ipf, ipnat) instead
> of/as well as IPFIREWALL (ipf, natd), and I can't get it working.
>
> My KERNEL (well, some of it) looks like:
>
> options IPFIREWALL              #firewall
> options IPFIREWALL_VERBOSE      #print information about stuff
> options IPFIREWALL_FORWARD      #enable transparent proxy support
> options IPDIVERT                #divert sockets

You can safely remove _all_ these options, if you're not going to use
ipfw. But see below...

> options IPFILTER                #kernel ipfilter support
> options IPFILTER_LOG            #ipfilter logging
> options IPSTEALTH               #support for stealth forwarding

These are exactly the options I use for my ipf/ipnat kernel.

> options TCP_DROP_SYNFIN         #drop TCP packets with SYN+FIN
> options TCP_RESTRICT_RST        #restrict emission of TCP RST
> options "ICMP_BANDLIM"          #Limit icmp bandwidth

I dunno about these. I've used them with IPFILTER, and they seem to
work for me, without enabling IPFIREWALL too.

-- 
Giorgos Keramidas, < keramida @ ceid . upatras . gr >
For my public PGP key: finger keramida@diogenis.ceid.upatras.gr
PGP fingerprint, phone and address in the headers of this message.