From owner-freebsd-questions Fri Oct 12 8:18:34 2001
Message-ID: <010001c15331$23f1da00$3028680a@tgt.com>
From: "Thomas T. Veldhouse"
To: "Alfatrion", "Maine LOA List Admin (Brent Bailey)"
Cc: "Hartmann, O."
Subject: Re: IPFW or IPFILTER?
Date: Fri, 12 Oct 2001 10:18:17 -0500

ipfw add check-state
.
.
.
ipfw add pass tcp from any to any via tun0 out keep-state

However, if you plan to use NAT, I highly recommend IPFilter -- it is "in kernel", so there is not a transition from kernel -> userland -> kernel. Also, natd is quirky and can cause "failed to write back packet" (IIRC) when not configured "perfectly". The samples in the /etc/rc.firewall file cause this error message.

Tom Veldhouse
veldy@veldy.net

> I find IPF more configurable than IPFW. I don't know how to do the
> following in IPFW: pass out quick on tun0 proto tcp from any to any keep
> state.
>
> Alex
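A minimal stateful ipfw ruleset built around the two rules in Tom's reply, as an added example that is not part of the original message. The rule numbers, the lo0, UDP and final deny rules, the `setup` option and the dry-run default for `fwcmd` are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original thread.
# ipf rule being translated (from Alex's question):
#   pass out quick on tun0 proto tcp from any to any keep state
#
# Assumptions: tun0 is the external interface, rule numbers are arbitrary,
# and fwcmd defaults to a dry run that only prints the commands.
# Run with fwcmd=/sbin/ipfw to load the rules for real.
fwcmd="${fwcmd:-echo ipfw}"
oif="${oif:-tun0}"

stateful_rules() {
    # Loopback traffic is not filtered.
    $fwcmd add 100 pass all from any to any via lo0

    # Packets that match an existing dynamic rule are handled here,
    # before any static rule below gets a chance to drop them.
    $fwcmd add 200 check-state

    # Outbound TCP on the external interface creates a dynamic rule.
    # "setup" (an addition to the rule in the message) limits state
    # creation to connection-opening SYN packets.
    $fwcmd add 300 pass tcp from any to any out via "$oif" setup keep-state

    # Same idea for outbound UDP (DNS lookups and the like).
    $fwcmd add 400 pass udp from any to any out via "$oif" keep-state

    # Anything else on the external interface, including unsolicited
    # inbound packets with no matching state, is dropped.
    $fwcmd add 65000 deny all from any to any via "$oif"
}

stateful_rules
```

The order matters: check-state sits above the keep-state rules so replies are matched against the dynamic rules first, and the final deny only sees traffic that has no state.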