From: "Freddie Cash"
To: current@freebsd.org
Date: Thu, 3 Aug 2006 08:29:47 -0700 (PDT)
Subject: Re: ipfw output FWD broken on 6.1 and newer?
Message-ID: <59004.192.168.0.10.1154618987.squirrel@webmail.sd73.bc.ca>
In-Reply-To: <44D1473F.1000204@elischer.org>

On Wed, August 2, 2006 5:45 pm, Julian Elischer wrote:
> I haven't tried 7.x yet but has anyone seen
> the FWD command of ipfw running on 6.1?
>
> or anyone know of problems with it that may have been fixed on
> -current?

It's working fine for us here.
Been using the same kernel config file (with the needed changes from 4.x to 5.x to 6.x) and ruleset on our firewalls. They started life as FreeBSD 4.2 boxes, were upgraded through to 4.11, and then re-installed with 6.0 and finally upgraded to 6.1.

The kernel config section for our firewall kernels is just:

    # Firewall options
    options     IPSTEALTH
    options     IPDIVERT
    options     DUMMYNET
    options     IPFIREWALL
    options     IPFIREWALL_FORWARD
    options     IPFIREWALL_VERBOSE
    options     IPFIREWALL_VERBOSE_LIMIT=500
    options     IPFIREWALL_DEFAULT_TO_ACCEPT

We used fwd rules a lot for our VPN links between schools, and a couple of sites use them for transparent proxying using squid+dansguardian. Haven't had any issues so far.

We've never included the _EXTENDED option, nor really seen a need for it (or a problem without it).

HTH,
----
Freddie Cash
fcash@ocis.net