From owner-freebsd-stable Mon Mar 12 8:26:11 2001
From: "Thomas T. Veldhouse"
To: "Mike Harding"
Subject: Re: 4.2-R, bridging and ipfilter
Date: Mon, 12 Mar 2001 10:24:38 -0600

NAT is not bridging. IPFILTER does not work with bridging -- you will not
protect packets flowing through a bridge, only the local machine.
IPFIREWALL will filter bridged packets.

Tom Veldhouse
veldy@veldy.net

----- Original Message -----
From: "Mike Harding"
Sent: Friday, March 09, 2001 9:19 AM
Subject: Re: 4.2-R, bridging and ipfilter

>
> IPFILTER works great - we use it on a T1 at work for about 20 people
> for NAT and transparent squid proxying and it never hiccups and there
> is no noticeable load on the system. IPFW defaults to a 5 minute
> timeout on sessions, ipfilter to 5 _days_ so it behaves much more like
> what people expect. I suspect that ipfilter is used for more
> 'industrial strength' uses.
>
> Also, the NAT in ipfilter is kernel based so it's quite fast.
>
> - Mike H.
>
> From: "Thomas T. Veldhouse"
> Date: Fri, 9 Mar 2001 08:46:43 -0600
>
> IPFILTER is an alternative to IPFIREWALL. As far as I know, IPFILTER does
> not work on bridged packets -- so you can not firewall your LAN transparently
> using an IPFILTER bridge. IPFIREWALL does filter bridged packets. However,
> I don't believe the stateful rules processing is as robust. I was getting
> errors about too many states and such -- so I went back to IPFILTER using
> IPNAT (using bimap).
>
> Tom Veldhouse
> veldy@veldy.net
>
> ----- Original Message -----
> From: "Christopher Schulte"
> Sent: Thursday, March 08, 2001 4:03 PM
> Subject: Re: 4.2-R, bridging and ipfilter
>
> > At 04:48 PM 3/8/2001 -0500, arr@oceanwave.com wrote:
> > >Has anyone gotten bridging and ipfilter to work together with 4.2-R?
> >
> > Question: do you mean IPFIREWALL and bridging?
> >
> > If so, yes.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message