From: ian j hart <ianjhart@ntlworld.com>
To: Claus Guttesen, "Crist J. Clark"
Cc: stable@FreeBSD.ORG
Subject: Re: IPF & IPFW
Date: Fri, 31 Jan 2003 23:17:10 +0000

On Friday 31 January 2003 10:25 pm, Claus Guttesen wrote:
> Hi.
>
> > Guttesen wrote:
> > > You may wish to read
> > > http://home.earthlink.net/~jaymzh666/ipf/IPFfreebsd.html#14.
> > > This explains in what order ipf and ipfw is loaded.
> > >
> > > If you want to let ipfw to process the ip-packet
> > > first, you can remove ipfilter from the kernel and
> > > load it as a module instead. This should solve your
> > > problem.
> >
> > Nuh-uh. The hooks for ipf(8) and ipfw(8) always are in the same place
> > in ip_input.c and ip_output.c. The order of loading modules has no
> > impact.
> >
> > To the original poster, there is nothing you can do short of hacking
> > ip_input.c and ip_output.c to fit your designs. But you are perfectly
> > free to do it if you'd like. (Ain't open source and BSD licenses
> > great?)
> > --
>
> Thank you for the info. I guess it's OK that I forward
> this info to the maintainer of the above mentioned
> FAQ.
>
> regards
> Claus

OTOH if you only need ipnat and not ipfilter you can do this...

Don't compile in ipf. Turn on ipnat in rc.conf; it will run after all the ipfw
rules.

I use this to "fix-up" packet source addresses.

e.g. (warning from memory)

    map rl0 from /32 to any port 25 -> /32

So outgoing email traffic appears to come from the alias IP. [Don't ask, you
don't want to know].

-- 
ian j hart

Quoth the raven, bite me!
Salem Saberhagen (Episode LXXXI: The Phantom Menace)