Date:      Wed, 21 Jun 2023 15:36:53 +0000
From:      bugzilla-noreply@freebsd.org
To:        pf@FreeBSD.org
Subject:   [Bug 272094] pfilctl IPFW hook order not works with PF route-to
Message-ID:  <bug-272094-16861-6yB7paKqVF@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-272094-16861@https.bugs.freebsd.org/bugzilla/>
References:  <bug-272094-16861@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=272094

--- Comment #5 from Gleb Smirnoff <glebius@FreeBSD.org> ---
(In reply to Alfa from comment #3)
> Sorry to bother, but I am confused about the PFILCTL tool. To make it clear, what is this tool's main purpose?

To change how firewalls are hooked into the network stack. Sorry for the obvious
answer :) A more practical answer:

- Somebody may want to filter only on input, skipping any filtering on output.
- There are some drivers that provide a NIC-level hook. This allows unhooking
firewalls from the default path and hooking them on the NIC only. First, these
NIC-level hooks allow dropping packets at a much lower cost. Second, you can
build your firewall based on interfaces, very much like Cisco or Juniper do.
- Although running a stack of firewalls (pf, ipfw, ipfilter) is not something
that is supported or recommended, some people do that, and some configurations
(apparently without route-to) work excellently. pfilctl allows reconfiguring
the stack.

P.S. We probably should enable interface-level hooks in general, for those
drivers that don't support NIC-level hooks. That won't provide a packet drop
performance gain, but it will allow designing a router-style firewall with any
NIC.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
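The two reconfigurations Gleb describes above (filtering only on input, and moving a firewall onto a NIC-level head), as an added shell example that is not part of the bug report or of FreeBSD's own tooling. It uses the pfilctl(8) subcommands `link`, `unlink`, `heads` and `hooks` with the `-i` (input), `-o` (output) and `-a` (append) flags, and the hook names pf and ipfw register with pfil(9) (`pf:default-in`, `pf:default-out`, `ipfw:default`). The interface head name `igb0` is an assumed placeholder: only drivers that register a NIC-level pfil head expose one, so check `pfilctl heads` on the box first. Setting `DRY_RUN=1` prints the commands instead of executing them, which is also how the script can be read on a non-FreeBSD machine.

```shell
#!/bin/sh
# Added example (not from the bug report): reconfiguring the pfil(9) stack
# with pfilctl(8) for the two setups described in the comment.
# Hook/head names pf:default-in, pf:default-out, ipfw:default, inet, inet6
# are the ones pf, ipfw and the IP stack register; "igb0" is an ASSUMED
# NIC head name and only exists if the driver registers one.
# DRY_RUN=1 prints each pfilctl command instead of running it.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Setup 1: filter with pf on input only. Unlink pf's output hook from the
# IPv4 and IPv6 heads and make sure its input hook is linked (prepended,
# so it runs before any other firewall that is still on the head).
pf_input_only() {
    for head in inet inet6; do
        run pfilctl unlink -o pf:default-out "$head" || true
        run pfilctl link -i pf:default-in "$head"
    done
}

# Setup 2: move ipfw from the default IP heads onto a NIC-level head so
# packets are dropped before they enter the IP stack. Without -i/-o the
# hook is (un)linked on both directions. The NIC head must already be
# listed by `pfilctl heads`.
ipfw_on_nic() {
    nic="$1"
    run pfilctl unlink ipfw:default inet || true
    run pfilctl unlink ipfw:default inet6 || true
    run pfilctl link ipfw:default "$nic"
}

# Inspect the result: which heads exist and which hooks hang off them.
show_stack() {
    pfilctl heads
    pfilctl hooks
}

# Simple dispatch so the file can be run as a script; with no argument it
# only defines the functions (useful when sourced).
case "${1:-}" in
    input-only) pf_input_only ;;
    nic)        ipfw_on_nic "${2:-igb0}" ;;   # igb0: assumed NIC head name
    show)       show_stack ;;
    "")         ;;
    *)          echo "usage: $0 input-only | nic <ifname> | show" >&2; exit 64 ;;
esac
```

Run `sh pfil-stack.sh show` before and after either change; the `unlink` steps are tolerant of a hook that is not currently linked, which is why they are followed by `|| true`.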
