From: hugle <hugle@vkt.lt>
Date: Sun, 21 Dec 2003 06:26:55 -0800
To: fbsd_user, freebsd-questions@freebsd.org
Message-ID: <6075224587.20031221062655@vkt.lt>
References: <19966095930.20031221035447@vkt.lt>
Subject: Re[2]: ipfw forward alternative in IPF ?

f> Sure ipnat and IPFW can and do play together very well. I had
f> problems with IPFW keep-state rules and IPFW/NATD. The Natd function
f> is a subroutine launched by the divert rule. I removed the divert
f> rule and turned off IPFW_nat in rc.conf and added ipfilter-ipnat to
f> rc.conf. IPFILTER defaults to pass all traffic so by just using
f> ipnat all the Nating gets done outside of IPFW.
f> IPNAT does have forward rules.

So ipnat `rdr` does the same as ipfw's `fwd`? Am I right?

I had something like:

ipfw add 501 fwd x.141 ip from x.142 to any
ipfw add 502 fwd z.161 ip from z.162 to any
ipfw add 503 fwd y.1 ip from y.59 to any

So the ipnat rules would look like:

rdr vlan0 from x.142 to 0.0.0.0/0 -> x.141
rdr fxp0 from y.162 to 0.0.0.0/0 -> y.161
rdr rl1 from z.59 to 0.0.0.0/0 -> z.1

But why then does ipfw have a forward rule and natd a redirect function, while ipf has no forward/redirect and ipnat does have redirect? So ipnat can handle both forward and redirect? Am I right?

The interesting thing is that I tried to turn on NAT with ipnat and leave only the fwd rules in ipfw, but it seemed not to work (can't understand why).

f> After an while I converted all my IPFW rules to
f> IPFILTER and got rid of IPFW all together. I never compile IPFW or
f> IPFILTER into the kernel, just let FBSD load the binary modules at
f> boot time.

What is the easiest way to upgrade ipfilter after cvsup'ing (assuming it has been updated)? Just make clean, make and make install, and unload/load the module?

f> I found IPFILTER to be easier to use and configure using
f> the 'quick' option. The only reason to use IPFW is if you use
f> dummynet for bandwidth control. I know the FBSD handbook misleads
f> the reader into believing IPFW is the best firewall but that is
f> because IPFW is an internal FBSD development project.

Actually ipfw's rules seem easier to read than ipf's ones. Anyway, ipfw's pipe rules ;)

f> http://www.obfuscation.org/ipf/ipf-howto.html#TOC_1

Thanks for the link.

Thanks for your time,
hugle
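To make the comparison in the question concrete, the following is an added illustration, not code from the thread or from either firewall: it models one `ipfw fwd` rule and one `ipnat rdr` rule from the post as pure functions and applies both to the same packet. `fwd` is policy routing (the packet is handed to a different next hop with its header untouched), while `rdr` is destination NAT (the destination address in the header is rewritten). The addresses are constructed RFC 5737 documentation values standing in for the `x.141` / `x.142` placeholders, and `Packet` is a simplified model with no real kernel behaviour behind it.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

# Constructed sample addresses (RFC 5737 ranges), standing in for x.141/x.142.
HOST_X142 = "192.0.2.142"    # source host the rules match on
HOST_X141 = "192.0.2.141"    # fwd next-hop / rdr new destination
REMOTE = "198.51.100.10"     # arbitrary Internet destination


@dataclass(frozen=True)
class Packet:
    """Minimal IP header model: addresses plus the next hop chosen by the stack."""
    src: str
    dst: str
    next_hop: Optional[str] = None   # None means ordinary routing-table lookup


def ipfw_fwd(pkt: Packet, rule_src: str, fwd_to: str) -> Packet:
    """Model of `ipfw add N fwd <fwd_to> ip from <rule_src> to any`.
    Only the next hop changes; src and dst in the header stay as they were."""
    if ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule_src):
        return replace(pkt, next_hop=fwd_to)
    return pkt


def ipnat_rdr(pkt: Packet, rule_src: str, rule_dst: str, new_dst: str) -> Packet:
    """Model of `rdr <if> from <rule_src> to <rule_dst> -> <new_dst>`.
    The destination address is rewritten; routing then follows the new dst."""
    if (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule_src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule_dst)):
        return replace(pkt, dst=new_dst)
    return pkt


def compare(pkt: Packet) -> dict:
    """Apply the thread's rule 501 and its proposed rdr counterpart to one packet."""
    after_fwd = ipfw_fwd(pkt, HOST_X142, HOST_X141)
    after_rdr = ipnat_rdr(pkt, HOST_X142, "0.0.0.0/0", HOST_X141)
    return {
        "fwd_dst": after_fwd.dst, "fwd_next_hop": after_fwd.next_hop,
        "rdr_dst": after_rdr.dst, "rdr_next_hop": after_rdr.next_hop,
        "equivalent": after_fwd == after_rdr,
    }


if __name__ == "__main__":
    print(compare(Packet(HOST_X142, REMOTE)))   # matching packet: not equivalent
    print(compare(Packet("192.0.2.7", REMOTE)))  # non-matching packet: both untouched
```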