Date: Sun, 21 Dec 2003 06:26:55 -0800
From: hugle <hugle@vkt.lt>
To: fbsd_user <fbsd_user@a1poweruser.com>, freebsd-questions@freebsd.org
Subject: Re[2]: ipfw forward alternative in IPF ?
Message-ID: <6075224587.20031221062655@vkt.lt>
In-Reply-To: <MIEPLLIBMLEEABPDBIEGEEFMFBAA.fbsd_user@a1poweruser.com>
References: <19966095930.20031221035447@vkt.lt> <MIEPLLIBMLEEABPDBIEGEEFMFBAA.fbsd_user@a1poweruser.com>

f> Sure ipnat and IPFW can and do play together very well. I had
f> problems with IPFW keep-state rules and IPFW/NATD. The Natd function
f> is a subroutine launched by the divert rule. I removed the divert
f> rule and turned off IPFW_nat in rc.conf and added ipfilter-ipnat to
f> rc.conf. IPFILTER defaults to pass all traffic so by just using
f> ipnat all the Nating gets done outside of IPFW.
f> IPNAT does have forward rules.

So ipnat `rdr` does the same as ipfw's `fwd`? Am I right?
I had something like:

  ipfw add 501 fwd x.141 ip from x.142 to any
  ipfw add 502 fwd z.161 ip from z.162 to any
  ipfw add 503 fwd y.1 ip from y.59 to any

So ipnat rules would look like:

  rdr vlan0 from x.142 to 0.0.0.0/0 -> x.141
  rdr fxp0 from y.162 to 0.0.0.0/0 -> y.161
  rdr rl1 from z.59 to 0.0.0.0/0 -> z.1

But why then does ipfw have a forward rule and natd a redirect function, while ipf has no forward/redirect and ipnat does have redirect?
So ipnat can handle both forward and redirect? Am I right?
The interesting thing is that I tried to turn on nat with ipnat and leave only fwd rules in ipfw, but it seemed not to work (can't understand why).

f> After a while I converted all my IPFW rules to
f> IPFILTER and got rid of IPFW all together. I never compile IPFW or
f> IPFILTER into the kernel, just let FBSD load the binary modules at
f> boot time.

What is the easiest way to upgrade ipfilter after cvsup'ing (sure, if it had been updated)?
Just make clean, make and make install? And unload/load the module?

f> I found IPFILTER to be easier to use and configure using
f> the 'quick' option. The only reason to use IPFW is if you use
f> dummynet for bandwidth control. I know the FBSD handbook misleads
f> the reader into believing IPFW is the best firewall but that is
f> because IPFW is an internal FBSD development project.

Actually ipfw's rules seem easier to read than ipf ones.
Anyways, ipfw's pipes rule ;)

f> http://www.obfuscation.org/ipf/ipf-howto.html#TOC_1

Thx for the link.

Thanks for your time,
hugle