Date: Fri, 31 Jan 2003 17:19:21 -0800
From: "Crist J. Clark" <crist.clark@attbi.com>
To: ian j hart <ianjhart@ntlworld.com>
Cc: Claus Guttesen <cguttesen@yahoo.dk>, stable@FreeBSD.ORG
Subject: Re: IPF & IPFW
Message-ID: <20030201011921.GE30498@blossom.cjclark.org>
In-Reply-To: <200301312317.10130.ianjhart@ntlworld.com>
References: <20030131222558.61732.qmail@web14105.mail.yahoo.com> <200301312317.10130.ianjhart@ntlworld.com>
On Fri, Jan 31, 2003 at 11:17:10PM +0000, ian j hart wrote:
> On Friday 31 January 2003 10:25 pm, Claus Guttesen wrote:
> > Hi.
> >
> > > Guttesen wrote:
> > > > You may wish to read
> > > > http://home.earthlink.net/~jaymzh666/ipf/IPFfreebsd.html#14.
> > > > This explains in what order ipf and ipfw are
> > > > loaded.
> > > >
> > > > If you want to let ipfw to process the ip-packet
> > > > first, you can remove ipfilter from the kernel and
> > > > load it as a module instead. This should solve
> > > > your
> > > > problem.
> > >
> > > Nuh-uh. The hooks for ipf(8) and ipfw(8) always are
> > > in the same place
> > > in ip_input.c and ip_output.c. The order of loading
> > > modules has no
> > > impact.
> > >
> > > To the original poster, there is nothing you can do
> > > short of hacking
> > > ip_input.c and ip_output.c to fit your designs. But
> > > you are perfectly
> > > free to do it if you'd like. (Ain't open source and
> > > BSD licenses
> > > great?)
> > > --
> >
> > Thank you for the info. I guess it's OK that I forward
> > this info to the maintainer of the above mentioned
> > FAQ.
> >
> > regards
> > Claus
> >
> > Do you have problems with your home computer? Get help with Yahoo!'s PC support at
> > http://dk.shopping.yahoo.com/pcsupport/index.html
>
> OTOH if you only need ipnat and not ipfilter you can do this...
>
> Don't compile in ipf. Turn on ipnat in rc.conf; it will run after all the ipfw rules.
>
> I use this to "fix-up" packet source addresses.
>
> e.g. (warning from memory)
> map rl0 from <my-ip>/32 to any port 25 -> <alias-ip>/32
>
> So outgoing email traffic appears to come from the alias IP.
> [Don't ask, you don't want to know].

ipf(8) and ipnat(8) are the userland commands to interface with the same code in the kernel. You can't separate them. If you define IPFILTER in your kernel configuration, you get both, even if you only use one. If you load ipf.ko, you get both, even if you use only one.

ipnat(8) occurs before ipfw(8) for incoming and after ipfw(8) for outgoing whether or not you are using ipf(8) rules. Packets get passed to "IPFilter-in-the-kernel" (the kernel code that both ipf(8) and ipnat(8) talk to) one place in ip_input.c and once in ip_output.c. The only way to change that is to modify the code in those two. (Well, you might be able to do something with tunnels to get the effects, but it's still true for each step of the tunnel(s).)

--
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message