Re: [pfSense Support] Question about pf and ipfw...
On 10/15/05, Bill Marquette [EMAIL PROTECTED] wrote:

> Not sure I follow with the redirection part. But if I understand correctly, yes we can use both ipfw and pf in conjunction for different tasks. This is how our shaper code used to work - define the queues in PF and assign the traffic in IPFW. Our ultimate goal is to get IPFW out of the core system altogether and we had done that until we found some nasty bugs in CP due to it (just stuff that'll take a little longer to work around).

Thank you for your reply. I am trying to run p3scan on pfsense, but it needs a redirection done with ipfw... When I am trying to add the rule, I have the following error:

    # ipfw add fwd 127.0.0.1:8110 tcp from 10.0.0.0/24 to any 110
    ipfw: getsockopt(IP_FW_ADD): Invalid argument

When I am loading ipfw module, I see the following in dmesg:

    ipfw2 (+ipv6) initialized, divert loadable, rule-based forwarding disabled, default to accept, logging disabled

Does this mean that I cannot do forwarding with this ipfw?

TIA
Tom
Re: [pfSense Support] Question about pf and ipfw...
On 10/16/05, Tommaso Di Donato [EMAIL PROTECTED] wrote:

> On 10/15/05, Bill Marquette [EMAIL PROTECTED] wrote:
>
> > Not sure I follow with the redirection part. But if I understand correctly, yes we can use both ipfw and pf in conjunction for different tasks. This is how our shaper code used to work - define the queues in PF and assign the traffic in IPFW. Our ultimate goal is to get IPFW out of the core system altogether and we had done that until we found some nasty bugs in CP due to it (just stuff that'll take a little longer to work around).
>
> Thank you for your reply. I am trying to run p3scan on pfsense, but it needs a redirection done with ipfw... When I am trying to add the rule, I have the following error:
>
>     # ipfw add fwd 127.0.0.1:8110 tcp from 10.0.0.0/24 to any 110
>     ipfw: getsockopt(IP_FW_ADD): Invalid argument
>
> When I am loading ipfw module, I see the following in dmesg:
>
>     ipfw2 (+ipv6) initialized, divert loadable, rule-based forwarding disabled, default to accept, logging disabled
>
> Does this mean that I cannot do forwarding with this ipfw?

Module probably isn't loaded (it's only loaded if CP is in use I believe).

Any reason you wouldn't just create a port forward for this? Seems like what you want to do is forward any traffic from 10.0.0.0/24 destined to port 110 anywhere to localhost on port 8110 (transparent pop3 server? interesting). This can be done easily in our GUI, just use a port forward (it was renamed from Inbound NAT to try and remind people it can be used in either direction).

--Bill
Re: [pfSense Support] Question about pf and ipfw...
You are very kind, in responding so fast!!

> Module probably isn't loaded (it's only loaded if CP is in use I believe).

Mmmh, I think it is (I loaded it by hand with kldload ipfw.ko):

    # kldstat
    Id Refs Address    Size   Name
     1    4 0xc040     68cca0 kernel
     2   16 0xc0a8d000 55fdc  acpi.ko
     3    1 0xc25e2000 c000   ipfw.ko

But I am not a FBSD guru, so I may be wrong.. Do I have to load some other module?

> Any reason you wouldn't just create a port forward for this? Seems like what you want to do is forward any traffic from 10.0.0.0/24 destined to port 110 anywhere to localhost on port 8110 (transparent pop3 server? interesting). This can be done easily in our GUI, just use a port forward (it was renamed from Inbound NAT to try and remind people it can be used in either direction).

Good question.. You are right, I already tried it but it does not work with p3scan. P3scan acts as a transparent pop3 proxy, but seems to recognize the real server IP only if I use ipfw redirection (this is what I understood from p3scan mailing list). I already tried with pf, but seems not to work..

Any idea?
Re: [pfSense Support] Question about pf and ipfw...
On 10/16/05, Bill Marquette [EMAIL PROTECTED] wrote:

> Got it, now I understand the problem (makes sense, I was wondering how it did transparent proxy w/out access to the destination IP :) ). So basically, it does a state lookup on the socket connected to it and figures out what the original IP was based on that.

Exactly.. It is marvellous to work with you.. All you guys are so fast in understanding..

> > Any idea?
>
> Maybe Scott will have an idea why IPFW isn't loading your ruleset. Other than that, waiting for the p3scan developers to fix this. BTW, if there's a finite number of pop3 servers you need to access and you know what they are, you can run multiple instances of p3scan, one for each server and redirect the individual servers to specific p3scan instances. Not elegant, but it might work in a crunch.

Exactly what I did.. at least for few providers.. but it is a very very ugly solution: I am in touch with p3scan guys, but in the meanwhile I would like to fix the problem using ipfw.. I hope Scott could help me in this problem..

Thank you again, very very much.
Tom
Re: [pfSense Support] Question about pf and ipfw...
Just a question.. I would like to ask one more thing: rule-based forwarding disabled in dmesg

    ipfw2 (+ipv6) initialized, divert loadable, rule-based forwarding disabled, default to accept, logging disabled

means that pfsense kernel is compiled without this option (IP-FIREWALL_FORWARD)?

> > Maybe Scott will have an idea why IPFW isn't loading your ruleset. Other than that, waiting for the p3scan developers to fix this. BTW, if there's a finite number of pop3 servers you need to access and you know what they are, you can run multiple instances of p3scan, one for each server and redirect the individual servers to specific p3scan instances. Not elegant, but it might work in a crunch.
>
> Exactly what I did.. at least for few providers.. but it is a very very ugly solution: I am in touch with p3scan guys, but in the meanwhile I would like to fix the problem using ipfw.. I hope Scott could help me in this problem..
>
> Thank you again, very very much.
Re: [pfSense Support] Question about pf and ipfw...
Reinstall from scratch on the latest version. Your IPFW module is wrong. It should say rule based forwarding enabled.

On 10/16/05, Tommaso Di Donato [EMAIL PROTECTED] wrote:

> Just a question.. I would like to ask one more thing: rule-based forwarding disabled in dmesg
>
>     ipfw2 (+ipv6) initialized, divert loadable, rule-based forwarding disabled, default to accept, logging disabled
>
> means that pfsense kernel is compiled without this option (IP-FIREWALL_FORWARD)?
>
> > > Maybe Scott will have an idea why IPFW isn't loading your ruleset. Other than that, waiting for the p3scan developers to fix this. BTW, if there's a finite number of pop3 servers you need to access and you know what they are, you can run multiple instances of p3scan, one for each server and redirect the individual servers to specific p3scan instances. Not elegant, but it might work in a crunch.
> >
> > Exactly what I did.. at least for few providers.. but it is a very very ugly solution: I am in touch with p3scan guys, but in the meanwhile I would like to fix the problem using ipfw.. I hope Scott could help me in this problem..
> >
> > Thank you again, very very much.
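A pre-flight check for the symptom discussed in this thread, as an added example that is not part of any poster's message: it reads the ipfw load banner from dmesg text and reports whether `fwd` rules can be added. The function names are hypothetical, and the "enabled" banner is constructed from the quoted one by changing only the forwarding field.

```shell
#!/bin/sh
# Added example: decide from the ipfw load banner whether `fwd` rules can work.

# Sample input. BANNER_BAD is the dmesg line quoted in the thread; BANNER_OK
# is constructed from it by changing the forwarding field to "enabled".
BANNER_BAD='ipfw2 (+ipv6) initialized, divert loadable, rule-based forwarding disabled, default to accept, logging disabled'
BANNER_OK='ipfw2 (+ipv6) initialized, divert loadable, rule-based forwarding enabled, default to accept, logging disabled'

# Print the most recent ipfw banner in the text on stdin. The module can be
# unloaded and reloaded, so only the last banner describes the running code.
last_ipfw_banner() {
    grep -E '^ipfw2? .*initialized' | tail -n 1
}

# Print the value of one comma-separated banner field.
# $1 = banner line, $2 = field prefix ("rule-based forwarding", "default to").
banner_field() {
    printf '%s\n' "$1" | tr ',' '\n' |
        sed -n -e 's/^ *//' -e "s/^$2 //p" | head -n 1
}

# $1 = dmesg text. Returns 0 if fwd is usable, 1 if the module was built
# without IPFIREWALL_FORWARD, 2 if no ipfw banner is present at all.
ipfw_fwd_status() {
    banner=$(printf '%s\n' "$1" | last_ipfw_banner)
    [ -n "$banner" ] || return 2
    [ "$(banner_field "$banner" 'rule-based forwarding')" = enabled ]
}

# Human-readable verdict; on a live system call: report "$(dmesg)"
report() {
    ipfw_fwd_status "$1" && rc=0 || rc=$?
    case $rc in
        0) echo "fwd usable" ;;
        1) echo "fwd compiled out: 'ipfw add fwd' fails with Invalid argument" ;;
        *) echo "no ipfw banner found: module not loaded" ;;
    esac
}

report "$BANNER_BAD"
report "$BANNER_OK"
```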
Re: [pfSense Support] Question about pf and ipfw...
Thank you very very much!! (I forgot to mention I am developing on version 0.84...)

Thanx again!

On 10/16/05, Scott Ullrich [EMAIL PROTECTED] wrote:

> Reinstall from scratch on the latest version. Your IPFW module is wrong. It should say rule based forwarding enabled.
>
> On 10/16/05, Tommaso Di Donato [EMAIL PROTECTED] wrote:
>
> > Just a question.. I would like to ask one more thing: rule-based forwarding disabled in dmesg
> >
> >     ipfw2 (+ipv6) initialized, divert loadable, rule-based forwarding disabled, default to accept, logging disabled
> >
> > means that pfsense kernel is compiled without this option (IP-FIREWALL_FORWARD)?
> >
> > > > Maybe Scott will have an idea why IPFW isn't loading your ruleset. Other than that, waiting for the p3scan developers to fix this. BTW, if there's a finite number of pop3 servers you need to access and you know what they are, you can run multiple instances of p3scan, one for each server and redirect the individual servers to specific p3scan instances. Not elegant, but it might work in a crunch.
> > >
> > > Exactly what I did.. at least for few providers.. but it is a very very ugly solution: I am in touch with p3scan guys, but in the meanwhile I would like to fix the problem using ipfw.. I hope Scott could help me in this problem..
> > >
> > > Thank you again, very very much.
[pfSense Support] Question about pf and ipfw...
Hi!

I recently read a post about captive portal, and the related use of ipfw. If I understood well, it is possible to use at the same time pf and ipfw. Is it true? I mean, can I use ipfw for doing a particular kind of traffic redirection, even if there is another redirection done with pf (of course, not for the same traffic!! i.e. pf for ftp, ipfw for www)??

TIA
Tom