
On Thu, 29 Sep 2016 21:02:16 +0200, "O. Hartmann" <ohart...@zedat.fu-berlin.de> wrote:

> Since a couple of months now, I use IPFW on several projects. I use IPFW again after a long-term hiatus since ~2003. Before that I used pf. The reasons are manifold, and one reason is very dogmatic: it is FreeBSD's native firewall, and several performance diagrams shown on the net tell me of a significant performance benefit over pf when set up optimally. pf in FreeBSD lags behind OpenBSD's development.
> Since last year I try to set up IPFW only on all of our systems. So I do also at home and at some places where we have to use NAT via PPPoE/modem. And here the struggle begins. While most firewall setups on a router/gateway with several NICs, directly attached to the internet with one interface (the outbound interface), are fine, the same starts to be a horrible story when it comes to NAT.
> The handbook offers some simple examples, but in most cases I see the supposedly outdated external natd daemon still favoured over in-kernel NAT! This is also the case with the manpage for ipfw(8). I miss a more recent example of setting up NAT with in-kernel NAT, the caveats of one-pass and non-one-pass, and some hints on how the IP packet's header gets rewritten when being translated by NAT and reinjected into the pipeline. For me, as a non-source-code-expert and simple system administrator, it is sometimes hard to understand how IPFW works. And the problems reported do tell me that I'm not alone.
> The handbook has some examples. One of them contains a traversal of 37/TCP, timeserver. It is a long time since I saw this kind of setup; most time synchronisation methods use NTP and 123/UDP. The example also seems a bit outdated.
> Manpage firewall(7) also lacks a modern in-kernel NAT example; it still refers to natd. Also, there is a kind of anti-spoof rule shown that leaves the impression that this page is quite antique. Doesn't IPFW have an antispoof rule, or even "verrevpath" as the manpage ipfw(8) states?
> Somehow I miss some more detailed explanation of what happens with check-state, since this causes much trouble, even in combination with NAT.
> Well, as said, I'm no expert, maybe I'm simply too blunt to understand, but again, it seems I'm not alone. People switched to pf and even Apple moved from ipfw to pf. That leaves the question here: what is the status of the development of IPFW in FreeBSD? Is it maintained-only or is there development going on? Are there plans for refurbished, more up-to-date man pages and examples?
> Thanks in advance and for your patience reading my bad English.
> Oliver


Looking at firewall(7) and trying to simply follow the example, one will discover that

     add 01500 deny all from not in via fxp1
     add 01500 deny all from not in via fxp2
     add 01501 deny all from in via fxp0
     add 01501 deny all from in via fxp0

will produce a "missing to" error in recent IPFW (it is the case in my installation of CURRENT; hope it does not differ from yours).
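As an added example (not part of this thread or of firewall(7)), here are the same anti-spoof rules written with the "to" clause the parser demands, an address-independent variant using verrevpath, and a syntax check through ipfw -n that never loads anything into the kernel; the LAN prefixes behind fxp1 and fxp2 are assumed values.

```shell
# Added example, not from the thread or from firewall(7): the quoted
# anti-spoof rules with the "to" clause ipfw insists on, plus the
# reverse-path form. fxp0 is the outside interface as in the quoted
# example; the LAN prefixes behind fxp1/fxp2 are assumed values.
LAN1_NET="192.168.1.0/24"   # assumed: network behind fxp1
LAN2_NET="192.168.2.0/24"   # assumed: network behind fxp2

# Emit the corrected rules, one "ipfw add" argument list per line.
antispoof_rules() {
    # A LAN interface may only receive packets sourced from its own prefix.
    echo "add 01500 deny ip from not $LAN1_NET to any in via fxp1"
    echo "add 01500 deny ip from not $LAN2_NET to any in via fxp2"
    # The outside interface must never receive packets claiming a LAN source.
    echo "add 01501 deny ip from $LAN1_NET to any in via fxp0"
    echo "add 01501 deny ip from $LAN2_NET to any in via fxp0"
    # Address-independent alternative: drop a packet when the route back to
    # its source does not leave through the interface it arrived on.
    echo "add 01502 deny ip from any to any not verrevpath in"
}

# Count rules on stdin that lack the mandatory "from ... to ..." pair,
# which is what ipfw reports as "missing to".
count_incomplete() {
    n=0
    while read -r rule; do
        case "$rule" in
            *" from "*" to "*) ;;
            *) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Syntax-check the rules without loading them: ipfw -n parses a command
# and stops short of the kernel. Where ipfw is absent (non-FreeBSD host),
# fall back to the from/to check above.
validate() {
    if command -v ipfw >/dev/null 2>&1; then
        antispoof_rules | while read -r rule; do
            # shellcheck disable=SC2086  # word splitting is intended here
            ipfw -n $rule >/dev/null || exit 1
        done
    else
        [ "$(antispoof_rules | count_incomplete)" -eq 0 ]
    fi
}
```

Run `validate` on the router before `antispoof_rules | ipfw -q /dev/stdin`; a rule with a missing clause is reported by the dry run instead of aborting the live rule load half-way.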

freebsd-current@freebsd.org mailing list