On Thu, 29 Sep 2016 21:02:16 +0200, "O. Hartmann" <ohart...@zedat.fu-berlin.de> wrote:

> Since a couple of months now, I use IPFW on several projects. I use IPFW
> again after a long-term hiatus since ~2003. Before, I used pf. The reasons
> are manifold, and one reason is very dogmatic: it is FreeBSD's native
> firewall, and several performance diagrams shown on the net tell me a
> significant performance benefit over pf when set up optimally. pf in
> FreeBSD lags behind OpenBSD's development.
>
> Since last year I try to set up IPFW only on all of our systems. So I do
> also at home and at some places where we have to use NAT via PPPoE/modem.
> And here the struggle begins. While most setups of a firewall on a
> router/gateway with several NICs, directly attached to the internet with
> one interface (the outbound interface), are straightforward, the same
> starts to be a horrible story when it comes to NAT.
>
> The handbook offers some simple examples, but in most cases I see the
> supposedly outdated external natd daemon still in favour over in-kernel
> NAT! This is also the case with the manpage for ipfw(8). I miss a more
> recent example of setting up NAT with in-kernel NAT and the caveats of
> one-pass and non-one-pass, and some hints on how the IP packet's header
> gets rewritten when being translated by NAT and reinjected into the
> pipeline. For me, as a non-source-code-expert and simple system
> administrator, it is sometimes hard to understand how IPFW works. And the
> problems reported do tell me that I'm not alone.
>
> The handbook has some examples. One of them contains a traversal of
> 37/TCP, timeserver. It is a long time since I saw this kind of setup; most
> time synchronisation methods use NTP and 123/UDP. The example also seems a
> bit outdated.
>
> Manpage firewall(7) also lacks a modern in-kernel NAT example; it still
> refers to natd. Also, there is a kind of anti-spoof rule shown that leaves
> the impression that this page is quite antique. Doesn't IPFW have an
> antispoof rule, or even "verrevpath", as the manpage ipfw(8) states?
>
> Somehow I miss some more detailed explanations of what happens with
> check-state, since this causes much trouble, even in combination with NAT.
>
> Well, as said, I'm no expert, maybe I'm simply too blunt to understand,
> but again, it seems I'm not alone. People switched to pf, and even Apple
> moved from ipfw to pf. That leaves the question here: what is the status
> of the development of IPFW in FreeBSD? Is it maintained-only, or is there
> development going on? Are there plans for refurbished, more up-to-date man
> pages and examples?
>
> Thanks in advance and for your patience reading my bad English.
>
> Oliver

[...]

Looking at firewall(7) and trying to simply follow the example, one will
discover that the rules

    add 01500 deny all from not 10.0.1.0/24 in via fxp1
    add 01500 deny all from not 10.0.2.0/24 in via fxp2
    add 01501 deny all from 10.0.1.0/24 in via fxp0
    add 01501 deny all from 10.0.2.0/24 in via fxp0

will produce a "missing to" error in recent IPFW (it is the case in my
installation of CURRENT; hope it does not differ from yours).
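Below is an added example of my own; it is not code from the thread, from firewall(7), ipfw(8) or the FreeBSD handbook. It rewrites the firewall(7) anti-spoof rules with the "from ... to ..." body that current ipfw requires, uses the documented antispoof option in place of the 01501 rules, and wraps them in a minimal in-kernel NAT rule set for a PPPoE gateway. The interface names tun0 and fxp1 and the 10.0.1.0/24 prefix are assumptions. The script only prints the commands unless APPLY=1, and lint_rules is a small check for exactly the "missing to" shape. The caveat it encodes is the one-pass question raised above: with net.inet.ip.fw.one_pass=1 (the default) a packet that goes through a nat rule is accepted at that rule and never reaches check-state or the deny rules, so an inbound nat rule placed early acts as an allow-all for whatever it translates. ipfw(8) says to set one_pass to 0 to let packets continue after being (de)aliased, which this rule set does, and it additionally sets deny_in on the nat instance so inbound packets that match no translation are dropped by libalias itself.

```shell
#!/bin/sh
# Added example for this thread; not code from firewall(7), ipfw(8) or the
# FreeBSD handbook. Interface names and the LAN prefix are assumptions.
set -eu

EXT_IF=${EXT_IF:-tun0}           # assumed: PPPoE/modem side
INT_IF=${INT_IF:-fxp1}           # assumed: LAN side
INT_NET=${INT_NET:-10.0.1.0/24}  # assumed: LAN prefix behind NAT

# Print the commands; nothing touches the kernel unless APPLY=1 (see bottom).
ipfw_rules() {
    cat <<EOF
# in-kernel NAT lives in a module; let de-aliased packets continue past the nat rule
kldload -n ipfw_nat
sysctl net.inet.ip.fw.one_pass=0
ipfw -q -f flush
# deny_in: inbound packets with no matching translation are dropped by libalias
ipfw -q nat 1 config if $EXT_IF same_ports reset deny_in
# anti-spoof, with the "to" clause: antispoof replaces the 01501-style rules,
# the explicit rule replaces the 01500-style rule for the LAN interface
ipfw -q add 100 deny ip from any to any not antispoof in
ipfw -q add 110 deny ip from not $INT_NET to any in via $INT_IF
ipfw -q add 200 allow ip from any to any via lo0
ipfw -q add 210 allow ip from any to any via $INT_IF
# inbound: de-alias first (one_pass=0 so the packet proceeds to check-state)
ipfw -q add 300 nat 1 ip4 from any to any in via $EXT_IF
ipfw -q add 310 check-state
# outbound: create state on the private address, then jump to the nat rule
ipfw -q add 400 skipto 600 ip4 from $INT_NET to any out via $EXT_IF keep-state
# the gateway's own traffic out via $EXT_IF is not covered here; add it as needed
ipfw -q add 500 deny ip from any to any
ipfw -q add 600 nat 1 ip4 from any to any out via $EXT_IF
ipfw -q add 610 allow ip from any to any
EOF
}

# Read ipfw commands on stdin; fail on any "add" rule lacking a from/to body
# (check-state takes no body and is exempt). This is the "missing to" trap.
lint_rules() {
    bad=$(grep -E '^ipfw( -q)? add ' | grep -v 'check-state' \
          | grep -Ev ' from .+ to .+' || true)
    if [ -n "$bad" ]; then
        printf 'rule without "to" clause: %s\n' "$bad" >&2
        return 1
    fi
    return 0
}

ipfw_rules | lint_rules
if [ "${APPLY:-0}" = 1 ]; then
    ipfw_rules | sh -e
else
    ipfw_rules
fi
```

Save it as a script and run it plain to review the output, or with APPLY=1 on the gateway to load it. To check the add rules against the ipfw of the target release without loading them, prefix each with ipfw -n, which ipfw(8) documents as syntax-check only; that is what would have surfaced the missing "to" in the firewall(7) example before anything went live.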