On Thu, 29 Sep 2016 21:02:16 +0200
"O. Hartmann" <ohart...@zedat.fu-berlin.de> wrote:

> For a couple of months now, I have been using IPFW on several projects. I
> use IPFW again after a long-term hiatus since ~2003. Before that I used pf.
> The reasons are manifold, and one reason is very dogmatic - it is FreeBSD's
> native firewall, and several performance diagrams shown on the net tell me
> a significant performance benefit over pf when set up optimally. pf in
> FreeBSD lags behind OpenBSD's development.
> 
> Since last year I have been trying to set up IPFW only on all of our
> systems. So I do also at home and at some places where we have to use NAT
> via PPPoE/modem. And here the struggle begins. While most setups of a
> firewall on a router/gateway with several NICs, directly attached to the
> internet with one interface, the outbound interface, the same starts to be
> a horrible story when it comes to NAT.
> 
> The handbook offers some simple examples, but in most cases I see the
> supposedly outdated external natd daemon still favoured over in-kernel NAT!
> This is also the case with the manpage for ipfw(8). I miss a more recent
> example of setting up NAT with in-kernel NAT, the caveats of one-pass and
> non-one-pass, and some hints on how the IP packet's header gets rewritten
> when being translated by NAT and reinjected into the pipeline. For me, as a
> non-source-code-expert and simple system administrator, it is sometimes
> hard to understand how IPFW works. And the problems reported do tell me
> that I'm not alone.
> 
> The handbook has some examples. One of them contains a traversal of 37/TCP,
> timeserver. It is a long time since I saw this kind of setup; most time
> synchronisation methods use NTP and 123/UDP. The example also seems a bit
> outdated.
> 
> Manpage firewall(7) also lacks a modern in-kernel NAT example - it still
> refers to natd. Also, there is a kind of anti-spoof rule shown that leaves
> the impression that this page is quite antique. Doesn't IPFW have an
> antispoof rule, or even "verrevpath" as the manpage ipfw(8) states?
> 
> Somehow I miss some more detailed explanations of what happens with
> check-state, since this causes much trouble, even in combination with NAT.
> 
> Well, as said, I'm no expert, maybe I'm simply too blunt to understand, but
> again, it seems I'm not alone. People switched to pf and even Apple moved
> from ipfw to pf. That leaves the question here: what is the status of the
> development of IPFW in FreeBSD? Is it maintained-only or is there
> development going on? Are there plans for refurbished, more up-to-date man
> pages and examples?
> 
> Thanks in advance and for your patience in reading my bad English.
> 
> Oliver

[...]

Looking at firewall(7) and trying to simply follow the example, one will
discover that the rules

     add 01500 deny all from not 10.0.1.0/24 in via fxp1
     add 01500 deny all from not 10.0.2.0/24 in via fxp2
     add 01501 deny all from 10.0.1.0/24 in via fxp0
     add 01501 deny all from 10.0.2.0/24 in via fxp0

will produce a "missing to" error in recent IPFW (it is the case in my
installation of CURRENT; I hope it does not differ from yours).
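The script below is an added example and is not part of the thread above or of
the firewall(7) manpage. The "missing to" error comes from the current ipfw(8)
grammar, which requires both a "from <src>" and a "to <dst>" part in a rule
body; the old firewall(7) rules quoted above carry no "to" clause. The script
assumes those rules were meant to match any destination and inserts "to any"
after the source specification; the helper names (fix_rule, fix_ruleset,
check_ruleset) are hypothetical, and the optional syntax check relies on
ipfw(8)'s -n flag, which parses a command without passing it to the kernel.

```sh
#!/bin/sh
# Added example, not from the firewall(7) page or the mailing-list thread.
# Rewrites old-style ipfw rules that lack a "to" clause so that they load
# under the current ipfw(8) grammar. Assumption: the omitted destination was
# meant to be "any". Helper names below are hypothetical.

# Rewrite one rule. Rules that already carry a "to" clause pass through
# unchanged. Deliberate limitation: brace-grouped sources such as
# "from { 10.0.1.0/24 or 10.0.2.0/24 }" are not handled.
fix_rule() {
    case " $1 " in
        *" to "*)
            printf '%s\n' "$1" ;;
        *)
            printf '%s\n' "$1" | sed -E 's/(from (not )?[^ ]+)/\1 to any/' ;;
    esac
}

# Rewrite every non-empty line read from stdin.
fix_ruleset() {
    while IFS= read -r rule; do
        [ -n "$rule" ] && fix_rule "$rule"
    done
}

# Syntax-check a rewritten rule list (stdin) with "ipfw -n", which parses
# each command without touching the kernel. On a host without ipfw the
# input is drained and the check is skipped so the rest still runs.
check_ruleset() {
    if ! command -v ipfw >/dev/null 2>&1; then
        echo "ipfw not found; skipping syntax check" >&2
        cat >/dev/null
        return 0
    fi
    while IFS= read -r rule; do
        # Word splitting of $rule is intended: each word is an ipfw token.
        ipfw -n $rule || return 1
    done
}

# The four rules quoted from firewall(7) in the message above.
FIREWALL7_RULES='add 01500 deny all from not 10.0.1.0/24 in via fxp1
add 01500 deny all from not 10.0.2.0/24 in via fxp2
add 01501 deny all from 10.0.1.0/24 in via fxp0
add 01501 deny all from 10.0.2.0/24 in via fxp0'

# Print the rewritten rules, then syntax-check them where ipfw exists.
printf '%s\n' "$FIREWALL7_RULES" | fix_ruleset
printf '%s\n' "$FIREWALL7_RULES" | fix_ruleset | check_ruleset
```

On a FreeBSD host the second pipeline feeds each rewritten rule through
"ipfw -n", so a rule the parser still rejects is reported without any change
to the running ruleset; elsewhere only the rewritten text is printed.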
_______________________________________________
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current