-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Am Thu, 29 Sep 2016 21:02:16 +0200 "O. Hartmann" <ohartman_at_zedat.fu-berlin.de> schrieb: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA256 > > > Since a couple of months now, I use IPFW on several projects. I use IPFW again after a > long term hiatus since ~ 2003. Before I used pf. The reasons are mannyfold and one > reason is very dogmatic - it is the FreeBSD's native firewall and several performance > diagrams shown in the net tells me a significant performance benefit in case being > setup optimal over pf. pf in FreeBSD lacks behind the OpenBSD's development. > > Since last year I try to setup IPFW only on all of our systems. So I do also at home > and at some places, where we have to use NAT via PPPoE/modem. And here the struggle > begins. While most setups of a firewall on a router/gateway with several NICs directly > attached to the internet with on interface, the outbound interface, the same starts to > be a horrible story when it comes to NAT. > > The handbook offers some simple examples, but in most cases, I see the supposed to be > outdated external natd daemon still in favour over in-kernel NAT! This is also the > case with the manpage for ipfw(8). I miss a more recent example of setting up NAT with > in-kernel NAT and the caveats of one-pass and none-one-pass and some hints how the IP > packet's header gets rewritten when being translated by NAT and reinjected into the > pipeline. For me, as a non-source-code-expert-and-simple-system's administrator, it is > sometimes hard to understand how IPFW works. And the problems reported do tell me that > I'm not alone. > > The handbook has some examples. One of them contains a traversal of 37/TCP, timeserver. > It is a long time since I saw this kind of setup, most time synchronisation methods use > NTP and 123/UDP. The example also seems a bit outdated. > > Manpage firewall(7) lacks also of an modern in-kernel NAT example - it still referes to > the natd. Also, there is a kind of anti-spoof rule shown that leaves the impression that > this page is quite antique. Doesn't IPFW has a antispoof rule, or even "verrepath" as > the manpage ipfw(8) states? > > Somehow I miss some more detailed explanations what happens with check-state, since this > causes much trouble, even in combination with NAT. > > Well, as said, I'm no expert, maybe I'm simply too blunt to understand, but again, it > seems I'm not alone. People switched to pf and even Apple moved from ipfw to pf. That > leaves the question here: what is the status of the development of IPFW in FreeBSD? is > it maintained-only or is there development going on? Are there plans for refurbished, > more up to time man pages and examples? > > Thanks in advance and for your patience reading my bad English. > > Oliver [...] Looking at firewall(7) and trying to simply fowllow the example, one will discover that rules add 01500 deny all from not 10.0.1.0/24 in via fxp1 add 01500 deny all from not 10.0.2.0/24 in via fxp2 add 01501 deny all from 10.0.1.0/24 in via fxp0 add 01501 deny all from 10.0.2.0/24 in via fxp0 will produce a "missing to" error in recent IPFW (it is the case in my installation of CURRENT, hope it does not differ from yours) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQEcBAEBCAAGBQJX7pyyAAoJEOgBcD7A/5N8I44IAK10SPfEeSH+JGGOBeExMLUt HSP6lZHtzvprl6t2HaJzqOhl/Xu2jAKbBBjcdLcCZ5kP6qGsKvR1fySuz/0l42dO rtnQMqwuuDEIsvA8LScTkPkDK7VtCUpD8xJEQ4jnCfhtk4qoGAZAV9+JlNdr3l1d LNee2rAi9jhO5JcI3JRLLQIIOla+YMQKcMOwzLHGYfxuTFbp2qyQNSQpIFc3HilH tX3owVeJw9yNmTrC3VYOt1NwdknrolEHOG3KeWdpEtNu7UA+31dkcom+qy1JTpuN /KvkOGykVaPoUEO2CYjO2cFBB7bm3rk8UXoEr4doCVex05dl97ElP0W168dC1fk= =BSxQ -----END PGP SIGNATURE-----Received on Fri Sep 30 2016 - 15:11:27 UTC
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:41:08 UTC