pppoe, can't ping tun0, ipfnat ftp proxy "doesn't work"

jeremie le-hen le-hen_j at epita.fr
Thu Jul 31 01:21:12 PDT 2003


> > You are complicating things by running both ipfw and ipf.
> > can you not do just one of them?
> 
> I'm not sure.  The literature I've read so far says neither firewall
> does traffic shaping AND supports active FTP in a deny-by-default
> setting.  If google's to be believed, the generally accepted solution is
> to use ipfw2 for DUMMYNET and ipf/ipfnat for firewalling and active FTP
> proxying.

That's exactly what I use on my personal DSL gateway, and it just works fine.
I use the IPFilter framework for firewalling and NAT, since I found it quite
simple and efficient. Furthermore NAT is done in kernel, reducing context
switch overhead, and it is also supposed to be an application-layer firewall
for FTP, although I've never succeeded in making it work (probably due to lack
of documentation; it is still considered an experimental feature).
And, ping works, I even forward it :-) !

I use ipfw(8) for fine-grained firewalling (things I unfortunately can't do
with IPFilter, such as filtering on TCP options), and, in conjunction with
dummynet(4), traffic shaping. The latter is indeed very simple to employ and
there is no context-switch overhead since everything is done in kernel.
I know it is possible to use ALTQ with IPFilter for more precise traffic
shaping, but I've never found any documentation on it (I would be grateful
if someone could point me to it).

> The combination served me well when I was using ppp(8) to drive a serial
> modem.  Now that I've switched to ADSL and PPPoE, things seem subtly
> broken.  I blame the user (myself), but I haven't found a solution after
> beating on the problem for several days.

Could you show us your ipf(8), ipnat(8) and ipfw(8) configuration files?
Foolish note: you can see echo requests leaving your box, and even echo replies
coming back; to me, it smells like you forgot to use the "keep state" statement
in the rule which allows outgoing echo requests. But maybe I am missing
something.

Regards,
-- 
Jeremie aka TtZ/TataZ
jeremie.le-hen at epita.fr
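The split setup discussed in this thread (IPFilter for deny-by-default filtering, NAT and the FTP proxy; ipfw/dummynet only for shaping), as an added example that is not part of the original message or of either poster's configuration. Interface and address names are assumptions: tun0 is the PPPoE link, fxp0 the LAN side, 192.168.1.0/24 the LAN, and 128 Kbit/s the upstream rate. It also shows the "keep state" on the outgoing echo-request rule that the reply suspects is missing.

```conf
# ---------- /etc/ipnat.conf (loaded with: ipnat -CF -f /etc/ipnat.conf) ----------
# Assumed: tun0 = PPPoE link, 192.168.1.0/24 = LAN.  ipnat uses the first
# matching map rule, so the FTP proxy line must precede the generic ones.
# The proxy rewrites PORT/PASV payloads and opens the data connection, which
# is what lets active FTP through a NAT gateway that blocks inbound by default.
map tun0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
map tun0 192.168.1.0/24 -> 0/32 portmap tcp/udp 40000:60000
map tun0 192.168.1.0/24 -> 0/32

# ---------- /etc/ipf.conf (loaded with: ipf -Fa -f /etc/ipf.conf) ----------
# IPFilter is last-match-wins unless a rule says "quick", so every rule below
# is quick and ordered from most to least specific.
pass in  quick on lo0 all
pass out quick on lo0 all
pass in  quick on fxp0 all          # assumed LAN interface, trusted
pass out quick on fxp0 all

# Outbound on the DSL side: "keep state" creates a state-table entry so the
# matching reply (SYN-ACK, UDP answer, ICMP echo reply) is admitted without
# needing an explicit "pass in" rule.  Without it on the echo rule you would
# see requests leave and replies arrive on the wire, yet ping reports no
# answer, because the reply hits the "block in" rule below.
pass out quick on tun0 proto icmp from any to any icmp-type echo keep state
pass out quick on tun0 proto tcp  from any to any flags S keep state
pass out quick on tun0 proto udp  from any to any keep state

# Deny by default on the PPPoE link; log so misconfigurations are visible.
block in  log quick on tun0 all
block out log quick on tun0 all

# ---------- ipfw(8) / dummynet(4), e.g. from /etc/rc.firewall ----------
# ipfw does no filtering here; it only shapes upstream traffic on tun0.
# Assumed: 128 Kbit/s upstream.  With the default net.inet.ip.fw.one_pass=1
# a packet leaving the pipe is accepted, so rule 65000 only covers packets
# that never entered it (the kernel default rule 65535 is deny).
ipfw -f flush
ipfw pipe 1 config bw 128Kbit/s queue 20
ipfw add 100 pipe 1 ip from any to any out via tun0
ipfw add 65000 allow ip from any to any
```

The ordering assumption worth checking on a real box is which hook sees the packet first: if a rule is logged by IPFilter as blocked, the dummynet pipe never matters, and if ipfw's default rule fires, no IPFilter rule will help, so test each layer with the other temporarily set to pass-all before combining them.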

