[Bug 272094] pfilctl IPFW hook order not works with PF route-to
Date: Wed, 21 Jun 2023 15:36:53 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=272094

--- Comment #5 from Gleb Smirnoff <glebius@FreeBSD.org> ---

(In reply to Alfa from comment #3)

> Sorry to bother, but I am confused about the PFILCTL tool. To make it clear: what is this tool's main purpose?

To change how firewalls are hooked into the network stack. Sorry for the obvious answer :)

A more practical answer:

- Somebody may want to filter only on input, skipping any filtering on output.

- There are some drivers that provide a NIC-level hook. This allows unhooking firewalls from the default path and hooking them on the NIC only. First, these NIC-level hooks allow dropping packets at a much lower cost. Second, you can build your firewall based on interfaces, very much like Cisco or Juniper do.

- Although running a stack of firewalls (pf, ipfw, ipfilter) is not something that is supported or recommended, some people do that, and some configurations (apparently without route-to) work excellently. pfilctl allows you to reconfigure the stack.

P.S. We probably should enable interface-level hooks in general, for those drivers that don't support NIC-level hooks. That won't provide a packet drop performance gain, but it will allow designing router-style firewalls with any NICs.