packet order, ipf or ipfw

Michael DeMan michael at staff.openaccess.org
Thu Jul 29 00:45:45 PDT 2004


Hi,

We're actually planning to migrate to PF instead of IPF+IPFW to meet 
these needs.

IPFW, from what I've gathered over the past few years, is the traditional 
FreeBSD way of handling firewalls, NAT and bandwidth limiting.

We found IPFW a little complex to use, though granted it is very powerful.

We ended up needing to deliver and support a good number of 
'machines', and total cost of ownership became important, both in 
terms of automated and traditional management of deployments.

Our plan for when 5-STABLE comes out is to migrate to PF directly (yes, 
risk; yes, we're a small business), and we expect it to perform quite well 
and give us a unified and clearer way, in terms of config files, to 
manage firewall, NAT and QoS issues.

I would at least read the OpenBSD docs on PF and check them out.

Darren Reed has done a wonderful job with IPF and the latest code clean 
up is very nice as well, but PF is far superior, at least in regards to 
manageability.

- mike

On Jul 28, 2004, at 4:23 PM, Jeremie Le Hen wrote:

> Hello Charlie,
>
>> I'm running ipf because I like it ...but now I need to use ipfw's pipe
>> feature. I was thinking that I could just run both, and keep all my
>> rules in ipf, then in ipfw: limit bandwidth for a few vlans, then 
>> allow all.
>>
>> It didn't work (no rate-limiting happened).. and I'm thinking that ipf
>> is passing the packets and bypassing ipfw? Or something..
>>
>> So, what is the order, if I'm running ipf AND ipfw at the same time?
>> Will it work at all in this manner?
>
> Max Laier told you about FreeBSD 5.x, which includes PFIL_HOOKS, but
> you did not mention whether you are using -STABLE or -CURRENT.
> AFAIK, ipf takes precedence over ipfw for incoming packets on -STABLE,
> and this is of course symmetric for outgoing ones.
>
> But you should be warned that using ipnat(8) in conjunction with ipfw
> pipes may lead to incorrect behaviour:
> http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/61685
>
> Hackers, is this bug still alive in -CURRENT ?
>
> Best regards,
> -- 
> Jeremie LE HEN aka TtZ/TataZ
> jeremie.le-hen at epita.fr / ttz at epita.fr
> Hi! I'm a .signature virus! Copy me into your ~/.signature to help me spread!
Michael F. DeMan
Director of Technology
OpenAccess Network Services
Bellingham, WA 92825
michael at staff.openaccess.org
360-647-0785
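For the set-up Charlie asked about (per-VLAN bandwidth limits in ipfw with everything else allowed), the script below is an added example and not code from anyone in this thread. It generates an ipfw(8) ruleset with one dummynet pipe per VLAN interface and a trailing allow rule, printing it as a dry run or loading it through ipfw's command-file mode. The interface names (vlan10, vlan20, vlan30) and rates are made-up assumptions; adjust them for the real VLANs.

```shell
#!/bin/sh
# Added example (not from the original thread): build an ipfw ruleset that
# rate-limits a few VLAN interfaces with dummynet pipes and then allows
# everything else.  Interface names and rates are constructed sample data.
#
# Usage: ./ipfw-pipes.sh          print the rules (dry run, safe anywhere)
#        ./ipfw-pipes.sh apply    load them with ipfw(8); needs root on FreeBSD

# "interface rate" pairs, one per line (assumed values, not real VLANs).
VLAN_LIMITS="vlan10 2Mbit/s
vlan20 5Mbit/s
vlan30 512Kbit/s"

# Emit ipfw commands (without the leading "ipfw", so the output can be fed
# to "ipfw <file>").  Pipe N and rule N*100 are derived from the line
# position, so the ruleset is stable across runs.
gen_ipfw_rules() {
    n=0
    printf '%s\n' "$VLAN_LIMITS" | while read -r iface rate; do
        [ -n "$iface" ] || continue
        n=$((n + 1))
        # One pipe per VLAN with its own bandwidth cap.
        echo "pipe $n config bw $rate"
        # Queue traffic seen on that interface in either direction.
        echo "add $((n * 100)) pipe $n ip from any to any via $iface"
    done
    # Anything that did not hit a pipe is accepted.  Without this line the
    # implicit default rule 65535 would deny it once ipfw is loaded.
    # Note: with sysctl net.inet.ip.fw.one_pass=1 (the default) a packet
    # leaving a pipe is accepted immediately and never reaches this rule;
    # set one_pass=0 if later rules should also see pipe traffic.
    echo "add 65000 allow ip from any to any"
}

# Write the rules to a temp file and load them with ipfw(8), which reads a
# command file when given a pathname.  -q suppresses output, -f skips the
# confirmation prompt on flush.
apply_ipfw_rules() {
    tmp=$(mktemp) || return 1
    gen_ipfw_rules > "$tmp"
    ipfw -q -f flush && ipfw -q -f pipe flush && ipfw -q "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

case "$1" in
    apply) apply_ipfw_rules ;;
    *)     gen_ipfw_rules ;;
esac
```

Run it without arguments first and check that the pipe rules are numbered below the final allow rule; the order matters because ipfw stops at the first matching terminal rule.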