Compiling PF and IPFW in the same kernel

Andrey Simonenko simon at comsys.ntu-kpi.kiev.ua
Wed Oct 27 01:37:21 PDT 2004


On Tue, 26 Oct 2004 22:46:53 +0100 in lucky.freebsd.questions, Alexandre Vieira wrote:

> Anyone knows if there is any problem in compiling ipfw and pf in the
> same kernel?
> Which one will be turned off by default? Or will they both be turned on?
> Will the default rule for PF be allow all?
> 

They both will work.

Just test it: let ipfw rules and pf rules log information about
packets they catch and check which of them gets a packet first.

According to the netinet/ip_input.c:ip_input and ip_output.c:ip_output
functions in 5.2.1, PFIL_HOOKed firewalls are called first, then ipfw is
called; in CURRENT it seems that all firewalls will use PFIL_HOOK.

In 5.x, see the net/pfil.c:pfil_list_add function; its last several
lines, which add a firewall hook to the incoming or the outgoing list,
will explain which of the PFIL_HOOKed firewalls will be called first
for the incoming and outgoing directions.
