For a couple of months now I have been using IPFW on several projects. I am using IPFW again after a long hiatus since about 2003; before that I used pf. The reasons are manifold, and one of them is rather dogmatic: it is FreeBSD's native firewall, and several performance diagrams published on the net show a significant performance benefit over pf when it is set up optimally. pf in FreeBSD lags behind OpenBSD's development.

Since last year I have been trying to set up IPFW exclusively on all of our systems, including at home and at some places where we have to use NAT via PPPoE/modem. And here the struggle begins. Setting up a firewall on a router/gateway with several NICs, with one interface, the outbound one, directly attached to the internet, is one thing; the same setup turns into a horrible story when NAT comes into play.

The handbook offers some simple examples, but in most cases I see the supposedly outdated external natd daemon still favoured over in-kernel NAT! This is also the case with the manpage for ipfw(8). I miss a more recent example of setting up NAT with in-kernel NAT, the caveats of one_pass versus non-one_pass, and some hints on how the IP packet's header gets rewritten when it is translated by NAT and reinjected into the pipeline. For me, as a non-source-code-expert and simple systems administrator, it is sometimes hard to understand how IPFW works. And the problems reported tell me that I'm not alone.

The handbook has some examples. One of them lets 37/TCP, the timeserver, pass through. It is a long time since I saw this kind of setup; most time synchronisation methods use NTP on 123/UDP. The example also seems a bit outdated.

The manpage firewall(7) also lacks a modern in-kernel NAT example; it still refers to natd. Also, there is a kind of anti-spoof rule shown that leaves the impression that this page is quite antique. Doesn't IPFW have an antispoof rule, or even "verrevpath", as the manpage ipfw(8) states?

Somehow I miss a more detailed explanation of what happens with check-state, since this causes a lot of trouble, even in combination with NAT.

Well, as said, I'm no expert; maybe I'm simply too dense to understand, but again, it seems I'm not alone. People switched to pf, and even Apple moved from ipfw to pf. That leaves the question: what is the status of IPFW development in FreeBSD? Is it maintenance-only, or is there active development going on? Are there plans for refurbished, more up-to-date man pages and examples?

Thanks in advance, and for your patience in reading my bad English.

Oliver
_______________________________________________
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
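An added example to go with the questions raised in the mail above (it is not part of Oliver's message and is not taken from the handbook or ipfw(8)): an IPFW in-kernel NAT ruleset for a PPPoE gateway that shows where the nat rule has to sit relative to keep-state and check-state, why one_pass must be disabled for that ordering to work, and how the antispoof and verrevpath options replace a hand-written anti-spoof rule. The interface names (tun0 for PPPoE, em0 for the LAN) and the LAN prefix are assumptions; the script only prints the ipfw commands unless IPFW_APPLY=1 is set, so it can be reviewed on any machine.

```shell
#!/bin/sh
# Added example, not from the original mail, the FreeBSD handbook or ipfw(8):
# an IPFW in-kernel NAT ruleset for a PPPoE gateway showing where NAT sits
# relative to keep-state/check-state, what one_pass changes, and the
# antispoof/verrevpath options.
#
# Assumed (hypothetical) topology: PPPoE on tun0 with a dynamic address, LAN on
# em0 = 192.168.1.0/24. By default the script only prints the ipfw commands so
# it can be reviewed anywhere; run it with IPFW_APPLY=1 as root on the FreeBSD
# gateway to execute them.

EXT="${EXT:-tun0}"
LAN_IF="${LAN_IF:-em0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Dry-run wrapper: print the command unless IPFW_APPLY=1.
fw() {
    if [ "${IPFW_APPLY:-0}" = 1 ]; then
        ipfw "$@"
    else
        printf 'ipfw %s\n' "$*"
    fi
}

nat_ruleset() {
    fw -q -f flush

    # With one_pass=1 (the default) a packet leaves the firewall as soon as it
    # has passed a nat/pipe/queue rule, so nothing after rule 100 would ever
    # see the translated packet and replies could never reach check-state.
    fw disable one_pass

    # NAT instance 1 bound to the PPPoE interface: 'if' follows its changing
    # address, 'reset' flushes the translation table on an address change,
    # 'unreg_only' translates only RFC 1918 sources (the gateway's own traffic
    # is left alone), 'same_ports' keeps source ports where possible.
    fw nat 1 config if "$EXT" same_ports unreg_only reset

    fw add 10 allow ip from any to any via lo0
    # Drop inbound packets whose source claims a directly connected subnet but
    # arrived on the wrong interface (antispoof), and packets on the external
    # interface whose source is not routed back out through it (verrevpath).
    fw add 20 deny log ip from any to any not antispoof in
    fw add 30 deny log ip from any to any not verrevpath in via "$EXT"
    fw add 40 allow ip from any to any via "$LAN_IF"

    # INBOUND on the external interface: translate first, so the packet carries
    # its LAN destination again; a packet with no translation entry passes
    # through unchanged (no 'deny_in') and ends at the default deny below.
    fw add 100 nat 1 ip from any to any in via "$EXT"
    # Only then consult the dynamic rules: state is created below on the
    # untranslated (LAN-addressed) packet, so it can only match post-NAT here.
    fw add 110 check-state

    # OUTBOUND from the LAN: create state on the untranslated packet, then jump
    # to the NAT rule. When a reply matches at 110, the parent rule's action
    # (skipto 1000) is executed; rule 1000 is 'out' only, so the reply falls
    # through to the allow at 1010.
    fw add 200 skipto 1000 tcp from "$LAN_NET" to any out via "$EXT" setup keep-state
    fw add 210 skipto 1000 udp from "$LAN_NET" to any out via "$EXT" keep-state
    fw add 220 skipto 1000 icmp from "$LAN_NET" to any out via "$EXT" keep-state
    # The gateway's own traffic: not translated (unreg_only), just stateful.
    fw add 230 allow tcp from me to any out via "$EXT" setup keep-state
    fw add 240 allow udp from me to any out via "$EXT" keep-state
    fw add 250 allow icmp from me to any out via "$EXT" keep-state

    # Everything unsolicited is logged and dropped.
    fw add 900 deny log ip from any to any

    # skipto target of the stateful outbound rules: translate, then accept.
    fw add 1000 nat 1 ip from any to any out via "$EXT"
    fw add 1010 allow ip from any to any out via "$EXT"
}

nat_ruleset
```

The ordering is the whole point. Outbound state is recorded before translation, so the dynamic rule holds the LAN address; an inbound reply must therefore be translated back (rule 100) before check-state (rule 110) can match it, and that second step only happens because one_pass is disabled. The skipto keeps the nat rule out of the inbound path: a reply that matches state re-executes its parent's skipto, lands on an out-only nat rule it cannot match, and is accepted at 1010.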