Hi,
We're actually planning to migrate to PF instead of IPF+IPFW to meet these needs.
IPFW from what I've gathered over the past few years is the traditional FreeBSD way of handling firewalls, nat and bandwidth limiting.
We found IPFW a little complex to use, granted it is very powerful.
We ended up needing to deliver and support a good number of 'machines', and total cost of ownership became important, both in terms of automated and traditional management of deployments.
Our plan for when 5-STABLE comes out is to migrate to PF directly (yes, risk, yes we're a small business) and expect it to perform quite well and give us a unified and clearer way in terms of config-files to manage firewall, NAT and QoS issues.
I would at least read the OpenBSD docs on PF and check them out.
Darren Reed has done a wonderful job with IPF and the latest code clean up is very nice as well, but PF is far superior, at least in regards to manageability.
- mike
On Jul 28, 2004, at 4:23 PM, Jeremie Le Hen wrote:
Hello Charlie,
I'm running ipf because I like it ...but now I need to use ipfw's pipe
feature. I was thinking that I could just run both, and keep all my
rules in ipf, then in ipfw: limit bandwidth for a few vlans, then allow all.
It didn't work (no rate-limiting happened)... and I'm thinking that ipf is passing the packets and bypassing ipfw? Or something.
So, what is the order, if I'm running ipf AND ipfw at the same time? Will it work at all in this manner?
Max Laier told you about FreeBSD 5.x, which includes PFIL_HOOKS, but you did not mention whether you are using -STABLE or -CURRENT. AFAIK, ipf takes precedence over ipfw for incoming packets on -STABLE, and this is of course symmetric for outgoing ones.
But you should be warned that using ipnat(8) in conjunction with ipfw pipes may lead to incorrect behaviour: http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/61685
Hackers, is this bug still alive in -CURRENT ?
Best regards,
--
Jeremie LE HEN aka TtZ/TataZ [EMAIL PROTECTED]
[EMAIL PROTECTED]
Hi! I'm a .signature virus! Copy me into your ~/.signature to help me spread!
_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Michael F. DeMan
Director of Technology
OpenAccess Network Services
Bellingham, WA 92825
[EMAIL PROTECTED]
360-647-0785
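As an added example (it is not code from this thread or from any of its participants), here is a small POSIX shell script that lays both set-ups side by side: the ipfw/dummynet pipe arrangement Charlie describes (cap a few VLANs, then allow everything) and a pf.conf that carries firewall, NAT and queueing in one file, as Mike plans to. The interface names (vlan10, vlan20, fxp0), the 2 Mbit/s cap, the 10 Mb uplink figure and the 10.0.0.0/8 NAT range are all assumptions. The generator functions only emit text, so the script runs anywhere; the one helper that touches the system refuses to run unless ipfw is installed, and needs root on a box whose kernel has the firewall and dummynet in it.

```shell
#!/bin/sh
# Added example, not from the thread.  Two ways to cap the bandwidth of a
# few VLANs on a FreeBSD router and let everything else through.
#
# Assumptions (nothing in the thread states them): the VLAN interfaces
# are vlan10 and vlan20, the uplink is fxp0, the cap is 2 Mbit/s per VLAN
# and the inside networks are in 10.0.0.0/8.  ipfw_rules and pf_conf only
# emit text; apply_ipfw_rules is the only thing that changes the system.

VLANS="vlan10 vlan20"
EXT_IF="fxp0"
PIPE_BW="2Mbit/s"      # spelling ipfw's 'pipe N config bw' accepts
QUEUE_BW="2Mb"         # spelling pf.conf's 'queue ... bandwidth' accepts

# ipfw(8) with dummynet: one pipe per VLAN.  'via' matches packets that
# enter *or* leave on that interface, so both directions of a VLAN's
# traffic share its pipe.  The last rule allows everything else.
# Needs a kernel with options IPFIREWALL and DUMMYNET (or the modules).
ipfw_rules() {
    n=100   # first rule number; step 10 leaves room for later inserts
    p=1     # first pipe number
    echo "-f flush"
    echo "-f pipe flush"
    for v in $VLANS; do
        echo "pipe $p config bw $PIPE_BW"
        echo "add $n pipe $p ip from any to any via $v"
        n=$((n + 10))
        p=$((p + 1))
    done
    echo "add 65000 allow ip from any to any"
}

apply_ipfw_rules() {
    command -v ipfw >/dev/null 2>&1 || { echo "ipfw not installed" >&2; return 1; }
    # Caveat: with the default net.inet.ip.fw.one_pass=1 a packet that
    # has gone through a pipe is accepted as it leaves dummynet and the
    # remaining rules are not consulted; set it to 0 if you want them
    # to be (e.g. a deny rule placed after the pipe rule).
    ipfw_rules | while read -r line; do
        # shellcheck disable=SC2086   (word splitting is intended)
        ipfw -q $line || { echo "ipfw failed on: $line" >&2; exit 1; }
    done
}

# pf.conf(5): firewall, NAT and queueing in one file.  ALTQ only shapes
# traffic *leaving* the interface it is declared on, so with the queues
# on the uplink this caps what the VLANs send upstream; to cap what they
# receive, declare a second altq block on each VLAN interface as well.
# Needs a kernel with options ALTQ and ALTQ_CBQ.  The 10Mb figure is the
# uplink's real speed and is an assumption here.
pf_conf() {
    cat <<EOF
ext_if = "$EXT_IF"
vlans  = "{ $VLANS }"

altq on \$ext_if cbq bandwidth 10Mb queue { std_q, vlan_q }
queue std_q  bandwidth 8Mb cbq(default)
queue vlan_q bandwidth $QUEUE_BW

nat on \$ext_if from 10.0.0.0/8 to any -> (\$ext_if)

pass in  quick on \$vlans all keep state queue vlan_q
pass in  all keep state
pass out all keep state
EOF
}

case "${1:-show}" in
    show)  ipfw_rules; echo; pf_conf ;;
    apply) apply_ipfw_rules ;;
    *)     echo "usage: $0 [show|apply]" >&2; exit 2 ;;
esac
```

Run it with no argument to see both rule sets; `pf_conf > /etc/pf.conf` followed by `pfctl -nf /etc/pf.conf` checks the pf side without loading it, and `apply` pushes the ipfw side. The ipfw version shapes both directions through one pipe per VLAN because `via` matches either way; the pf version, as written, only shapes what leaves the uplink, which is the difference a practitioner usually notices first when moving from dummynet to ALTQ.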