From owner-freebsd-net@FreeBSD.ORG Thu Jul 31 01:21:12 2003
Date: Thu, 31 Jul 2003 10:21:03 +0200
From: jeremie le-hen <le-hen_j@epita.fr>
To: Rocco Caputo
cc: freebsd-net@freebsd.org
Subject: Re: pppoe, can't ping tun0, ipfnat ftp proxy "doesn't work"
Message-ID: <20030731082103.GA17861@carpediem.epita.fr>
References: <20030730191530.GD36116@eyrie.homenet> <20030730213229.GA37634@eyrie.homenet>
In-Reply-To: <20030730213229.GA37634@eyrie.homenet>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.4i
List-Id: Networking and TCP/IP with FreeBSD

> > You are complicating things by running both ipfw and ipf.
> > can you not do just one of them?
>
> I'm not sure. The literature I've read so far says neither firewall
> does traffic shaping AND supports active FTP in a deny-by-default
> setting. If google's to be believed, the generally accepted solution is
> to use ipfw2 for DUMMYNET and ipf/ipfnat for firewalling and active FTP
> proxying.

That's exactly what I use on my personal DSL gateway, and it just works
fine. I use the IPFilter framework for firewalling and NAT, since I found
it quite simple and efficient. Furthermore NAT is done in kernel, reducing
context switch overhead, and it is also supposed to be an application-layer
firewall for FTP, although I've never succeeded in making it work (probably
due to lack of documentation; it is still considered an experimental
feature). And ping works, I even forward it :-) !

I use ipfw(8) for fine-grained firewalling (things I unfortunately can't do
with IPFilter, such as filtering on TCP options), and, in conjunction with
dummynet(4), traffic shaping. The latter is indeed very simple to employ
and there is no context switch overhead since everything is done in kernel.
I know it is possible to use ALTQ with IPFilter for more precise traffic
shaping, but I've never found any documentation on it (I would be grateful
if someone could point me to some).

> The combination served me well when I was using ppp(8) to drive a serial
> modem. Now that I've switched to ADSL and PPPoE, things seem subtly
> broken. I blame the user (myself), but I haven't found a solution after
> beating on the problem for several days.

Could you show us your ipf(8), ipnat(8) and ipfw(8) configuration files?

Foolish note: you can see echo requests leaving your box, and even echo
replies coming back; to me, it smells like you forgot to use the "keep
state" statement in the rule which allows outgoing echo requests. But maybe
I am missing something.

Regards,
--
Jeremie aka TtZ/TataZ
jeremie.le-hen@epita.fr
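The "keep state" point from the reply above, shown as a minimal deny-by-default ipf.rules for the PPPoE interface tun0. This is an added illustration, not a configuration from the thread or from Jeremie's gateway; tun0 comes from the thread, everything else is constructed.

```ipf
# /etc/ipf.rules (constructed example). Load with: ipf -Fa -f /etc/ipf.rules
# IPFilter semantics: the last matching rule wins unless a rule says
# "quick", and the state table is consulted before any rule is scanned.

# Default policy on the PPPoE link: no "quick", so these only catch what
# no later pass rule claimed.
block in log on tun0 all
block out on tun0 all

# Loopback is never filtered.
pass in quick on lo0 all
pass out quick on lo0 all

# Weak rule (left commented out): the echo request leaves tun0 and the
# echo reply can be seen arriving on tun0, but with no state entry the
# reply falls through to "block in" above, so ping looks broken.
#pass out quick on tun0 proto icmp from any to any icmp-type echo

# Corrected rule: "keep state" records each outbound echo request and
# lets the matching echo reply back in via the state table.
pass out quick on tun0 proto icmp from any to any icmp-type echo keep state

# Same principle for TCP (only a SYN may open state) and UDP.
pass out quick on tun0 proto tcp from any to any flags S keep state
pass out quick on tun0 proto udp from any to any keep state

# Check: after a ping, "ipfstat -sl" should list an ICMP state entry for
# tun0; "ipfstat -io" shows the loaded rule set.
```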