Date: Fri, 1 Aug 2014 14:14:36 +0100
From: krad <kraduk@gmail.com>
To: Dan Busarow <dan@buildingonline.com>
Cc: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: Future of pf / firewall in FreeBSD ? - does it have one ?
Message-ID: <CALfReydsjStmyeEsJjZMdNokdD%2B=g0gtPg8esKzf40UMnXARag@mail.gmail.com>
In-Reply-To: <53DB9017.3000304@buildingonline.com>
References: <53C706C9.6090506@com.jkkn.dk> <6326AB9D-C19A-434B-9681-380486C037E2@lastsummer.de> <53CB4736.90809@bluerosetech.com> <201407200939020335.0017641F@smtp.24cl.home> <788274E2-7D66-45D9-89F6-81E8C2615D14@lastsummer.de> <201407201230590265.00B479C4@smtp.24cl.home> <20140729103512.GC89995@FreeBSD.org> <53DA304E.6020105@herveybayaustralia.com.au> <20140731134147.GH2402@glebius.int.ru> <CALfReyerXQm6ehhtKXcJ9XD5fr=0LBShtD8EAUjd9p07xcQvjw@mail.gmail.com> <53DB9017.3000304@buildingonline.com>

That was never the problem; it was always tricky building stateful rulesets
with NAT. From what I remember it was due to the state table getting parsed
too early, i.e. before the natting rule, if your ruleset wasn't 100% pukka. It
caught out quite a few people I knew. It was over 12 years ago though, so
my memory is hazy on it, but as soon as I tried pf I found it much easier, so
didn't look back.

On 1 August 2014 14:03, Dan Busarow <dan@buildingonline.com> wrote:

> On 8/1/14, 1:39 AM, krad wrote:
>
>> I always found natting in ipfw rather awkward and harder than in pf.
>> Looking at the man page it doesn't seem to have changed. I should probably
>> give it another go though as it has been about 10 years now
>
> Couldn't be much easier than the way it works now
>
> e.g.
>
> firewall_enable="YES"
> firewall_type="OPEN"
> natd_enable="YES"
> natd_interface="em0"
> natd_flags="-s -m -u"
>
> All of the builtin rulesets know about NAT
>
> My home network has two internal nets each with its own wifi AP and the
> above handles it.
>
> natd_interface is your outside facing interface.
>
> Dan
>
>> On 31 July 2014 14:41, Gleb Smirnoff <glebius@freebsd.org> wrote:
>>
>>> On Thu, Jul 31, 2014 at 10:02:22PM +1000, Da Rock wrote:
>>> D> Without diminishing your efforts so far, what do you think about
>>> D> pitching all efforts into IPFW to combine effort and reduce overhead of
>>> D> maintaining separate firewalls in the core? Is there an advantage to
>>> D> having our own pf?
>>>
>>> Is there any disadvantage keeping it? It is a plugin. It is optional
>>> and loadable. I removed most additions to the network stack that live
>>> outside netpfil/pf.
>>>
>>> Some people like it and use it.
>>>
>>> It is also the only tool to configure ALTQ now.
>>>
>>> --
>>> Totus tuus, Glebius.
>>> _______________________________________________
>>> freebsd-questions@freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"