Date: Wed, 27 Oct 2004 11:36:49 +0300 (EEST) From: Andrey Simonenko <simon@comsys.ntu-kpi.kiev.ua> To: Alexandre Vieira <nullpt@gmail.com> Cc: freebsd-questions@freebsd.org Subject: Re: Compiling PF and IPFW in the same kernel Message-ID: <20041027083649.6BA201AA@pm514-9.comsys.ntu-kpi.kiev.ua> In-Reply-To: <1098840186.00159164.1098827401@10.7.7.3>
On Tue, 26 Oct 2004 22:46:53 +0100 in lucky.freebsd.questions, Alexandre Vieira wrote:
> Anyone knows if there is any problem in compiling ipfw and pf in the
> same kernel?
> Which one will be turned off by default? Or will they both be turned on?
> Will the default rule for PF be allow all?

They both will work. Just test it: let ipfw rules and pf rules log information about the packets they catch and check which of them gets a packet first.

According to the netinet/ip_input.c:ip_input function and the ip_output.c:ip_output function in 5.2.1, the PFIL_HOOKed firewalls are called first, then ipfw is called; in CURRENT it seems that all firewalls will use PFIL_HOOK.

In 5.x, see the net/pfil.c:pfil_list_add function; its last several lines, which add a firewall hook to the incoming or the outgoing list, will explain which of the PFIL_HOOKed firewalls will be called first for the incoming and outgoing directions.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20041027083649.6BA201AA>