From owner-freebsd-stable Fri Jan 31 18:25: 5 2003
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 17AD437B401
	for ; Fri, 31 Jan 2003 18:25:03 -0800 (PST)
Received: from pc3-cove2-3-cust146.brhm.cable.ntl.com (pc3-cove2-3-cust146.brhm.cable.ntl.com [80.4.75.146])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 924C343F3F
	for ; Fri, 31 Jan 2003 18:25:01 -0800 (PST)
	(envelope-from ianjhart@ntlworld.com)
Received: from alpha.private.lan (alpha.private.lan [192.168.0.2])
	by pc3-cove2-3-cust146.brhm.cable.ntl.com (8.12.6/8.12.6) with ESMTP id h112OwuU021739;
	Sat, 1 Feb 2003 02:24:59 GMT
	(envelope-from ianjhart@ntlworld.com)
From: ian j hart
To: Andrew Thompson , stable@FreeBSD.ORG
Subject: Re: IPF & IPFW
Date: Sat, 1 Feb 2003 02:24:58 +0000
User-Agent: KMail/1.5
References: <20030131222558.61732.qmail@web14105.mail.yahoo.com> <20030201011921.GE30498@blossom.cjclark.org> <3E3B2511.6090009@fud.org.nz>
In-Reply-To: <3E3B2511.6090009@fud.org.nz>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200302010224.58228.ianjhart@ntlworld.com>
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Saturday 01 February 2003 1:38 am, Andrew Thompson wrote:
> Crist J. Clark wrote:
> >On Fri, Jan 31, 2003 at 11:17:10PM +0000, ian j hart wrote:
> >>On Friday 31 January 2003 10:25 pm, Claus Guttesen wrote:
> >>
> >>
> >>Thank you for the info. I guess it's OK that I forward
> >>this info to the maintainer of the above mentioned
> >>FAQ.
> >>
> >>regards
> >>Claus
> >>
> >>
> >>Do you have problems with your home computer? Get help from Yahoo!'s PC support
> >> at http://dk.shopping.yahoo.com/pcsupport/index.html
> >>
> >>
> >>OTOH if you only need ipnat and not ipfilter you can do this...
> >>
> >>Don't compile in ipf. Turn on ipnat in rc.conf; it will run after all the
> >> ipfw rules.
> >>
> >>I use this to "fix-up" packet source addresses.
> >>
> >>e.g. (warning from memory)
> >>map rl0 from /32 to any port 25 -> /32
> >>
> >>So outgoing email traffic appears to come from the alias IP.
> >>[Don't ask, you don't want to know].
> >
> >ipf(8) and ipnat(8) are the userland commands to interface with the
> >same code in the kernel. You can't separate them. If you define
> >IPFILTER in your kernel configuration, you get both, even if you only
> >use one. If you load ipf.ko, you get both, even if you use only one.
> >ipnat(8) occurs before ipfw(8) for incoming and after ipfw(8) for
> >outgoing whether or not you are using ipf(8) rules.
> >
> >Packets get passed to "IPFilter-in-the-kernel" (the kernel code that
> >both ipf(8) and ipnat(8) talk to) one place in ip_input.c and once in
> >ip_output.c. The only way to change that is modify the code in those
> >two. (Well, you might be able to do something with tunnels to get the
> >effects, but it's still true for each step of the tunnel(s).)
>
> Thanks everyone for your help,
>
> The bit I was having trouble with was doing two transparent proxies
> depending if the user had logged in or not, one to squid, the other to a
> static page telling them to log in. I have actually reworked my ipfw
> rules so I don't need ipf anymore and it's all working. :)
>
> This thread can be dropped unless you all want to discuss the ordering
> more.

IMHO Crist is right. Who's arguing?

Your original query was not specific enough.

=
I am writing an app to do pre-pay internet and am using a combination of ipf
and ipfw. I stupidly assumed that ipfw ran before ipf; of course it's the other
way around. This has put a hurdle in my design. Is there an easy way to change
the order of the two? Or do I need to redesign :(
=

All I was pointing out is a "loophole". If source address munging is what you
wanted, I'd have been right :))

-- 
ian j hart

Quoth the raven, bite me!
Salem Saberhagen (Episode LXXXI: The Phantom Menace)

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
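The ordering Crist describes (ipnat before ipfw on input, ipfw before ipnat on output) is what broke Andrew's original design and what makes ian's source-address "fix-up" work. The following toy model is an added illustration, not code from the thread, FreeBSD or IPFilter: it implements first-match ipfw rules and ipnat `rdr`/`map` rules over constructed packets and runs them through both orders. The interface names `lan0`/`wan0`, the 192.168.0.0/24, 203.0.113.0/24 and 198.51.100.0/24 addresses, and the squid port 3128 are all constructed for the example; the helper names (`process`, `Rdr`, `Map`, `FwRule`) are the example's own.

```python
"""Model of the FreeBSD 4.x packet path as stated in the thread:
ipnat runs before ipfw on input and after ipfw on output.
All rules, interfaces and addresses below are constructed for illustration."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Packet:
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def _in_net(addr: str, cidr: str) -> bool:
    return ip_address(addr) in ip_network(cidr, strict=False)


# ipnat rules: rdr rewrites the destination on input (transparent redirect),
# map rewrites the source on output (alias / masquerade).
@dataclass
class Rdr:
    iface: str; dst: str; dport: int; new_dst: str; new_dport: int


@dataclass
class Map:
    iface: str; src: str; new_src: str; dport: Optional[int] = None


def ipnat_in(pkt: Packet, rules):
    for r in rules:
        if isinstance(r, Rdr) and r.iface == pkt.iface \
                and _in_net(pkt.dst, r.dst) and pkt.dport == r.dport:
            return replace(pkt, dst=r.new_dst, dport=r.new_dport), r
    return pkt, None


def ipnat_out(pkt: Packet, rules):
    for r in rules:
        if isinstance(r, Map) and r.iface == pkt.iface and _in_net(pkt.src, r.src) \
                and (r.dport is None or r.dport == pkt.dport):
            return replace(pkt, src=r.new_src), r
    return pkt, None


# ipfw rules: first match wins; an implicit deny sits at the end of the chain.
@dataclass
class FwRule:
    number: int; action: str; proto: str; src: str; dst: str
    dport: Optional[int]; direction: str  # "in", "out" or "any"


def ipfw(pkt: Packet, rules, direction: str):
    for r in rules:
        if r.direction not in ("any", direction) or r.proto not in ("ip", pkt.proto):
            continue
        if not (_in_net(pkt.src, r.src) and _in_net(pkt.dst, r.dst)):
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        return r.action, r.number
    return "deny", 65535


def process(pkt, direction, nat_rules, fw_rules, ipnat_first_on_input=True):
    """Return (final packet, ipfw action, matched ipfw rule, ipnat rule used).
    ipnat_first_on_input=True is the real kernel order; False is the order
    Andrew originally assumed, kept only to show the difference."""
    if direction == "in":
        if ipnat_first_on_input:
            pkt, nat = ipnat_in(pkt, nat_rules)       # ipnat first ...
            action, num = ipfw(pkt, fw_rules, "in")   # ... ipfw sees the rewritten packet
        else:
            action, num = ipfw(pkt, fw_rules, "in")
            pkt, nat = ipnat_in(pkt, nat_rules) if action != "deny" else (pkt, None)
    else:
        action, num = ipfw(pkt, fw_rules, "out")      # ipfw first, untranslated source ...
        pkt, nat = ipnat_out(pkt, nat_rules) if action != "deny" else (pkt, None)  # ... then ipnat
    return pkt, action, num, nat


# Constructed rule sets: a transparent squid redirect on the LAN side and an
# alias-source map for outgoing mail on the WAN side (the shape of ian's rule).
NAT_RULES = [Rdr("lan0", "0.0.0.0/0", 80, "127.0.0.1", 3128),
             Map("wan0", "192.168.0.2/32", "203.0.113.5", dport=25)]
FW_RULES = [FwRule(100, "deny", "tcp", "192.168.0.0/24", "0.0.0.0/0", 80, "in"),   # "block web until login"
            FwRule(110, "allow", "tcp", "192.168.0.0/24", "127.0.0.1/32", 3128, "in"),
            FwRule(200, "allow", "tcp", "192.168.0.2/32", "0.0.0.0/0", 25, "out"),
            FwRule(300, "deny", "ip", "0.0.0.0/0", "0.0.0.0/0", None, "any")]


def web_request_from_lan(ipnat_first=True):
    # Inbound on lan0: with the real order, rule 100 never sees port 80 because
    # ipnat has already rewritten the destination to 127.0.0.1:3128.
    p = Packet("lan0", "tcp", "192.168.0.10", 40000, "198.51.100.7", 80)
    return process(p, "in", NAT_RULES, FW_RULES, ipnat_first_on_input=ipnat_first)


def mail_from_alpha():
    # Outbound on wan0: ipfw matches on the internal source, then ipnat
    # rewrites it so the mail appears to come from the alias address.
    p = Packet("wan0", "tcp", "192.168.0.2", 50000, "198.51.100.25", 25)
    return process(p, "out", NAT_RULES, FW_RULES)


if __name__ == "__main__":
    print("kernel order :", web_request_from_lan())
    print("assumed order:", web_request_from_lan(ipnat_first=False))
    print("outgoing mail:", mail_from_alpha())
```

Running it shows the two consequences the thread spells out: an ipfw rule written against the pre-NAT destination port (rule 100) is dead code once ipnat's `rdr` runs first, so a "deny until logged in" rule has to be expressed against what ipfw actually sees (here 127.0.0.1:3128) or done entirely in ipfw with `fwd`; while on output the filter decision is taken on the untranslated source, so the `map` rewrite cannot bypass an ipfw rule that matched the internal host.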