Date: Thu, 29 Jul 2004 00:45:55 -0700
From: Michael DeMan <michael@staff.openaccess.org>
To: Jeremie Le Hen <jeremie.le-hen@epita.fr>
Cc: Charlie Schluting <charlie@schluting.com>
Subject: Re: packet order, ipf or ipfw
Message-ID: <52E06F6C-E133-11D8-A60F-000A95CE3376@staff.openaccess.org>
In-Reply-To: <20040728232352.GB8838@tuileries.epita.fr>
References: <41081955.5090204@schluting.com> <20040728232352.GB8838@tuileries.epita.fr>
Hi,

We're actually planning to migrate to PF instead of IPF+IPFW to meet these needs.

IPFW, from what I've gathered over the past few years, is the traditional FreeBSD way of handling firewalls, NAT and bandwidth limiting. We found IPFW a little complex to use, granted very powerful. We ended up needing to deliver and support a good number of 'machines', and total cost of ownership became important, both in terms of automated and traditional management of deployments.

Our plan for when 5-STABLE comes out is to migrate to PF directly (yes, risk; yes, we're a small business) and we expect it to perform quite well and give us a unified and clearer way, in terms of config files, to manage firewall, NAT and QoS issues.

I would at least read the OpenBSD docs on PF and check them out. Darren Reed has done a wonderful job with IPF and the latest code clean-up is very nice as well, but PF is far superior, at least in regards to manageability.

- mike

On Jul 28, 2004, at 4:23 PM, Jeremie Le Hen wrote:

> Hello Charlie,
>
>> I'm running ipf because I like it ...but now I need to use ipfw's pipe
>> feature. I was thinking that I could just run both, and keep all my
>> rules in ipf, then in ipfw: limit bandwidth for a few vlans, then
>> allow all.
>>
>> It didn't work (no rate-limiting happened).. and I'm thinking that ipf
>> is passing the packets and bypassing ipfw? Or something..
>>
>> So, what is the order, if I'm running ipf AND ipfw at the same time?
>> Will it work at all in this manner?
>
> Max Laier told you about FreeBSD 5.x which includes PFIL_HOOKS, but
> you did not mention whether you are using -STABLE or -CURRENT.
> AFAIK, ipf takes precedence over ipfw for incoming packets on -STABLE,
> and this is of course symmetric for outgoing ones.
>
> But you should be warned that using ipnat(8) in conjunction with ipfw
> pipes may lead to incorrect behaviour:
> http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/61685
>
> Hackers, is this bug still alive in -CURRENT?
>
> Best regards,
> --
> Jeremie LE HEN aka TtZ/TataZ
> jeremie.le-hen@epita.fr
>
> ttz@epita.fr
> Hi! I'm a .signature virus! Copy me into your ~/.signature to help me
> spread!
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"

Michael F. DeMan
Director of Technology
OpenAccess Network Services
Bellingham, WA 92825
michael@staff.openaccess.org
360-647-0785
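The "one config file for firewall, NAT and QoS" setup that Michael's message argues for, written out as an added pf.conf example. This is not code from the thread, from OpenAccess, or from any FreeBSD or OpenBSD project file: it is an illustration of how Charlie's original goal (keep the filter rules, rate-limit a few VLANs, then allow everything else) looks when PF handles all three jobs instead of ipf plus ipfw pipes. The interface names (fxp0, vlan10, vlan20), networks and bandwidth figures are assumed for illustration only.

```pf
# Added example, not from the thread. Interface names, networks and
# bandwidths are assumed for illustration.
ext_if = "fxp0"
vlan_a = "vlan10"
vlan_b = "vlan20"
net_a  = "192.168.10.0/24"
net_b  = "192.168.20.0/24"

# --- QoS: the job ipfw pipes were wanted for. ALTQ shapes traffic
# leaving $ext_if; each VLAN gets its own CBQ child queue. Requires a
# kernel built with "options ALTQ" and "options ALTQ_CBQ" (FreeBSD 5.3+).
altq on $ext_if cbq bandwidth 10Mb queue { q_vlan_a, q_vlan_b, q_default }
queue q_vlan_a  bandwidth 2Mb cbq(borrow)
queue q_vlan_b  bandwidth 1Mb
queue q_default bandwidth 7Mb cbq(default)

# --- NAT: the job ipnat was doing. Translation rules are evaluated
# before the filter rules, in the same engine, so there is no second
# packet filter to bypass.
nat on $ext_if from { $net_a, $net_b } to any -> ($ext_if)

# --- Filter: the job ipf was doing. Default deny, then the equivalent of
# "allow all" per VLAN. The queue named on a rule is recorded in the
# state entry and applied when the packet leaves on $ext_if, so the
# rate limit is attached where the flow enters, not where it is shaped.
block log all
pass quick on lo0 all

pass in on $vlan_a from $net_a to any keep state queue q_vlan_a
pass in on $vlan_b from $net_b to any keep state queue q_vlan_b
pass out on $ext_if from ($ext_if) to any keep state
```

Load it with `pfctl -f /etc/pf.conf` and confirm the queues exist and are taking packets with `pfctl -s queue -v`; `pfctl -vs rules` shows per-rule counters, which is the quickest way to see whether a VLAN's traffic is actually matching its rate-limiting rule rather than the catch-all. One caveat: ALTQ only shapes the outbound side of the interface it is declared on, so this file limits what each VLAN can send upstream; to cap downloads per VLAN as well, declare `altq on $vlan_a` and `altq on $vlan_b` with their own queues and assign those on the return-direction rules.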
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?52E06F6C-E133-11D8-A60F-000A95CE3376>