Date:      Mon, 12 Mar 2001 10:24:38 -0600
From:      "Thomas T. Veldhouse" <veldy@veldy.net>
To:        "Mike Harding" <mvh@ix.netcom.com>
Cc:        <arr@oceanwave.com>, <freebsd-stable@FreeBSD.ORG>, <christopher@schulte.org>
Subject:   Re: 4.2-R, bridging and ipfilter
Message-ID:  <005901c0ab10$ef3f8dc0$0100a8c0@cascade>
References:  <5.0.2.1.0.20010308160207.02762e18@pop.schulte.org> <002f01c0a8a7$c3e9fb30$3028680a@tgt.com> <20010309151929.F412D113E04@netcom1.netcom.com>

NAT is not bridging.  IPFILTER does not work with bridging -- you will not
protect packets flowing through a bridge, only the local machine.
IPFIREWALL will filter bridged packets.

Tom Veldhouse
veldy@veldy.net
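An added example, not code posted to this thread: the IPFIREWALL-on-a-bridge setup Tom says does filter bridged packets, written as a small sh script. The net.link.ether.bridge* sysctls are the FreeBSD 4.x bridge(4) knobs; the interface names (fxp0, fxp1), the LAN prefix and the web server address are placeholders, and the ruleset itself is an assumption about what a reader of this thread might want, not anything the list members wrote.

```shell
#!/bin/sh
# Added example, not part of the thread: a transparent bridging firewall on
# FreeBSD 4.x where the bridged traffic is filtered by ipfw (IPFIREWALL), the
# combination Tom says works.  Interface names and addresses are placeholders.
# Assumes a kernel built with "options BRIDGE", "options IPFIREWALL" and
# "options IPFIREWALL_VERBOSE" (the last one for the "log" keyword).

BR_WAN="fxp0"            # placeholder: NIC facing the upstream router
BR_LAN="fxp1"            # placeholder: NIC facing the protected LAN
LAN_NET="192.0.2.0/24"   # placeholder LAN prefix (documentation range)
WEB_SRV="192.0.2.10"     # placeholder: the one LAN host reachable from outside

# sysctl commands that put both NICs in bridge cluster 0 and hand every
# bridged IP packet to ipfw before it is forwarded.  Only IP is inspected;
# ARP and other non-IP frames are bridged without passing through ipfw.
bridge_sysctls() {
    cat <<EOF
sysctl -w net.link.ether.bridge_cfg=${BR_WAN}:0,${BR_LAN}:0
sysctl -w net.link.ether.bridge_ipfw=1
sysctl -w net.link.ether.bridge=1
EOF
}

# A stateless ruleset.  Bridged packets are checked once, as incoming on the
# NIC that received them, so every rule matches on "in via <nic>".  Replies
# are admitted with "established" rather than keep-state, which sidesteps the
# dynamic-rule table limits Tom ran into with ipfw's stateful mode.
bridge_ipfw_rules() {
    cat <<EOF
ipfw -f flush
ipfw add 100 allow ip from any to any via lo0
ipfw add 200 allow ip from ${LAN_NET} to any in via ${BR_LAN}
ipfw add 300 allow tcp from any to ${WEB_SRV} 80 in via ${BR_WAN}
ipfw add 310 allow tcp from any to ${LAN_NET} established in via ${BR_WAN}
ipfw add 320 allow udp from any 53 to ${LAN_NET} in via ${BR_WAN}
ipfw add 400 allow icmp from any to ${LAN_NET} icmptypes 0,3,11 in via ${BR_WAN}
ipfw add 65000 deny log ip from any to any
EOF
}

# Sanity check on the generated ruleset: the last rule must be a deny so that
# anything not explicitly allowed is dropped (default-deny).
ruleset_is_default_deny() {
    bridge_ipfw_rules | tail -n 1 | grep -q '^ipfw add 65000 deny'
}

# Run as "sh bridge-fw.sh apply" on the firewall itself to execute the
# commands; with no argument it only prints them for review.
if [ "${1:-}" = "apply" ]; then
    { bridge_sysctls; bridge_ipfw_rules; } | sh
else
    bridge_sysctls
    bridge_ipfw_rules
fi
```

The bridge interfaces carry no IP addresses of their own, so the box is invisible to the hosts on either side; ipfw's own sysctl net.inet.ip.fw.dyn_max sets the size of the dynamic-rule table if a reader does prefer keep-state over "established" here.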

----- Original Message -----
From: "Mike Harding" <mvh@ix.netcom.com>
To: <veldy@veldy.net>
Cc: <arr@oceanwave.com>; <freebsd-stable@FreeBSD.ORG>;
<christopher@schulte.org>
Sent: Friday, March 09, 2001 9:19 AM
Subject: Re: 4.2-R, bridging and ipfilter


>
> IPFILTER works great - we use it on a T1 at work for about 20 people
> for NAT and transparent squid proxying and it never hiccups and there
> is no noticeable load on the system.  IPFW defaults to a 5 minute
> timeout on sessions, ipfilter to 5 _days_ so it behaves much more like
> what people expect.  I suspect that ipfilter is used for more
> 'industrial strength' uses.
>
> Also, the NAT in ipfilter is kernel based so it's quite fast.
>
> - Mike H.
>
>    From: "Thomas T. Veldhouse" <veldy@veldy.net>
>    Date: Fri, 9 Mar 2001 08:46:43 -0600
>    Content-Type: text/plain;
>    charset="iso-8859-1"
>    X-Priority: 3
>    X-MSMail-Priority: Normal
>    X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
>    Sender: owner-freebsd-stable@FreeBSD.ORG
>    X-Loop: FreeBSD.ORG
>    Precedence: bulk
>
>    IPFILTER is an alternative to IPFIREWALL.  As far as I know, IPFILTER does
>    not work on bridged packets -- so you can not firewall your LAN transparently
>    using an IPFILTER bridge.  IPFIREWALL does filter bridged packets.  However,
>    I don't believe the stateful rules processing is as robust.  I was getting
>    errors about too many states and such -- so I went back to IPFILTER using
>    IPNAT (using bimap).
>
>    Tom Veldhouse
>    veldy@veldy.net
>
>    ----- Original Message -----
>    From: "Christopher Schulte" <christopher@schulte.org>
>    To: <arr@oceanwave.com>; <freebsd-stable@FreeBSD.ORG>
>    Sent: Thursday, March 08, 2001 4:03 PM
>    Subject: Re: 4.2-R, bridging and ipfilter
>
>
>    > At 04:48 PM 3/8/2001 -0500, arr@oceanwave.com wrote:
>    > >Has anyone gotten bridging and ipfilter to work together with 4.2-R?
>    >
>    > Question: do you mean IPFIREWALL and bridging?
>    >
>    > If so, yes.
>    >
>    >
>    > To Unsubscribe: send mail to majordomo@FreeBSD.org
>    > with "unsubscribe freebsd-stable" in the body of the message
>    >
>
>

