Date: Sat, 1 Feb 2003 02:24:58 +0000
From: ian j hart <ianjhart@ntlworld.com>
To: Andrew Thompson <andy@fud.org.nz>, stable@FreeBSD.ORG
Subject: Re: IPF & IPFW
Message-ID: <200302010224.58228.ianjhart@ntlworld.com>
In-Reply-To: <3E3B2511.6090009@fud.org.nz>
References: <20030131222558.61732.qmail@web14105.mail.yahoo.com> <20030201011921.GE30498@blossom.cjclark.org> <3E3B2511.6090009@fud.org.nz>
On Saturday 01 February 2003 1:38 am, Andrew Thompson wrote:
> Crist J. Clark wrote:
> >On Fri, Jan 31, 2003 at 11:17:10PM +0000, ian j hart wrote:
> >>On Friday 31 January 2003 10:25 pm, Claus Guttesen wrote:
> >>
> >>Thank you for the info. I guess it's OK that I forward
> >>this info to the maintainer of the above mentioned
> >>FAQ.
> >>
> >>regards
> >>Claus
> >>
> >>Do you have problems with your home computer? Get help with Yahoo!'s PC support
> >> at http://dk.shopping.yahoo.com/pcsupport/index.html
> >>
> >>OTOH if you only need ipnat and not ipfilter you can do this...
> >>
> >>Don't compile in ipf. Turn on ipnat in rc.conf; it will run after all the
> >> ipfw rules.
> >>
> >>I use this to "fix-up" packet source addresses.
> >>
> >>e.g. (warning from memory)
> >>map rl0 from <my-ip>/32 to any port 25 -> <alias-ip>/32
> >>
> >>So outgoing email traffic appears to come from the alias IP.
> >>[Don't ask, you don't want to know].
> >
> >ipf(8) and ipnat(8) are the userland commands to interface with the
> >same code in the kernel. You can't separate them. If you define
> >IPFILTER in your kernel configuration, you get both, even if you only
> >use one. If you load ipf.ko, you get both, even if you use only one.
> >ipnat(8) occurs before ipfw(8) for incoming and after ipfw(8) for
> >outgoing whether or not you are using ipf(8) rules.
> >
> >Packets get passed to "IPFilter-in-the-kernel" (the kernel code that
> >both ipf(8) and ipnat(8) talk to) one place in ip_input.c and once in
> >ip_output.c. The only way to change that is to modify the code in those
> >two. (Well, you might be able to do something with tunnels to get the
> >effects, but it's still true for each step of the tunnel(s).)
>
> Thanks everyone for your help,
>
> The bit I was having trouble with was doing two transparent proxies
> depending on whether the user had logged in or not, one to squid, the other to a
> static page telling them to log in.
>
> I have actually reworked my ipfw rules so I don't need ipf anymore and it's
> all working. :)
>
> This thread can be dropped unless you all want to discuss the ordering
> more.

IMHO Crist is right. Who's arguing?

Your original query was not specific enough.

=
I am writing an app to do pre-pay internet and am using a combination of
ipf and ipfw. I stupidly assumed that ipfw ran before ipf, of course it's
the other way around. This has put a hurdle in my design, is there an
easy way to change the order of the two? or do I need to redesign :(
=

All I was pointing out is a "loophole".

If source address munging is what you wanted, I'd have been right :))

-- 
ian j hart

Quoth the raven, bite me!
Salem Saberhagen (Episode LXXXI: The Phantom Menace)

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
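The ordering Crist describes (ipnat before ipfw on input, after ipfw on output) has a practical consequence for rule authors: an ipfw rule on the outbound path matches the packet's real, pre-NAT source address, and an inbound reply reaches ipfw only after ipnat has translated its destination back. The toy model below was written for this archive page to illustrate that; it is not FreeBSD, ipfilter or ipfw code. It parses an ipnat `map` rule of the exact shape quoted in the thread, models ipnat's session table as a dict, and runs a constructed SMTP exchange through both hook orders. All addresses (192.0.2.10 as `<my-ip>`, 192.0.2.20 as `<alias-ip>`, 198.51.100.5 as a mail host) are constructed documentation-range values.

```python
"""Toy model of the ipnat/ipfw hook order on FreeBSD: ipnat runs before ipfw
on input and after ipfw on output.  Constructed addresses; not system code."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, replace

MY_IP = "192.0.2.10"        # constructed stand-in for <my-ip>
ALIAS_IP = "192.0.2.20"     # constructed stand-in for <alias-ip>
MAILHOST = "198.51.100.5"   # constructed remote SMTP server


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class MapRule:
    """One ipnat 'map' rule of the shape quoted in the thread."""
    iface: str
    from_net: ipaddress.IPv4Network
    to_net: ipaddress.IPv4Network | None   # None means 'any'
    dport: int | None                       # None means no 'port N' clause
    alias: ipaddress.IPv4Address


def parse_map_rule(text: str) -> MapRule:
    """Parse: map IFACE from NET to NET|any [port N] -> ALIAS/32"""
    tok = text.split()
    if tok[0] != "map" or tok[2] != "from" or tok[4] != "to":
        raise ValueError("expected: map IFACE from NET to NET|any [port N] -> ALIAS/32")
    to_net = None if tok[5] == "any" else ipaddress.ip_network(tok[5])
    dport, i = None, 6
    if tok[i] == "port":
        dport, i = int(tok[i + 1]), i + 2
    if tok[i] != "->":
        raise ValueError("missing '->' before the alias address")
    alias = ipaddress.ip_network(tok[i + 1])
    if alias.num_addresses != 1:
        raise ValueError("this model only supports a single /32 alias")
    return MapRule(tok[1], ipaddress.ip_network(tok[3]), to_net, dport,
                   alias.network_address)


class Ipnat:
    """Source-address translation with a session table (modeled as a dict)."""

    def __init__(self, rule: MapRule):
        self.rule = rule
        self.sessions: dict[tuple, str] = {}   # (alias, sport, dst, dport) -> real src

    def outbound(self, p: Packet) -> Packet:
        r = self.rule
        if (ipaddress.ip_address(p.src) in r.from_net
                and (r.to_net is None or ipaddress.ip_address(p.dst) in r.to_net)
                and (r.dport is None or p.dport == r.dport)):
            self.sessions[(str(r.alias), p.sport, p.dst, p.dport)] = p.src
            return replace(p, src=str(r.alias))      # rewrite source to the alias
        return p

    def inbound(self, p: Packet) -> Packet:
        # A reply addressed to the alias is mapped back to the real host.
        orig = self.sessions.get((p.dst, p.dport, p.src, p.sport))
        return replace(p, dst=orig) if orig else p


def ipfw(rules, p: Packet) -> str:
    """First matching rule wins; this model denies when nothing matches."""
    for _num, action, match in rules:
        if match(p):
            return action
    return "deny"


def send_outbound(p: Packet, nat: Ipnat, rules):
    """Output path: ipfw first, then ipnat."""
    verdict = ipfw(rules, p)
    return verdict, (nat.outbound(p) if verdict == "allow" else p)


def recv_inbound(p: Packet, nat: Ipnat, rules):
    """Input path: ipnat first, then ipfw."""
    p = nat.inbound(p)
    return ipfw(rules, p), p


# Rules written against the real address, as the hook order requires.
RULES_OK = [(100, "allow", lambda p: p.src == MY_IP and p.dport == 25),
            (200, "allow", lambda p: p.dst == MY_IP and p.sport == 25)]
# Rules written as if ipnat had already run: they never see the alias.
RULES_WRONG = [(100, "allow", lambda p: p.src == ALIAS_IP and p.dport == 25)]


def demo() -> dict:
    rule = parse_map_rule(f"map rl0 from {MY_IP}/32 to any port 25 -> {ALIAS_IP}/32")
    nat = Ipnat(rule)
    out = Packet(MY_IP, MAILHOST, 40000, 25)
    v_out, on_wire = send_outbound(out, nat, RULES_OK)
    reply = Packet(MAILHOST, ALIAS_IP, 25, 40000)
    v_in, delivered = recv_inbound(reply, nat, RULES_OK)
    v_wrong, _ = send_outbound(out, Ipnat(rule), RULES_WRONG)
    return {"out_verdict": v_out, "wire_src": on_wire.src,
            "reply_verdict": v_in, "reply_dst": delivered.dst,
            "wrong_verdict": v_wrong}


if __name__ == "__main__":
    print(demo())
```

The third case is the one that bites in practice: a rule set that names the alias address on the outbound side drops the mail traffic, because ipfw evaluated the packet while its source was still `<my-ip>`.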