From: krad
To: Dan Busarow
Cc: FreeBSD Questions
Date: Fri, 1 Aug 2014 14:14:36 +0100
Subject: Re: Future of pf / firewall in FreeBSD ? - does it have one ?

That was never the problem; it was always tricky building stateful rulesets
with NAT. From what I remember it was due to the state table getting parsed
too early, i.e. before the NAT rule, if your ruleset wasn't 100% pukka. It
caught quite a few people out who I knew. It was over 12 years ago though,
so my memory is hazy on it, but as soon as I tried pf I found it much
easier, so didn't look back.

On 1 August 2014 14:03, Dan Busarow wrote:
>
> On 8/1/14, 1:39 AM, krad wrote:
>
>> I always found NATting in ipfw rather awkward and harder than in pf.
>> Looking at the man page it doesn't seem to have changed. I should
>> probably give it another go though, as it has been about 10 years now.
>>
>
> Couldn't be much easier than the way it works now, e.g.
>
> firewall_enable="YES"
> firewall_type="OPEN"
> natd_enable="YES"
> natd_interface="em0"
> natd_flags="-s -m -u"
>
> All of the built-in rulesets know about NAT.
>
> My home network has two internal nets, each with its own wifi AP, and the
> above handles it.
>
> natd_interface is your outside-facing interface.
>
> Dan
>
>> On 31 July 2014 14:41, Gleb Smirnoff wrote:
>>
>>> On Thu, Jul 31, 2014 at 10:02:22PM +1000, Da Rock wrote:
>>> D> Without diminishing your efforts so far, what do you think about
>>> D> pitching all efforts into IPFW to combine effort and reduce overhead
>>> D> of maintaining separate firewalls in the core? Is there an advantage
>>> D> to having our own pf?
>>>
>>> Is there any disadvantage keeping it? It is a plugin. It is optional
>>> and loadable. I removed most additions to the network stack that live
>>> outside netpfil/pf.
>>>
>>> Some people like it and use it.
>>>
>>> It is also the only tool to configure ALTQ now.
>>>
>>> --
>>> Totus tuus, Glebius.
>>> _______________________________________________
>>> freebsd-questions@freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
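An added example, written for this page and not posted by anyone in the thread, of the ordering problem krad describes: a hand-written ipfw ruleset for natd in which inbound packets are diverted to natd before check-state consults the state table, and outbound LAN packets create their state entry (still carrying the private source address) before being translated. It assumes natd is running as in Dan's rc.conf and that em0 is the outside interface; the 192.168.1.0/24 LAN, the rule numbers and the IPFW_CMD dry-run variable are assumptions of this example, not anything the thread states.

```shell
#!/bin/sh
# Added example: ipfw + natd ruleset with NAT and keep-state in an order
# that works in both directions.  Without IPFW_CMD the rules are only
# printed (dry run); IPFW_CMD=/sbin/ipfw loads them on a FreeBSD host.

pif="em0"             # outside interface, as in Dan's natd_interface
lan="192.168.1.0/24"  # assumed internal network (constructed for the example)

fwcmd="${IPFW_CMD:-echo ipfw}"

# Every rule goes through here so the whole script can be dry-run.
rule() {
    $fwcmd -q add "$@"
}

build_ruleset() {
    $fwcmd -q -f flush
    rule 00100 allow ip from any to any via lo0
    # Inbound: un-NAT first, so replies are compared against state entries
    # that were created with the LAN host's private address.
    rule 00110 divert natd ip from any to any in via "$pif"
    rule 00120 check-state
    # Outbound: create state while the packet still has its private source
    # address, then jump past the deny to the NAT rule.
    rule 00200 skipto 800 tcp from "$lan" to any out via "$pif" setup keep-state
    rule 00210 skipto 800 udp from "$lan" to any out via "$pif" keep-state
    rule 00220 skipto 800 icmp from "$lan" to any out via "$pif" keep-state
    # Anything that got this far matched no state and no outbound rule.
    rule 00700 deny log ip from any to any
    # Translate the permitted outbound packets and let them leave.
    rule 00800 divert natd ip from any to any out via "$pif"
    rule 00810 allow ip from any to any
}

# Check the ordering invariant on a dry-run copy of the ruleset: the inbound
# divert must precede check-state, and every keep-state rule must precede
# the outbound divert.  Returns 0 when both hold.
verify_order() {
    dry=$( (fwcmd="echo ipfw"; build_ruleset) )
    n_in=$(printf '%s\n' "$dry" | awk '/divert natd/ && / in via /{print $4+0}')
    n_cs=$(printf '%s\n' "$dry" | awk '/check-state/{print $4+0}')
    n_ks=$(printf '%s\n' "$dry" | awk '/keep-state/{print $4+0}' | sort -n | tail -1)
    n_out=$(printf '%s\n' "$dry" | awk '/divert natd/ && / out via /{print $4+0}')
    [ "$n_in" -lt "$n_cs" ] && [ "$n_ks" -lt "$n_out" ]
}

# Refuse to load anything if the ordering check fails.
verify_order && build_ruleset
```

The skipto around rule 700 is what keeps the two directions consistent: if check-state came before the inbound divert, a reply addressed to em0's public address would be looked up against state keyed on the private LAN address and never match, which is the symptom krad remembers.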