Date:      Sun, 1 Aug 2021 00:19:53 +0200
From:      Martin Beran <martin@mber.cz>
Cc:        "freebsd-hackers@FreeBSD.org" <freebsd-hackers@freebsd.org>
Subject:   Re: How to Force Packet Traversal Order (IPFW2 => PF)
Message-ID:  <CAKcYwPHY8JXix3pspgH8t7STO6ELADSL_n5ghOzetmHExCTHOA@mail.gmail.com>
In-Reply-To: <rdc7jLoVJXZDL75xntp5gwEYLvZ2silSk8pwdE-QwT2QxpwXRKDbOP4A27q3o2QA4p4IS17A3kmEWRw4O9iQnmJh-PMqwvsf1h9PYbcVu9A=@protonmail.com>
References:  <rdc7jLoVJXZDL75xntp5gwEYLvZ2silSk8pwdE-QwT2QxpwXRKDbOP4A27q3o2QA4p4IS17A3kmEWRw4O9iQnmJh-PMqwvsf1h9PYbcVu9A=@protonmail.com>


On Fri 30 Jul 2021 at 13:41, alfadev via freebsd-ipfw <freebsd-ipfw@freebsd.org> wrote:


> Hi,
> I have to use both IPFW and PF at the same time in my FreeBSD 12.2 gateway.
>
> According to my observations the firewalls follow this order in all of my
> scenarios: PF => IPFW2. I see this exactly when I use PF's route-to option.
> When I create a load-balancing rule using PF's route-to, packets do not enter
> IPFW. So when I make PBR, IPFW rules like MAC-based piping, bandwidth,
> captive portal etc. do not work.
> So
> I am trying to get this order:
> input => ipfw => pf
>
> but I think I cannot change this order without touching kernel level.
> When I did some research I found this:
> https://www.opennet.ru/tips/info/1431.shtml
>

I think that you do not need to touch kernel source, nor build a custom
kernel. The order of calling packet filtering modules depends on the order
of registering the modules to packet processing hooks. Instead of loading
the modules by their respective startup scripts, you can load them in the
required order by including them in /etc/rc.conf in variable kld_list. I do
not remember if the order of calling is the same or the opposite of the
order of module loading.

Martin Beran
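An added example, not part of the thread and not FreeBSD's own tooling: a POSIX sh script that shows the /etc/rc.conf kld_list setting Martin describes and checks, from kldstat output, which of ipfw.ko and pf.ko was loaded first. The kldstat text below is constructed, and the function names kld_order and rc_kld_list_line are my own. As Martin notes, load order is not guaranteed to equal call order, so the check only confirms what the loader did; the actual traversal order still has to be confirmed by watching rule counters or log lines on both firewalls for a known packet (on FreeBSD 13.0 and later, pfilctl(8) also lists the registered hooks).

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): confirm kernel module load
# order from kldstat output, and build the rc.conf line that fixes that order
# at boot so the ipfw/pf rc scripts do not decide it.

# Constructed sample of `kldstat` output. On a live gateway use:
#   kld_order "$(kldstat)" "ipfw pf"
SAMPLE_KLDSTAT='Id Refs Address                Size Name
 1   12 0xffffffff80200000  1f30f50 kernel
 2    1 0xffffffff82131000     2d78 ipfw.ko
 3    1 0xffffffff82134000    4c0f8 pf.ko'

# kld_order KLDSTAT_TEXT "mod1 mod2 ..."
# Prints the requested modules (with .ko suffix) in the order kldstat lists
# them. kldstat prints ascending Id, and Ids are assigned at load time, so the
# first module printed is the one that registered its pfil hook first.
kld_order() {
    printf '%s\n' "$1" | awk -v want="$2" '
        BEGIN {
            n = split(want, w, " ")
            for (i = 1; i <= n; i++) wanted[w[i] ".ko"] = 1
        }
        NR > 1 && ($5 in wanted) { order = order sep $5; sep = " " }
        END { print order }'
}

# rc_kld_list_line mod1 mod2 ...
# Emits the /etc/rc.conf line that makes /etc/rc.d/kld load the modules in
# this order at boot. Apply it with sysrc(8), e.g. sysrc kld_list+="ipfw pf",
# rather than editing the file by hand.
rc_kld_list_line() {
    printf 'kld_list="%s"\n' "$*"
}

# Demonstration on the constructed sample.
echo "load order from kldstat: $(kld_order "$SAMPLE_KLDSTAT" "ipfw pf")"
echo "rc.conf setting to pin that order: $(rc_kld_list_line ipfw pf)"
```

Reverse the module names in kld_list if the observed traversal order turns out to be the opposite of the load order; the check function then lets you confirm after the next boot that the loader honoured the new order before you look at the firewall counters again.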
