Re: ipfw vs ipchains



On Sat, Feb 02, 2002 at 01:12:18PM +0100, Didier Kasole wrote:
>    what is the equivalent using ipfw on freeBSD box?

One way is as follows:

(in /etc/rc.conf)

natd_enable="YES"
natd_interface="xl0"        # or whatever your 'outside' interface is
firewall_enable="YES"
firewall_type="OPEN"

Plus compile your kernel with:

options         IPFIREWALL
options         IPFIREWALL_VERBOSE
options         IPFIREWALL_DEFAULT_TO_ACCEPT
options         IPDIVERT

The second and third are optional: VERBOSE allows logging, and
DEFAULT_TO_ACCEPT makes it harder to lock yourself out of the machine by
flushing the firewall rules and leaving DENY ALL.

This only works for Ethernet uplinks; if you are running ppp as your uplink,
use the nat flags to ppp instead (not pppd).

The second way is to use ipfilter, which has a separate NAT configuration. I
have not used it, but it has the advantage of being compatible with ipfilter
under Solaris. See 'man ipf', and for more documentation go to
http://freshmeat.net/ and search on 'ipfilter'.

B.

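As an added check (not from the original post or from FreeBSD's own rc scripts), a POSIX sh fragment that parses an rc.conf excerpt like the one above and flags the combinations that leave natd without the ipfw divert rule it depends on; the rc.conf content is constructed for the example.

```shell
#!/bin/sh
# Constructed rc.conf fragment mirroring the post; not a real host's file.
SAMPLE_RCCONF='natd_enable="YES"
natd_interface="xl0"   # outside interface
firewall_enable="YES"
firewall_type="OPEN"
'

# rc_get CONTENT VAR: print VAR's value as rc.conf (sh assignment syntax)
# defines it, last assignment wins, quotes and trailing comments removed.
rc_get() {
    printf '%s\n' "$1" |
      awk -v var="$2" -F= '
        { sub(/^[[:space:]]+/, "", $1) }
        $1 == var {
            v = $2
            sub(/[[:space:]]*#.*$/, "", v)                  # drop trailing comment
            gsub(/^[[:space:]]*"|"[[:space:]]*$/, "", v)    # strip surrounding quotes
            val = v
        }
        END { print val }'
}

# nat_rcconf_check CONTENT: return 0 if the fragment describes a natd+ipfw
# setup that can actually translate packets, 1 otherwise (reasons on stderr).
nat_rcconf_check() {
    conf=$1; rc=0
    natd=$(rc_get "$conf" natd_enable)
    iface=$(rc_get "$conf" natd_interface)
    fw=$(rc_get "$conf" firewall_enable)
    fwtype=$(rc_get "$conf" firewall_type)
    if [ "$natd" = "YES" ] && [ -z "$iface" ]; then
        echo "natd_enable=YES but natd_interface is unset" >&2; rc=1
    fi
    if [ "$natd" = "YES" ] && [ "$fw" != "YES" ]; then
        echo "natd_enable=YES needs firewall_enable=YES: ipfw adds the divert rule" >&2; rc=1
    fi
    if [ "$fw" = "YES" ] && [ -z "$fwtype" ]; then
        echo "firewall_enable=YES without firewall_type: no ruleset is loaded" >&2; rc=1
    fi
    # Not an error, but worth knowing: OPEN translates addresses and filters nothing.
    [ "$fwtype" = "OPEN" ] && echo "note: firewall_type=OPEN passes all traffic" >&2
    return $rc
}
```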
-----
This is the afnog mailing list, managed by Majordomo 1.94.5