[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: ipfw vs ipchains

To: Antonio Godinho <antonio at nambu.uem.mz>
Subject: Re: ipfw vs ipchains
From: Brian Candler <B.Candler at pobox.com>
Date: Mon, 4 Feb 2002 18:45:12 +0000
Cc: afnog at afnog.org
Content-Disposition: inline
Content-Type: text/plain; charset=us-ascii
Delivered-To: afnog-archive at lists.eahd.or.ug
Delivered-To: afnog-outgoing at afnog.org
Delivered-To: afnog at afnog.org
In-Reply-To: <20020204154535.A8053 at linnet.org>; from B.Candler at pobox.com on Mon, Feb 04, 2002 at 03:45:36PM +0000
References: <000401c1abe3$81199d70$6601a8c0 at shell.cd>; <20020204101239.A6629 at linnet.org> <7569AA57ED at nambu.uem.mz> <20020204154535.A8053 at linnet.org>
Sender: owner-afnog at afnog.org
User-Agent: Mutt/1.2.5i

On Mon, Feb 04, 2002 at 03:45:36PM +0000, Brian Candler wrote:
> As it happens I'm just playing with ipfilter now, I might post some notes
> later...

It's not too bad to set up. In the kernel you put

options         IPFILTER
options         IPFILTER_LOG

In /etc/rc.conf:

gateway_enable="YES"
ipfilter_enable="YES"
ipmon_enable="YES"
ipnat_enable="YES"

In /etc/ipnat.rules:

map xl0 192.168.0.0/16 -> 0/32 proxy port ftp ftp/tcp
map xl0 192.168.0.0/16 -> 0/32 portmap tcp/udp 20000:30000
map xl0 192.168.0.0/16 -> 0/32

Then you need a ruleset in /etc/ipf.rules, which at the minimum would be

pass in quick all
pass out quick all

More details at http://coombs.anu.edu.au/~avalon/
(the documentation is not particularly good, but then neither is ipfw's)

It has the advantage of being relatively clean to combine NAT and packet
filtering.

B.

-----
This is the afnog mailing list, managed by Majordomo 1.94.5

To send a message to this list, e-mail afnog at afnog.org
To send a request to majordomo, e-mail majordomo at afnog.org and put
your request in the body of the message (i.e use "help" for help)

This list is maintained by owner-afnog at afnog.org

Follow-Ups:
- Re: ipfw vs ipchains
  - From: "Didier Kasole" <didier at cs-net.cd>

References:
- ipfw vs ipchains
  - From: "Didier Kasole" <didier at cs-net.cd>
- Re: ipfw vs ipchains
  - From: Brian Candler <B.Candler at pobox.com>
- Re: ipfw vs ipchains
  - From: "Antonio Godinho" <antonio at nambu.uem.mz>
- Re: ipfw vs ipchains
  - From: Brian Candler <B.Candler at pobox.com>
- Re: ipfw vs ipchains
  - From: Brian Candler <B.Candler at pobox.com>

Prev by Date: Re: ipfw vs ipchains
Next by Date: Re: ipfw vs ipchains
Prev by thread: Re: ipfw vs ipchains
Next by thread: Re: ipfw vs ipchains
Index(es):
- Date
- Thread