
Re: ipfw vs ipchains



Thanks All

Everything works fine now using ipfilter

didier
----- Original Message -----
From: "Brian Candler" <B.Candler at pobox.com>
To: "Antonio Godinho" <antonio at nambu.uem.mz>
Cc: <afnog at afnog.org>
Sent: Monday, February 04, 2002 7:45 PM
Subject: Re: ipfw vs ipchains


> On Mon, Feb 04, 2002 at 03:45:36PM +0000, Brian Candler wrote:
> > As it happens I'm just playing with ipfilter now, I might post some notes
> > later...
>
> It's not too bad to set up. In the kernel you put
>
> options         IPFILTER
> options         IPFILTER_LOG
>
> In /etc/rc.conf:
>
> gateway_enable="YES"
> ipfilter_enable="YES"
> ipmon_enable="YES"
> ipnat_enable="YES"
>
> In /etc/ipnat.rules:
>
> map xl0 192.168.0.0/16 -> 0/32 proxy port ftp ftp/tcp
> map xl0 192.168.0.0/16 -> 0/32 portmap tcp/udp 20000:30000
> map xl0 192.168.0.0/16 -> 0/32
>
> Then you need a ruleset in /etc/ipf.rules, which at the minimum would be
>
> pass in quick all
> pass out quick all
>
> More details at http://coombs.anu.edu.au/~avalon/
> (the documentation is not particularly good, but then neither is ipfw's)
>
> It has the advantage of being relatively clean to combine NAT and packet
> filtering.
>
> B.
>
> -----
> This is the afnog mailing list, managed by Majordomo 1.94.5
>
> To send a message to this list, e-mail afnog at afnog.org
> To send a request to majordomo, e-mail majordomo at afnog.org and put
> your request in the body of the message (i.e use "help" for help)
>
> This list is maintained by owner-afnog at afnog.org
>
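
An added example, not part of either post: a stateful alternative to the pass-all /etc/ipf.rules quoted above, filtering only on xl0 (the interface named in the quoted ipnat.rules, assumed here to be the outside one). It assumes the kernel is not built with IPFILTER_DEFAULT_BLOCK, so traffic on the other interfaces matches no rule and is passed.

```conf
# /etc/ipf.rules -- added example, not from the original thread.
# xl0 is taken from the quoted ipnat.rules and assumed to face outside.

# Without "quick" the last matching rule wins, so this is the fallback
# for anything arriving on xl0 that no state entry has already accepted.
# "log" sends the drops to ipmon (needs options IPFILTER_LOG).
block in log on xl0 all

# Drop packets arriving from outside that claim an inside source address.
block in log quick on xl0 from 192.168.0.0/16 to any

# Let connections out and keep state so that only their replies come back in.
pass out quick on xl0 proto tcp from any to any flags S keep state
pass out quick on xl0 proto udp from any to any keep state
pass out quick on xl0 proto icmp from any to any keep state
```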

