Re: ipfw vs ipchains
On Mon, Feb 04, 2002 at 03:45:36PM +0000, Brian Candler wrote:
> As it happens I'm just playing with ipfilter now, I might post some notes
> later...
It's not too bad to set up. In the kernel you put

    options IPFILTER
    options IPFILTER_LOG

In /etc/rc.conf:

    gateway_enable="YES"
    ipfilter_enable="YES"
    ipmon_enable="YES"
    ipnat_enable="YES"

In /etc/ipnat.rules:

    map xl0 192.168.0.0/16 -> 0/32 proxy port ftp ftp/tcp
    map xl0 192.168.0.0/16 -> 0/32 portmap tcp/udp 20000:30000
    map xl0 192.168.0.0/16 -> 0/32

Then you need a ruleset in /etc/ipf.rules, which at the minimum would be

    pass in quick all
    pass out quick all

More details at http://coombs.anu.edu.au/~avalon/
(the documentation is not particularly good, but then neither is ipfw's)
It has the advantage of being relatively clean to combine NAT and packet
filtering.
B.
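The two-line ruleset in the message passes every packet, so it only exercises NAT and does no filtering. Below is an added example of a more useful /etc/ipf.rules for the same setup; it is not from the original message or from the ipfilter project. It assumes xl0 is the outside interface (as in the ipnat rules above) and that the inside interface is xl1 (an assumption, substitute your own); it keeps state on outbound connections, admits only SSH inbound from outside, and logs everything else it drops so ipmon records it.

```conf
# /etc/ipf.rules -- added example, not part of the original message.
# All rules use "quick", so the first match wins (top to bottom).
# ASSUMPTION: xl0 = outside interface, xl1 = inside LAN (192.168.0.0/16).

# Loopback and the inside LAN are trusted.
pass in quick on lo0 all
pass out quick on lo0 all
pass in quick on xl1 all
pass out quick on xl1 all

# Anti-spoofing: packets arriving from outside must not claim inside
# or loopback source addresses.
block in log quick on xl0 from 192.168.0.0/16 to any
block in log quick on xl0 from 127.0.0.0/8 to any

# Outbound traffic from the LAN: keep state so replies come back
# without needing their own "pass in" rules.  "flags S" only matches
# the initial SYN, so stray mid-stream segments cannot create state.
pass out quick on xl0 proto tcp from any to any flags S keep state
pass out quick on xl0 proto udp from any to any keep state
pass out quick on xl0 proto icmp from any to any keep state

# The only new inbound connection allowed from outside: SSH to the gateway.
pass in quick on xl0 proto tcp from any to any port = 22 flags S keep state

# Default deny for anything else arriving on the outside interface,
# logged so that ipmon writes it to syslog.
block in log quick on xl0 all
```

Load it with `ipf -Fa -f /etc/ipf.rules` (and the NAT table with `ipnat -CF -f /etc/ipnat.rules`), then check the loaded rules with `ipfstat -io`. Because state is checked before the rule list, replies to LAN-originated connections match their state entry and never reach the final `block in` rule.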
-----
This is the afnog mailing list, managed by Majordomo 1.94.5