
Re: ipfw vs ipchains

On Mon, Feb 04, 2002 at 03:45:36PM +0000, Brian Candler wrote:
> As it happens I'm just playing with ipfilter now, I might post some notes
> later...

It's not too bad to set up. In the kernel you put

options         IPFILTER
options         IPFILTER_LOG

In /etc/rc.conf:

gateway_enable="YES"
ipfilter_enable="YES"
ipmon_enable="YES"
ipnat_enable="YES"

In /etc/ipnat.rules:

map xl0 192.168.0.0/16 -> 0/32 proxy port ftp ftp/tcp
map xl0 192.168.0.0/16 -> 0/32 portmap tcp/udp 20000:30000
map xl0 192.168.0.0/16 -> 0/32

Then you need a ruleset in /etc/ipf.rules, which at the minimum would be

pass in quick all
pass out quick all

More details at http://coombs.anu.edu.au/~avalon/
(the documentation is not particularly good, but then neither is ipfw's)

It has the advantage of being relatively clean to combine NAT and packet
filtering.

B.
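A less permissive /etc/ipf.rules to go with the ipnat setup above, as an added example (not from the original post or the ipfilter project). It assumes xl0 is the outside interface, fxp0 the inside interface, and 192.168.0.0/16 the LAN named in the ipnat rules.

```conf
# /etc/ipf.rules: stateful replacement for the minimal "pass in/out quick all".
# Assumed layout (not stated in the post): xl0 = outside interface,
# fxp0 = inside interface, LAN = 192.168.0.0/16 as in /etc/ipnat.rules.
# ipf is last-match-wins unless a rule says "quick", so the default blocks
# come first and every later "quick" rule stops processing on a match.

# Default: drop and log everything not explicitly passed (ipmon records "log").
block in log all
block out log all

# Loopback is unrestricted.
pass in quick on lo0 all
pass out quick on lo0 all

# Anti-spoofing: LAN and loopback source addresses never arrive from outside.
block in log quick on xl0 from 192.168.0.0/16 to any
block in log quick on xl0 from 127.0.0.0/8 to any

# Inside interface: accept LAN-originated traffic and deliver replies to it.
pass in quick on fxp0 from 192.168.0.0/16 to any
pass out quick on fxp0 from any to 192.168.0.0/16

# Outside interface: only sessions opened from inside (or by the gateway
# itself) leave, and their replies are admitted by the state table, not by
# an inbound rule. Outbound filtering runs before ipnat, so LAN source
# addresses are still visible here and "any" covers them and the gateway.
pass out quick on xl0 proto tcp from any to any flags S/SA keep state
pass out quick on xl0 proto udp from any to any keep state
pass out quick on xl0 proto icmp from any to any keep state

# Nothing else is passed inbound on xl0: the "block in log all" default
# applies, so unsolicited connection attempts appear in ipmon's log.
```

Load it with `ipf -Fa -f /etc/ipf.rules` and review the active set with `ipfstat -io`.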

-----
This is the afnog mailing list, managed by Majordomo 1.94.5