IPFW + dummynet + other firewall
Cristian KLEIN
cristi at net.utcluj.ro
Mon Dec 4 17:22:20 PST 2006
Hello everybody,
I sure hope this is relevant for the list.
I have been using IPFW and PF in FreeBSD 5.4 for some time, because I
like PF's NAT and ftp-proxy, but I can't live without pipes. While
giving me joy, this combination also results in some strange behaviour.
In the default configuration (i.e. firewall_enable and pf_enable="YES"
in rc.conf) ipfw loads first and pf last, which has the great advantage
of seeing untranslated packets in ipfw.
When combining ipfw + dummynet + pf, some strange behaviour occurs, due
to the fact that dummynet reinjects the packets into ip_input(). The
path of incoming packets looks like this: wire -> pf -> ipfw ->
dummynet -> pf -> ipfw -> kernel.
1) rdr rules to localhost (required for ftp-proxy etc.) which go through
pipes fail, because ip_input() drops 127/8.
2) pass log rules make packets appear twice on pflog.
Other issues may exist.
I believe that the single solution would be something like in the
pre-PFIL times, when ip_input() contained a jump directly to ipfw, and
the packet was processed from where it left. However, this is pretty
hard to implement in PFIL.
Any ideas?
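A small model of the inbound path described above, added here as an illustration (it is neither FreeBSD code nor the poster's): `ip_input` re-runs the 127/8 check and both PFIL hooks when dummynet reinjects, while the `resume_after_pipe` flag models the pre-PFIL "continue from where it left" behaviour the post asks for. The hook rules, addresses and packet fields are constructed assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

LOOPBACK = ip_network("127.0.0.0/8")
RDR_TARGET = "203.0.113.10"   # constructed: address covered by a pf "rdr" to localhost


@dataclass
class Packet:
    dst: str
    pflog: list = field(default_factory=list)   # one entry per "pass log" hit
    piped: bool = False                          # already went through the pipe


def pf_hook(pkt):
    """pf: 'rdr ... -> 127.0.0.1' for RDR_TARGET (ftp-proxy style), then 'pass log'."""
    if pkt.dst == RDR_TARGET:
        pkt.dst = "127.0.0.1"
    pkt.pflog.append(pkt.dst)
    return "pass"


def ipfw_hook(pkt):
    """ipfw: 'pipe 1 ip from any to any in' on first sight, accept afterwards."""
    if not pkt.piped:
        pkt.piped = True
        return "dummynet"
    return "pass"


HOOKS = [pf_hook, ipfw_hook]          # inbound order from the post: pf, then ipfw


def ip_input(pkt, resume_after_pipe=False, start=0):
    """Model of ip_input(): 127/8 check, then the PFIL hooks from index `start`."""
    # ip_input() refuses 127/8 on a non-loopback interface; re-entering from
    # the top (start == 0) re-applies that check to the already-rdr'd packet.
    if start == 0 and ip_address(pkt.dst) in LOOPBACK:
        return "drop"
    for i in range(start, len(HOOKS)):
        if HOOKS[i](pkt) == "dummynet":
            # current behaviour: dummynet reinjects at the top of ip_input();
            # wished-for behaviour: resume with the hook after ipfw
            return ip_input(pkt, resume_after_pipe, i + 1 if resume_after_pipe else 0)
    return "kernel"


def trace(dst, resume_after_pipe=False):
    """Return (final verdict, number of pflog entries) for one inbound packet."""
    pkt = Packet(dst)
    return ip_input(pkt, resume_after_pipe), len(pkt.pflog)
```

With reinjection at the top, the rdr'd packet is dropped and an ordinary piped packet is logged twice; with resume-after-pipe both reach the kernel with a single log entry.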