Statefull filtering with IPFW + IPFilter (was: Packet flow
Vandyuk Eugene
duke at irpen.kiev.ua
Fri Jun 6 02:44:35 PDT 2003
On Thu, Jun 05, 2003 at 01:39:25PM +1000, Darren Reed wrote:
> In some mail from Fernando Gleiser, sie said:
> >
> > > OUTGOING: IPF -> IPNAT -> IPFW
> > > INCOMING: IPFW -> IPNAT -> IPF
> >
> > There was some discussion some time ago in ipf's mailing list. I don't remember
> > Darren's position on this.
>
> My perspective is that it best serves IPFilter for it to be like that.
>
> I'm not sure why it isn't, except to say that it's entirely possible that
> I have applied a patch incorrectly.
>
> Darren
But it's not so hard to move the IpHack section in ip_input.c to be called after IPFW
processing? In this way we can keep all of the functionality of IPFW,
IPFilter and IPNAT. Because now people who want to use IPNAT with its kernel
processing (versus NATd with userland processing) are forced to use IPFilter and
fully rebuild their firewall.
Is there some trouble with these changes in ip_input.c processing?
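The practical consequence of the quoted order (IPFW -> IPNAT -> IPF inbound, IPF -> IPNAT -> IPFW outbound) is that the two filters see different addresses on the same packet: the filter in front of the NAT stage matches on the untranslated packet, the filter behind it on the translated one, so rules have to be written against the addresses the filter actually sees. The following toy model is an added illustration and is not code from this thread or from FreeBSD; the addresses, the port-forward table and the stage functions are all constructed for the example, and the only thing it takes from the thread is the two orderings.

```python
from dataclasses import dataclass, replace

# Constructed sample addresses (documentation ranges, not from the thread).
PUBLIC_IP = "203.0.113.10"      # the gateway's external address
INTERNAL_HOST = "192.168.1.20"  # a host behind NAT
REMOTE_HOST = "198.51.100.5"    # a host on the Internet


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


# Constructed inbound port-forward table: (public addr, port) -> (internal addr, port).
INBOUND_NAT = {(PUBLIC_IP, 8080): (INTERNAL_HOST, 80)}


def ipnat_in(pkt):
    """Inbound NAT: rewrite a forwarded public destination to the internal host."""
    target = INBOUND_NAT.get((pkt.dst, pkt.dport))
    if target is None:
        return pkt
    return replace(pkt, dst=target[0], dport=target[1])


def ipnat_out(pkt):
    """Outbound NAT: hide every internal source behind the public address."""
    if pkt.src.startswith("192.168."):
        return replace(pkt, src=PUBLIC_IP)
    return pkt


def observe(name, seen):
    """Build a stand-in filter stage that records the packet it was handed
    and passes it through unchanged (a real ipfw/ipf stage would match rules here)."""
    def stage(pkt):
        seen[name] = pkt
        return pkt
    return stage


# The two orderings quoted in the thread.
INBOUND_ORDER = ("ipfw", "ipnat", "ipf")
OUTBOUND_ORDER = ("ipf", "ipnat", "ipfw")


def run(pkt, order, nat):
    """Push one packet through the stages in the given order and return
    the final packet plus what each filter stage saw."""
    seen = {}
    stages = {
        "ipfw": observe("ipfw", seen),
        "ipf": observe("ipf", seen),
        "ipnat": nat,
    }
    for name in order:
        pkt = stages[name](pkt)
    return pkt, seen


def inbound_view(pkt):
    """Destination address each filter saw for an inbound packet."""
    _, seen = run(pkt, INBOUND_ORDER, ipnat_in)
    return {name: p.dst for name, p in seen.items()}


def outbound_view(pkt):
    """Source address each filter saw for an outbound packet."""
    _, seen = run(pkt, OUTBOUND_ORDER, ipnat_out)
    return {name: p.src for name, p in seen.items()}


if __name__ == "__main__":
    print(inbound_view(Packet(REMOTE_HOST, PUBLIC_IP, 40000, 8080)))
    print(outbound_view(Packet(INTERNAL_HOST, REMOTE_HOST, 5000, 443)))
```

With this order an inbound rule in ipfw must name the public address and forwarded port, while the matching ipf rule must name the internal host and its real port; for outbound traffic it is the other way round. Swapping the order of the stages, which is what the thread is debating, silently changes which address every existing rule matches on, which is why the poster expects a rule-set rebuild.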
More information about the freebsd-security mailing list