IPFW2 in -stable and updating via source upgrade
Roman Neuhauser
neuhauser at bellavista.cz
Mon Aug 5 10:46:13 CEST 2002
> From: Ales Kotmel <kotmel at annexnet.cz>
> To: <users-l at freebsd.cz>
> Subject: RE: IPFW2 in -stable and updating via source upgrade
> Date: Mon, 5 Aug 2002 08:17:51 +0200
I would ask you to write your contributions *below* what you are
replying to. I don't know whether Outlook can be set up to put the
cursor right under the quoted text, so I can't advise on automating it.
> > That's all very nice, but do you use check-state/keep-state or
> > only setup/established?
> >
> > > I have no direct experience with ipf, but nonetheless it is very
> > > nicely described by Michal Kutnohorsky here: http://www.freebsd.cz/~michal/
> >
> > That's exactly where I found only examples of setup/established.
>
> Have a look here for inspiration
>
> http://www.freebsd-howto.com/HOWTO/Ipfw-Advanced-Supplement-HOWTO
I have quoted from that article at least once in this thread already.
So, once more:
Normally the rule to allow the packets from local LAN Nic cards to
pass through the ipfw firewall comes before the divert natd rule as
seen in the rc.firewall file. But for advanced stateful rules it has
to be moved after the divert natd rule and the 'keep-state' option
has to be used so the dynamic rules table knows about the packet
activity before they get passed through the rules file the second
time. Technically this means each packet will have 2 sets of dynamic
table rules, one set for the private Nic interface and one for the
public Nic interface. This is a resource waste, decreases
performance, and is not necessary if the nat function is done outside
of ipfw.
And I would add that at http://www.freebsd.cz/~michal/ all the
examples use only setup / established.
--
Roman
Sel pantata / na prasata / boubelata / RATATATA!
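As an added illustration of the ordering the quoted HOWTO paragraph describes (this is example code, not part of the thread, the HOWTO, or Michal's page): a stateful ruleset with the LAN rule placed after the divert natd rule with keep-state, beside the stateless setup/established layout. Interface names (fxp0, fxp1) and the LAN prefix are assumed placeholders; the functions print the rules for review instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread or the HOWTO. Interface names and
# the LAN prefix below are assumed placeholders; adjust for a real box.
set -e
oif="fxp0"            # assumed public (NAT) interface
iif="fxp1"            # assumed LAN interface
lan="192.168.1.0/24"  # assumed private network

# Print the rules instead of running them, so the ordering can be checked
# (or the output piped to sh) without touching a live firewall.
stateful_rules() {
    # NAT first: natd rewrites the packet and re-injects it, so the rules
    # below see each packet a second time, already translated.
    echo "ipfw add 100 divert natd ip from any to any via $oif"
    # Pass packets that already match an entry in the dynamic table.
    echo "ipfw add 200 check-state"
    # LAN rule sits *after* divert; keep-state records the flow so the
    # reply (and the second pass after NAT) is matched by check-state.
    echo "ipfw add 300 allow ip from $lan to any in via $iif keep-state"
    echo "ipfw add 400 allow tcp from any to any out via $oif keep-state"
    echo "ipfw add 65000 deny log ip from any to any"
}

# The setup/established style used in the examples on the cited page:
# no dynamic table, LAN rule before divert as in the stock rc.firewall.
stateless_rules() {
    echo "ipfw add 100 allow ip from $lan to any via $iif"
    echo "ipfw add 200 divert natd ip from any to any via $oif"
    echo "ipfw add 300 allow tcp from any to any established"
    echo "ipfw add 400 allow tcp from any to any out via $oif setup"
    echo "ipfw add 65000 deny log ip from any to any"
}

# Rule number of the first rule whose text matches a pattern.
# usage: rule_number <pattern> <ruleset-function>
rule_number() {
    "$2" | grep -- "$1" | head -n 1 | awk '{print $3}'
}
```

Running `stateful_rules | sh` applies the stateful set; `rule_number` is only there to make the ordering checkable.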