IPFW2 ve -stable a aktualizace source upgrade

Roman Neuhauser neuhauser at bellavista.cz
Mon Aug 5 13:10:31 CEST 2002 

> Date: Mon, 5 Aug 2002 11:12:14 +0200 (CEST)
> From: Martin Horcicka <horcicka at freebsd.cz>
> To: users-l at freebsd.cz
> Subject: Re: IPFW2 ve -stable a aktualizace source upgrade
> 
> Roman Neuhauser (2002-08-05 10:46 +0200):
> 
> > From: Ales Kotmel <kotmel at annexnet.cz>                                
> > To: <users-l at freebsd.cz>                                             
> > Subject: RE: IPFW2 ve -stable a aktualizace source upgrade           
> > Date: Mon, 5 Aug 2002 08:17:51 +0200                                    
> >
> > > Juknete pro inspiraci sem
> > >
> > > http://www.freebsd-howto.com/HOWTO/Ipfw-Advanced-Supplement-HOWTO
> >
> >     z toho clanku jsem v tomhle threadu minimalne jednou citoval. takze
> >     jeste jednou:
> >
> >     Normally the rule to allow the packets from local LAN Nic cards to
> >     pass through the ipfw firewall come before the divert natd rule as
> >     seen in the rc.firewall file. But for advanced stateful rules it has
> >     to be moved after the divert natd rule and the 'keep-state' option
> >     has to be used so the dynamic rules table knows about the packet
> >     activity before they get passed through the rules file the second
> >     time. Technically this means each packet will have 2 sets of dynamic
> >     table rules, one set for the private Nic interface and one for the
> >     public Nic interface. This is an resource waste, decreases
> >     performance, and not necessary if the nat function is done outside
> >     of ipfw.
> >
> >     a k tomu bych dodal, ze na http://www.freebsd.cz/~michal/ se ve
> >     vsech ukazkach pouziva jenom setup / established.
> 
> zacinam se v obecnosti teto diskuze trochu ztracet - nemohli bychom se
> dostat do konkretnejsi roviny? Treba, ze by nektery odpurce IPFW
> napsal nejaky kousek firewallu, ktery podle nej nejde udelat s IPFW
> efektivne? Ten vynatek nahore zrejme uplne nechapu.

    jde o to, ze ipfw, advanced stateful rules (keep-state/check-state)
    a natd jdou dohromady jenom tak, ze prohodite poradi divertu a
    ostatnich pravidel, takze kazdy paket projde dynamickymi (dynamicky
    tvorenymi) pravidly dvakrat. ale to jen prekladam co je napsano v te
    citaci nahore, a cele je to popsano na te url, ktera je taky v
    tomhle mailu.

    se setup / established tenhle problem neexistuje.

    "The simplest and best solution to the advanced stateful rules
    problem is to use 'user ppp -nat' for all dialup ISP environments
    and have no divert natd rule in the ipfw rules file."

-- 
Roman
Sel pantata / na prasata / boubelata / RATATATA!

More information about the Users-l mailing list