
List:       freebsd-hackers
Subject:    Re: How to Force Packet Traversal Order (IPFW2 => PF)
From:       alfadev via freebsd-ipfw <freebsd-ipfw () FreeBSD ! org>
Date:       2021-08-02 8:38:06
Message-ID: fv2AxuQ5R1suFH6GVt_V_Ryu7TC2rYppV8lfVvhgbShsjNpzoy3O1hgoBwvf5QFEFwcq3d4tk_RVd_SwOBEuPTsOFnswnRRMOflVBl_2cjw= () protonmail ! com

Thank you all,
I did further research and found the same issue (Multi WAN + Captive Portal not working when pf+ipfw are enabled at the same time) on OPNSENSE.

first mention is here:
https://github.com/opnsense/core/issues/1166

here is the OPNSENSE solution:
https://git.furworks.de/opensourcemirror/opnsense-src/commit/83fd8a61b942d84f553e53127c4be02b318f7cf4


https://reviews.freebsd.org/D8109

I will try the solutions in the links above and hope this helps me and others.

------- Original Message -------

On Sunday, August 1st, 2021 at 1:19 AM, Martin Beran <martin@mber.cz> wrote:

> On Fri 30 Jul 2021 at 13:41, alfadev via freebsd-ipfw <freebsd-ipfw@freebsd.org> wrote:
> 
> > Hi,
> >
> > I have to use both IPFW and PF at the same time in my FreeBSD 12.2 gateway.
> >
> > According to my observations the firewalls follow this order in all of my
> > scenarios: PF => IPFW2. I see this exactly when I use PF's route-to option.
> > When I create a load-balancing rule using PF's route-to, packets do not enter
> > IPFW. So when I do PBR, IPFW rules like MAC-based piping, bandwidth,
> > captive portal etc. do not work.
> >
> > So I am trying to get this order:
> >
> > input => ipfw => pf
> >
> > but I think I cannot change this order without touching the kernel level.
> >
> > When I did some research I found this:
> >
> > https://www.opennet.ru/tips/info/1431.shtml
> 
> I think that you do not need to touch kernel source, nor build a custom
> kernel. The order of calling packet filtering modules depends on the order
> of registering the modules to packet processing hooks. Instead of loading
> the modules by their respective startup scripts, you can load them in the
> required order by including them in /etc/rc.conf in variable kld_list. I do
> not remember if the order of calling is the same or the opposite of the
> order of module loading.
> 
> Martin Beran
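
An added check for the rc.conf approach Martin describes (example script written for this page, not from the thread or from FreeBSD): it reads an rc.conf fragment, extracts the kld_list value and reports which of ipfw and pf is listed first, so a gateway admin can confirm the configured load order before rebooting. It only reports the configured order; the thread leaves open whether hook call order matches or reverses load order, and the script makes no claim about that. The sample rc.conf text, the function names and the result strings are assumptions.

```shell
# Added example, not from the thread. POSIX sh; no FreeBSD tools required.
# Constructed sample rc.conf text; on a real gateway read /etc/rc.conf instead.
SAMPLE_RC_CONF='
# constructed sample, not a real host configuration
pf_enable="YES"
firewall_enable="YES"
kld_list="ipfw pf"
'

# Print the value of the kld_list variable from rc.conf text.
# If the variable appears more than once, the last assignment wins,
# which matches how sh reads the file.
kld_list_value() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*kld_list="\([^"]*\)".*/\1/p' \
        | tail -n 1
}

# Print the 1-based position of a module name within a kld_list value,
# or 0 when the module is not listed.
module_position() {
    _list=$1
    _name=$2
    _i=0
    for _m in $_list; do
        _i=$((_i + 1))
        if [ "$_m" = "$_name" ]; then
            echo "$_i"
            return 0
        fi
    done
    echo 0
}

# Report the configured load order of ipfw relative to pf:
#   ipfw-first  ipfw is listed before pf in kld_list
#   pf-first    pf is listed before ipfw in kld_list
#   missing     at least one of the two is not in kld_list at all
load_order() {
    _list=$(kld_list_value "$1")
    _ipfw=$(module_position "$_list" ipfw)
    _pf=$(module_position "$_list" pf)
    if [ "$_ipfw" -eq 0 ] || [ "$_pf" -eq 0 ]; then
        echo "missing"
    elif [ "$_ipfw" -lt "$_pf" ]; then
        echo "ipfw-first"
    else
        echo "pf-first"
    fi
}

# Stand-alone usage against the constructed sample.
load_order "$SAMPLE_RC_CONF"
```

Running it against the sample prints ipfw-first; pointing it at the real file is a matter of replacing the sample with `$(cat /etc/rc.conf)`. A "missing" result means one of the modules is still being loaded by its rc.d script rather than by kld_list, so the relative order is not controlled by the configuration at all.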


