Hi,
I have to use both IPFW and PF at the same time in my FreeBSD 12.2 gateway.
Normally firewalls follow this order: pf => ipfw, as you know.
I am trying to get this order:
input => ipfw => pf
but I think I cannot change this order without touching the kernel level.
When I did some research I found this:
IPFW and PF startup order definitions are in these files:
Code:
/usr/src/sys/netpfil/ipfw/ip_fw2.c
/usr/src/sys/netpfil/pf/pf_ioctl.c
and tried the instructions below, but I couldn't change that order.
Any help would be appreciated at this point.
These can be helpful:
FreeBSD 8.1: pf cannot be loaded after ipfw
There is a gateway running FreeBSD. ipfw is used for filtering, pf for NAT. Packets on the external interface went through the chain input => pf => ipfw => routing => ipfw => pf => output. So that pf would be registered after ipfw, the line "BEFORE: pf" was added to the header of /etc/rc.d/ipfw. On Free...
forum.nag.ru
Packet Traversal in FreeBSD Packet Filters
The order of passage of packets when using ipfilter, pf and ipfw at the same time:
When loading filters as modules, the order will be determined by the order of loading the modules.
This is because packet filters register themselves with pfil(9).
When all filters are included in the kernel, the order will be determined by SYSINIT.
To determine the order, you need to open the sys/kernel.h file.
It defines the order in which certain subsystems are initialized. Now, the simplest:
# grep DECLARE_MODULE netinet/ip_fw_pfil.c
DECLARE_MODULE(ipfw, ipfwmod, SI_SUB_PROTO_IFATTACHDOMAIN, SI_ORDER_ANY);
# grep DECLARE_MODULE contrib/pf/net/pf_ioctl.c
DECLARE_MODULE(pf, pf_mod, SI_SUB_PROTO_IFATTACHDOMAIN, SI_ORDER_FIRST);
# grep DECLARE_MODULE contrib/ipfilter/netinet/mlfk_ipl.c
DECLARE_MODULE(ipfilter, ipfiltermod, SI_SUB_PROTO_DOMAIN, SI_ORDER_ANY);
From this it follows: ipfilter will be first, then pf, then ipfw.
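As an added illustration of the SYSINIT ordering the quoted article describes (my own example, not code from the article, the forum post or FreeBSD): a small C model that sorts the three DECLARE_MODULE() entries the way the kernel does, subsystem first and then order within the subsystem, and keeps equal keys in their input position, which is where link order or kldload order decides on a real system. The SI_SUB_* numbers and the function names are stand-ins of my own; only their relative order is taken from sys/kernel.h.

```c
/* Added example, not FreeBSD code: models how SYSINIT sorts the
 * DECLARE_MODULE() entries quoted above into pfil registration order.
 * Assumption: SI_SUB_* values below are stand-ins that only keep the
 * relative order of sys/kernel.h (PROTO_DOMAIN before IFATTACHDOMAIN). */
#include <string.h>
enum si_sub   { SI_SUB_PROTO_DOMAIN = 1, SI_SUB_PROTO_IFATTACHDOMAIN = 2 };
enum si_order { SI_ORDER_FIRST = 0x0000000, SI_ORDER_ANY = 0xfffffff };
struct sysinit_decl {          /* the DECLARE_MODULE() arguments that matter */
    const char *module;
    enum si_sub subsystem;     /* SI_SUB_* subsystem */
    enum si_order order;       /* SI_ORDER_* position inside that subsystem */
};

/* Kernel sort key: subsystem first, then order inside the subsystem. */
static int sysinit_before(const struct sysinit_decl *a, const struct sysinit_decl *b)
{
    if (a->subsystem != b->subsystem)
        return a->subsystem < b->subsystem;
    return a->order < b->order;
}

/* Stable insertion sort: entries with an equal (subsystem, order) key keep
 * their input position, which on a real system is link order (static kernel)
 * or kldload order (modules).  Writes the result into out as "a,b,c". */
const char *sysinit_load_order(struct sysinit_decl *d, size_t n, char *out, size_t outlen)
{
    for (size_t i = 1; i < n; i++) {
        struct sysinit_decl key = d[i];
        size_t j = i;
        for (; j > 0 && sysinit_before(&key, &d[j - 1]); j--)
            d[j] = d[j - 1];
        d[j] = key;
    }
    out[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        if (i > 0)
            strncat(out, ",", outlen - strlen(out) - 1);
        strncat(out, d[i].module, outlen - strlen(out) - 1);
    }
    return out;
}

/* The three DECLARE_MODULE() lines from the quoted article, in grep order. */
const char *quoted_filters_order(void)
{
    static char buf[64];
    struct sysinit_decl decls[] = {
        { "ipfw",     SI_SUB_PROTO_IFATTACHDOMAIN, SI_ORDER_ANY   },
        { "pf",       SI_SUB_PROTO_IFATTACHDOMAIN, SI_ORDER_FIRST },
        { "ipfilter", SI_SUB_PROTO_DOMAIN,         SI_ORDER_ANY   },
    };
    return sysinit_load_order(decls, 3, buf, sizeof buf);
}
```

quoted_filters_order() yields "ipfilter,pf,ipfw", the same conclusion the article reaches by hand.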