How to change the packet traversal order of the FreeBSD IPFW and PF firewalls at kernel level?

alfa

Member


Hi,
I have to use both IPFW and PF at the same time on my FreeBSD 12.2 gateway.

Normally the firewalls follow this order: pf => ipfw, as you know.

I am trying to get this order:
input => ipfw => pf

But I think I cannot change this order without touching the kernel.
When I did some research I found this:

The IPFW and PF startup order definitions are in these files:
Code:
/usr/src/sys/netpfil/ipfw/ip_fw2.c
/usr/src/sys/netpfil/pf/pf_ioctl.c

I tried the instructions below but I couldn't change that order.

Any help would be appreciated at this point.

These can be helpful:

Packet Traversal in FreeBSD Packet Filters
The order of passage of packets when using ipfilter, pf and ipfw at the same time:
When the filters are loaded as modules, the order will be determined by the order of loading the modules.
This is because packet filters register themselves with pfil(9).

When all filters are built into the kernel, the order will be determined by SYSINIT.
To determine the order, you need to open the sys/kernel.h file.
It defines the order in which certain subsystems are initialized. Now, the simplest:

Code:
# grep DECLARE_MODULE netinet/ip_fw_pfil.c
DECLARE_MODULE(ipfw, ipfwmod, SI_SUB_PROTO_IFATTACHDOMAIN, SI_ORDER_ANY);
# grep DECLARE_MODULE contrib/pf/net/pf_ioctl.c
DECLARE_MODULE(pf, pf_mod, SI_SUB_PROTO_IFATTACHDOMAIN, SI_ORDER_FIRST);
# grep DECLARE_MODULE contrib/ipfilter/netinet/mlfk_ipl.c
DECLARE_MODULE(ipfilter, ipfiltermod, SI_SUB_PROTO_DOMAIN, SI_ORDER_ANY);

From this it follows: ipfilter will be first, then pf, then ipfw.
 

Kristof Provost

Active Member
Developer


You can't. There's no supported way to do this.

Perhaps loading the modules in a fixed order would work, but then you're still mixing two firewalls which is not a supported configuration. I know of several ways this breaks. Do not rely on it, because sooner or later (at a time most inconvenient to you) this will break for you too. Pick a firewall and stick with it. Do not go down the road of mixing them, down that road lies madness.
 
alfa (OP)

Member


You can't. There's no supported way to do this.

Perhaps loading the modules in a fixed order would work, but then you're still mixing two firewalls which is not a supported configuration. I know of several ways this breaks. Do not rely on it, because sooner or later (at a time most inconvenient to you) this will break for you too. Pick a firewall and stick with it. Do not go down the road of mixing them, down that road lies madness.
For me IPFW and PF complete my needs when they work together. I need IPFW to limit bandwidth per MAC address, captive portal, etc. I cannot do this with PF, so I think there must be a solution.
Loading the modules in a fixed order didn't work for me.
 

Kristof Provost

Active Member
Developer


Then migrate fully to ipfw. Mixing firewalls is not a supported configuration. You are on your own with this.
 

PMc

Daemon


For me IPFW and PF complete my needs when they work together. I need IPFW to limit bandwidth per MAC address, captive portal, etc. I cannot do this with PF, so I think there must be a solution.
And what is it that you cannot do with ipfw?
 

Jose

Daemon


And what is it that you cannot do with ipfw?
"The pf firewall currently relies on ALTQ for traffic shaping. ALTQ is not enabled in default kernel builds, and is not compatible with all network drivers (only drivers which implement if_start())."
 
alfa (OP)

Member


And what is it that you cannot do with ipfw?
1. pf supports route-to for policy routing (multi-WAN load balancing and failover).

Sample:
Code:
pass in log (all) quick on { em4 } route-to { ( em0 172.17.10.1 ) ( em1 172.17.20.1 ) } round-robin proto { tcp udp } from any to any
I couldn't do this rule on ipfw.

2. pf supports state tracking and killing states.
Sample:
Code:
pfctl -k 192.168.20.5
ipfw -d show
---> shows all states

I can't kill states for an IP or network.

3. pf supports table expiry:
Code:
pfctl -t blacklist -T expire 86400

I can't use an expire option for tables on ipfw.

But I can't find any documentation for the above.

How can I do it on ipfw?

Any help would be appreciated at this point.
 

PMc

Daemon


Ah, yes, thats fancy. :)

1. I don't know of a strict round-robin, but for load-balancing one could try something like this (not tested):
Code:
# ipfw's forward action takes a next-hop address, not an interface name.
# The em0/em1 gateways are taken from the pf rule above; the em2 one is an assumed placeholder.
# check-state/keep-state pin a flow to the path chosen for its first packet,
# so later packets of the same flow are not re-rolled by the prob rules.
ipfw add 5 check-state
ipfw add 10 prob 0.33 skipto 50 ip from any to any
ipfw add 20 prob 0.50 skipto 40 ip from any to any
ipfw add 30 fwd 172.17.30.1 ip from any to any keep-state
ipfw add 40 fwd 172.17.20.1 ip from any to any keep-state
ipfw add 50 fwd 172.17.10.1 ip from any to any keep-state
The forward destination could be a tablearg, then something might detect an outage and change the table for failover.

2. The dynamic rules should disappear when the parent rule gets deleted.

3. That would probably need an external program that maintains the table content according to some desired logic.
 

bokutin

New Member


> And what is it that you cannot do with ipfw?

ftp-proxy and miniupnpd
 

SirDice

Administrator
Moderator

miniupnpd
Should actually work with IPFW. If the autodetect doesn't work properly, build it from ports and enable IPFW.
Code:
     AUTODETECT_FW=on: Try to autodetect firewall type
     PF=off: Use PF as firewall type
     IPFW=off: Use IPFW as firewall type
 