How to change the packet traversal order of the FreeBSD IPFW and PF firewalls at the kernel level?

Hi,
I have to use both IPFW and PF at the same time on my FreeBSD 12.2 gateway.

Normally the firewalls follow this order: pf => ipfw, as you know.

I am trying to get this order:
input => ipfw => pf


But I think I cannot change this order without touching the kernel level.
When I did some research I found this:

The IPFW and PF startup order definitions are in these files:
Code:
/usr/src/sys/netpfil/ipfw/ip_fw2.c
/usr/src/sys/netpfil/pf/pf_ioctl.c

I tried the instructions below, but I couldn't change that order.

Any help would be appreciated at this point..

These can be helpful:
Packet Traversal in FreeBSD Packet Filters
The order in which packets pass through ipfilter, pf and ipfw when they are used at the same time:
When the filters are loaded as modules, the order is determined by the order in which the modules are loaded.
This is because the packet filters register themselves with pfil(9).

When all filters are compiled into the kernel, the order is determined by SYSINIT.
To determine the order, open the file sys/kernel.h.
It defines the order in which the various subsystems are initialized. Now, the simplest check:

# grep DECLARE_MODULE netinet/ip_fw_pfil.c
DECLARE_MODULE(ipfw, ipfwmod, SI_SUB_PROTO_IFATTACHDOMAIN, SI_ORDER_ANY);
# grep DECLARE_MODULE contrib/pf/net/pf_ioctl.c
DECLARE_MODULE(pf, pf_mod, SI_SUB_PROTO_IFATTACHDOMAIN, SI_ORDER_FIRST);
# grep DECLARE_MODULE contrib/ipfilter/netinet/mlfk_ipl.c
DECLARE_MODULE(ipfilter, ipfiltermod, SI_SUB_PROTO_DOMAIN, SI_ORDER_ANY);

From this it follows: ipfilter is first, then pf, then ipfw.
 
You can't. There's no supported way to do this.

Perhaps loading the modules in a fixed order would work, but then you're still mixing two firewalls which is not a supported configuration. I know of several ways this breaks. Do not rely on it, because sooner or later (at a time most inconvenient to you) this will break for you too. Pick a firewall and stick with it. Do not go down the road of mixing them, down that road lies madness.
 
For me, ipfw and pf together cover my needs. I need IPFW to limit bandwidth per MAC address, for a captive portal, etc. I cannot do this with PF, so I think there must be a solution.
Loading the modules in a fixed order didn't work for me.
 
And what is it that you cannot do with ipfw?
 
1. The pf firewall supports the route-to option for policy routing (multi-WAN load balancing and failover).

Sample: pass in log (all) quick on { em4 } route-to { ( em0 172.17.10.1 ) ( em1 172.17.20.1 ) } round-robin proto { tcp udp } from any to any
I couldn't write this rule on ipfw.

2. The pf firewall supports state tracking and killing states.
Sample: pfctl -k 192.168.20.5
ipfw -d show
---> shows all states

I can't kill states for an IP or a network.

3. The pf firewall supports table expiry.
pfctl -t blacklist -T expire 86400

I can't use an expire option for tables on ipfw.

But I can't find any documentation for the above.

How can I do it on ipfw?

Any help would be appreciated at this point..
 
Ah, yes, that's fancy. :)

1. I don't know of a strict round-robin, but for load-balancing one could try something like this (not tested):
Code:
# Assumed next hops (not in the original post): 172.17.10.1 on em0 and
# 172.17.20.1 on em1 come from the pf sample above; 172.17.30.1 on em2 is a
# placeholder. fwd takes a next-hop address, not an interface name, and every
# rule needs a match body; em4 is the LAN side as in the pf sample.
ipfw add 10 prob 0.33 skipto 50 ip from any to any in recv em4
ipfw add 20 prob 0.50 skipto 40 ip from any to any in recv em4
ipfw add 30 fwd 172.17.30.1 ip from any to any in recv em4
ipfw add 40 fwd 172.17.20.1 ip from any to any in recv em4
ipfw add 50 fwd 172.17.10.1 ip from any to any in recv em4
The forward destination could be a tablearg, then something might detect an outage and change the table for failover.

2. The dynamic rules should disappear when the parent rule gets deleted.

3. That would probably need an external program that maintains the table content according to some desired logic.
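The "external program that maintains the table content" from point 3, and the "something might detect an outage and change the table" from point 1, are the same cron-driven pattern. The script below is an added example written for this thread; it is not code from the original posts or from FreeBSD. It assumes the tables were created once with `ipfw table blacklist create type addr` and `ipfw table wan_gw create type addr valtype ipv4` (plus a `wan_gw_new` twin for the swap), and that a rule like `ipfw add 100 fwd tablearg ip from any to table(wan_gw) out` consumes the next hop stored under 0.0.0.0/0; check the `valtype` spelling and the `table list` output format against ipfw(8) on your release, both are assumed here. The gateway addresses come from the pf sample earlier in the thread; the state-file path and table names are made up. Unlike `pfctl -T expire`, which removes entries by last-reference age, this records an absolute expiry time when the address is banned.

```shell
#!/bin/sh
# ipfw-table-maint.sh: cron-driven maintenance for two ipfw tables.
#   expire   - emulate "pfctl -t blacklist -T expire N" for an address table
#   failover - re-point a next-hop table when the preferred WAN gateway dies
# Added example for this thread, not FreeBSD's or the posters' code.
# Assumed setup (verify against ipfw(8)):
#   ipfw table blacklist create type addr
#   ipfw table wan_gw create type addr valtype ipv4
#   ipfw table wan_gw_new create type addr valtype ipv4
#   ipfw add 100 fwd tablearg ip from any to table(wan_gw) out
set -u

IPFW=${IPFW:-ipfw}                                # set IPFW=: for a dry run
BLACKLIST=${BLACKLIST:-blacklist}
STATE=${STATE:-/var/db/ipfw-blacklist.expiry}     # assumed path; "addr expiry_epoch" lines
GW_TABLE=${GW_TABLE:-wan_gw}
GATEWAYS=${GATEWAYS:-"172.17.10.1 172.17.20.1"}   # preferred gateway first

# ban ADDR TTL: add ADDR to the blacklist table and record when it expires.
ban() {
    addr=$1; ttl=$2; now=$(date +%s)
    $IPFW table "$BLACKLIST" add "$addr" || return 1
    { [ -f "$STATE" ] && awk -v a="$addr" '$1 != a' "$STATE"   # drop an older record
      echo "$addr $((now + ttl))"; } > "$STATE.tmp" && mv "$STATE.tmp" "$STATE"
}

# expired_entries STATEFILE NOW: print the addresses whose expiry is <= NOW.
expired_entries() {
    [ -f "$1" ] || return 0
    awk -v now="$2" '$2 + 0 <= now + 0 { print $1 }' "$1"
}

# expire_table STATEFILE NOW: delete expired addresses from the ipfw table and
# keep only live records in STATEFILE. Prints one "expired ADDR" per removal.
expire_table() {
    state=$1; now=$2
    for addr in $(expired_entries "$state" "$now"); do
        $IPFW table "$BLACKLIST" delete "$addr" && echo "expired $addr"
    done
    [ -f "$state" ] || return 0
    awk -v now="$now" '$2 + 0 > now + 0' "$state" > "$state.tmp" && mv "$state.tmp" "$state"
}

# gateway_up ADDR: one ICMP probe; FreeBSD ping -W takes milliseconds.
gateway_up() { ping -c 1 -W 1000 "$1" >/dev/null 2>&1; }

# pick_gateway: print the first reachable gateway in GATEWAYS, fail if none answers.
pick_gateway() {
    for gw in $GATEWAYS; do
        if gateway_up "$gw"; then echo "$gw"; return 0; fi
    done
    return 1
}

# current_gateway: next hop stored for 0.0.0.0/0 (assumes "key value" list output).
current_gateway() {
    $IPFW table "$GW_TABLE" list 2>/dev/null | awk '$1 == "0.0.0.0/0" { print $2 }'
}

# failover: point 0.0.0.0/0 at the best live gateway, swapping tables so the
# fwd rule never sees an empty table. Returns 0 on change, 1 if nothing to do,
# 2 if no gateway answers.
failover() {
    want=$(pick_gateway) || { echo "no gateway reachable" >&2; return 2; }
    have=$(current_gateway)
    [ "$want" = "$have" ] && return 1
    $IPFW table "${GW_TABLE}_new" flush
    $IPFW table "${GW_TABLE}_new" add 0.0.0.0/0 "$want"
    $IPFW table "$GW_TABLE" swap "${GW_TABLE}_new"
    echo "next hop changed: ${have:-none} -> $want"
}

case "${1:-}" in
    ban)      ban "$2" "${3:-86400}" ;;                # ban ADDR [TTL]
    expire)   expire_table "$STATE" "$(date +%s)" ;;   # cron: every minute
    failover) failover ;;                              # cron: every few seconds
esac
```

Run `ban 192.168.20.5 86400` wherever pf's `pfctl -t blacklist -T add` would have been used, and schedule `expire` and `failover` from cron; with `IPFW=:` every ipfw call becomes a no-op, which is how the script can be exercised on a box without ipfw loaded.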
 
miniupnpd
Should actually work with IPFW. If the autodetect doesn't work properly, build it from ports and enable IPFW.
Code:
     AUTODETECT_FW=on: Try to autodetect firewall type
     PF=off: Use PF as firewall type
     IPFW=off: Use IPFW as firewall type
 