 From:  Peter Curran <peter at closeconsultants dot com>
 To:  "Chris Dickens" <chris at object dash zone dot net>
 Cc:  <m0n0wall dash dev at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall-dev] any plans on switching to pf?
 Date:  Wed, 10 Nov 2004 16:21:15 +0000
On Wednesday 10 November 2004 13:12, Chris Dickens wrote:
> Does this pf on OpenBSD support bouncing of packets from the internal
> network on external IPs as I've been constantly flustered with m0n0wall's
> inability to do?
>

The simple answer is yes - sort of.

This issue is common to all firewall systems built around packet filters (and 
that includes PIX and FW-1).  The problem lies within the way in which NAT is 
implemented on what is, basically, a router with attitude.

PF does have a solution to this problem, but it can limit what you do in other 
parts of the rulebase.  There are other solutions, based on simple proxies, 
that are more elegant and this is how the 'bouncing' system works.

Take a look at the pf FAQ (ftp://ftp.openbsd.org/pub/OpenBSD/doc/pf-faq.txt) 
in the NAT section and you will see the problem described along with three 
different solutions that have varying degrees of efficiency.

> From a 100 mile up perspective, how much trouble could it truly be to chop
> down OpenBSD to the basics like Manuel has done and port the web interface
> over to the OpenBSD platform then let everyone try and decide for
> themselves which is better?  Isn't the source code available for porting? 
> I'm sure minihttp and php and those things are also available on OpenBSD...
>

Like so many things in life, it is more complicated than it looks at first 
glance.  I have been working away quietly at doing just this for a while, but 
progress is slow with so many other things that are more urgent (including 
the OpenVPN stuff).

Cheers

Peter

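The rdr/nat "reflection" configuration Peter refers to, as an added example that is not part of the original message and not m0n0wall's own code: it follows the rdr-plus-nat combination documented in the NAT section of the pf FAQ he links, written in the pre-OpenBSD 4.7 pf.conf syntax in use when this thread was written. The interface names, the LAN block and the server address are assumed for the illustration.

```pf
# Added example, not from the original message.  Assumed names and addresses:
ext_if = "dc0"             # external interface, carries the public address
int_if = "dc1"             # internal LAN interface
server = "192.168.1.40"    # web server on the LAN, published through the firewall

# Ordinary inbound redirection: Internet clients reach $server through the
# firewall's external address.
rdr on $ext_if proto tcp from any to $ext_if port 80 -> $server

# The "bouncing" problem: a LAN client that connects to the external address
# has its packet redirected to $server, but $server answers the client
# directly across the LAN with a source address of $server, not the external
# address the client connected to, so the client's TCP stack drops the reply.

# Fix, part 1: apply the same redirection to connections that arrive on the
# internal interface.
rdr on $int_if proto tcp from $int_if:network to $ext_if port 80 -> $server

# Fix, part 2: rewrite the LAN client's source to the firewall's internal
# address, so $server replies to the firewall and both translations are
# reversed on the way back.  The "no nat" line keeps the firewall's own
# connections into the LAN (for example from this host to $server) untouched.
no nat on $int_if proto tcp from $int_if to $int_if:network
nat on $int_if proto tcp from $int_if:network to $server port 80 -> $int_if

# Filter rules see the translated packets, so the reflected flow has to be
# allowed both into and back out of the internal interface.
pass in  on $ext_if proto tcp from any to $server port 80 keep state
pass in  on $int_if proto tcp from $int_if:network to $server port 80 keep state
pass out on $int_if proto tcp from $int_if to $server port 80 keep state
```

The cost is the one Peter hints at: because the source is rewritten, $server sees every reflected connection as coming from the firewall's internal address, so its logs and any per-client filtering on the server lose the real LAN client, and any other rule on $int_if has to be written with the translated addresses in mind. The proxy-based alternatives in the same FAQ section (an inetd-spawned relay on the firewall) avoid the nat rule at the cost of running a userland process per connection, and split-horizon DNS that hands LAN clients the internal address avoids the problem entirely. On OpenBSD 4.7 and later the rdr/nat pair above is expressed as `pass in ... rdr-to` and `match out ... nat-to` instead.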