Subject: IP Firewalling and IP Filtering
To: None <current-users@NetBSD.ORG>
From: Dave Burgess <>
List: current-users
Date: 06/08/1996 16:38:33

I have been playing around with IP Firewalling and IP Filtering all
week-end.  Here are some observations so far:

1.  There has been a recent change in the definition of the 'struct
ifnet' that has invalidated the members 'if_name' and 'if_unit'.  I am
guessing that these are the old names for the members 'if_xunit' and
'in_index', but I'm not familiar enough with the code to make it work.

2.  I can install the current version of ipfirewall, mostly by hand,
from the diff files provided from Version 2.0c.  The 2.0e stuff doesn't
go together as cleanly.  This strikes me as odd, since the new stuff
should go with the newer version of -current.  This software was last
tested with Version 1.1, so this stuff has changed in the past 6 months.

3.  I tried to install ip_fil2.3.  It was a complete failure.  This
package required about eight file updates, half of which were
invalidated by the ipfirewall additions.  One was just wrong (it was
looking for something in in_proto.c that I couldn't find).

4.  IPFirewall seems to work (I haven't tested it extensively yet).  I
will be playing with it more over the next couple weeks.

5.  IP_Fil2.3 doesn't work at all.  The system slowly grinds to a halt.
Commenting the "options IPFILTER" allowed the generation of a working
1.2 Alpha kernel.  This is a bummer, since I think IP_Fil will give me
the 'IP Proxy' or 'IP Masquerading' I am looking for.  If anyone has any
insight into this stuff, drop me a line.

Other stuff:  Thanks for fixing the LU005s probe so it doesn't try to
look for the controller more than it has to.  Thanks (I think) for
fixing the 1522 controller code.  My system was working fine with the
old code and I had a heck of a time trying to figure out why the new
code didn't work (until I found the drive in the middle of the chain
that was terminated).  Mea Culpa on that one.

All in all, the 1.2Alpha code seems to be ready to go.  Almost
everything seems to either work better or faster.

Dave Burgess  (The man of a thousand E-Mail addresses)
386bsd FAQ Maintainer / SysAdmin for the NetBSD system in my spare bedroom
"Just because something is stupid doesn't mean that there isn't someone
that wants to do it...."