On Sun, 7 Sep 2008, Patrick Welche wrote:
> On Sun, Sep 07, 2008 at 08:29:04AM -0700, Paul Goyette wrote:
>>>> The obvious solution might be "turn off ipfilter/ipnat" but I need ipnat - I don't have enough fixed IP addresses for everything - and I'm not willing to go out and buy a stand-alone device. :)
>>>
>>> try pf instead?
>>
>> Got any example of how to make ipnat work with pf? I thought that the two (ipnat and ipfilter) were intimately tied together?
>
> Rather than ipf.conf and ipnat.conf for ipf, you pop both the filtering rules and the translation rules into pf.conf, e.g., /usr/share/examples/pf/faq-example1 has some nat and rdr rules. (Really, just look at pf.conf(5))

Ah, OK, looks reasonably straightforward.

I know that I have to remove 'pseudo-device ipfilter' if I want to add 'pseudo-device pf'. What about any of the following? Are they all OK to leave in, or do they need to be removed, too?

pseudo-device bpfilter
options PFIL_HOOKS
options IPFILTER_LOOKUP
options IPFILTER_LOG
Thanks.
----------------------------------------------------------------------
| Paul Goyette | PGP DSS Key fingerprint: | E-mail addresses: |
| Customer Service | FA29 0E3B 35AF E8AE 6651 | paul%whooppee.com@localhost |
| Network Engineer | 0786 F758 55DE 53BA 7731 | pgoyette%juniper.net@localhost |
----------------------------------------------------------------------
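The thread's point is that pf keeps the translation rules (nat/rdr) in the same pf.conf as the filter rules instead of a separate ipnat.conf. As an added illustration that is not part of the thread, the script below takes a small constructed ipnat.conf (the interface name ex0 and all addresses are made up) and emits the equivalent pf.conf nat and rdr lines in the pre-OpenBSD-4.7 syntax that NetBSD's pf used at the time, which is the syntax faq-example1 shows. The mapping rules (0/32 becomes the interface address "(ex0)", 0/0 becomes "any", portmap becomes a port range on the nat target, rdr without a protocol is treated as tcp) are my reading of ipnat(5) and pf.conf(5), not something the thread states.

```python
import re

# Constructed sample ipnat.conf (not from the thread); ex0 is a hypothetical
# external interface and the addresses are private / documentation ranges.
SAMPLE_IPNAT_CONF = """\
# outbound translation: map the LAN to the interface address
map ex0 192.168.1.0/24 -> 0/32 portmap tcp/udp 10000:20000
map ex0 192.168.1.0/24 -> 0/32
# inbound redirection to internal servers
rdr ex0 0.0.0.0/0 port 80 -> 192.168.1.10 port 8080 tcp
rdr ex0 0/0 port 53 -> 192.168.1.53 port 53 tcp/udp
"""

# ipnat "map": map <ifname> <src> -> <dst> [portmap <proto> <lo>:<hi>]
MAP_RE = re.compile(
    r"^map\s+(?P<ifname>\S+)\s+(?P<src>\S+)\s*->\s*(?P<dst>\S+)"
    r"(?:\s+portmap\s+(?P<proto>\S+)\s+(?P<lo>\d+):(?P<hi>\d+))?$"
)
# ipnat "rdr": rdr <ifname> <ext> port <n> -> <int> port <m> [<proto>]
RDR_RE = re.compile(
    r"^rdr\s+(?P<ifname>\S+)\s+(?P<ext>\S+)\s+port\s+(?P<extport>\d+)"
    r"\s*->\s*(?P<int>\S+)\s+port\s+(?P<intport>\d+)(?:\s+(?P<proto>\S+))?$"
)


def _addr(token, ifname):
    """Translate ipnat address shorthands into their pf spellings."""
    if token in ("0/0", "0.0.0.0/0"):
        return "any"            # ipnat "anything" -> pf "any"
    if token == "0/32":
        return f"({ifname})"    # ipnat 0/32 = address of the interface -> pf (ifname)
    return token


def _proto(token):
    """'tcp' -> 'tcp'; ipnat's 'tcp/udp' -> pf list '{ tcp udp }'."""
    names = token.split("/")
    return names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"


def ipnat_to_pf(text):
    """Return the pf.conf nat/rdr lines equivalent to the ipnat.conf rules in text.

    Only plain map and rdr rules are handled; anything else raises ValueError
    so that a rule is never silently dropped from the translated ruleset.
    """
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        m = MAP_RE.match(line)
        if m:
            ifname = m["ifname"]
            rule = f"nat on {ifname}"
            if m["proto"]:                      # portmap restricts the rule to these protocols
                rule += f" proto {_proto(m['proto'])}"
            rule += f" from {_addr(m['src'], ifname)} to any -> {_addr(m['dst'], ifname)}"
            if m["lo"]:                         # portmap range -> pf port range on the target
                rule += f" port {m['lo']}:{m['hi']}"
            rules.append(rule)
            continue
        m = RDR_RE.match(line)
        if m:
            ifname = m["ifname"]
            proto = _proto(m["proto"] or "tcp")  # assumption: ipnat rdr defaults to tcp
            rules.append(
                f"rdr on {ifname} proto {proto} from any to {_addr(m['ext'], ifname)}"
                f" port {m['extport']} -> {_addr(m['int'], ifname)} port {m['intport']}"
            )
            continue
        raise ValueError(f"line {lineno}: unsupported ipnat rule: {line!r}")
    return rules


if __name__ == "__main__":
    print("\n".join(ipnat_to_pf(SAMPLE_IPNAT_CONF)))
```

The generated lines are only the translation half of pf.conf; the pass/block rules for the translated traffic follow them in the same file, and `pfctl -nf pf.conf` parses the result without loading it, which is the cheapest check before swapping the kernel over from ipfilter to pf.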