Current-Users archive


Re: Revisiting: ipfilter/ipnat problems on -current



On Sun, Sep 07, 2008 at 03:51:06PM -0700, Paul Goyette wrote:
> On Sun, 7 Sep 2008, Patrick Welche wrote:
>
>> On Sun, Sep 07, 2008 at 08:29:04AM -0700, Paul Goyette wrote:
>>>>> The obvious solution might be "turn off
>>>>> ipfilter/ipnat" but I need ipnat - I don't have enough fixed IP
>>>>> addresses for everything - and I'm not willing to go out and buy a
>>>>> stand-alone device.  :)
>>>>
>>>> try pf instead?
>>>
>>> Got any example of how to make ipnat work with pf?  I thought that the
>>> two (ipnat and ipfilter) were intimately tied together?
>>
>> Rather than ipf.conf and ipnat.conf for ipf, you pop both the filtering
>> rules and the translation rules into pf.conf,
>> e.g., /usr/share/examples/pf/faq-example1 has some nat and rdr rules.
>> (Really, just look at pf.conf(5))
>
> Ah, OK, looks reasonably straightforward.
>
> I know that I have to remove 'pseudo-device ipfilter' if I want to add  
> 'pseudo-device pf'.  What about any of the following?  Are they all OK  
> to leave in, or do they need to be removed, too?

You need these:
>       pseudo-device bpfilter
>       options       PFIL_HOOKS

You don't need these:
>       options       IPFILTER_LOOKUP
>       options       IPFILTER_LOG


Good luck,

Patrick
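As an added illustration of the point above (this is not from the original thread, nor from /usr/share/examples/pf/faq-example1): in pf the translation (nat/rdr) rules and the filter rules live in the same pf.conf, and in the pf version NetBSD shipped at the time translation rules must appear before filter rules. The interface names, the internal network and the web server address below are placeholders chosen for the example.

```pf
# /etc/pf.conf -- example only; replace the macros with your own values.
ext_if  = "fxp0"             # assumed external interface
int_if  = "sip0"             # assumed internal interface
int_net = "192.168.1.0/24"   # assumed internal network
web_srv = "192.168.1.10"     # assumed internal web server

# Options and normalization come first.
set skip on lo0
scrub in all

# Translation rules (what ipnat.conf used to hold).
# Hide the internal network behind the external interface's address;
# the parentheses make pf re-read the address if it changes (DHCP/PPP).
nat on $ext_if from $int_net to any -> ($ext_if)

# Redirect inbound HTTP on the external address to the internal server.
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $web_srv port 80

# Filter rules (what ipf.conf used to hold). Default deny inbound.
block in log all
antispoof quick for { lo0 $int_if }

pass out quick keep state
pass in on $int_if from $int_net to any keep state

# rdr'd packets are filtered *after* translation, so the pass rule must
# name the internal target, not the external address.
pass in on $ext_if proto tcp from any to $web_srv port 80 flags S/SA keep state
```

Syntax-check the file before loading it with `pfctl -nf /etc/pf.conf`, then enable it with `pf=YES` (and, if you keep the file elsewhere, `pf_rules=/path/to/pf.conf`) in /etc/rc.conf. Everything not explicitly passed is dropped, so any further rdr target needs its own pass rule against the translated address.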

