Subject: Re: IPFilter & Bridges on NetBSD-CURRENT
To: Stefan Sonnenberg-Carstens <stefan.sonnenberg@online.de>
From: Manuel Bouyer <bouyer@antioche.eu.org>
List: netbsd-users
Date: 09/21/2003 00:51:33
On Sat, Sep 20, 2003 at 12:37:37PM +0200, Stefan Sonnenberg-Carstens wrote:
> Hi list,
> I have some questions regarding the possibility to use IPFilter and the 
> bridge device.
> I've seen this should be possible with NetBSD-CURRENT.
> Here are my questions :
> 1. Is it straightforward to update a NetBSD-1.6.1 system to current ?

You can grab a current binary distrib from ftp://releng.netbsd.org/
and do an upgrade from sysinst.
Otherwise there are docs about doing a manual upgrade using binary sets,
or upgrading from sources on http://www.netbsd.org/

> 2. Would it be enough to upgrade kernel and /sbin ?

ipf isn't only in /sbin, unfortunately.
Another problem is that in current /sbin isn't statically linked any more,
so you'd also need /lib and /libexec. IMHO it's better to do a complete
upgrade.

> 3. How do rules look like ? If you have a bridge, it has two NIC 
> attached, it should need
>    two rules for each case, because a bridge doubles the possible 
> in/out directions ?

This I don't know, I've never used ipf over bridge yet.

-- 
Manuel Bouyer <bouyer@antioche.eu.org>
     NetBSD: 24 years of experience will always make the difference