
[alpine-devel] FreeBSD ipfw added to alpine edge

From: William Pitcock <nenolod_at_dereferenced.org>
Date: Fri, 24 Jan 2014 06:22:06 -0600

Hello,

I have committed FreeBSD's ipfw to Alpine edge as an alternative to
iptables. We (my employer) have been experimenting with this for the
past few weeks internally.

There are a few rough spots that could use cleaning, but all the core
functionality is working fine. An init script to actually load the
ipfw module and pull in a ruleset would be nice, but it's still very
usable the way it is right now.

** Examples **

Here's how you can use it, assuming you are running edge:

# apk add ipfw
# modprobe ipfw_mod
# ipfw -a list
65535 allow ip from any to any

Say you want to add a rule, like blocking chargen requests:

# ipfw add 1 deny udp from any to me dst-port 19
00001 deny udp from any to me dst-port 19

Now you can check how many packets match each rule:

# ipfw -a list
00001 0 0 deny udp from any to me dst-port 19
65535 24093 5960093 allow ip from any to any

More examples are available here:
https://www.freebsd.org/doc/handbook/firewalls-ipfw.html

QoS using dummynet is available and supported, too. So you can create
pipes and use them and everything will be happy.

** What is not presently implemented **

IPFW DIVERT is not presently implemented. We will probably implement
DIVERT soon, but many packages won't be able to use it, as the checks
are usually hardcoded to FreeBSD. This will require patching.

NAT support is also not presently implemented. Again, it just isn't
really part of our goals at ye olde $employer. Patches would be
accepted of course... it's just a matter of cleaning up DIVERT support
and packaging FreeBSD's natd.

William
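The post says an init-style script that loads a ruleset is still missing and shows `ipfw -a list` being used to read per-rule packet counters. Below is an added example of both pieces, written for this page; it is not William's code and not part of the Alpine ipfw package. It assumes the `ipfw -a list` column layout shown in the post (rule number, packets, bytes, then the rule text), and the rule numbers, the dummynet pipe parameters and the `IPFW` override variable are illustrative choices, not anything the post prescribes.

```shell
#!/bin/sh
# Added example, not from the original post or the Alpine package.
# Minimal ruleset loader in the spirit of the init script the post says
# would be nice, plus a helper that reads `ipfw -a list` output and reports
# which rules have actually matched traffic.

# Path of the ipfw binary; overridable so the loader can be exercised with a
# stand-in (assumption for this example, not an Alpine convention).
IPFW="${IPFW:-ipfw}"

# Ruleset in ipfw(8) syntax, one command per line, in the order it is loaded.
# Rule numbers and the dummynet pipe figures are illustrative.
ipfw_ruleset() {
    cat <<'EOF'
pipe 1 config bw 1Mbit/s delay 50ms
add 100 deny udp from any to me dst-port 19
add 150 pipe 1 ip from any to any out
add 200 allow ip from any to any
EOF
}

# Flush the current ruleset (-q implies -f, so no confirmation prompt), then
# hand each line of ipfw_ruleset to ipfw. The here-document keeps the loop in
# the current shell so a failure inside it propagates through `return`.
ipfw_load() {
    "$IPFW" -q flush || return 1
    while read -r line; do
        [ -n "$line" ] || continue
        # Intentional word splitting: each line is one ipfw argument vector.
        # shellcheck disable=SC2086
        "$IPFW" -q $line || return 1
    done <<EOF
$(ipfw_ruleset)
EOF
}

# Read `ipfw -a list` output on stdin and print "<rule> <packets>" for every
# rule whose packet counter is nonzero. With the post's sample output this
# shows that only the default 65535 rule has seen traffic.
ipfw_hits() {
    awk '$2 + 0 > 0 { print $1, $2 }'
}
```

Run `ipfw_load` from an init script after `modprobe ipfw_mod`, and pipe `ipfw -a list` into `ipfw_hits` to see which rules are doing work; a deny rule that never accumulates hits is either unreachable or numbered after something that already matches the traffic.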

