Date: Fri, 24 Jan 2014 06:22:06 -0600
Subject: [alpine-devel] FreeBSD ipfw added to alpine edge
From: William Pitcock
To: alpine-devel@lists.alpinelinux.org

Hello,

I have committed FreeBSD's ipfw to Alpine edge as an alternative to iptables. We (my employer) have been experimenting with this for the past few weeks internally.
There are a few rough spots that could use cleaning, but all the core functionality is working fine. An init script to actually load the ipfw module and pull in a ruleset would be nice, but, it's still very usable the way it is right now.

** Examples **

Here's how you can use it, assuming you are running edge:

    # apk add ipfw
    # modprobe ipfw_mod
    # ipfw -a list
    65535 allow ip from any to any

Say you want to add a rule, like blocking chargen requests:

    # ipfw add 1 deny udp from any to me dst-port 19
    00001 deny udp from any to me dst-port 19

Now you can check how many packets match each rule:

    # ipfw -a list
    00001 0 0 deny udp from any to me dst-port 19
    65535 24093 5960093 allow ip from any to any

More examples are available here:

https://www.freebsd.org/doc/handbook/firewalls-ipfw.html

QoS using dummynet is available and supported, too. So you can create pipes and use them and everything will be happy.

** What is not presently implemented **

IPFW DIVERT is not presently implemented. We will probably implement DIVERT soon, but, many packages won't be able to use it, as the checks are usually hardcoded to FreeBSD. This will require patching.

NAT support is also not presently implemented. Again, just isn't really part of our goals at ye olde $employer.

Patches would be accepted of course... it's just a matter of cleaning up DIVERT support and packaging FreeBSD's natd.

William
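
The per-rule counters shown in the message above can be checked from a script. This is an added example, not part of the original message or of the ipfw package: it reads `ipfw -a list` output on stdin and reports deny rules that are being hit and rules that have never matched. The function names, the extra sample rules and the handling of a `prob` prefix before the action are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original message): read `ipfw -a list` output on
# stdin and report how each rule is being hit.
# Assumed line layout, as in the listing above: RULE PACKETS BYTES ACTION BODY...

# Emit one tab-separated record per rule: rule, action, packets, bytes.
# Lines without numeric counters (a listing with no counter columns) are ignored.
ipfw_counters() {
    awk '
        $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ {
            a = 4
            if ($a == "prob") a += 2      # assumption: "prob <p>" precedes the action
            printf "%s\t%s\t%s\t%s\n", $1, $a, $2, $3
        }'
}

# Rule numbers of deny/drop/reject rules with at least MIN packets (default 1):
# traffic the firewall is actively refusing.
ipfw_deny_hits() {
    ipfw_counters | awk -F '\t' -v min="${1:-1}" '
        ($2 == "deny" || $2 == "drop" || $2 == "reject") && $3 + 0 >= min + 0 { print $1 }'
}

# Rule numbers whose counters are still zero: candidates for review, since a
# rule that never matches may be shadowed by an earlier rule or simply unused.
ipfw_unused_rules() {
    ipfw_counters | awk -F '\t' '$3 + 0 == 0 { print $1 }'
}

# Constructed sample: the two rules from the message plus two made-up rules.
sample_listing() {
    cat <<'EOF'
00001 0 0 deny udp from any to me dst-port 19
00010 42 3360 deny tcp from any to me dst-port 23
00020 7 420 prob 0.500000 deny icmp from any to me
65535 24093 5960093 allow ip from any to any
EOF
}

if [ "${1:-}" = "--demo" ]; then
    echo "deny rules with hits:"; sample_listing | ipfw_deny_hits
    echo "rules never matched:";  sample_listing | ipfw_unused_rules
fi
```

On a live system the same functions take the real listing, for example `ipfw -a list | ipfw_deny_hits 100` to show only deny rules that have matched at least 100 packets.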