[ENHANCEMENT] Add IPFW example in documentation.

[okalm]

Hi, I am using FreeBSD 13 with the recommended firewall IPWF and I wanted to try Bastille unfortunately the documentation shows only an example for PF . Although I am aware of PF being supported by FreeBSD IMO it would make sense to show an example for IPWF also . I understand FreeBSD or Bastille are not for the casual users but still it could help newcomers not comfortable with firewall settings and rules ... like me. Thanks .

[XJOJIX]

Take a close look at FreeBSD IHandBook IPFW section. You can get most of the information you need from it. It describes how you can use in-kernel NAT and ip_redirects(useful when your using ip alias) in IPFW.

[jdakhayman]

I ,too, am interested in using ipfw instead pf. I do realize that pf is "baked in" to the Bastille code and it isn't as simple as setting up ipfw, instead of pf, and off we go, and all the commands work as usual.

I do like using Bastille to do my redirects, and would like to avoid having to edit the ipfw rule set when I need to do a redirect. Of course folks will say "just use pf", but ipfw has its benefits, and I feel that it would be a meaningful addition to this tool. often, choice is a good thing in many instances.

As always, I wish I knew how to do this. Contributing to a project like this is something I have wanted to do, instead of only being an end user. But at this time, it is above me.

Is there any outlook that this is a possibility?

[XJOJIX]

@jdakhayman Well as I mentioned, you can use Bastille with IPFW. ( I'm using IPFW instead of PF in my server). Take a look at FreeBSD HandBook IPFW section.

[okalm]

@XJOJIX you do realize that your answers are equivalent to RTFM right? That's not really the kind of help people are asking for, but thank you for trying. Anyway I took a break with BastilleBSD so it's not really my concern right now but I respond for the sake of this question.
Good luck.

[XJOJIX]

@okalm you can take it as what ever you want, but all I'm saying is isn't it a common thing to read the doc first? you do realize you're asking about open source software right?

[okalm]

Wow really, are we doing this ? Look mate all I am saying is if you don't want to answer a question why are you even bother responding ? Literally nobody will be mad at you if you don't want to, a) it will avoid the empty answer b) you won't waste your time too . See everybody is happy, that 's all I am saying. Now I will stop here because I do not have time for this, and like I said before it's not helping at all.

[XJOJIX]

I'm even point the link to the section.

all right, your just "I asked give me answer" type of guy.

good luck getting the answer with that attitude.

[jdakhayman]

@jdakhayman Well as I mentioned, you can use Bastille with IPFW. ( I'm using IPFW instead of PF in my server). Take a look at FreeBSD HandBook IPFW section.

I have reviewed the FreeBSD documentation on ipfw. I see and understand (to some extent) how to setup a nat and how to setup port redirects. A question that I have still is when I use the "bastille rdr" cmd, it complains that pf is not setup. Making on the fly redirect changes are a great feature and would be "nice" to have with ifpw as well.

It appears that pf is hard coded, and that ipfw certainly is not supported at this time.

It maybe that the effort is not worth the time either.

[XJOJIX]

@jdakhayman you don't use rdr command.

you don't use bastille or any pf related commands. IPFW will take care of nat and redirecting.

[bmac2]

@cedwards this seems to not be a bastille code issue but at ipfw issue with how to use. agree??? IF yes I will close this one out as done.

[bmac2]

@okalm @XJOJIX upon consultation with @cedwards we will leave this open as a possible future project for bastille. As one of you said, this is not as simple as change out pf for ipfw and everything work. There will be a lot of changes to support ipfw rather than pf, along with a learning curve of our developers to learn ipfw. So this is on the roadmap but other features like more ipv6 support, etc are higher on the list at this time.

[okalm]

Quick heads up, bastille actually works out of the box with IPFW and VNET jails. The only condition is to enable IPFW on host(of course) AND in jail. It works with configured profiles, so it's quick to deploy and easy setup.