OPNsense Forum

English Forums => General Discussion => Topic started by: FrenchFries on October 02, 2017, 10:15:59 pm

Title: ipfw.rules [Fixed]
Post by: FrenchFries on October 02, 2017, 10:15:59 pm
Dear all,

I would like to review the rules the way they are written, in plain pf format.

But I am quite surprised to notice that
/usr/local/etc/ipfw.rules
is written in ipfw (not pf).

So what is the relation of this /usr/local/etc/ipfw.rules with the firewalling script?

Kind regards,
Title: Re: ipfw.rules [Fixed]
Post by: FrenchFries on October 03, 2017, 11:15:14 am
Got it, read on the forum:

Quote
OPNsense uses pf as main firewall, ipfw is only used in our system for the captive portal and traffic shaper.

A little bit complicated.
Title: Re: ipfw.rules [Fixed]
Post by: franco on October 04, 2017, 07:05:40 pm
This is due to limitations in both firewalls. In modern FreeBSD pf does not have an enabled-by-default shaper system anymore. It is scheduled for complete removal in an upcoming FreeBSD version. The decision to remove this shaper support in 2015 was made for the long-term stability of the project. We have never given it another thought.

The captive portal which came from m0n0wall through pfSense was always written in ipfw so it stayed that way.

The patching of pfSense allowed moving traffic from pf to ipfw to deal with some mixed use cases more gracefully, but the code was known to be unreliable and / or prone to hard crashes. We removed this code in 2015 as well.

In 2016, people began to realise that the transparent proxy (pf) does not work in tandem with the captive portal (ipfw) and traffic shaping (ipfw) does not work with policy routing (pf) so we wrote the shared forwarding additions to the FreeBSD kernel and added more possibilities in the captive portal to configure transparent proxies.

Since then, there have been no fundamental issues with the design, although it's agreeable that the whole setup is rather complicated. :)

Cheers,
Franco