Date:      Sun, 17 Apr 2011 15:36:40 +1000 (EST)
From:      Ian Smith <smithi@nimnet.asn.au>
To:        rondzierwa@comcast.net
Cc:        freebsd-net@freebsd.org, hrs@freebsd.org
Subject:   Re: natd starting after firewall rules are loaded
Message-ID:  <20110417150456.J35056@sola.nimnet.asn.au>
In-Reply-To: <349334508.1236453.1302976895873.JavaMail.root@sz0128a.westchester.pa.mail.comcast.net>
References:  <349334508.1236453.1302976895873.JavaMail.root@sz0128a.westchester.pa.mail.comcast.net>

On Sat, 16 Apr 2011, rondzierwa@comcast.net wrote:

 > After the firewall rules are loaded, the rc script then loads natd. 
 > Once the system is up, I can ipfw list and the divert command is, 
 > in fact, not there, but by this time natd is running. If I run the rc.firewall 
 > script interactively, it completes successfully and the divert rule 
 > is in the list, and everyone is happy again. 

There are several outstanding PRs about this and related issues; copying 
hrs@ who grabbed these PRs a while ago.  The quick fix is to add

ipdivert_load="YES"

to /boot/loader.conf so it's there before ipfw & natd start.  You still 
need ipfw_enable=YES and natd_enable=YES in /etc/rc.conf.

 > In 4.9 there used to be a rc.network script that started natd before 
 > it loaded the firewall rules. I do not see it in 8.2 anymore, instead 
 > it looks like rc simply runs the scripts in rc.d alphabetically, so natd 
 > comes after ipfw. 

Not alphabetically but according to rcorder(8).  /etc/rc.d/natd has 
keyword NOSTART and is now only run when /etc/rc.d/ipfw invokes it, but 
as you've seen, ipfw's attempt to install divert rule(s) fails for want 
of ipdivert.ko - which /etc/rc.d/natd does load, but too late.

 > I can't believe I'm the only one using ipfw and natd with 8.2, so it 
 > seems to me that I just don't know the secret handshake that will 
 > make it work. 

In 4.x you had to build ipfw into kernel; lots of changes since :)

cheers, Ian
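A post-boot check for the failure mode discussed in this thread (natd running, but no divert rule in the ipfw ruleset because ipdivert.ko was not yet loaded when /etc/rc.d/ipfw ran). This is an added example, not code from the thread or from FreeBSD's rc scripts. The two rulesets are constructed sample output in the shape `ipfw list` prints (rule 50 with interface em0 is an assumption taken from the usual rc.firewall natd rule); the live check at the end runs only where kldstat and ipfw exist.

```shell
#!/bin/sh
# Added example: detect "natd is up but the ruleset has no divert rule".
# ipdivert.ko must be loaded before rc.d/ipfw installs the divert rule;
# otherwise the add silently fails and natd never sees any packets.

# divert_rule_present reads `ipfw list` output on stdin and succeeds if
# some rule diverts to natd. ipfw prints the port number (8668, natd's
# default from /etc/services) unless the name resolves, so accept both.
divert_rule_present() {
    grep -Eq '^[0-9]+[[:space:]]+divert[[:space:]]+(natd|8668)[[:space:]]'
}

# Constructed sample rulesets (not output from a real machine).
# The first is what you see when ipdivert.ko was missing at ipfw start.
RULES_BROKEN='00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
65000 allow ip from any to any
65535 deny ip from any to any'

# The second is the healthy case: rule 50 diverts to natd (assumed em0).
RULES_OK='00050 divert 8668 ip4 from any to any via em0
00100 allow ip from any to any via lo0
65000 allow ip from any to any
65535 deny ip from any to any'

# check_ruleset "$ruleset": prints a verdict, returns 0 only if a divert
# rule is present.
check_ruleset() {
    if printf '%s\n' "$1" | divert_rule_present; then
        echo "divert rule present"
        return 0
    fi
    echo "no divert rule: natd is running but translating nothing"
    return 1
}

# live_check: on a FreeBSD host, confirm the module and the live ruleset.
# kldstat -q -m is the same test /etc/rc.subr uses before loading a module.
live_check() {
    if ! command -v kldstat >/dev/null 2>&1; then
        echo "kldstat not available; skipping live check"
        return 0
    fi
    if kldstat -q -m ipdivert; then
        echo "ipdivert module loaded"
    else
        echo "ipdivert NOT loaded: add ipdivert_load=\"YES\" to /boot/loader.conf"
    fi
    if ipfw list 2>/dev/null | divert_rule_present; then
        echo "live ruleset has a divert rule"
    else
        echo "live ruleset has no divert rule: reload rules after ipdivert is loaded"
    fi
}

check_ruleset "$RULES_BROKEN" || :
check_ruleset "$RULES_OK" || :
live_check
```

The grep anchors on the rule-number column so a comment or a `count` rule mentioning "divert" does not produce a false pass; if your natd listens on a non-default port (natd_flags="-p ...") extend the alternation accordingly.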



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20110417150456.J35056>