From: Paul Mather
To: freebsd-questions@freebsd.org
Cc: dave
Date: Mon, 08 Nov 2004 14:50:23 -0500
Subject: Re: ipfilter loading on 5.3

On Mon, 8 Nov 2004 12:01:41 -0500, "dave" writes:

> Hello,
> I believe I am having a configuration error. I've got a new 5.3 box to
> which I'm attempting to get ipfilter going. I read the updated handbook and
> have added:
>
> ipfilter_enable="YES"
> ipfilter_rules="/etc/ipf.rules"
> ipmon_enable="YES"
> ipmon_flags="-Dsvn"
>
> to my rc.conf file. When I try to manually load up my rules file with:
> ipf -FA -f /etc/ipf.rules
> I am getting an error "can not open no such device"
> I have not compiled anything for ipfilter into the kernel as I had done
> previously; I understood from the handbook that ipf was capable of being
> dynamically loaded and the rc.conf line would suffice.

I recently updated a system from 5.2.1 to 5.3 and had problems with
ipfilter (dynamically loading it, as you are above). In my case, I
noticed this during boot, when ipfilter was being activated:

    link_elf: symbol in6_cksum undefined

The net effect was that the kernel module would not load, due to the
unresolved symbol.

In my case, I was using a custom kernel that lacked "options INET6".
Re-building my kernel with that option added (i.e., with IPv6 support
enabled) fixed the problem and the ipfilter kernel module now works.

I'm guessing there's some kind of hidden dependency on IPv6 in 5.3 as
far as the ipfilter kernel module is concerned. (This didn't seem to be
the case in 5.2.1, from what I remember.)

Cheers,

Paul.
--
e-mail: paul@gromit.dlib.vt.edu

"Without music to decorate it, time is just a bunch of boring production
deadlines or dates by which bills must be paid."
        --- Frank Vincent Zappa
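The diagnosis described in the reply above (an unresolved in6_cksum symbol when the ipfilter module loads, resolved by adding "options INET6" to the kernel config) can be expressed as a small check. This is an added example, not part of the original message; the function names and the sample boot/config text are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. Sample text below is constructed.

# Print each symbol the kernel linker reported as undefined (dmesg text on stdin).
undefined_symbols() {
    sed -n 's/^.*link_elf: symbol \([A-Za-z0-9_]*\) undefined.*$/\1/p' | sort -u
}

# Succeed if an uncommented "options NAME" line is in the kernel config on stdin.
has_kernel_option() {
    grep -Eq "^[[:space:]]*options[[:space:]]+$1([[:space:]]|=|#|\$)"
}

# diagnose DMESG_TEXT KERNCONF_TEXT: report unresolved symbols and the fix.
# Returns 0 when nothing is unresolved, 1 otherwise.
diagnose() {
    syms=$(printf '%s\n' "$1" | undefined_symbols)
    if [ -z "$syms" ]; then
        echo "no unresolved module symbols"
        return 0
    fi
    for sym in $syms; do
        case $sym in
            in6_cksum) opt=INET6 ;;  # the only mapping the thread reports
            *) echo "$sym: undefined, providing kernel option not known"; continue ;;
        esac
        if printf '%s\n' "$2" | has_kernel_option "$opt"; then
            echo "$sym: undefined, but 'options $opt' is configured; check the running kernel was rebuilt"
        else
            echo "$sym: undefined, add 'options $opt' to the kernel config and rebuild"
        fi
    done
    return 1
}

# Constructed sample input: one boot message from the thread, one custom config.
SAMPLE_DMESG='ipfilter module load attempt (constructed line)
link_elf: symbol in6_cksum undefined'
SAMPLE_KERNCONF='options  INET
#options  INET6
options  FFS'

# On a real system: diagnose "$(dmesg)" "$(cat /path/to/your/KERNCONF)"
diagnose "$SAMPLE_DMESG" "$SAMPLE_KERNCONF" || true
```

A commented-out "#options INET6" line is treated as absent, which is the case that silently breaks the module load on a custom kernel.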