From: Kenneth W Cochran
Date: Sat, 31 Aug 2002 23:19:49 -0400 (EDT)
Message-Id: <200209010319.XAA115050408@shell.TheWorld.com>
To: freebsd-stable@freebsd.org
Subject: Re: IPFW2 option in -stable kernel config

sorry... botched -cc

>Date: Sat, 31 Aug 2002 12:15:33 -0500
>To: Kenneth W Cochran
>From: "Jeffrey J. Mountin"
>Subject: Re: IPFW2 option in -stable kernel config
>Cc: freebsd-stable@FreeBSD.ORG, luigi@FreeBSD.ORG
>
>At 09:12 AM 8/31/02 -0400, Kenneth W Cochran wrote:
>>In reading the notes in the cvs-all & stable lists regarding
>>the IPFW2, it isn't clear (well to me :) how to properly
>>specify the new code.  As per the announcement(s), there is,
>>of course, no explanation in LINT either.
>
>Not yet.  However, the man page has been updated (8/16 & 8/20).

So I noticed...

>>Are IPFIREWALL & IPFW2 mutually exclusive?
>
>No, I thought the 7/23 commit message was clear on how to use the new
>functionality:
>
> + add "options IPFW2" (undocumented) to your kernel config file;
>
> + compile and install sbin/ipfw and lib/libalias with
>     make -DIPFW2

No mention was made of any other firewall options (i.e. if
there was no previous firewall configured) in the kernel
config so I'd been wondering...

>If you look at the source, it's clear why you *must* have both.  Perhaps
>the commit should have read:
>
> + add "options IPFW2" (undocumented) to your kernel config file;
>   (in addition to IPFIREWALL);

Exactly what I was looking for; thanks!

>>Does IPFW2 "depend on" specification of IPFIREWALL?
>
>Yes.

As above, thanks :)

>>Do options like IPDIVERT, IPFIREWALL_VERBOSE
>>& other knobs apply to IPFIREWALL as well?
>
>Yes ^ 3+n

Oops, guess I should have said IPFW2 instead of IPFIREWALL,
but I'll take that as a yes as well? :)

>>In looking over the kernel source(s), it appears that IPFW2
>>might "trump" IPFIREWALL & therefore IPFIREWALL becomes a
>>"don't care" if IPFW2 is specified.  Is this correct?
>
>No.  UTSL

... going back to UTS/RTFS... :)

>In the process of redoing one system for testing I installed 4.6R using a
>faster system to build world and (after updating other systems) while it
>was NFS mounted recompiled ipfw and libalias:
>
>cd src/sbin/ipfw
>make clean
>make -DIPFW2 depend (no-op really, just habit)
>make -DIPFW2
>make -DIPFW2 install (this was covered by "make installworld"
>
>And similarly for src/lib/libalias.  You can add IPFW2=true to make.conf as
>well and then only the kernel need be updated:
>
>options IPFIREWALL
>options IPDIVERT
>options IPFIREWALL_VERBOSE
>options IPFW2 <-- added

Does this mean that I can put IPFW2=TRUE in /etc/make.conf
and {build,install}world will properly build the new
userland code without "manually" doing them by -DIPFW2 as
above?  (I think so, but I would like to hear from someone
who knows this code better than I (aka The Word From On High :)).

[...snip...]

>cheers!
>
>Jeff Mountin - jeff@mountin.net
>Systems/Network Administrator
>FreeBSD - the power to serve

Thanks!  I think this is/was the info I was looking for.

-kc