Date: Thu, 26 May 2005 15:15:57 -0500
From: Billy Newsom <smartweb@leadhill.net>
To: freebsd-stable@freebsd.org
Cc: sergei <sergei@konst.donpac.ru>
Subject: Re: 5-Stable (5.4) any ipnat changes?
Message-ID: <42962E7D.6080609@leadhill.net>
In-Reply-To: <007f01c561b0$ff758f40$cbc1a10a@Curs3>
References: <007f01c561b0$ff758f40$cbc1a10a@Curs3>

sergei wrote:
> I have the same problem:
>
> After I cvsuped my system from 5.3 to 5.4, ipfilter (compiled in the my
> custom kernel) & ipnat not start automatically. If I do
> "/etc/rc.d/ipfilter start && /etc/rc.d/ipnat start" manually - all works
> fine... Lines "ipfilner_enable=YES" and "ipnat_enable=YES" present in
> the /etc/rc.conf.
>

Okay, I'm going to dig up someone who might be responsible or might be
able to fix it. Two strikes while doing the same upgrade...

While I'm thinking about it, would you see if it happens on the next
reboot? I haven't tried, because my system is a firewall that I need to
keep up most of the time (I'm behind it right now), but I will
definitely see if it happens again soon. I am going to check some cvs
checkins in the last three months or so and see if I can track down a
change.

As for the custom kernel, I wonder if we both need to post the details
of our custom kernel to this list for others to see? I wonder if the
problem is only with certain kernel switches. I am attaching my kernel
(with no comments) to this email. Let me know if it's easier to read
with the comments in it, because a lot of the generic kernel fluff has
been removed for sake of speed. I removed them with:

    cat mykernel | sed -e 's;#.*;;' -e '/^[ ]*$/d' >mykernel.1

Billy

> ~>-----Original Message-----
> ~>From: owner-freebsd-stable@freebsd.org
> ~>[mailto:owner-freebsd-stable@freebsd.org] On Behalf Of Billy Newsom
> ~>Sent: Thursday, May 26, 2005 1:54 AM
> ~>To: freebsd-stable@freebsd.org
> ~>Subject: 5-Stable (5.4) any ipnat changes?
> ~>
> ~>Is there some reason why ipnat wouldn't automatically startup?
> ~>
> ~>I just upgraded from a 5-stable in February to a 5-stable in May, so I
> ~>could essentially get 5.4 on this firewall machine.
> ~>I simultaneously was upgrading some ports, etc., but nothing too
> ~>severe. When I rebooted the machine, everything looked fine. No
> ~>problems whatsoever. This was the first time that I compiled multiple
> ~>kernels (normally I just compile a custom and not the generic), but
> ~>that is not related.
> ~>
> ~>What happened is that I had a strange problem receiving mail on the
> ~>mail server. It took me quite a while to finally track down the
> ~>problem. I ended up running a packet sniffer and still couldn't figure
> ~>it out. Well, it turned out that the filters in ipnat weren't
> ~>installed, and so all of the NAT routing wasn't happening as normal.
> ~>
> ~>I have really never seen this server boot without NAT -- it's
> ~>basically the same setup I've used for years and it never dawned on me
> ~>what would happen if ipnat failed to run its filters. Meanwhile,
> ~>IPFilter was busy running the firewall like normal.
> ~>
> ~>I have looked at the logs in detail and I can't find anything that
> ~>would have turned off ipnat or caused it not to run its filter. Nor,
> ~>on the other hand, do I see where ipnat logs anything, anyway.
> ~>
> ~>Where would I look to track this down? Is it possible that something
> ~>in stable messed this up?
> ~>
> ~>
> ~># ls -l /etc/ipnat.rules
> ~>-rw-r--r-- 1 root wheel 437 Mar 14 14:18 /etc/ipnat.rules
> ~>
> ~>Notice no changes since March in that file.
> ~>
> ~># cat /etc/rc.conf | grep ip
> ~>ipfilter_enable="YES"           # Set to YES to enable ipfilter functionality
> ~>ipfilter_program="/sbin/ipf"    # where the ipfilter program lives
> ~>ipfilter_rules="/etc/ipf.rules" # rules definition file for ipfilter, see
> ~>                                # /usr/src/contrib/ipfilter/rules for examples
> ~>ipfilter_flags=""               # additional flags for ipfilter
> ~>ipnat_enable="YES"              # Set to YES to enable ipnat functionality
> ~>ipnat_program="/sbin/ipnat"     # where the ipnat program lives
> ~>ipnat_rules="/etc/ipnat.rules"  # rules definition file for ipnat
> ~>ipnat_flags=""                  # additional flags for ipnat
> ~>ipmon_enable="YES"              # Set to YES for ipmon; needs ipfilter or ipnat
> ~>ipmon_program="/sbin/ipmon"     # where the ipfilter monitor program lives
> ~>ipmon_flags="-Ds"               # typically "-Ds" or "-D /var/log/ipflog"
> ~>ipfs_enable="YES"               # Set to YES to enable saving and restoring
> ~>ipfs_program="/sbin/ipfs"       # where the ipfs program lives
> ~>ipfs_flags=""                   # additional flags for ipfs
> ~>
> ~>Thanks.
> ~>Billy

[Attachment: smp3b.text]

machine   i386
cpu       I686_CPU
ident     BILLYSMP3
hints     "GENERIC.hints"
options   SMP
options   MSGMNB=8192
options   MSGSSZ=64
options   MSGTQL=2048
options   MAXCONS=6
options   IPFILTER
options   IPFILTER_LOG
options   SCHED_4BSD
options   INET
options   FFS
options   SOFTUPDATES
options   UFS_ACL
options   UFS_DIRHASH
options   NFSCLIENT
options   NFSSERVER
options   PROCFS
options   PSEUDOFS
options   GEOM_GPT
options   COMPAT_43
options   COMPAT_FREEBSD4
options   SCSI_DELAY=4000
options   KTRACE
options   SYSVSHM
options   SYSVMSG
options   SYSVSEM
options   _KPOSIX_PRIORITY_SCHEDULING
options   KBD_INSTALL_CDEV
options   ADAPTIVE_GIANT
device    apic
device    isa
device    pci
device    fdc
device    ata
device    atadisk
device    atapicd
options   ATA_STATIC_ID
device    ahc
device    sym
device    aha
device    aic
device    scbus
device    ch
device    da
device    sa
device    cd
device    pass
device    ses
device    atkbdc
device    atkbd
device    psm
device    vga
device    sc
device    npx
device    apm
device    sio
device    ppc
device    ppbus
device    lpt
device    ppi
device    miibus
device    fxp
device    nge
device    pcn
device    re
device    rl
device    ste
device    tx
device    wb
device    ed
device    ep
device    lnc
device    loop
device    mem
device    io
device    random
device    ether
device    tun
device    pty
device    gif
device    bpf
device    uhci
device    ohci
device    usb
device    ugen
device    uhid
device    ukbd
device    ulpt
device    umass
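
The failure described in this thread is silent: ipfilter keeps filtering while ipnat has no rules loaded and nothing is logged. The sketch below is an added example, not part of the original message or of FreeBSD's rc scripts; it compares the rule count in /etc/ipnat.rules with what `ipnat -l` reports. The two header strings it matches and the sample rules and addresses are assumptions constructed for illustration.

```shell
# Assumption: `ipnat -l` lists active rules between the headers
# "List of active MAP/Redirect filters:" and "List of active sessions:".
# On the firewall itself: ipnat -l | nat_check /etc/ipnat.rules

# Count rule lines in an ipnat.rules-style file (comments and blanks skipped).
count_configured() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" | wc -l | tr -d ' '
}

# Count active rules in `ipnat -l` output read from stdin.
count_loaded() {
    awk '/^List of active MAP\/Redirect filters:/ { in_rules = 1; next }
         /^List of active sessions:/             { in_rules = 0 }
         in_rules && NF                          { n++ }
         END                                     { print n + 0 }'
}

# $1 = rules file, stdin = `ipnat -l` output. Returns 1 if rules are missing.
nat_check() {
    want=$(count_configured "$1")
    have=$(count_loaded)
    if [ "$have" -lt "$want" ]; then
        echo "NAT rules missing: $have loaded, $want configured" >&2
        return 1
    fi
    echo "NAT ok: $have loaded, $want configured"
}

# Constructed sample rules file (hypothetical interface and addresses).
sample_rules() {
    cat <<'EOF'
# outbound NAT for the LAN
map fxp0 192.168.1.0/24 -> 0/32 portmap tcp/udp auto
rdr fxp0 0/0 port 25 -> 192.168.1.10 port 25 tcp   # inbound mail
EOF
}

# Constructed `ipnat -l` output for a healthy boot; sessions are not counted.
sample_loaded() {
    cat <<'EOF'
List of active MAP/Redirect filters:
map fxp0 192.168.1.0/24 -> 0.0.0.0/32 portmap tcp/udp auto
rdr fxp0 0.0.0.0/0 port 25 -> 192.168.1.10 port 25 tcp

List of active sessions:
MAP 192.168.1.5 1034 <- -> 203.0.113.7 1034 [198.51.100.9 25]
EOF
}
```

Run from cron or at the end of boot, a non-zero exit from nat_check flags the state the thread describes, where the filter is up but the NAT table is empty.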