Date:      Sat, 27 Jan 2001 21:46:39 +0100
From:      Gerhard Sittig <Gerhard.Sittig@gmx.net>
To:        freebsd-stable@freebsd.org
Subject:   Re: IPFILTER 3.4.16 and FreeBSD-4.2
Message-ID:  <20010127214639.S253@speedy.gsinet>
In-Reply-To: <3A72DEA1.A31EC401@webcraft99.com>; from afu@webcraft99.com on Sat, Jan 27, 2001 at 10:43:45PM +0800
References:  <3A72DEA1.A31EC401@webcraft99.com>

On Sat, Jan 27, 2001 at 22:43 +0800, Feisal Umar wrote:
> 
> Are the startup scripts for FreeBSD-4.2 broken for
> IPFILTER/IPNAT support?

No.

> I have a gateway machine configured with IPFILTER/IPNAT via the
> rc.conf with the following entries:
> ipfilter_enable="YES"
> ipfilter_flags=""
> ipnat_enable="YES"
> ipmon_enable="YES"

That's OK.  And if you use the /etc/{ipf,ipnat}.rules filenames
for your configuration -- these already are the defaults and work
OOTB.

> Hosts behind the GATEWAY can't traverse to outside via the NAT
> after the GATEWAY is rebooted with a new Kernel Build
> (yesterday). I had to manually specify "ipnat -CF -f
> /etc/ipnat.rules" before everything works as normal.

You don't use modules for your NIFs by chance?  If so, have a
look at the conf/22859 PR.  A simple 'ipf -y' in your
ppp.link{up,down} or late in rc.network should do.  As well as
you could make all the interfaces be there in time with some
magic.  But I would prefer to compile all essential NIC drivers
into the kernel.

> Ipmon behaviour has also changed, ie nothing is being passed to
> syslog except an entry saying ipmon was started.  I can't find
> anything in the system logs to suggest anything is amiss.

Dumb question:  What exactly do you expect to find in the logs?
Why are you scared by the absence of logged events? :)  And then:
Does your 'ipf -V' output allow logging?  Do you have logging
rules?  Do they match?

And while you're admitting to using a different ipfilter version:
Where is it installed to?  dougb tried to improve the rc scripts
lately (you surely noticed while controlling mergemaster(8)) to
use pathnames and consistent output style.

One basic thing to keep in mind when hunting bugs down:  Don't
look at your config files only -- these are just your intentions,
they're easily misspelled and human readers tend to see what they
_want_ to see ("I wrote 'blah', of course it reads 'blah'" when
it actually reads 'blubb').  Query the system for status -- these
are the facts!  Look at the 'ipf -V', 'ipfstat -io -n', and
'ipnat -l' outputs as well as the 'which ipf ipfstat ipnat ipmon'
output.  It must be something simple.  When in doubt put 'set -x'
and 'set +x' around the ipfilter section in rc.network.


virtually yours   82D1 9B9C 01DC 4FB4 D7B4  61BE 3F49 4F77 72DE DA76
Gerhard Sittig   true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
-- 
     If you don't understand or are scared by any of the above
             ask your parents or an adult to help you.
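Editor's note, added to this archived message and not part of the original mail: the "query the system, not the config" advice above turns into a small diagnostic script quite naturally. The script below is mine, not Gerhard's or the FreeBSD project's. It wraps the checks he lists (same directory for all four binaries from 'which', 'Running'/'Logging' from 'ipf -V', a non-zero NAT rule count from 'ipnat -l') as functions that take captured text, so they can be exercised offline on the constructed samples at the bottom; the function names and the exact output formats it parses are assumptions based on IPFilter 3.4.x and may need adjusting for other versions.

```shell
#!/bin/sh
# Added example (not from the original mail): a diagnostic that queries
# the running system instead of trusting /etc/ipf.rules and /etc/ipnat.rules.
# Each parser takes the tool output as $1; run_live() feeds it live output.
# Field names below are assumed from IPFilter 3.4.x output and may differ.

# Number of distinct directories among the paths printed by
# 'which ipf ipfstat ipnat ipmon'.  More than one means a port-installed
# ipfilter (/usr/local/sbin) and the base one (/sbin) are being mixed.
tool_dir_count() {
    printf '%s\n' "$1" | sed -n 's,/[^/]*$,,p' | sort -u | wc -l | tr -d ' '
}

# Does 'ipf -V' report the kernel side as able to log?  Prints yes/no.
logging_available() {
    if printf '%s\n' "$1" | grep -q 'Logging: available'; then
        echo yes
    else
        echo no
    fi
}

# Is the filter actually running ('Running: yes' in 'ipf -V')?
filter_running() {
    printf '%s\n' "$1" | grep -q '^Running: yes' && echo yes || echo no
}

# Count NAT rules in 'ipnat -l' output: the non-empty lines between the
# MAP/Redirect header and the active-sessions header.  Zero rules after a
# reboot is exactly the symptom reported in the thread.
nat_rule_count() {
    printf '%s\n' "$1" | awk '
        /^List of active MAP\/Redirect filters:/ { inrules = 1; next }
        /^List of active sessions:/              { inrules = 0 }
        inrules && NF > 0                        { n++ }
        END { print n + 0 }'
}

# Run all checks against the live box; non-zero exit on any finding.
run_live() {
    rc=0
    dirs=$(tool_dir_count "$(which ipf ipfstat ipnat ipmon)")
    [ "$dirs" -eq 1 ] || { echo "ipf tools come from $dirs directories"; rc=1; }
    v=$(ipf -V 2>&1)
    [ "$(filter_running "$v")" = yes ] || { echo "ipf is not running"; rc=1; }
    [ "$(logging_available "$v")" = yes ] || { echo "kernel ipf has no logging"; rc=1; }
    n=$(nat_rule_count "$(ipnat -l 2>&1)")
    [ "$n" -gt 0 ] || { echo "no NAT rules loaded"; rc=1; }
    ipfstat -io -n   # full rule listing for eyeballing; not parsed here
    return $rc
}

# Constructed sample output (not captured from a real machine) for offline checks.
SAMPLE_WHICH='/sbin/ipf
/usr/local/sbin/ipfstat
/sbin/ipnat
/sbin/ipmon'
SAMPLE_IPF_V='ipf: IP Filter: v3.4.16 (336)
Kernel: IP Filter: v3.4.16
Running: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 0'
SAMPLE_IPNAT_L='List of active MAP/Redirect filters:
map tun0 192.168.1.0/24 -> 0/32 portmap tcp/udp 40000:60000
map tun0 192.168.1.0/24 -> 0/32

List of active sessions:
MAP 192.168.1.5  1234  <- -> 1.2.3.4  40001 [5.6.7.8 80]'

# Usage: sh ipfcheck.sh live   (on the gateway, as root)
if [ "${1:-}" = live ]; then
    run_live
fi
```

The sample 'which' output deliberately mixes /sbin and /usr/local/sbin, which is the installed-elsewhere situation Gerhard asks about; on a clean base-system install tool_dir_count should print 1.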

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010127214639.S253>