From owner-freebsd-stable Sat Jan 27 21:18:53 2001
Delivered-To: freebsd-stable@freebsd.org
Received: from arianna.webcraft99.alt (unknown [202.151.192.90]) by hub.freebsd.org (Postfix) with ESMTP id 8086C37B400 for ; Sat, 27 Jan 2001 21:18:33 -0800 (PST)
Received: from jenna.webcraft99.alt (jenna.webcraft99.alt [192.168.1.22]) by arianna.webcraft99.alt (AriAnnA) with ESMTP id 76BF17C12; Sun, 28 Jan 2001 13:43:30 +0800 (MYT)
Received: from webcraft99.com (lexus.webcraft99.alt [192.168.1.31]) by jenna.webcraft99.alt (JEnnA) with ESMTP id 039AB3DB2; Sun, 28 Jan 2001 13:23:09 +0800 (MYT)
Message-ID: <3A73ACBC.FEBE8FCF@webcraft99.com>
Date: Sun, 28 Jan 2001 13:23:08 +0800
From: Feisal Umar
Organization: Webcraft Sdn Bhd (http://www.webcraft99.com)
X-Mailer: Mozilla 4.76 [en] (Windows NT 5.0; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Gerhard Sittig
Cc: freebsd-stable@freebsd.org
Subject: Re: IPFILTER 3.4.16 and FreeBSD-4.2
References: <3A72DEA1.A31EC401@webcraft99.com> <20010127214639.S253@speedy.gsinet>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Gerhard

Thanks for your extensive guide. It was indeed something simple.
Disgustingly unthorough, unlike dougb, I didn't synchronise my custom rc
files for services that require the firewall/ipfilter. One such script was
still calling my old "initialise the firewall" script, which I have deleted.

I do concur now the rc scripts in FreeBSD-4.2 are NOT broken. Apologies.

Thank you.

Gerhard Sittig wrote:
> 
> On Sat, Jan 27, 2001 at 22:43 +0800, Feisal Umar wrote:
> >
> > Are the startup scripts for FreeBSD-4.2 broken for
> > IPFILTER/IPNAT support?
> 
> No.
> 
> > I have a gateway machine configured with IPFILTER/IPNAT via the
> > rc.conf with the following entries:
> > ipfilter_enable="YES"
> > ipfilter_flags=""
> > ipnat_enable="YES"
> > ipmon_enable="YES"
> 
> That's OK.  And if you use the /etc/{ipf,ipnat}.rules filenames
> for your configuration -- these already are the defaults and work
> OOTB.
> 
> > Hosts behind the GATEWAY can't traverse to outside via the NAT
> > after the GATEWAY is rebooted with a new Kernel Build
> > (yesterday). I had to manually specify "ipnat -CF -f
> > /etc/ipnat.rules" before everything works as normal.
> 
> You don't use modules for your NIFs by chance? If so, have a
> look at the conf/22859 PR. A simple 'ipf -y' in your
> ppp.link{up,down} or late in rc.network should do. As well as
> you could make all the interfaces be there in time with some
> magic. But I would prefer to compile all essential NIC drivers
> into the kernel.
> 
> > Ipmon behaviour has also changed, ie nothing is being passed to
> > syslog except an entry saying ipmon was started. I can't find
> > anything in the system logs to suggest anything is amiss.
> 
> Dumb question: What exactly do you expect to find in the logs?
> Why are you scared by the absence of logged events? :) And then:
> Does your 'ipf -V' output allow logging? Do you have logging
> rules? Do they match?
> 
> And while you're admitting to use a different ipfilter version:
> Where is it installed to? dougb tried to improve the rc scripts
> lately (you surely noticed while controlling mergemaster(8)) to
> use pathnames and consistent output style.
> 
> One basic thing to keep in mind when hunting bugs down: Don't
> look at your config files only -- these are just your intentions,
> they're easily misspelled and human readers tend to see what they
> _want_ to see ("I wrote 'blah', of course it reads 'blah'" when
> it actually reads 'blubb'). Query the system for status -- these
> are the facts! Look at the 'ipf -V', 'ipfstat -io -n', and
> 'ipnat -l' outputs as well as the 'which ipf ipfstat ipnat ipmon'
> output. It must be something simple. When in doubt put 'set -x'
> and 'set +x' around the ipfilter section in rc.network.
> 
> virtually yours   82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
> Gerhard Sittig    true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
> -- 
> If you don't understand or are scared by any of the above
> ask your parents or an adult to help you.
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-stable" in the body of the message

-- 
Feisal Umar
Webcraft Sdn Bhd - http://www.webcraft99.com

If you think the United States has stood still, who built the largest
shopping center in the world?
-- Richard M. Nixon
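The root cause in this exchange, a custom rc script still calling a helper that had been deleted after the upgrade, is the kind of drift that can be caught mechanically rather than by staring at config files. The following POSIX shell script is an added example; it is not code from the thread, from FreeBSD, or from either poster. `checkyesno` mirrors the yes/no test FreeBSD rc scripts apply to `*_enable` knobs such as `ipfilter_enable="YES"`, `rc_knob_enabled` shows how a given rc.conf line would be interpreted, and `find_stale_refs` lists every absolute path named in a directory of rc scripts that no longer exists on disk. The `rc.d` and `bin` directories, the `ipf-reload.sh` and `firewall-init.sh` helper names and the `ipfilter-custom.sh` script are all constructed under a temporary directory for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD: audit custom rc
# scripts for calls to absolute paths that no longer exist (the stale
# "initialise the firewall" call described in the thread) and show how an
# rc.conf *_enable knob is interpreted.  Every path used by demo() is
# constructed under a temporary directory.

# checkyesno mirrors the yes/no test FreeBSD rc scripts apply to *_enable
# knobs: YES/TRUE/ON/1 (any case) enable the service, anything else does not.
checkyesno() {
    case "$1" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# rc_knob_enabled FILE KNOB: source an rc.conf-style file in a subshell and
# return 0 if KNOB (for example ipfilter_enable) would start the service.
rc_knob_enabled() {
    ( . "$1" && eval "val=\$$2" && checkyesno "$val" )
}

# find_stale_refs DIR: for every *.sh under DIR, print "script: path" for
# each absolute path mentioned in the body that does not exist on disk.
# Comment lines, including the #! line, are skipped.
find_stale_refs() {
    for script in "$1"/*.sh; do
        [ -f "$script" ] || continue
        grep -v '^[[:space:]]*#' "$script" \
            | grep -o '/[A-Za-z0-9_./-]*' \
            | sort -u \
            | while read -r path; do
                [ -e "$path" ] || echo "$(basename "$script"): $path"
            done
    done
}

# demo: build a constructed rc.d tree containing one helper that still
# exists and one reference to a helper that was deleted, run the audit, and
# print the findings with the temp directory replaced by the literal "TMP".
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/rc.d" "$tmp/bin"
    # helper that still exists
    printf '#!/bin/sh\nexit 0\n' > "$tmp/bin/ipf-reload.sh"
    # custom rc script (constructed sample): the second helper was deleted
    cat > "$tmp/rc.d/ipfilter-custom.sh" <<EOF
#!/bin/sh
# custom firewall hook (constructed sample)
$tmp/bin/ipf-reload.sh
$tmp/bin/firewall-init.sh
EOF
    find_stale_refs "$tmp/rc.d" | sed "s|$tmp|TMP|"
    rm -rf "$tmp"
}

demo
```

On a real host, point `find_stale_refs` at the directory holding your custom startup scripts; each line it prints names a script and a path it would try to run that is gone. This complements the "query the system, not the config" advice above: `ipf -V`, `ipfstat -io -n` and `ipnat -l` tell you what the kernel is actually doing, while the audit tells you which script stopped doing its job and why.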