Date: Sun, 28 Jan 2001 13:23:08 +0800
From: Feisal Umar <afu@webcraft99.com>
To: Gerhard Sittig <Gerhard.Sittig@gmx.net>
Cc: freebsd-stable@freebsd.org
Subject: Re: IPFILTER 3.4.16 and FreeBSD-4.2
Message-ID: <3A73ACBC.FEBE8FCF@webcraft99.com>
References: <3A72DEA1.A31EC401@webcraft99.com> <20010127214639.S253@speedy.gsinet>
Gerhard

Thanks for your extensive guide. It was indeed something simple. Disgustingly unthorough, unlike dougb, I didn't synchronise my custom rc files for services that require the firewall/ipfilter. One such script was still calling my old "initialise the firewall" script, which I have deleted. I do concur now that the rc scripts in FreeBSD-4.2 are NOT broken. Apologies. Thank you.

Gerhard Sittig wrote:
>
> On Sat, Jan 27, 2001 at 22:43 +0800, Feisal Umar wrote:
> >
> > Are the startup scripts for FreeBSD-4.2 broken for
> > IPFILTER/IPNAT support?
>
> No.
>
> > I have a gateway machine configured with IPFILTER/IPNAT via the
> > rc.conf with the following entries:
> > ipfilter_enable="YES"
> > ipfilter_flags=""
> > ipnat_enable="YES"
> > ipmon_enable="YES"
>
> That's OK. And if you use the /etc/{ipf,ipnat}.rules filenames
> for your configuration -- these already are the defaults and work
> OOTB.
>
> > Hosts behind the GATEWAY can't traverse to outside via the NAT
> > after the GATEWAY is rebooted with a new Kernel Build
> > (yesterday). I had to manually specify "ipnat -CF -f
> > /etc/ipnat.rules" before everything works as normal.
>
> You don't use modules for your NIFs by chance? If so, have a
> look at the conf/22859 PR. A simple 'ipf -y' in your
> ppp.link{up,down} or late in rc.network should do. As well as
> you could make all the interfaces be there in time with some
> magic. But I would prefer to compile all essential NIC drivers
> into the kernel.
>
> > Ipmon behaviour has also changed, i.e. nothing is being passed to
> > syslog except an entry saying ipmon was started. I can't find
> > anything in the system logs to suggest anything is amiss.
>
> Dumb question: What exactly do you expect to find in the logs?
> Why are you scared by the absence of logged events? :) And then:
> Does your 'ipf -V' output allow logging? Do you have logging
> rules? Do they match?
>
> And while you're admitting to use a different ipfilter version:
> Where is it installed to? dougb tried to improve the rc scripts
> lately (you surely noticed while controlling mergemaster(8)) to
> use pathnames and consistent output style.
>
> One basic thing to keep in mind when hunting bugs down: Don't
> look at your config files only -- these are just your intentions,
> they're easily misspelled and human readers tend to see what they
> _want_ to see ("I wrote 'blah', of course it reads 'blah'" when
> it actually reads 'blubb'). Query the system for status -- these
> are the facts! Look at the 'ipf -V', 'ipfstat -io -n', and
> 'ipnat -l' outputs as well as the 'which ipf ipfstat ipnat ipmon'
> output. It must be something simple. When in doubt put 'set -x'
> and 'set +x' around the ipfilter section in rc.network.
>
> virtually yours   82D1 9B9C 01DC 4FB4 D7B4  61BE 3F49 4F77 72DE DA76
> Gerhard Sittig   true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
> --
> If you don't understand or are scared by any of the above
> ask your parents or an adult to help you.
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-stable" in the body of the message

--
Feisal Umar
Webcraft Sdn Bhd - http://www.webcraft99.com

If you think the United States has stood still, who built the largest
shopping center in the world?
    -- Richard M. Nixon

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
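The root cause reported above is a custom rc script that still called a firewall helper script which had been deleted. The following is an added example, written for this page and not code from the thread or from FreeBSD, that catches that class of mistake mechanically: it scans a directory of rc-style scripts for absolute paths under /etc or /usr/local/etc and reports any that no longer exist on disk. It runs against a ROOT prefix so the demo can use a throw-away tree; on a live gateway you would pass "/" and /usr/local/etc/rc.d. All script names and contents in demo_tree (mynat.sh, rc.firewall.local, rc.firewall.old) are constructed for the demo. It assumes a grep that supports -o (GNU and BSD grep both do).

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD: report rc-style
# scripts that reference a script or config path that no longer exists,
# the mistake described in the reply above. Nothing here touches the real
# /etc; the demo builds its own tree under mktemp.

# find_stale_script_calls ROOT DIR
#   ROOT: filesystem root the referenced paths are resolved against
#         ("/" on a live box, a temp tree in the demo)
#   DIR:  directory of scripts to scan (e.g. /usr/local/etc/rc.d)
# Prints "script: path" for every missing reference. Returns 1 if any
# stale reference was found, 0 if every reference resolves.
find_stale_script_calls() {
    root=${1%/}
    dir=$2
    stale=0
    for script in "$dir"/*; do
        [ -f "$script" ] || continue
        # Drop comments (everything after '#'; a quoted '#' is not special-cased),
        # then pick out absolute paths under the rc configuration directories.
        refs=$(sed -e 's/#.*$//' "$script" \
               | grep -o -E '/(etc|usr/local/etc)/[A-Za-z0-9_./-]+' \
               | sort -u)
        for ref in $refs; do
            if [ ! -e "$root$ref" ]; then
                echo "$script: $ref"
                stale=1
            fi
        done
    done
    return $stale
}

# demo_tree: build a throw-away tree mirroring the situation in the thread
# (constructed data) and print its path. The rc script sources a firewall
# helper that still exists and also calls one that was deleted.
demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/etc" "$root/usr/local/etc/rc.d"
    : > "$root/etc/ipf.rules"
    : > "$root/etc/ipnat.rules"
    : > "$root/etc/rc.firewall.local"          # still present
    cat > "$root/usr/local/etc/rc.d/mynat.sh" <<'EOF'
#!/bin/sh
# the old helper is only mentioned in this comment, so it must be ignored:
# /etc/rc.firewall.old
. /etc/rc.firewall.local
/etc/rc.firewall.old start          # deleted long ago: stale reference
ipf -Fa -f /etc/ipf.rules
ipnat -CF -f /etc/ipnat.rules
EOF
    echo "$root"
}

# Run as "sh thisfile.sh --demo" to build the demo tree, scan it and clean up.
if [ "${1:-}" = "--demo" ]; then
    tree=$(demo_tree)
    find_stale_script_calls "$tree" "$tree/usr/local/etc/rc.d"
    rm -rf "$tree"
fi
```

On the demo tree the scan prints one line naming mynat.sh and /etc/rc.firewall.old, and exits 1; the commented mention of the same path is ignored. The check deliberately looks at what the scripts actually reference rather than at what rc.conf says should happen, which is the same "query the facts, not your intentions" principle the reply above recommends for ipf -V and ipnat -l.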