Date:      Thu, 03 Feb 2005 21:02:21 +0100
From:      Roberto Nunnari <roberto.nunnari@supsi.ch>
To:        Duane Winner <dwinner-lists@att.net>
Cc:        freebsd-security@freebsd.org
Subject:   Re: need ipfw clarification
Message-ID:  <4202834D.7030000@supsi.ch>
In-Reply-To: <42028032.2020701@att.net>
References:  <42028032.2020701@att.net>

Hi Duane.

I had the same problem. With 5.2.1 I had working forward rules,
and they were broken with 5.3.

After some fiddling I managed to get that working again. Just
add these to your kernel:

options         IPFIREWALL
options         IPFIREWALL_DEFAULT_TO_ACCEPT
options         IPFIREWALL_VERBOSE
options         IPFIREWALL_FORWARD

if you don't add them to your kernel, forwarding in ipfw will
be disabled.

Ciao.


Duane Winner wrote:
> Hello,
> 
> I noticed that after enabling firewall in my kernel (5.3-release), my 
> dmesg now gives me this:
> 
> ipfw2 initialized, divert disabled, rule-based forwarding disabled, 
> default to accept, logging limited to 5 packets/entry by default
> 
> 
> On 5.2.1, I used to get this:
> 
> ipfw2 initialized, divert disabled, rule-based forwarding enabled, 
> default to accept, logging disabled
> 
> In both cases, I am adding this to my KERNEL config:
> 
> options         IPFIREWALL
> options         IPFIREWALL_DEFAULT_TO_ACCEPT
> 
> 
> It seems that the major difference between 5.2.1 and 5.3 is that now 
> rule-based forwarding is disabled.
> 
> Is this correct? And what exactly is rule-based forwarding? I'm guessing 
> that it doesn't really apply to my situation, as in these cases, I am 
> using IPFW to create a deny all inbound to my laptop when I'm on the 
> road. But I just want to make sure.
> 
> Thanks,
> DW


-- 
               Roberto Nunnari -software engineer-
                mailto:roberto.nunnari@supsi.ch
  Scuola Universitaria Professionale della Svizzera Italiana
              Dipartimento Tecnologie Innovative
                   http://www.dti.supsi.ch
  SUPSI-DTI
  Via Cantonale                        tel: +41-91-6108561
  6928 Manno                 """       fax: +41-91-6108570
  Switzerland               (o o)
=======================oOO==(_)==OOo========================
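
A check one could run after a kernel upgrade, as an added example that is not part of the original message: it parses the ipfw2 boot banner quoted in the thread and flags a default-accept policy and disabled rule-based forwarding. The function names are hypothetical, and the link between "rule-based forwarding disabled" and a missing IPFIREWALL_FORWARD option is taken from the reply above.

```shell
#!/bin/sh
# Added example, not from the thread. The two banners are the dmesg lines
# quoted in the message, re-joined onto one line each.
B521='ipfw2 initialized, divert disabled, rule-based forwarding enabled, default to accept, logging disabled'
B53='ipfw2 initialized, divert disabled, rule-based forwarding disabled, default to accept, logging limited to 5 packets/entry by default'

# parse_ipfw_banner BANNER -> "divert=... forward=... policy=... logging=..."
# The body runs in a subshell so the IFS and noglob changes do not leak out.
parse_ipfw_banner() (
    case $1 in "ipfw2 initialized"*) ;; *) exit 2 ;; esac
    divert=unknown forward=unknown policy=unknown logging=unknown
    IFS=,; set -f
    for field in $1; do
        field=${field# }    # drop the space that follows each comma
        case $field in
            "divert "*)                divert=${field#"divert "} ;;
            "rule-based forwarding "*) forward=${field#"rule-based forwarding "} ;;
            "default to "*)            policy=${field#"default to "} ;;
            "logging limited"*)        logging=limited ;;
            "logging "*)               logging=${field#"logging "} ;;
        esac
    done
    echo "divert=$divert forward=$forward policy=$policy logging=$logging"
)

# audit_ipfw_banner BANNER NEED_FWD(yes|no)
# Returns 0 if clean, 1 if there are findings, 2 if BANNER is not an ipfw2 banner.
audit_ipfw_banner() {
    state=$(parse_ipfw_banner "$1") || { echo "FAIL: not an ipfw2 banner"; return 2; }
    findings=0
    case $state in *policy=accept*)
        echo "WARN: default rule accepts; an empty or flushed ruleset passes all traffic"
        findings=1 ;;
    esac
    if [ "$2" = yes ]; then
        case $state in *forward=disabled*)
            echo "FAIL: ruleset needs fwd but forwarding is disabled (add options IPFIREWALL_FORWARD)"
            findings=1 ;;
        esac
    fi
    if [ "$findings" -eq 0 ]; then echo "OK: $state"; fi
    return "$findings"
}

# Demo over the two constructed inputs; on a live host pass the output of
# `dmesg | grep '^ipfw2' | tail -n 1` instead.
for banner in "$B521" "$B53"; do
    audit_ipfw_banner "$banner" yes || true
done
```
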


