Date: Mon, 22 Jan 2001 12:51:50 -0500
From: Carroll Kong
To: trini0
Cc: FreeBSD Stable
Subject: Re: Ipfilter version in stable...
Message-Id: <4.2.2.20010122124113.00bdcf00@netmail.home.com>
In-Reply-To: <3A6C6572.DF137C54@optonline.net>
References: <4.2.2.20010122101435.00bdaf00@netmail.home.com>

At 11:53 AM 1/22/01 -0500, trini0 wrote:
>Very interesting. I came across that ftp problem, and was considering upping
>to 3.4.16, but I didn't want to go through the rebuilding of ipfilter every
>time I upgrade FBSD. I quickly glanced at the man page for loader.conf and it
>seems that you can have modules & flags set in the file. So I just got to
>check on the rest of ipfilter, and see if ipnat, and ipmon can be modules.
>So is performance good using the module route instead of putting it in the
>kernel??
>
>Carroll Kong wrote:
>
> > I had the same thoughts as you exactly, however, there is a better
> > way. Seems like FreeBSD is more "modular" now, and IPfilter benefits from
> > this as well.
> >
> > Unpack the src, make freebsd4, make minstall; Add
> >
> > ipf_load="YES"
> >
> > to /boot/loader.conf. Make sure IPFILTER is no longer in the kernel. (or
> > else it will load up twice). This seems to expedite the upgrade procedure
> > significantly.
> >
> > -Carroll Kong

Fairly certain you only need to load the IPFilter module and calls like

    ipfilter_enable="YES"
    ipnat_enable="YES"
    ipmon_enable="YES"
    ipmon_program="/usr/sbin/ipmon"

all work fine. Maybe I am getting lucky? I have not really stressed the
particular system I am using it for. I would imagine modules would incur a
slight run time penalty, but I doubt it is anything significant.

Also, it seems easier for upgrades. I tended to get nasty kernel src
mismatches and what not when I tried to compile ipfilter into the kernel.
Maybe it was just me. And with the rate that IPFilter gets updated, seems
nice to know that this method of upgrading works nearly 100% of the time
with very simple compile commands.

Oh no... I just overlooked my commands. It should be unpack the src,
make freebsd4, make install-bsd. Terribly sorry for the misinformation!

-Carroll Kong