From: Simon Williams
Reply-To: Simon Williams
To: freebsd-questions@freebsd.org
Date: Thu, 16 Aug 2001 21:55:14 +0100
Subject: LINT & IPFIREWALL options

Hi,

I've recently replaced my Linux installation with FreeBSD 4.3, as it has support for bandwidth limitation & I want to learn more about UNIX rather than Linux. When I installed it, I realised that the kernel was 3.3MB, so I thought about stripping out support for hardware I don't have & I remember a friend of mine telling me he had to re-compile the kernel to include firewall support.

After reading through the kernel customisation part of the handbook, I copied the GENERIC file (in /usr/src/sys/i386/conf) to a file named CUSTOM & started editing it. I removed support for all the hardware I don't have, leaving in a couple of types of network card that I may use later on.
I also saw IPFIREWALL & friends in LINT, but not in CUSTOM, so I added the following lines:

    options MROUTING
    options IPFIREWALL
    options IPFIREWALL_VERBOSE
    options IPFIREWALL_FORWARD
    options IPFIREWALL_VERBOSE_LIMIT=100
    options IPV6FIREWALL
    options IPV6FIREWALL_VERBOSE
    options IPV6FIREWALL_VERBOSE_LIMIT=100
    options IPDIVERT
    options IPFILTER
    options IPFILTER_LOG
    options IPFILTER_DEFAULT_BLOCK
    options IPSTEALTH

Now when I booted this kernel, it recognised the network card, but a ping returned "No route to host." Through trial & error I tracked the problem down to the above lines, so I removed the IPv6 firewall options & also this line (I don't use IPv6 on my network):

    options INET6 #IPv6 communications protocols

Booting with this kernel showed the same results. When I removed MROUTING (as the error mentioned route & I'd added a ROUTE line, it seemed like the obvious culprit) the same thing happened. Removing all of the lines I've mentioned here works fine & I can still use ipfw (and it works).

From reading some past posts from this list, I saw that IPFilter is another (old?) firewall application. Does this mean those lines are for ipfilter instead of ipfw?

Now that I have a working kernel & firewall, I just wanted to know why LINT shows firewall options that aren't in GENERIC, yet firewalling still works? Also, this box will be doing firewalling/bandwidth limiting/routeing (for an IP block) in about a week's time; is there anything I need to do to the kernel to support that or is it just ipfw commands from here?

Please CC me in on replies, as my subscription request may not have gone through yet (haven't had a response back from Mr Domo).

Thanks in advance for any help,

-- 
Simon
PGP: 0x099977D0
No, I didn't lose my mind; it was stolen by aliens.
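The options in the post above belong to two separate kernel packet filters: the IPFIREWALL*, IPDIVERT and IPSTEALTH lines are ipfw's, while the IPFILTER* lines are IPFilter's (ipf). As an added example, not part of the original post or of FreeBSD itself, here is a small POSIX sh script that reads a kernel config file, reports which of those firewall options are uncommented, and states the default policy each implies according to the LINT descriptions of the options (ipfw's last rule denies everything unless IPFIREWALL_DEFAULT_TO_ACCEPT is set; IPFilter passes by default unless IPFILTER_DEFAULT_BLOCK is set). The embedded sample config is constructed for this example; the script says nothing about why the poster saw "No route to host".

```shell
#!/bin/sh
# Added example (not from the post): summarise firewall-related "options"
# lines in a FreeBSD 4.x-style kernel config file.  The policy statements
# below follow the LINT descriptions of the options; SAMPLE_CONF is a
# constructed config fragment modelled on the options listed in the post.

SAMPLE_CONF='ident   CUSTOM
options INET
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100
options IPDIVERT
options IPFILTER
options IPFILTER_DEFAULT_BLOCK
#options IPFIREWALL_DEFAULT_TO_ACCEPT
'

# has_option FILE NAME: succeed if an uncommented "options NAME" or
# "options NAME=value" line is present (a leading '#' disables the line).
has_option() {
    grep -Eq "^[[:space:]]*options[[:space:]]+$2([[:space:]]|=|\$)" "$1"
}

# option_value FILE NAME: print the value of an "options NAME=value" line,
# or nothing if the option is absent or has no value.
option_value() {
    sed -nE "s/^[[:space:]]*options[[:space:]]+$2=([^[:space:]#]+).*/\1/p" "$1" | head -n 1
}

# firewall_summary FILE: one line per finding, on standard output.
firewall_summary() {
    f="$1"
    if has_option "$f" IPFIREWALL; then
        if has_option "$f" IPFIREWALL_DEFAULT_TO_ACCEPT; then
            echo "ipfw: compiled in, default rule ACCEPT"
        else
            echo "ipfw: compiled in, default rule DENY (rules must be loaded at boot)"
        fi
        if has_option "$f" IPFIREWALL_VERBOSE; then
            lim=$(option_value "$f" IPFIREWALL_VERBOSE_LIMIT)
            echo "ipfw: logging enabled, per-rule log limit ${lim:-none}"
        fi
        has_option "$f" IPDIVERT && echo "ipfw: divert sockets enabled (used by natd)"
    else
        echo "ipfw: not compiled in (can still be loaded as a kernel module)"
    fi
    if has_option "$f" IPFILTER; then
        if has_option "$f" IPFILTER_DEFAULT_BLOCK; then
            echo "ipf: compiled in, default policy BLOCK"
        else
            echo "ipf: compiled in, default policy PASS"
        fi
    else
        echo "ipf: not compiled in"
    fi
    if has_option "$f" IPFIREWALL && has_option "$f" IPFILTER; then
        echo "warning: both ipfw and ipf compiled in; traffic is subject to both rule sets"
    fi
    return 0
}

# Stand-alone run over the constructed sample.
tmp=$(mktemp)
printf '%s' "$SAMPLE_CONF" > "$tmp"
firewall_summary "$tmp"
rm -f "$tmp"
```

Run it against a real config with `firewall_summary /usr/src/sys/i386/conf/CUSTOM` after sourcing the script; the "both compiled in" warning is the case worth noticing, since each packet then has to satisfy two independent rule sets.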