From: "Crist J. Clark"
To: Simon Williams
Subject: Re: LINT & IPFIREWALL options
Date: Thu, 16 Aug 2001 14:30:38 -0700
Message-ID: <20010816143038.J4232@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
In-Reply-To: ; from freebsd@sis-domain.demon.co.uk on Thu, Aug 16, 2001 at 09:55:14PM +0100
List: freebsd-questions@FreeBSD.ORG

On Thu, Aug 16, 2001 at 09:55:14PM +0100, Simon Williams wrote:

[snip]

> After reading through the kernel customisation part of the handbook, I
> copied the GENERIC file (in /usr/src/sys/i386/conf) to a file named
> CUSTOM & started editing it. I removed support for all the hardware I
> don't have, leaving in a couple of types of network card that I may use
> later on. I also saw IPFIREWALL & friends in LINT, but not in CUSTOM,
> so I added the following lines:

As pointed out in the inline documentation of LINT,

> options MROUTING

This option is for multicast routing. Are you doing multicast? Probably
not.

> options IPFIREWALL
> options IPFIREWALL_VERBOSE

You want these two. Enables ipfw(8) in the kernel and logging from
ipfw(8).

> options IPFIREWALL_FORWARD

You probably do not want this. You only need it if you will have 'fwd'
rules in your firewall.

> options IPFIREWALL_VERBOSE_LIMIT=100

I like to raise this a bit.

> options IPV6FIREWALL
> options IPV6FIREWALL_VERBOSE
> options IPV6FIREWALL_VERBOSE_LIMIT=100

If you aren't using IPv6, don't add them.

> options IPDIVERT

This is if you have 'divert' rules in your firewall which are usually
associated with doing NAT. Will you be doing NAT?

> options IPFILTER
> options IPFILTER_LOG
> options IPFILTER_DEFAULT_BLOCK

These are for IPFilter, ipf(5,8), not ipfw(8). More below.

> options IPSTEALTH

This is a good way to DoS yourself. If you don't know what it does, you
don't need it.

> Now when I booted this kernel, it recognised the network card, but a
> ping returned "No route to host."

It is more likely that your firewall is misconfigured and not a problem
with the kernel per se.

> From reading some past posts from this list, I saw that IPFilter is
> another (old?) firewall application. Does this mean those lines are for
> ipfilter instead of ipfw?

Yep. IPFilter is a third party firewall maintained outside of FreeBSD.
It is included in the base distribution and is maintained within
FreeBSD by the author.

> Now that I have a working kernel & firewall, I just wanted to know why
> LINT shows firewall options that aren't in GENERIC, yet firewalling
> still works?

Are you rebooting to start the firewall? The boot sequence will
automagically load the ipfw(8) kernel module, /modules/ipfw.ko, at boot
if firewalling is enabled according to rc.conf(5).

> Also, this box will be doing firewalling/bandwidth
> limiting/routeing (for an IP block) in about a week's time; is there
> anything I need to do to the kernel to support that or is it just ipfw
> commands from here?

A few more things to add. See dummynet(4).

-- 
Crist J. Clark                                cjclark@alum.mit.edu
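An added example, not part of the message or of FreeBSD itself: a POSIX sh script that audits a kernel config file against the option-by-option advice in the reply above. It assumes only the usual `options NAME` / `options NAME=value` syntax; both sample config files are constructed here.

```sh
#!/bin/sh
# Added example (not from the thread): audit a FreeBSD kernel config file
# against the advice given in the reply. Option names are the ones discussed.
# Constructed sample 1: the option block Simon pasted into CUSTOM.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
options MROUTING
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_FORWARD
options IPV6FIREWALL
options IPDIVERT
options IPFILTER
options IPFILTER_LOG
options IPFILTER_DEFAULT_BLOCK
options IPSTEALTH
EOF
# Constructed sample 2: what is left for a plain ipfw box (no NAT, no IPv6).
CLEAN_CONF=$(mktemp)
cat > "$CLEAN_CONF" <<'EOF'
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100
EOF
trap 'rm -f "$SAMPLE_CONF" "$CLEAN_CONF"' EXIT
# Prints one line per finding; returns 0 when the file holds only what a
# plain ipfw firewall needs, 1 otherwise.
audit_kernconf() {
    conf=$1; findings=0
    # Match "options NAME" or "options NAME=value" for an ERE alternation.
    has() { grep -Eq "^[[:space:]]*options[[:space:]]+($1)([[:space:]=]|$)" "$conf"; }
    has IPFIREWALL         || { echo "missing: IPFIREWALL (ipfw not in kernel)"; findings=$((findings+1)); }
    has IPFIREWALL_VERBOSE || { echo "missing: IPFIREWALL_VERBOSE (no ipfw logging)"; findings=$((findings+1)); }
    # Feature-specific options: not wrong to have, but should be deliberate.
    for entry in \
        "MROUTING:MROUTING:multicast routing only" \
        "IPFIREWALL_FORWARD:IPFIREWALL_FORWARD:only needed for fwd rules" \
        "IPDIVERT:IPDIVERT:only needed for divert rules, i.e. NAT" \
        "IPV6FIREWALL*:IPV6FIREWALL|IPV6FIREWALL_VERBOSE|IPV6FIREWALL_VERBOSE_LIMIT:only if filtering IPv6" \
        "IPSTEALTH:IPSTEALTH:easy way to DoS yourself; drop unless understood" \
        "IPFILTER*:IPFILTER|IPFILTER_LOG|IPFILTER_DEFAULT_BLOCK:these are IPFilter (ipf), not ipfw"
    do
        label=${entry%%:*}; rest=${entry#*:}; pat=${rest%%:*}; why=${rest#*:}
        has "$pat" && { echo "review: $label ($why)"; findings=$((findings+1)); }
    done
    [ "$findings" -eq 0 ]
}
if audit_kernconf "$SAMPLE_CONF"; then echo "sample: clean"; else echo "sample: needs review"; fi
audit_kernconf "$CLEAN_CONF" && echo "clean: plain ipfw kernel"
```

Run it against /usr/src/sys/i386/conf/CUSTOM to get the same per-option checklist the reply walks through; the script does not touch the kernel or the running firewall.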