Date: Thu, 16 Aug 2001 14:30:38 -0700
From: "Crist J. Clark" <cristjc@earthlink.net>
To: Simon Williams <freebsd-questions@FreeBSD.ORG>
Subject: Re: LINT & IPFIREWALL options
Message-ID: <20010816143038.J4232@blossom.cjclark.org>
In-Reply-To: <Y+VMc+TyMDf7Ewcq@sis-domain.demon.co.uk>; from freebsd@sis-domain.demon.co.uk on Thu, Aug 16, 2001 at 09:55:14PM +0100
References: <Y+VMc+TyMDf7Ewcq@sis-domain.demon.co.uk>
On Thu, Aug 16, 2001 at 09:55:14PM +0100, Simon Williams wrote:

[snip]

> After reading through the kernel customisation part of the handbook, I
> copied the GENERIC file (in /usr/src/sys/i386/conf) to a file named
> CUSTOM & started editing it. I removed support for all the hardware I
> don't have, leaving in a couple of types of network card that I may use
> later on. I also saw IPFIREWALL & friends in LINT, but not in CUSTOM,
> so I added the following lines:

As pointed out in the inline documentation of LINT,

> options MROUTING

This option is for multicast routing. Are you doing multicast? Probably not.

> options IPFIREWALL
> options IPFIREWALL_VERBOSE

You want these two. Enables ipfw(8) in the kernel and logging from ipfw(8).

> options IPFIREWALL_FORWARD

You probably do not want this. You only need it if you will have 'fwd' rules in your firewall.

> options IPFIREWALL_VERBOSE_LIMIT=100

I like to raise this a bit.

> options IPV6FIREWALL
> options IPV6FIREWALL_VERBOSE
> options IPV6FIREWALL_VERBOSE_LIMIT=100

If you aren't using IPv6, don't add them.

> options IPDIVERT

This is if you have 'divert' rules in your firewall, which are usually associated with doing NAT. Will you be doing NAT?

> options IPFILTER
> options IPFILTER_LOG
> options IPFILTER_DEFAULT_BLOCK

These are for IPFilter, ipf(5,8), not ipfw(8). More below.

> options IPSTEALTH

This is a good way to DoS yourself. If you don't know what it does, you don't need it.

> Now when I booted this kernel, it recognised the network card, but a
> ping returned "No route to host."

It is more likely that your firewall is misconfigured and not a problem with the kernel per se.

> From reading some past posts from this list, I saw that IPFilter is
> another (old?) firewall application. Does this mean those lines are for
> ipfilter instead of ipfw?

Yep. IPFilter is a third party firewall maintained outside of FreeBSD. It is included in the base distribution and is maintained within FreeBSD by the author.

> Now that I have a working kernel & firewall, I just wanted to know why
> LINT shows firewall options that aren't in GENERIC, yet firewalling
> still works?

Are you rebooting to start the firewall? The boot sequence will automagically load the ipfw(8) kernel module, /modules/ipfw.ko, at boot if firewalling is enabled according to rc.conf(5).

> Also, this box will be doing firewalling/bandwidth
> limiting/routeing (for an IP block) in about a week's time; is there
> anything I need to do to the kernel to support that or is it just ipfw
> commands from here?

A few more things to add. See dummynet(4).

-- 
Crist J. Clark                                cjclark@alum.mit.edu
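The option-by-option review in the reply above boils down to a handful of dependency rules: the ipfw sub-options are meaningless without IPFIREWALL, IPDIVERT only matters alongside IPFIREWALL, the IPV6FIREWALL family needs INET6, and the IPFILTER lines belong to a different firewall entirely. The following script is an added example, not code from the thread or from FreeBSD: it parses `options` lines from a kernel configuration file and reports those inconsistencies. The option names are the real kernel options named in the message; the sample CUSTOM fragment, the `REQUIRES` table and the function names are constructed for this illustration.

```python
"""Lint a FreeBSD kernel configuration for firewall option consistency.

Added example (not from the mailing-list thread or the FreeBSD tree). It
checks the dependencies the reply explains: ipfw sub-options need
IPFIREWALL, IPDIVERT needs IPFIREWALL, IPV6FIREWALL needs INET6, and
IPFILTER (ipf) is a separate firewall from IPFIREWALL (ipfw).
"""
import re

# Matches `options NAME` or `options NAME=value`; a trailing comment is
# removed before matching, so commented-out options are ignored.
OPTION_RE = re.compile(r"^\s*options\s+([A-Z0-9_]+)(?:=(\S+))?")

# Constructed table: option -> the option it has no effect without.
REQUIRES = {
    "IPFIREWALL_VERBOSE": "IPFIREWALL",
    "IPFIREWALL_FORWARD": "IPFIREWALL",
    "IPFIREWALL_VERBOSE_LIMIT": "IPFIREWALL_VERBOSE",
    "IPDIVERT": "IPFIREWALL",
    "IPV6FIREWALL": "INET6",
    "IPV6FIREWALL_VERBOSE": "IPV6FIREWALL",
    "IPV6FIREWALL_VERBOSE_LIMIT": "IPV6FIREWALL_VERBOSE",
    "IPFILTER_LOG": "IPFILTER",
    "IPFILTER_DEFAULT_BLOCK": "IPFILTER",
}

# Constructed sample: the lines the original poster added to CUSTOM, plus
# the INET/INET6 options GENERIC already carried.
SAMPLE_CUSTOM = """
options INET
options INET6
#options IPSEC          # constructed: commented out, must be ignored
options MROUTING
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_FORWARD
options IPFIREWALL_VERBOSE_LIMIT=100   # cap on logged packets
options IPV6FIREWALL
options IPV6FIREWALL_VERBOSE
options IPV6FIREWALL_VERBOSE_LIMIT=100
options IPDIVERT
options IPFILTER
options IPFILTER_LOG
options IPFILTER_DEFAULT_BLOCK
options IPSTEALTH
"""


def parse_options(config_text):
    """Return {option_name: value_or_None} for every active `options` line."""
    opts = {}
    for line in config_text.splitlines():
        line = line.split("#", 1)[0]  # strip comments first
        match = OPTION_RE.match(line)
        if match:
            opts[match.group(1)] = match.group(2)
    return opts


def lint_firewall_options(config_text):
    """Return a list of human-readable findings about firewall options."""
    opts = parse_options(config_text)
    findings = []
    # Sub-options present without the option that gives them meaning.
    for opt, needs in REQUIRES.items():
        if opt in opts and needs not in opts:
            findings.append(f"{opt} has no effect without {needs}")
    # Two different packet filters compiled into one kernel.
    if "IPFIREWALL" in opts and "IPFILTER" in opts:
        findings.append(
            "both IPFIREWALL (ipfw) and IPFILTER (ipf) are built in; pick one")
    # Logging with no rate limit can flood the logs.
    if "IPFIREWALL_VERBOSE" in opts and "IPFIREWALL_VERBOSE_LIMIT" not in opts:
        findings.append(
            "IPFIREWALL_VERBOSE without IPFIREWALL_VERBOSE_LIMIT: unlimited logging")
    # The reply flags this one as rarely wanted.
    if "IPSTEALTH" in opts:
        findings.append("IPSTEALTH set: only keep it if you know why you need it")
    # The limit must be an integer to be meaningful.
    limit = opts.get("IPFIREWALL_VERBOSE_LIMIT")
    if limit is not None and not limit.isdigit():
        findings.append(f"IPFIREWALL_VERBOSE_LIMIT={limit} is not an integer")
    return findings


if __name__ == "__main__":
    for finding in lint_firewall_options(SAMPLE_CUSTOM):
        print("WARN:", finding)
```

Run against the sample, the only findings are the ipf-plus-ipfw overlap and IPSTEALTH, because INET6 is present and every sub-option has its parent; dropping `options IPFIREWALL` from the sample would instead produce one finding per orphaned ipfw sub-option.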