Date: Mon, 17 May 2004 17:10:44 +0200
From: Christian Hiris <4711@chello.at>
To: freebsd-ipfw@freebsd.org, Barbish3@adelphia.net
Cc: JJB <Barbish3@adelphia.net>
Subject: Re: natd -redirect_port
Message-ID: <200405171711.14330.4711@chello.at>
In-Reply-To: <MIEPLLIBMLEEABPDBIEGIEFGFOAA.Barbish3@adelphia.net>
References: <MIEPLLIBMLEEABPDBIEGIEFGFOAA.Barbish3@adelphia.net>
On Monday 17 May 2004 15:12, JJB wrote:
> Now wouldn't it just be better all the way around to create the IPFW
> loadable module that is distributed with the system, with the
> correct divert and logging options so it's not a mandatory
> requirement to compile the kernel.

It would be fine to have an ipdivert.ko that could be loaded on demand of
ipfw.ko or via /etc/rc.d/natd. I think the main reason why we have no
ipdivert.ko around is that the ipdivert code touches several kernel sources.
As I understand it, the divert proto is not just a piece of code that could
simply be plugged in and out (for now).

I have no problem with logging disabled by default, as enabling needs only one
line in rc.conf.

ps: please don't top-post, and use some indentation character for quoting of old
message text. This makes reading much easier.

> Why make this so difficult for the normal user? Simpler and easier is
> always better than more complicated. Look at it this way: a firewall
> without logging is useless, and the majority of people who use IPFW
> have a LAN behind their IPFW firewall, so the sensible thing to do is
> distribute the IPFW loadable module configured in a manner to address
> the needs of the largest user group. As it's distributed now the
> loadable module is almost completely useless, so why even have one?
>
> My personal opinion is the IPFW loadable module is not configured
> correctly and needs to be corrected.
>
> -----Original Message-----
> From: Christian Hiris [mailto:4711@chello.at]
> Sent: Monday, May 17, 2004 8:32 AM
> To: freebsd-questions@freebsd.org; Barbish3@adelphia.net
> Cc: Micheal Patterson; Anthony Philipp
> Subject: Re: natd -redirect_port
>
> On Saturday 15 May 2004 18:56, JJB wrote:
> > You are wrong also. The boot time message that displays about the
> > ipfw module being loaded is incorrect. I filed a PR on that in 5.1
> > and was told by developers that message is misleading, that the
> > module is fully enabled with nat and logging, so I tested and indeed
> > nat and logging are really in the loadable module. It's my
> > understanding the boot time message that displays about the ipfw
> > module being loaded that says everything is disabled will be
> > corrected in 5.3. What is in the 5.2.1 ipfw module I do not know.
> > My advice is to test the ipfw module before adding ipfw option
> > statements to the kernel. That's why the 5.x versions are development
> > versions; things change all the time until they get corrected before
> > becoming stable releases. This is all new because ipfw2 replaced
> > ipfw at the 5.1 version, I believe. Just think about it: why have a
> > loadable module if all the options are turned off? It makes the
> > module useless. Ipfilter's loadable module is fully functional with
> > nat and logging, why should the ipfw module be any different? It's
> > just that stupid message that has been misleading users all this
> > time, just like it did to me. If nat and logging are missing from the
> > ipfw loadable module in 5.2.1 then submit another PR to remind them
> > it needs to be corrected. Nat and logging are the most used options
> > of ipfw; it's just plain stupid not to have them included in the
> > standard module.
>
> If a user wants ipfw to issue the correct initial divert message, it's
> still required to compile ipfw into the kernel. This means 'option
> IPFIREWALL' is required, as stated in the natd manual.
>
> Actually on 5.2-current the ipfw module doesn't know if the kernel has
> been compiled with the ipdivert proto. This causes the wrong 'divert
> disabled' initial message.
>
> I will file a PR on the wrong initial divert message issue tomorrow.
> If the ipdivert proto capability could be retrieved via a divcb sysctl
> or any other mechanism, it might become possible that the ipfw kld
> could issue the correct divert message. Disabling the divert message
> in case ipfw has been compiled as a kld could be a simpler solution.
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe@freebsd.org"

-- 
Christian Hiris <4711@chello.at> | OpenPGP KeyID 0x941B6B0B
OpenPGP-Key at hkp://wwwkeys.eu.pgp.net and http://pgp.mit.edu
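As an added illustration (not part of the thread or of any FreeBSD source), this rc.conf fragment puts together the pieces discussed above: ipfw brought up by rc.d/ipfw, logging enabled with the single rc.conf line mentioned, and natd doing the -redirect_port forward from the subject line. The interface name and addresses are assumptions; natd still needs a kernel built with options IPFIREWALL and IPDIVERT for its divert socket, which is the point of the thread.

```shell
# /etc/rc.conf fragment (constructed example, assumed interface and addresses).
# The kernel must provide the divert socket: build it with
#   options IPFIREWALL
#   options IPDIVERT
# The ipfw kld alone does not bring ipdivert along, as discussed above.

firewall_enable="YES"        # rc.d/ipfw starts ipfw (loads ipfw.ko if not in the kernel)
firewall_type="open"         # assumption: replace with a real ruleset or firewall_script
firewall_logging="YES"       # the one rc.conf line: sets net.inet.ip.fw.verbose=1
                             # (equivalent to kernel option IPFIREWALL_VERBOSE)

natd_enable="YES"            # rc.d/natd starts natd on the divert socket
natd_interface="fxp0"        # assumption: outside interface carrying the public address
# Forward inbound TCP port 80 on the outside address to an internal host.
# 192.168.1.10 is a constructed LAN address.
natd_flags="-redirect_port tcp 192.168.1.10:80 80"
```

With logging on, matched rules carrying the log keyword are written via syslog (security facility), so the "firewall without logging is useless" concern from the thread is covered without rebuilding the kernel with IPFIREWALL_VERBOSE.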