Date:      Sat, 15 May 2004 12:56:35 -0400
From:      "JJB" <Barbish3@adelphia.net>
To:        "Micheal Patterson" <micheal@tsgincorporated.com>, "Christian Hiris" <4711@chello.at>, <freebsd-questions@freebsd.org>
Cc:        Anthony Philipp <philipp1@itg.uiuc.edu>
Subject:   RE: natd -redirect_port
Message-ID:  <MIEPLLIBMLEEABPDBIEGGEDIFOAA.Barbish3@adelphia.net>
In-Reply-To: <004801c43a92$91200ed0$0201a8c0@dredster>

You are wrong also. The boot time message that displays about the
ipfw module being loaded is incorrect. I filed a PR on that in 5.1
and was told by developers that message is misleading, that the
module is fully enabled with nat and logging, so I tested and indeed
nat and logging are really in the loadable module. It's my
understanding the boot time message that displays about the ipfw
module being loaded that says everything is disabled will be
corrected in 5.3. What is in the 5.2.1 ipfw module I do not know.
My advice is to test the ipfw module before adding ipfw option
statements to the kernel. That's why the 5.x versions are development
versions, things change all the time until they get corrected before
becoming stable releases. This is all new because ipfw2 replaced
ipfw at the 5.1 version I believe. Just think about it, why have a
loadable module if all the options are turned off, it makes the
module useless. Ipfilter's loadable module is full function with
nat and logging, why should the ipfw module be any different? It's
just that stupid message that has been misleading users all this
time just like it did to me. If nat and logging are missing from the
ipfw loadable module in 5.2.1 then submit another PR to remind them
it needs to be corrected. Nat and logging are the most used options
of ipfw, it's just plain stupid not to have them included in the
standard module.

-----Original Message-----
From: Micheal Patterson [mailto:micheal@tsgincorporated.com]
Sent: Saturday, May 15, 2004 11:38 AM
To: Barbish3@adelphia.net; Christian Hiris;
freebsd-questions@freebsd.org
Cc: Anthony Philipp
Subject: Re: natd -redirect_port


----- Original Message -----
From: "JJB" <Barbish3@adelphia.net>
To: "Christian Hiris" <4711@chello.at>;
<freebsd-questions@freebsd.org>
Cc: "Anthony Philipp" <philipp1@itg.uiuc.edu>
Sent: Saturday, May 15, 2004 8:05 AM
Subject: RE: natd -redirect_port


> You are wrong, you do not have to compile ipfirewall kernel options
> into the kernel.
> IPFW is delivered as a bootable module.
> You need this in rc.conf to enable ipfw, it will auto load the
> bootable module.
>
> # Required For IPFW  kernel firewall support
> firewall_enable="YES"              # Start daemon
> firewall_script="/etc/ipfw.rules"  # run my custom rules
> firewall_logging="YES"            # Enable events logging
>
> natd_enable="YES"                 # Enable IPFW nat function
> natd_interface="rl0"
> natd_flags="-dynamic -m -u -f /etc/natd.conf"
>

You're right, you don't have to recompile to use ipfw, however, since there
is no divert module, the kernel will still need to be recompiled to enable
divert. In order for the OP to do what they're wanting to do they will still
need to recompile the kernel and restart the system.

--

Micheal Patterson
TSG Network Administration
405-917-0600

Confidentiality Notice:  This e-mail message, including any attachments, is
for the sole use of the intended recipient(s) and may contain confidential
and privileged information. Any unauthorized review, use, disclosure or
distribution is prohibited. If you are not the intended recipient, please
contact the sender by reply e-mail and destroy all copies of the original
message.
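The thread quotes the rc.conf side of an ipfw + natd port forward but never shows the natd.conf line or the ipfw rules that go with it. The script below is an added example, not code from either poster: it generates /etc/natd.conf and the /etc/ipfw.rules script named by the quoted rc.conf from one set of parameters, validates the input first, and adds a runtime check for the point the two posters disagree about (whether the ipfw module is present). The interface rl0 and the rc.conf settings are the thread's; the LAN host 192.168.0.10 and port 80 are constructed sample values, and the ruleset is a minimal stateless skeleton, not a full firewall.

```shell
#!/bin/sh
# Added example, not code from the thread: the two files a single ipfw+natd
# port forward needs on FreeBSD, generated from one set of parameters so the
# natd redirect and the ipfw allow rule cannot drift apart, plus an input
# check and a runtime check. The interface name rl0 and the rc.conf settings
# (firewall_script=/etc/ipfw.rules, natd_flags="... -f /etc/natd.conf") are
# the thread's; LAN host 192.168.0.10 and port 80 are constructed samples.

# Accept only tcp/udp, a port in 1..65535 and an RFC 1918 target, so a typo
# cannot end up forwarding an external port to a host outside the LAN.
# Arguments: proto, LAN host, port.
validate_forward() {
    case "$1" in tcp|udp) ;; *) return 1 ;; esac
    case "$3" in ''|*[!0-9]*) return 1 ;; esac
    [ "$3" -ge 1 ] && [ "$3" -le 65535 ] || return 1
    case "$2" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Contents of /etc/natd.conf. natd reads it through the -f flag in the
# thread's natd_flags; each "redirect_port" line is one -redirect_port
# option: proto target:targetport aliasport.
natd_redirect_conf() {
    validate_forward "$1" "$2" "$3" || return 1
    printf 'redirect_port %s %s:%s %s\n' "$1" "$2" "$3" "$3"
}

# Contents of /etc/ipfw.rules (firewall_script). The divert rule must see
# both directions on the external interface, so it comes first; the allow
# rule then matches the already translated destination, i.e. the LAN host,
# not the external address. Everything else is denied and logged, which is
# what firewall_logging="YES" in the quoted rc.conf turns on. Stateless
# skeleton: TCP replies pass via "established"; LAN-interface and UDP reply
# rules belong to the full ruleset this does not try to be.
# Arguments: external interface, proto, LAN host, port.
ipfw_forward_rules() {
    validate_forward "$2" "$3" "$4" || return 1
    if [ "$2" = tcp ]; then setup=" setup"; else setup=""; fi
    cat <<EOF
ipfw -q flush
ipfw add 100 divert natd ip from any to any via $1
ipfw add 200 allow tcp from any to any established
ipfw add 300 allow $2 from any to $3 $4 in via $1$setup
ipfw add 400 allow ip from any to any out via $1
ipfw add 65000 deny log ip from any to any
EOF
}

# The thread's disagreement as a check instead of an opinion: is the ipfw
# module present on this FreeBSD host? (kldstat -q -m reports modules that
# are loaded or compiled in.) Divert has no such switch to read on 5.x;
# natd itself is the test: if it exits complaining that it cannot create
# its divert socket, the kernel was built without IPDIVERT.
runtime_check() {
    if [ "$(uname -s)" != FreeBSD ]; then
        echo "not FreeBSD: runtime check skipped"
        return 0
    fi
    if kldstat -q -m ipfw; then
        echo "ipfw: present, net.inet.ip.fw.enable=$(sysctl -n net.inet.ip.fw.enable)"
    else
        echo "ipfw: not loaded (firewall_enable=\"YES\" in rc.conf loads it at boot)"
    fi
}

echo "# /etc/natd.conf";  natd_redirect_conf tcp 192.168.0.10 80
echo "# /etc/ipfw.rules"; ipfw_forward_rules rl0 tcp 192.168.0.10 80
runtime_check
```

Run it as-is to print both files for the sample forward; redirect the two function outputs into /etc/natd.conf and /etc/ipfw.rules on the gateway and keep the quoted rc.conf settings as they are. The validation step is deliberate: a redirect_port line that points outside the LAN, or at a port you did not intend, is applied silently by natd, so it is cheaper to refuse it before the file is written.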


