Date: Mon, 24 Feb 2003 12:33:16 +0200
From: Jim Xochellis <dxoch@escape.gr>
To: Giorgos Keramidas <keramida@ceid.upatras.gr>
Cc: freebsd-questions@freebsd.org
Subject: Re: Problems with the ipf setup in a FreeBSD 4.7 router
Message-ID: <3E59F4EC.89993D3A@escape.gr>
References: <3E566B12.5DEE5B21@escape.gr> <20030221205818.GD70911@gothmog.gr>
Hi Giorgos,

First of all I have to admit that basically you are right. I *must* avoid changing the xxx_program settings, and it does not seem reasonable (in FreeBSD 4.7) to include the flags in the xxx_program settings. Flags should be in the xxx_flags settings.

But my old router was a FreeBSD 4.2-RELEASE box and I just wanted to change it to FreeBSD 4.7-RELEASE for security reasons. I was under the impression that my old rc.conf file should work OK with the new system, and I tried to reuse it (Big Mistake!).

Unfortunately the rc.network file of FreeBSD 4.7-RELEASE works differently now, and the ipfilter_program setting is not used the same way as it was back in FreeBSD 4.2-RELEASE:

rc.network of FreeBSD 4.2-RELEASE:
...
${ipfilter_program:-ipf -Fa -f} "${ipfilter_rules}" ${ipfilter_flags}
...

rc.network of FreeBSD 4.7-RELEASE:
...
${ipfilter_program:-/sbin/ipf} -Fa -f "${ipfilter_rules}" ${ipfilter_flags}
...

In other words [ipfilter_program="/sbin/ipf -Fa -f"] was the correct setting for FreeBSD 4.2-RELEASE but it is incorrect for FreeBSD 4.7-RELEASE.

My *big* mistake was that changing the ipfilter_program setting was not really necessary for me. I should have left it at its default value! Well, I am wiser now thanks to this list. Thank you very much!

Regards,
Jim Xochellis
Escape Information Services

Giorgos Keramidas wrote:
> > ipfilter_flags=""
> >
> > The problem is that, when I boot, ipf does not work. It seems like it is
> > not using the rules.
>
> Don't change ipfilter_program if you don't have a *very* good reason
> for doing so:
>
> $ grep ipfilter_program /etc/defaults/rc.conf
> ipfilter_program="/sbin/ipf" # where the ipfilter program lives
>
> Before you change one of the xxx_program options in rc.conf you should
> make sure that you understand what this change will affect, by looking
> at the /etc/rc* scripts:
>
> $ grep -l ipfilter_program /etc/rc*
> rc.network
> $ grep ipfilter_program /etc/rc.network
> ${ipfilter_program:-/sbin/ipf} -Fa
> ${ipfilter_program:-/sbin/ipf} \
> ${ipfilter_program:-/sbin/ipf} -6 \
> ${ipfilter_program:-/sbin/ipf} -y ${ipfilter_flags} >/dev/null
>
> By setting ipfilter_program to "/sbin/ipf -Fa -f", that first line of
> rc.network became:
>
> /sbin/ipf -Fa -f -Fa
>
> which doesn't work. Similarly, the -f option at the end of your
> ipfilter_program value broke all the rest of the ipf commands in
> /etc/rc.network. Delete the ipfilter_program line from your rc.conf
> and the default will work fine.
>
> Here's what I have in my rc.conf for ipfilter and ipmon:
>
> $ grep '^ip[fm]' /etc/rc.conf
> ipfilter_enable="YES"
> ipfilter_rules="/etc/ipf.rules"
> ipmon_enable="YES"
> ipmon_flags="-D -s -o I"
>
> - Giorgos
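Added example, not part of the thread and not FreeBSD's own rc code: the POSIX sh script below reproduces the unquoted expansion of ipfilter_program that both rc.network fragments quoted above rely on, so the "/sbin/ipf -Fa -f -Fa -f ..." command line that 4.7 ends up running can be seen without rebooting a router. It also carries a small checker for xxx_program knobs in an rc.conf-style file. The function names, the checker logic and the sample rc.conf lines are constructed for this example; the two expansion patterns are taken from the rc.network lines quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread or from /etc/rc.network). It mimics how
# rc.network expanded ipfilter_program in 4.2-RELEASE and 4.7-RELEASE, as
# quoted in the thread. Nothing here runs ipf; the functions only print the
# command line the rc script would have executed.

# 4.2-RELEASE: the default value was the whole "ipf -Fa -f" command, so a
# value of "/sbin/ipf -Fa -f" was a drop-in replacement.
# $1=ipfilter_program  $2=ipfilter_rules  $3=ipfilter_flags
rc42_ipf_cmd() {
    set -- ${1:-ipf -Fa -f} "$2" $3    # unquoted, so the value is word-split
    echo "$*"
}

# 4.7-RELEASE: the default is only the path; rc.network adds -Fa -f itself,
# so any flags in the variable are repeated on the command line.
rc47_ipf_cmd() {
    set -- ${1:-/sbin/ipf} -Fa -f "$2" $3
    echo "$*"
}

# A xxx_program value should be one absolute path and nothing else.
# Returns 0 when acceptable, 1 when the value would break the rc script.
check_program_setting() {
    case "$1" in
        "")            return 0 ;;   # unset: /etc/defaults/rc.conf applies
        *[[:space:]]*) return 1 ;;   # whitespace: flags hidden in the program knob
        /*)            return 0 ;;
        *)             return 1 ;;   # relative name: depends on PATH at boot
    esac
}

# Read rc.conf-style lines from stdin and report every xxx_program knob that
# fails check_program_setting. Returns 1 if any did, 0 otherwise.
audit_rc_conf() {
    bad=0
    while IFS= read -r line; do
        case "$line" in
            [!#]*_program=*) ;;      # uncommented xxx_program assignment
            *) continue ;;
        esac
        name=${line%%=*}
        value=${line#*=}
        value=${value%%#*}           # drop a trailing comment
        # strip surrounding whitespace and the optional double quotes
        value=$(printf '%s' "$value" | sed 's/^[[:space:]]*"\{0,1\}//; s/"\{0,1\}[[:space:]]*$//')
        check_program_setting "$value" || {
            echo "$name=\"$value\": move the flags to ${name%_program}_flags"
            bad=1
        }
    done
    return $bad
}

# Constructed rc.conf fragment modelled on the one in the thread (hypothetical
# content, not a real system's file).
sample_rc_conf='ipfilter_enable="YES"
ipfilter_program="/sbin/ipf -Fa -f"   # carried over from a 4.2 box
ipfilter_rules="/etc/ipf.rules"
ipmon_enable="YES"
ipmon_flags="-D -s -o I"'

echo "4.2 rc.network would run: $(rc42_ipf_cmd '/sbin/ipf -Fa -f' /etc/ipf.rules)"
echo "4.7 rc.network would run: $(rc47_ipf_cmd '/sbin/ipf -Fa -f' /etc/ipf.rules)"
printf '%s\n' "$sample_rc_conf" | audit_rc_conf || echo "rc.conf needs fixing before reboot"
```

Run it with `sh` on the box before rebooting; the audit is the check to apply to any rc.conf carried over from an older release, since the rc scripts are what changed, not the knob names.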