From: Jim Xochellis
Organization: ESCAPE Services
Date: Mon, 24 Feb 2003 12:33:16 +0200
To: Giorgos Keramidas
Cc: freebsd-questions@freebsd.org
Subject: Re: Problems with in the ipf setup in an FreeBSD 4.7 router

Hi Giorgos,

First of all I have to admit that basically you are right. I *must* avoid
changing the xxx_program settings, and it does not seem reasonable (in
FreeBSD 4.7) to include the flags in the xxx_program settings. Flags should
go in the xxx_flags settings.

But my old router was a FreeBSD 4.2-RELEASE box and I just wanted to change
it to FreeBSD 4.7-RELEASE for security reasons. I was under the impression
that my old rc.conf file should work OK with the new system and I tried to
reuse it (Big Mistake!).

Unfortunately the rc.network file of FreeBSD 4.7-RELEASE works differently
now, and the ipfilter_program setting is not used the same way as it was
back in FreeBSD 4.2-RELEASE:

rc.network of FreeBSD 4.2-RELEASE:

    ...
    ${ipfilter_program:-ipf -Fa -f} "${ipfilter_rules}" ${ipfilter_flags}
    ...

rc.network of FreeBSD 4.7-RELEASE:

    ...
    ${ipfilter_program:-/sbin/ipf} -Fa -f "${ipfilter_rules}" ${ipfilter_flags}
    ...

In other words, [ipfilter_program="/sbin/ipf -Fa -f"] was the correct setting
for FreeBSD 4.2-RELEASE but it is incorrect for FreeBSD 4.7-RELEASE.

My *big* mistake was that changing the ipfilter_program setting was not
really necessary for me. I should have left it at its default value!

Well, I am wiser now thanks to this list. Thank you very much!

Regards,
Jim Xochellis
Escape Information Services

Giorgos Keramidas wrote:
>
> > ipfilter_flags=""
> >
> > The problem is that, when I boot, ipf does not work. It seems like it is
> > not using the rules.
>
> Don't change ipfilter_program if you don't have a *very* good reason
> for doing so:
>
> $ grep ipfilter_program /etc/defaults/rc.conf
> ipfilter_program="/sbin/ipf" # where the ipfilter program lives
>
> Before you change one of the xxx_program options in rc.conf you should
> make sure that you understand what this change will affect, by looking
> at the /etc/rc* scripts:
>
> $ grep -l ipfilter_program /etc/rc*
> rc.network
> $ grep ipfilter_program /etc/rc.network
> ${ipfilter_program:-/sbin/ipf} -Fa
> ${ipfilter_program:-/sbin/ipf} \
> ${ipfilter_program:-/sbin/ipf} -6 \
> ${ipfilter_program:-/sbin/ipf} -y ${ipfilter_flags} >/dev/null
>
> By setting ipfilter_program to "/sbin/ipf -Fa -f", that first line of
> rc.network became:
>
> /sbin/ipf -Fa -f -Fa
>
> which doesn't work. Similarly, the -f option at the end of your
> ipfilter_program value broke all the rest of the ipf commands in
> /etc/rc.network. Delete the ipfilter_program line from your rc.conf
> and the default will work fine.
>
> Here's what I have in my rc.conf for ipfilter and ipmon:
>
> $ grep '^ip[fm]' /etc/rc.conf
> ipfilter_enable="YES"
> ipfilter_rules="/etc/ipf.rules"
> ipmon_enable="YES"
> ipmon_flags="-D -s -o I"
>
> - Giorgos
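The expansion difference the thread turns on, as an added example that is not code from the thread or from FreeBSD's rc.network: one dry-run function per rc.network version (hypothetical names cmdline_42 and cmdline_47) echoes the command line the quoted line would produce for a given rc.conf setting, and a hypothetical check_program_setting flags an xxx_program value that carries flags instead of a bare path.

```sh
#!/bin/sh
# Added example, not code from the thread or from FreeBSD's rc.network.
# Echoes the command line each rc.network version would run for a given
# rc.conf setting (dry run, ipf is never executed) and checks that an
# xxx_program value is a bare path with no flags smuggled in.

# Command line built by the 4.2-RELEASE rc.network line quoted in the mail.
cmdline_42() {
    ipfilter_program=$1; ipfilter_rules=$2; ipfilter_flags=$3
    echo ${ipfilter_program:-ipf -Fa -f} "${ipfilter_rules}" ${ipfilter_flags}
}

# Command line built by the 4.7-RELEASE rc.network line quoted in the mail.
# The unquoted expansion splits a value like "/sbin/ipf -Fa -f" into words,
# so the flags come out twice: /sbin/ipf -Fa -f -Fa -f /etc/ipf.rules
cmdline_47() {
    ipfilter_program=$1; ipfilter_rules=$2; ipfilter_flags=$3
    echo ${ipfilter_program:-/sbin/ipf} -Fa -f "${ipfilter_rules}" ${ipfilter_flags}
}

# rc.conf sanity check: an xxx_program value must be a single absolute path.
# Returns 0 for a bare path, 1 if it is empty, relative or carries flags.
check_program_setting() {
    case "$1" in
        *[[:space:]]*) return 1 ;;   # whitespace means flags were appended
        /*)            return 0 ;;
        *)             return 1 ;;
    esac
}

# Demo with the settings from the thread (ipfilter_flags left empty).
demo() {
    echo "4.2: $(cmdline_42 '/sbin/ipf -Fa -f' /etc/ipf.rules '')"
    echo "4.7: $(cmdline_47 '/sbin/ipf -Fa -f' /etc/ipf.rules '')"
    echo "4.7 with default: $(cmdline_47 '' /etc/ipf.rules '')"
    if check_program_setting '/sbin/ipf -Fa -f'; then
        echo "ipfilter_program looks fine"
    else
        echo "ipfilter_program carries flags; move them to ipfilter_flags"
    fi
}

demo
```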