From: Christian Hiris <4711@chello.at>
To: freebsd-questions@freebsd.org, Barbish3@adelphia.net
Cc: Anthony Philipp, Micheal Patterson
Date: Mon, 17 May 2004 14:32:15 +0200
Subject: Re: natd -redirect_port
Message-Id: <200405171432.38987.4711@chello.at>

On Saturday 15 May 2004 18:56, JJB wrote:
> You are wrong also. The boot time message that displays about the
> ipfw module being loaded is incorrect. I filed a PR on that in 5.1
> and was told by developers that message is misleading, that the
> module is fully enabled with nat and logging, so I tested and indeed
> nat and logging is really in the loadable module.
> It's my understanding the boot time message that displays about the
> ipfw module being loaded that says everything is disabled will be
> corrected in 5.3. What is in the 5.2.1 ipfw module I do not know.
> My advice is to test ipfw module before adding ipfw option
> statements to kernel. That's why the 5.x versions are development
> versions, things change all the time until they get corrected before
> becoming stable releases. This is all new because ipfw2 replaced
> ipfw at the 5.1 version I believe. Just think about it, why have a
> loadable module if all the options are turned off, it makes the
> module useless. Ipfilter's loadable module is full function with
> nat and logging why should the ipfw module be any different? It's
> just that stupid message that has been misleading users all this
> time just like it did to me. If nat and logging is missing from the
> ipfw loadable module in 5.2.1 then submit another PR to remind them
> it needs to be corrected. Nat and logging are the most used options
> of ipfw, it's just plain stupid not to have them included in the
> standard module.

If a user wants ipfw to issue the correct initial divert message, it's still
required to compile ipfw into the kernel. This means 'option IPFIREWALL' is
required as stated in the natd manual.
Actually on 5.2-current the ipfw module doesn't know if the kernel has been
compiled with ipdivert proto. This causes the wrong 'divert disabled' initial
message.

I will file a PR on the wrong initial divert message issue tomorrow. If the
ipdivert proto capability could be retrieved via divcb sysctl or any other
mechanism, it might become possible that the ipfw kld could issue the correct
divert message.

Disabling of the divert message in case the ipfw has been compiled as kld
could be a simpler solution.
>
> -----Original Message-----
> From: Micheal Patterson [mailto:micheal@tsgincorporated.com]
> Sent: Saturday, May 15, 2004 11:38 AM
> To: Barbish3@adelphia.net; Christian Hiris;
> freebsd-questions@freebsd.org
> Cc: Anthony Philipp
> Subject: Re: natd -redirect_port
>
>
> ----- Original Message -----
> From: "JJB"
> To: "Christian Hiris" <4711@chello.at>;
> Cc: "Anthony Philipp"
> Sent: Saturday, May 15, 2004 8:05 AM
> Subject: RE: natd -redirect_port
>
> > You are wrong, you do not have to compile ipfirewall kernel options
> > into the kernel.
> > IPFW is delivered as a bootable module.
> > You need this in rc.conf to enable ipfw, it will auto load the
> > bootable module.
> >
> > # Required For IPFW kernel firewall support
> > firewall_enable="YES" # Start daemon
> > firewall_script="/etc/ipfw.rules" # run my custom rules
> > firewall_logging="YES" # Enable events logging
> >
> > natd_enable="YES" # Enable IPFW nat function
> > natd_interface="rl0"
> > natd_flags="-dynamic -m -u -f /etc/natd.conf"
>
> You're right, you don't have to recompile to use ipfw, however, since
> there is no divert module, the kernel will still need to be recompiled
> to enable divert. In order for the OP to do what they're wanting to do
> they will still need to recompile kernel and restart the system.
>
> --
>
> Micheal Patterson
> TSG Network Administration
> 405-917-0600

-- 
Christian Hiris <4711@chello.at> | OpenPGP KeyID 0x941B6B0B
OpenPGP-Key at hkp://wwwkeys.eu.pgp.net and http://pgp.mit.edu
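
The disagreement in this thread comes down to what is compiled into the kernel versus what the ipfw module provides. As an added example (not part of the original message), this sh script audits a kernel config file and rc.conf for the natd prerequisites as Christian Hiris and Micheal Patterson describe them for 5.x. The function names, verdict strings and sample file contents are constructed for illustration; `options IPDIVERT` is assumed to be the kernel option behind what the message calls "ipdivert proto".

```shell
#!/bin/sh
# Added example; sample file contents below are constructed for illustration.

# has_option FILE NAME: true if an uncommented "options NAME" line exists.
has_option() {
    awk -v want="$2" '{ sub(/#.*/, "") }
        $1 == "options" && $2 == want { found = 1 }
        END { exit !found }' "$1"
}

# rc_yes FILE VAR: true if the last uncommented VAR= assignment is "YES".
rc_yes() {
    awk -F= -v var="$2" '{ sub(/#.*/, "") }
        $1 == var { val = $2 }
        END { gsub(/[" \t]/, "", val); exit (toupper(val) != "YES") }' "$1"
}

# natd_audit KERNCONF RCCONF: print a one-word verdict.
natd_audit() {
    rc_yes "$2" natd_enable || { echo natd-disabled; return 0; }
    # Thread's position: ipfw as a module is enough for filtering, but divert
    # (which natd depends on) needs ipfw and divert compiled into the kernel.
    has_option "$1" IPFIREWALL || { echo ipfw-module-only; return 0; }
    has_option "$1" IPDIVERT   || { echo no-divert; return 0; }
    echo ok
}

tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT

# Constructed rc.conf, modelled on the settings quoted in the thread.
cat > "$tmp/rc.conf" <<'EOF'
firewall_enable="YES"               # Start daemon
firewall_script="/etc/ipfw.rules"   # run my custom rules
natd_enable="YES"                   # Enable IPFW nat function
natd_interface="rl0"
EOF

# Constructed kernel configs: stock (ipfw as kld), divert commented out, both compiled in.
printf 'ident GENERIC\noptions INET\n' > "$tmp/GENERIC"
printf 'ident GW\noptions IPFIREWALL\n#options IPDIVERT\n' > "$tmp/NODIVERT"
printf 'ident GW\noptions IPFIREWALL\noptions IPDIVERT\n' > "$tmp/GW"

for k in GENERIC NODIVERT GW; do
    printf '%-9s %s\n' "$k" "$(natd_audit "$tmp/$k" "$tmp/rc.conf")"
done
```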