Date: Mon, 17 May 2004 09:12:24 -0400
From: "JJB" <Barbish3@adelphia.net>
To: <freebsd-questions@freebsd.org>, "Christian Hiris" <4711@chello.at>
Cc: Micheal Patterson <micheal@tsgincorporated.com>
Subject: RE: natd -redirect_port
Message-ID: <MIEPLLIBMLEEABPDBIEGIEFGFOAA.Barbish3@adelphia.net>
In-Reply-To: <200405171432.38987.4711@chello.at>
Now wouldn't it just be better all the way around to create the IPFW loadable module that is distributed with the system with the correct divert and logging options, so it's not a mandatory requirement to compile the kernel? Why make this so difficult for the normal user? Simpler and easier is always better than more complicated. Look at it this way: a firewall without logging is useless, and the majority of people who use IPFW have a LAN behind their IPFW firewall, so the sensible thing to do is distribute the IPFW loadable module configured in a manner that addresses the needs of the largest user group. As it's distributed now the loadable module is almost completely useless, so why even have one? My personal opinion is that the IPFW loadable module is not configured correctly and needs to be corrected.

-----Original Message-----
From: Christian Hiris [mailto:4711@chello.at]
Sent: Monday, May 17, 2004 8:32 AM
To: freebsd-questions@freebsd.org; Barbish3@adelphia.net
Cc: Micheal Patterson; Anthony Philipp
Subject: Re: natd -redirect_port

On Saturday 15 May 2004 18:56, JJB wrote:
> You are wrong also. The boot time message that displays about the
> ipfw module being loaded is incorrect. I filed a PR on that in 5.1
> and was told by developers that the message is misleading, that the
> module is fully enabled with nat and logging, so I tested and indeed
> nat and logging are really in the loadable module. It's my
> understanding the boot time message that displays about the ipfw
> module being loaded that says everything is disabled will be
> corrected in 5.3. What is in the 5.2.1 ipfw module I do not know.
> My advice is to test the ipfw module before adding ipfw option
> statements to the kernel. That's why the 5.x versions are development
> versions; things change all the time until they get corrected before
> becoming stable releases. This is all new because ipfw2 replaced
> ipfw at the 5.1 version, I believe.
>
> Just think about it, why have a loadable module if all the options
> are turned off? It makes the module useless. Ipfilter's loadable
> module is full function with nat and logging, why should the ipfw
> module be any different? It's just that stupid message that has been
> misleading users all this time, just like it did to me. If nat and
> logging are missing from the ipfw loadable module in 5.2.1 then
> submit another PR to remind them it needs to be corrected. Nat and
> logging are the most used options of ipfw; it's just plain stupid
> not to have them included in the standard module.

If a user wants ipfw to issue the correct initial divert message, it's still required to compile ipfw into the kernel. This means 'option IPFIREWALL' is required as stated in the natd manual.

Actually on 5.2-current the ipfw module doesn't know if the kernel has been compiled with the ipdivert proto. This causes the wrong 'divert disabled' initial message. I will file a PR on the wrong initial divert message issue tomorrow.

If the ipdivert proto capability could be retrieved via the divcb sysctl or any other mechanism, it might become possible for the ipfw kld to issue the correct divert message. Disabling the divert message in case ipfw has been compiled as a kld could be a simpler solution.

> > -----Original Message-----
> > From: Micheal Patterson [mailto:micheal@tsgincorporated.com]
> > Sent: Saturday, May 15, 2004 11:38 AM
> > To: Barbish3@adelphia.net; Christian Hiris; freebsd-questions@freebsd.org
> > Cc: Anthony Philipp
> > Subject: Re: natd -redirect_port
> >
> > ----- Original Message -----
> > From: "JJB" <Barbish3@adelphia.net>
> > To: "Christian Hiris" <4711@chello.at>; <freebsd-questions@freebsd.org>
> > Cc: "Anthony Philipp" <philipp1@itg.uiuc.edu>
> > Sent: Saturday, May 15, 2004 8:05 AM
> > Subject: RE: natd -redirect_port
> >
> > > You are wrong, you do not have to compile ipfirewall kernel options
> > > into the kernel. IPFW is delivered as a bootable module.
> > > You need this in rc.conf to enable ipfw, it will auto load the
> > > bootable module.
> > >
> > > # Required For IPFW kernel firewall support
> > > firewall_enable="YES" # Start daemon
> > > firewall_script="/etc/ipfw.rules" # run my custom rules
> > > firewall_logging="YES" # Enable events logging
> > >
> > > natd_enable="YES" # Enable IPFW nat function
> > > natd_interface="rl0"
> > > natd_flags="-dynamic -m -u -f /etc/natd.conf"
> >
> > You're right, you don't have to recompile to use ipfw, however,
> > since there is no divert module, the kernel will still need to be
> > recompiled to enable divert. In order for the OP to do what they're
> > wanting to do they will still need to recompile the kernel and
> > restart the system.
> >
> > --
> > Micheal Patterson
> > TSG Network Administration
> > 405-917-0600

--
Christian Hiris <4711@chello.at> | OpenPGP KeyID 0x941B6B0B
OpenPGP-Key at hkp://wwwkeys.eu.pgp.net and http://pgp.mit.edu
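To make the two files the quoted rc.conf refers to concrete, here is an added example (not from the thread, and not FreeBSD's own rc.firewall): the /etc/ipfw.rules script that firewall_script names, which also prints the /etc/natd.conf that natd_flags points at, with a redirect_port rule for the case in the thread subject. rl0 comes from the quoted rc.conf; the inside interface xl0 and the inside web host 192.168.1.10 are assumed for this example, and FWCMD is a variable so the rule set can be inspected without root.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeBSD's own rc.firewall.
# It is the /etc/ipfw.rules that the quoted rc.conf names in firewall_script
# (run with /bin/sh) plus the /etc/natd.conf that natd_flags points at.
# Assumed: rl0 is the outside interface (from the quoted rc.conf); the inside
# interface xl0 and the inside web host 192.168.1.10 are made up for this
# example. FWCMD is a variable so the rules can be checked without root.

FWCMD=${FWCMD:-/sbin/ipfw}
OIF=${OIF:-rl0}
IIF=${IIF:-xl0}
WEB=192.168.1.10

# Contents for /etc/natd.conf. -dynamic, -m and -u in natd_flags still apply;
# this file only adds the port redirect the thread subject asks about:
# outside port 80 on rl0 is forwarded to the inside web host.
natd_conf() {
    cat <<EOF
# port redirect; other natd options come from natd_flags in rc.conf
redirect_port tcp $WEB:80 80
EOF
}

# The divert rule must be the first rule that matches traffic on the outside
# interface: natd rewrites addresses, and ipfw resumes at the next rule.
# "natd" resolves to divert port 8668 via /etc/services. Without IPDIVERT in
# the kernel natd cannot open its socket and ipfw drops everything this rule
# matches, which is the failure discussed in the thread. Only TCP is allowed
# through here; the final rule logs whatever is denied, so logging must work.
load_rules() {
    "$FWCMD" -q flush
    "$FWCMD" add 00050 divert natd ip from any to any via "$OIF"
    "$FWCMD" add 00100 allow ip from any to any via lo0
    "$FWCMD" add 00200 deny ip from any to 127.0.0.0/8
    "$FWCMD" add 00300 allow ip from any to any via "$IIF"
    "$FWCMD" add 00400 allow tcp from any to "$WEB" 80 in via "$OIF"
    "$FWCMD" add 00500 allow tcp from any to any out via "$OIF"
    "$FWCMD" add 00600 allow tcp from any to any in via "$OIF" established
    "$FWCMD" add 65000 deny log ip from any to any
}

# Load only when run as the firewall script (sh /etc/ipfw.rules), so the
# functions can be sourced and inspected elsewhere.
case "$0" in
    */ipfw.rules) load_rules ;;
esac
```

Run `natd_conf > /etc/natd.conf` once on the host, then `sh /etc/ipfw.rules` loads the rules; whether the divert rule actually passes packets is what the thread's "test the module before touching the kernel" advice amounts to.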