Date:      Sun,  8 Apr 2001 15:08:41 -0700 (PDT)
From:      Mike Harding <mvh@ix.netcom.com>
To:        l.ipfilter@rtci.com
Cc:        vons@iname.com, freebsd-stable@freebsd.org, ipfilter@coombs.anu.edu.au
Subject:   Re: Broken rc.network for ipfilter w/ PR (was Re: How to install ipfilter..)
Message-ID:  <20010408220841.A7023113B1E@netcom1.netcom.com>
In-Reply-To: <20010408151025.A34209@rtci.com> (message from thomas r stromberg on Sun, 8 Apr 2001 15:10:28 -0400)
References:  <5.1.0.12.2.20010407230631.00a688c0@mail.vons.local> <20010408151025.A34209@rtci.com>


Also, if you use a dialup line, and dial-on-demand, as I do, 'ipf -y'
is not called after the dynamic interfaces are set up, and you can
have a filterless box, as the interface does not exist when the rules
are set.  Note that ppp is set up before ipfw and so ipfw and ipnat do
not have this problem.

- Mike H.

   Date: Sun, 8 Apr 2001 15:10:28 -0400
   From: thomas r stromberg <l.ipfilter@rtci.com>
   Cc: freebsd-stable@freebsd.org, ipfilter@coombs.anu.edu.au
   Content-Type: text/plain; charset=us-ascii
   Content-Disposition: inline
   User-Agent: Mutt/1.3.16i
   Sender: owner-freebsd-stable@FreeBSD.ORG
   X-Loop: FreeBSD.ORG
   Precedence: bulk

   >   I added the four commands above to /etc/rc.network instead of using
   >   FreeBSD's ipfilter support through rc.conf mechanism (it assumes that
   >   ipfilter is built into the kernel)

      There is a PR with a patch sitting on this rc.network fuckup
      (oversight) that I'd really love to see committed for 4.3-RELEASE,
      but who knows if that's possible with the given timeline.

      http://www.freebsd.org/cgi/query-pr.cgi?pr=26275

      I completely missed a previous PR on the same issue, but this one
      has a patch that will work no matter where $ipfilter_program is set
      to (hack), rather than hardcoding an ipfstat location.

      Patch also fixes it so that ipf.rules doesn't have to exist if you're
      just setting up a NAT.

      This issue has been a pain in the ass when helping people set up
      ipnat.. so much so I actually recommend people to patch this on the
      bsdwiki entry:

      http://profile.sh/bsdwiki/index.php?Sharing%20your%20internet%20connection%20via%20ipnat

   -- 
   : Thomas Stromberg                      work> tstromberg@rtci.com  :
   : Research Triangle Commerce (ICC.net)  home> thomas@stromberg.org :

   'Every word is like an unnecessary stain on silence and nothingness' 
       -- Beckett

   To Unsubscribe: send mail to majordomo@FreeBSD.org
   with "unsubscribe freebsd-stable" in the body of the message
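
A check for the condition described in the reply at the top of this message (rules loaded before a dial-up interface exists), as an added example that is not part of the original thread or of FreeBSD's rc scripts. The function names, the sample rules and the interface names ed0, lo0 and tun0 are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): report interfaces that ipf rules
# reference with "on <ifname>" but that do not exist yet.

# Print the unique interface names that follow the "on" keyword in the
# rules read from stdin; "#" comments are stripped first.
rule_interfaces() {
    sed -e 's/#.*//' |
        awk '{ for (i = 1; i < NF; i++) if ($i == "on") print $(i + 1) }' |
        sort -u
}

# missing_interfaces RULES_FILE "if1 if2 ..."
# Print each interface named in RULES_FILE that is absent from the list.
missing_interfaces() {
    rules=$1
    present=" $2 "
    rule_interfaces < "$rules" | while read -r ifname; do
        case "$present" in
            *" $ifname "*) ;;
            *) echo "$ifname" ;;
        esac
    done
}

# Constructed sample rules; ed0, lo0 and tun0 are assumed interface names.
sample=$(mktemp /tmp/ipfchk.XXXXXX)
cat > "$sample" <<'EOF'
# constructed sample, not a recommended rule set
block in quick on tun0 from 10.0.0.0/8 to any
pass out quick on tun0 proto tcp from any to any keep state
pass in quick on lo0 all
pass in on ed0 all   # LAN side
EOF

# On the real box the second argument would be "$(ifconfig -l)".
for ifname in $(missing_interfaces "$sample" "lo0 ed0"); do
    echo "$ifname is named in the rules but does not exist yet;" \
         "run 'ipf -y' after it is created"
done
rm -f "$sample"
```

Run at boot after the rules are loaded and again from the hook that fires when the link comes up, an empty result means every interface the rules name exists.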

