Date: Tue, 5 Dec 2000 17:04:47 +0100
From: Danny Pansters <danny@ricin.com>
To: "joskis" <joskis@xxx.lt>
Cc: freebsd-questions@freebsd.org
Subject: Re: freebsd 4.2 & ipfilter
Message-ID: <00120517044700.00989@ricin.localnet>
In-Reply-To: <019601c05eca$315b36c0$7d01a8c0@FLONIDAN>
References: <019601c05eca$315b36c0$7d01a8c0@FLONIDAN>
Hi,

I've been playing with ipf to set up my nat box connected to cable modem,
first with release 4.1.1, recently updated to 4.2. The new release
contains a part in the rc.network to start ipf right after boot. It
didn't seem to work for me though.

> host# ipf -Fa -f /etc/ipf.rules
> 1:ioctl(add/insert rule): No such process

Try: ipf -y

It does some syncing. Otherwise your first rule is wrong.

> and plus, the kernel options: ipdivert & ipstealth are for ipfirewall or
> for ipfilter also?

AFAIK, these are for ipfw not for ipf. You can do stealth with ipf also,
check the manual at www.obfuscation.org/ipf (if you don't have this
how-to already, get it, you'll need it). You can hide the firewall node
with this stealth thing, but really you don't need it and it might slow
your box down.

This is how it works for me: I don't use the new method as mentioned
before. I think it requires you to add a couple of lines to
/etc/rc.conf. What I did was:

1) compile ipf filter and logging in kernel -- dmesg should show a line
   saying ipfilter initialized
2) put ipf rules in /etc/ipf.rules and DOCUMENT it!!
3) put nat rules in /etc/ipnat.rules
4) make a little script /etc/rc.ipfilter something like:

   #!/bin/sh
   echo -n ' ipfilter'
   ipf -Fa -f /etc/ipf.rules
   echo -n ' ipnat'
   ipnat -CF -f /etc/ipnat.rules > /dev/null
   echo -n ' ipmon'
   ipmon -s &     # change if you don't want logging to syslog

5) make it executable and call it from /etc/rc.network right after host
   discovery (very early)
6) just reboot once (can do without but this is easier)

This might not be the most aesthetic way to do it but it works. I don't
know why the new method suggested by 4.2 went wrong; I *had* to use
rc.conf then to initialize ipf and it would say "already initialized".
In the end it did work in principle, but I found it ugly and returned to
my old method.

BTW, I love ipf, finally a fw package that uses human language (earlier
I used ipchains on Linux).
Hope this helps you a bit,

Danny
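What steps 2 and 3 above can look like in practice, as an added example that is not part of Danny's mail: a documented /etc/ipf.rules and /etc/ipnat.rules for a cable-modem NAT box, loaded by the rc.ipfilter script he describes. Assumed names: ed0 is the cable-modem interface, fxp0 the LAN interface, and 192.168.1.0/24 the LAN (change these to match your box).

```ipf
# ---- /etc/ipf.rules (example; ed0 = cable modem, fxp0 = LAN, both assumed) ----
# Rules are read top to bottom; "quick" stops at the first match, so order matters.
# Loopback traffic is always fine.
pass in quick on lo0 all
pass out quick on lo0 all

# Drop packets arriving from the cable side that claim a private or loopback
# source address: they cannot legitimately come from the Internet (anti-spoofing).
block in quick on ed0 from 10.0.0.0/8 to any
block in quick on ed0 from 172.16.0.0/12 to any
block in quick on ed0 from 192.168.0.0/16 to any
block in quick on ed0 from 127.0.0.0/8 to any

# Outbound connections from this box (and the NATed LAN behind it) are allowed.
# "keep state" lets the replies back in without any explicit "pass in" rule,
# so nothing below has to open inbound ports for return traffic.
pass out quick on ed0 proto tcp from any to any flags S/SA keep state
pass out quick on ed0 proto udp from any to any keep state
pass out quick on ed0 proto icmp from any to any keep state

# Nothing else enters from the cable side; log it so ipmon -s shows it in syslog.
block in log quick on ed0 all
# Also log anything outbound that did not match the stateful rules above.
block out log quick on ed0 all

# The LAN interface is trusted in this example; tighten if the LAN is not.
pass in quick on fxp0 all
pass out quick on fxp0 all

# ---- /etc/ipnat.rules (example; same interface and LAN assumptions) ----
# 0/32 means "the current address of ed0", handy when the cable provider
# hands out the address by DHCP. Active FTP needs the proxy line; the
# portmap line keeps TCP/UDP source ports in a known range; the last line
# catches everything else (e.g. ICMP).
map ed0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
map ed0 192.168.1.0/24 -> 0/32 portmap tcp/udp 40000:60000
map ed0 192.168.1.0/24 -> 0/32
```

Before flushing the live ruleset, `ipf -n -f /etc/ipf.rules` parses the file without loading it, which catches the "first rule is wrong" case mentioned above; `ipfstat -io` afterwards shows what was actually installed.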