Date: Sun, 31 Dec 2000 09:11:54 -0800
From: Tom Czarnik
To: freebsd-security@FreeBSD.ORG
Cc: echelon, Darren Reed
Subject: Re: IPFilter and new rc.conf scripts

> 4) I find out that I have to issue the command "ipf -Fa -f /etc/ipf.rules"
> myself whenever I reboot FreeBSD or the rules on tun0 won't work. However,
> the rules on the internal network (group 9000) work as expected, no matter
> whether I re-issue the command or not after reboot.
>
> This confuses me as rc.conf loads the ipf.rules when FreeBSD reboots. Why
> do I have to issue this command again to activate the rules on tun0?

Although IPF hasn't changed version numbers between 4.1R and 4.2R as displayed by 'ipf -V', something did change because you must now resync IPF with the interface list. The man page has changed to reflect this. In 4.1R the resync was only available on Solaris and IPF accepted rules for interfaces that had not been present upon initialization. With 4.2R, when IPF is first loaded, the tun0 interface is not present. This also happens if you use any interfaces as modules (as in my case).

I use the following patch to rc.network.

--- rc.network Fri Dec 8 18:04:44 2000 +++ rc.network.new Fri Dec 8 20:23:11 2000 @@ -218,7 +218,7 @@ ppp_command="${ppp_command} ${ppp_profile}" - echo -n "Starting ppp as \"${ppp_user}\"" + echo "Starting ppp as \"${ppp_user}\"" su -m ${ppp_user} -c "exec ${ppp_command}" ;; esac
@@ -299,6 +299,12 @@ # if [ -n "${atm_pass1_done}" ]; then atm_pass2 + fi + + #* Resync IP Filter with any new interfaces (modules or tun0). + if [ -r "${ipfilter_rules}" ]; then + echo -n "IP Filter: " + ipf -y fi # Configure routing
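Review bot: the @@ -218,7 hunk only turns `echo -n "Starting ppp as \"${ppp_user}\""` into `echo "Starting ppp as \"${ppp_user}\""`, which has nothing to do with the IP Filter resync this mail is about and is not explained anywhere in it; either leave that line out of the patch or say why the trailing newline is wanted (presumably so that ppp's own output no longer continues the "Starting ppp" status line).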
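Review bot: in the @@ -299,6 hunk the new block is gated only on `-r "${ipfilter_rules}"`, so `ipf -y` runs whenever the rules file happens to be readable, including on hosts where IP Filter is switched off in rc.conf or the module is not loaded, and it will then fail noisily at every boot. Gate it on the same switch that loads the rules in 4.2's rc.conf, e.g. `if [ "${ipfilter_enable}" = "YES" -a -r "${ipfilter_rules}" ]; then`. Two smaller points: the `#*` comment marker is unusual for this file, which uses plain `#` everywhere else, and `echo -n "IP Filter: "` leaves the status line open unless `ipf -y` prints something, so follow it with an `echo`. Finally, user ppp is started just above in the same script and creates tun0 on its own schedule, so it is worth confirming after a boot that the interface already exists when this line runs; a resync issued before tun0 is up leaves its rules just as inert as before.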
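A check in the spirit of the thread, added here as an example and not code from Tom's mail or from FreeBSD's rc scripts: it lists the interfaces an ipf.rules file names that are not configured yet, which are exactly the rules that `ipf -y` is needed for. The sample rules and the fxp0 interface name are constructed.

```shell
#!/bin/sh
# Added example, not code from the original mail: list the interfaces that an
# ipf.rules file names but that are not configured yet. Rules on those
# interfaces are exactly the ones that stay inert until `ipf -y` resyncs
# IP Filter with the interface list.

# Read rules text on stdin and print each interface that follows an "on"
# keyword, one per line, without duplicates; comments and blank lines skipped.
rule_interfaces() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { for (i = 1; i < NF; i++)
              if ($i == "on" && !seen[$(i + 1)]++) print $(i + 1) }'
}

# Rules on stdin, $1 = space-separated configured interfaces (on FreeBSD the
# output of `ifconfig -l`). Prints the rule interfaces that are absent and
# returns 1 if there is at least one, 0 if every rule interface is present.
missing_rule_interfaces() {
    present=" $1 "
    status=0
    for iface in $(rule_interfaces); do
        case "$present" in
            *" $iface "*) ;;
            *) echo "$iface"; status=1 ;;
        esac
    done
    return $status
}

# Constructed sample in the style of the thread: tun0 is the ppp link and the
# internal network is group 9000 (the fxp0 interface name is an assumption).
SAMPLE_RULES='# external link
block in log quick on tun0 from 192.168.0.0/16 to any
pass out quick on tun0 proto tcp from any to any keep state
# internal network
pass in quick on fxp0 all head 9000
block in on fxp0 from any to 192.168.100.1 group 9000'

# Early in boot, before ppp has created tun0, only lo0 and fxp0 exist.
if missing=$(printf '%s\n' "$SAMPLE_RULES" | missing_rule_interfaces "lo0 fxp0"); then
    echo "all rule interfaces are configured"
else
    echo "not yet configured: $missing (run ipf -y once they come up)"
fi
```

On a real host, feed /etc/ipf.rules on stdin and the output of `ifconfig -l` as the argument.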