From owner-freebsd-questions Mon Nov 5 14:36: 3 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from harrier.prod.itd.earthlink.net (harrier.mail.pas.earthlink.net [207.217.120.12])
	by hub.freebsd.org (Postfix) with ESMTP id 8CB8837B418
	for ; Mon, 5 Nov 2001 14:35:57 -0800 (PST)
Received: from dialup-209.245.130.246.dial1.sanjose1.level3.net ([209.245.130.246] helo=blossom.cjclark.org)
	by harrier.prod.itd.earthlink.net with esmtp (Exim 3.33 #1)
	id 160sLT-0005F5-00; Mon, 05 Nov 2001 14:35:56 -0800
Received: (from cjc@localhost)
	by blossom.cjclark.org (8.11.6/8.11.3) id fA5MZRs01083;
	Mon, 5 Nov 2001 14:35:27 -0800 (PST)
	(envelope-from cjc)
Date: Mon, 5 Nov 2001 14:35:26 -0800
From: "Crist J. Clark"
To: Nick Rogness
Cc: David Kelly , Jason Cribbins , questions@FreeBSD.ORG
Subject: Re: Unable to get natd/ipfw to work properly
Message-ID: <20011105143526.A745@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
References: <20011104231746.D325@blossom.cjclark.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from nick@rogness.net on Mon, Nov 05, 2001 at 12:34:21PM -0600
X-URL: http://people.freebsd.org/~cjc/
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Mon, Nov 05, 2001 at 12:34:21PM -0600, Nick Rogness wrote:
> On Sun, 4 Nov 2001, Crist J. Clark wrote:
>
> > > > You must build IPDIVERT into the kernel
> > > > manually as there is no klm for DIVERT and it is not part of
> > > > ipfw.ko. Or at least it wasn't before 4.4-R.
> > >
> > > OK, then that would be a nice simple little thing for somebody to
> > > contribute to /etc/rc.network. The script knows if it has to kldload
> > > ipfw, and if it loaded from kld then is there any chance IPDIVERT
> > > will work? If not, then a verbose warning would be nice if such were
> > > attempted.
> >
> > There is nothing stopping someone from adding IPDIVERT to their
> > ipfw.ko module. Edit src/sys/modules/ipfw/Makefile.
>
> Maybe it would be nice to have 2 ipfw klm's. 1 that has just the
> basic functionality (ipfw.ko) and a second module, say
> ipfw-plus.ko, that has IPDIVERT, Forwarding, etc.
>
> Then the rc scripts could load the appropriate one on boot.
>
> Just a thought. I don't think it would be difficult to do, just a
> matter if people want it or not.

Well, there are some "issues" with IPDIVERT. If you build a firewall
module with IPDIVERT and load it into a kernel that was not built with
IPDIVERT, it won't work. But you _can_ do it if the kernel had
IPDIVERT, but did not have any IPFIREWALL options set (like the poster
in this thread did). The divert(4) code does not just live in the
firewall code, but elsewhere in the kernel (e.g. ip_input.c,
ip_output.c) too.

But back to the original point, I am not sure a more verbose message
is needed. Isn't,

  IP packet filtering initialized, divert disabled, rule-based forwarding disabled, default to deny, logging limited to 1000 packets/entry by default
                                   ^^^^^^^^^^^^^^^

Enough?
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
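The thread's practical upshot is that a natd setup should confirm divert support before installing divert rules, and that the kernel's ipfw banner quoted above is the place to look. The script below is an added example, not code from the thread, from FreeBSD's rc.network or from any poster: it parses that banner for "divert enabled" / "divert disabled", combines it with the net.inet.ip.fw.enable sysctl (the standard ipfw enable knob) to decide whether it is safe to proceed, and only touches the live system when run on FreeBSD. The function names (divert_state, natd_preflight) and the sample banner strings are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread or from FreeBSD:
# a pre-flight check a natd/ipfw setup script can run before adding
# "divert" rules. It relies on two things the thread points out: the
# ipfw initialization banner says "divert enabled" or "divert disabled",
# and IPDIVERT support has to be compiled into the kernel itself, not
# just into ipfw.ko.

# divert_state BANNER_TEXT
# Prints "enabled", "disabled" or "unknown" depending on what the ipfw
# banner found in BANNER_TEXT (typically the boot messages) says.
divert_state() {
    case "$1" in
        *"IP packet filtering initialized"*"divert enabled"*)  echo enabled ;;
        *"IP packet filtering initialized"*"divert disabled"*) echo disabled ;;
        *) echo unknown ;;
    esac
}

# natd_preflight BANNER_TEXT FW_ENABLE
# Returns 0 when divert rules for natd can be installed, 1 otherwise, and
# explains the decision on stderr. FW_ENABLE is the value of the sysctl
# net.inet.ip.fw.enable; pass "" when the sysctl does not exist, which
# means ipfw is neither compiled in nor loaded as a module.
natd_preflight() {
    banner="$1"
    fw_enable="$2"

    if [ -z "$fw_enable" ]; then
        echo "ipfw is not present: build with IPFIREWALL or kldload ipfw first" >&2
        return 1
    fi
    case "$(divert_state "$banner")" in
        enabled)
            return 0 ;;
        disabled)
            echo "kernel reports 'divert disabled': add 'options IPDIVERT' to the" \
                 "kernel config and rebuild; ipfw.ko alone cannot supply it" >&2
            return 1 ;;
        *)
            echo "no ipfw banner in boot messages; cannot confirm divert support" >&2
            return 1 ;;
    esac
}

# Constructed sample banners; the wording is the one quoted in the thread.
BANNER_NODIVERT='IP packet filtering initialized, divert disabled, rule-based forwarding disabled, default to deny, logging limited to 1000 packets/entry by default'
BANNER_DIVERT='IP packet filtering initialized, divert enabled, rule-based forwarding disabled, default to deny, logging limited to 1000 packets/entry by default'

# On a real FreeBSD host the inputs come from the saved boot messages and
# sysctl; the uname guard keeps the script inert on other systems.
if [ "$(uname -s)" = FreeBSD ]; then
    live_banner="$(cat /var/run/dmesg.boot 2>/dev/null || dmesg)"
    live_enable="$(sysctl -n net.inet.ip.fw.enable 2>/dev/null)"
    if natd_preflight "$live_banner" "$live_enable"; then
        echo "divert available: safe to add 'ipfw add divert natd ...' rules"
    fi
fi
```

One caveat follows directly from the message above: the banner is printed by whichever ipfw code initialized, so when ipfw is loaded as a module built with IPDIVERT into a kernel that lacks it, the banner will read "divert enabled" even though diversion cannot work. The check is therefore reliable for a kernel with ipfw compiled in; for the module case, verify the kernel configuration as well.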