From owner-freebsd-questions@FreeBSD.ORG Tue Aug 10 22:16:24 2004
From: "Dave Patterson"
Reply-To: dave@rocsculptr.net
To: freebsd-questions@freebsd.org
Date: Tue, 10 Aug 2004 15:16:14 -0700 (PDT)
Subject: RE: Problem: ipf - /dev/kmem errors
Message-ID: <1325.128.115.254.31.1092176174.squirrel@www.rocsculptr.net>
References: <1510.128.115.254.31.1092169421.squirrel@www.rocsculptr.net>

> owner-freebsd-questions@freebsd.org wrote:
>> Hello everyone,
>>
>> I'm currently using a generic pc that is acting as a router.
>> The routing works fine, but ipfilter does not.
>> Pentium III (801.82-MHz 686-class CPU)
>> memory = (128 MB)
>>
>> 5.2-CURRENT #1
>>
>> here is part of my kernel config file :
>> >--snip--<
>> # IPF stuff
>> options PFIL_HOOKS        # pfil(9) framework
>> options IPFILTER
>> options IPFILTER_LOG
>> options INVARIANTS        # Enable calls of extra sanity checking
>> >--snip--<
>>
>> the kernel seems to load the module {from dmesg}
>> IP Filter: v3.4.35 initialized.  Default = pass all, Logging = enabled
>>
>> yet when I try and verify which rulesets are loaded, I get kmem
>> errors.
>>
>> # ipfstat
>> ioctl(SIOCGETFS): Invalid argument
>> openkmem:open: No such file or directory
>>
>> I did read that in 5.x /dev/kmem was changed/removed for security, if
>> that's the case what is the facility that ipfilter uses ?
>>
>> thanks for any help,
>> D
>> _______________________________________________
>> freebsd-questions@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to
>> "freebsd-questions-unsubscribe@freebsd.org"
>
> Just because you compiled ipfilter into the kernel does not mean
> that you have enabled it to start.
>
> You need the following statements in /etc/rc.conf to activate IPF at
> boot time.
>
> ipfilter_enable="YES"            # Start ipf firewall
> ipfilter_rules="/etc/ipf.rules"  # loads rules definition text file
>                                  # IE: not script file with rules in it
>
> ipmon_enable="YES"               # Start IP monitor log
> ipmon_flags="-Ds"                # D = start as daemon
>                                  # s = log to syslog
>                                  # v = log tcp window, ack, seq
>                                  # n = map IP & port to names
>
> If you have a LAN behind this firewall that uses the reserved
> private IP address ranges, then you need to add the following to
> enable NAT functionality.
>
> gateway_enable="YES"             # Enable as LAN gateway
> ipnat_enable="YES"               # Start ipnat function
> ipnat_rules="/etc/ipnat.rules"   # rules definition file for ipnat

Thanks for the reminder, I neglected to include that in my original email.
I do have the above mentioned options in my /etc/rc.conf:

# ---------- ipf stuff ----------
ipfilter_enable="YES"
ipfilter_program="/sbin/ipf"
ipfilter_rules="/etc/ipf/ipf.conf"
ipnat_enable="YES"
ipnat_program="/sbin/ipnat"
ipnat_rules="/etc/ipf/ipnat.conf"
ipmon_enable="YES"
ipmon_program="/sbin/ipmon"
ipmon_flags="-Ds"     # typically "-Ds" or "-D /var/log/ipflog"
# ---------- end ipf stuff ----------

I also checked the kernel to see which modules were loaded currently:

# kldstat -v
Id Refs Address    Size     Name
 1   11 0xc0400000 2f65bc   kernel
Contains modules:
  Id Name
   1 IP Filter: v3.4.35
   2 isa/ata
....
...

I'm still getting the same kmem error though:

# ipfstat
ioctl(SIOCGETFS): Invalid argument
openkmem:open: No such file or directory

Any idea why I don't have the device /dev/kmem ?

# ls /dev/k*
/dev/kbd0@  /dev/klog

thanks again,
-D
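An added check script, not part of this thread or of FreeBSD, that reads the ipf knobs listed in the reply above out of an rc.conf-style file the way /etc/rc.conf is read (last assignment wins, trailing "#" comments ignored) and lists which expected device nodes are absent. The function names, the MISSING wording and the sample file in the usage are my own; values are assumed to be double-quoted as in the thread.

```sh
#!/bin/sh
# Added example, not from the thread: pull the ipfilter knobs discussed above out of
# an rc.conf-style file and report what is not switched on. Last assignment wins, as
# in /etc/rc.conf; trailing "# ..." comments are ignored; values are double-quoted.

# rc_get FILE VAR -> value of VAR with surrounding quotes stripped, empty if unset
rc_get() {
    sed -n "s/^[[:space:]]*$2=\([^#]*\).*/\1/p" "$1" | tail -n 1 |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//; s/^"\(.*\)"$/\1/'
}

# rc_is_yes FILE VAR -> true if VAR is on, using the spellings rc.subr's checkyesno accepts
rc_is_yes() {
    case "$(rc_get "$1" "$2")" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# ipf_rc_report FILE -> one line per knob; anything not switched on is prefixed MISSING
ipf_rc_report() {
    f=$1
    if rc_is_yes "$f" ipfilter_enable; then
        echo "ipfilter: enabled, rules=$(rc_get "$f" ipfilter_rules)"
    else
        echo "MISSING ipfilter_enable=YES (ipf compiled in, but never started)"
    fi
    if rc_is_yes "$f" ipmon_enable; then
        echo "ipmon: enabled, flags=$(rc_get "$f" ipmon_flags)"
    else
        echo "MISSING ipmon_enable=YES (no ipf logging)"
    fi
    # NAT for a private LAN needs IP forwarding as well as ipnat
    if rc_is_yes "$f" ipnat_enable && ! rc_is_yes "$f" gateway_enable; then
        echo "MISSING gateway_enable=YES (ipnat on, forwarding off)"
    fi
}

# dev_check DIR NAME... -> prints each node from NAME... that is absent in DIR
dev_check() {
    d=$1; shift
    for n in "$@"; do [ -e "$d/$n" ] || echo "absent: $d/$n"; done
}

# Stand-alone use: sh ipfcheck.sh /etc/rc.conf
if [ -n "$1" ]; then
    ipf_rc_report "$1"
    dev_check /dev kmem
fi
```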