From: Gerhard Sittig <Gerhard.Sittig@gmx.net>
To: stable@FreeBSD.ORG
Subject: Re: /etc/default/rc.conf bad default ipfilter_flags?
Date: Wed, 14 Mar 2001 20:35:20 +0100
Message-ID: <20010314203520.Y20830@speedy.gsinet>
In-Reply-To: <20010314113640.741AF1140FC@netcom1.netcom.com>
Organization: System Defenestrators Inc.

On Wed, Mar 14, 2001 at 03:36 -0800, Mike Harding wrote:
>
> I can confirm that the "-E" seems to be unnecessary for both
> kernel and kernel module loads.

I'm "guilty" of having provided this default setting (see PR conf/20202). :)
It's because I tried the OpenBSD invocation (and what I got from the
excellent "IPFilter HowTo") in FreeBSD, too. Admittedly I never tried
anything else than compiling ipf(4) into the kernel. And I honestly assume
a module loaded by the loader (i.e. before / together with the kernel) to
be more of an integral part of the kernel than a module loaded much later
after having run for some time without the additional functionality.

I'm not 100% positive what the -E switch does to the ipf(8) command. If it
makes it load the module at all, that's of course a problem when the
functionality is already active. "man 8 ipf" tells me:

    -E    Enable the filter (if disabled). Not effective for loadable
          kernel versions.

so I guess it's about having pass as the default action? Or is it the
opposite of temporarily issuing "ipf -D" for whatever reason? To
summarize: I don't know. And as discussed (in quite some detail) in
"man 5 rc.conf" I don't care about ipf(4) being a module. :>

Just state when you're sure ipfilter_flags could always be empty and file
a PR to have the default corrected ...

> I can also confirm that ppp does not play well with ipfilter
> because ipfilter needs a 'ipf -y' to pick up the dynamically
> configured interfaces - it's set up before these interfaces
> exist, so that any rules applying to them don't work! I stick
> a 'ipf -y' near the end of pass 1 in /etc/rc.network but this
> is my local hack.

Are you referring to conf/22859? There's a followup by me discussing
three methods of avoiding the problem. One of them being really easy to
apply: it's the "ipf -y" you state. The PR got assigned to darrenr, just
ask him kindly to commit the three line extension.

But yet I feel that ppp users usually have an "ipf -y" in their
/etc/ppp/ppp.link{up,down} anyway ...


virtually yours   82D1 9B9C 01DC 4FB4 D7B4  61BE 3F49 4F77 72DE DA76
Gerhard Sittig   true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
-- 
     If you don't understand or are scared by any of the above
             ask your parents or an adult to help you.
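An added example (not from Gerhard's or Mike's mails) of the two settings the thread discusses: an ipfilter_flags default with the "-E" flag left out, and ppp.linkup/ppp.linkdown hooks that issue "ipf -y" once ppp has created its tun interface, so rules naming that interface match without a hand-placed hook in /etc/rc.network. The MYADDR fallback label and the "!bg" command form follow ppp(8)'s linkup-file syntax; the file paths and the rules-file name are assumed stock locations.

```conf
# /etc/rc.conf fragment (added example, not from the thread).
# Load ipfilter without "-E", which the thread found to be unnecessary
# for both kernel-compiled and module-loaded ipf(4).
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"   # assumed rules-file location
ipfilter_flags=""

# /etc/ppp/ppp.linkup (added example).
# Entries are looked up by assigned address, then profile label, then the
# MYADDR fallback, so this block runs for every link ppp brings up.
# "!bg" runs the command in the background so ppp itself is not blocked.
MYADDR:
 !bg /sbin/ipf -y

# /etc/ppp/ppp.linkdown (added example).
# Refresh ipf's interface list again when the tun interface goes away,
# so stale interface state is not kept by the filter.
MYADDR:
 !bg /sbin/ipf -y
```

With this in place the interface refresh is tied to the ppp link state rather than to boot order, which is the dependency Mike's rc.network hack was working around.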