Date:      Sat, 31 Aug 2002 12:15:33 -0500
From:      "Jeffrey J. Mountin" <jeff-ml@mountin.net>
To:        Kenneth W Cochran <kwc@TheWorld.com>
Cc:        freebsd-stable@FreeBSD.ORG, luigi@FreeBSD.ORG
Subject:   Re: IPFW2 option in -stable kernel config
Message-ID:  <4.3.2.20020831112817.00e57e30@207.227.119.2>
In-Reply-To: <200208311312.JAA118809063@shell.TheWorld.com>

At 09:12 AM 8/31/02 -0400, Kenneth W Cochran wrote:
>In reading the notes in the cvs-all & stable lists regarding
>the IPFW2, it isn't clear (well to me :) how to properly
>specify the new code.  As per the announcement(s), there is,
>of course, no explanation in LINT either.

Not yet.  However, the man page has been updated (8/16 & 8/20).

>Are IPFIREWALL & IPFW2 mutually exclusive?

No, I thought the 7/23 commit message was clear on how to use the new 
functionality:

     + add "options IPFW2" (undocumented) to your kernel config file;

     + compile and install sbin/ipfw and lib/libalias with
           make -DIPFW2

If you look at the source, it's clear why you *must* have both.  Perhaps 
the commit should have read:

     + add "options IPFW2" (undocumented) to your kernel config file;
       (in addition to IPFIREWALL);

>Does IPFW2 "depend on" specification of IPFIREWALL?

Yes.

>Do options like IPDIVERT, IPFIREWALL_VERBOSE
>& other knobs apply to IPFIREWALL as well?

Yes ^ 3+n

>In looking over the kernel source(s), it appears that IPFW2
>might "trump" IPFIREWALL & therefore IPFIREWALL becomes a
>"don't care" if IPFW2 is specified.  Is this correct?

No.  UTSL

In the process of redoing one system for testing I installed 4.6R using a 
faster system to build world and (after updating other systems) while it 
was NFS mounted recompiled ipfw and libalias:

cd src/sbin/ipfw
make clean
make -DIPFW2 depend (no-op really, just habit)
make -DIPFW2
make -DIPFW2 install (this was covered by "make installworld")

And similarly for src/lib/libalias.  You can add IPFW2=true to make.conf as 
well and then only the kernel need be updated:

options     IPFIREWALL
options     IPDIVERT
options     IPFIREWALL_VERBOSE
options     IPFW2 <-- added

The only thing I'm curious about is just how far the range functionality 
goes.  Would be nice to extend the following example given:

... ip from 1.2.3.0/24{50,6,27,158} to ...

To say:

... ip from 1.2.36.0/22{36.1,37.2,38.3,39.4} to ...

And if ranges could be used such as 36.1-10 with such a rule.

... ip from 1.2.36.0/22{36.10-19,37.20-29,38.30-39,39.40-49} to ...

Might be wishful thinking.
Have CC'd Luigi to find out.

cheers!


Jeff Mountin - jeff@mountin.net
Systems/Network Administrator
FreeBSD - the power to serve
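
Added example (not part of the message above and not FreeBSD's own tooling): a small sh check for the two requirements the message states, that IPFW2 goes in the kernel config in addition to IPFIREWALL, and that userland is built with IPFW2 as well. It assumes userland is built through an IPFW2 setting in make.conf rather than a command-line -DIPFW2; the function names and verdict strings are made up for this sketch, and a make.conf setting does not prove the installed binary was rebuilt.

```shell
#!/bin/sh
# has_option FILE NAME: true if FILE has an uncommented "options NAME" line.
has_option() {
    # Drop comments, then require NAME to end at whitespace, "=" or end of line
    # so that IPFIREWALL does not match IPFIREWALL_VERBOSE.
    sed 's/#.*//' "$1" | grep -Eq "^[[:space:]]*options[[:space:]]+$2([[:space:]=]|\$)"
}

# has_make_var FILE NAME: true if FILE assigns NAME outside comments.
has_make_var() {
    [ -f "$1" ] || return 1
    sed 's/#.*//' "$1" | grep -Eq "^[[:space:]]*$2[[:space:]]*[?+:]?="
}

# check_ipfw2 KERNCONF MAKECONF
# Prints one verdict word; returns 0 only when kernel and userland agree.
check_ipfw2() {
    kern=$1
    mk=$2
    if ! has_option "$kern" IPFIREWALL; then
        if has_option "$kern" IPFW2; then
            echo "ipfw2-without-ipfirewall"   # IPFW2 is an addition, not a substitute
        else
            echo "ipfirewall-not-in-config"   # nothing to compare
        fi
        return 1
    fi
    k=old
    if has_option "$kern" IPFW2; then k=ipfw2; fi
    u=old
    if has_make_var "$mk" IPFW2; then u=ipfw2; fi
    if [ "$k" = "$u" ]; then
        echo "consistent-$k"
        return 0
    fi
    echo "mismatch-kernel-$k-userland-$u"
    return 1
}

# Stand-alone use: sh check.sh /path/to/KERNCONF /etc/make.conf
if [ $# -eq 2 ]; then
    check_ipfw2 "$1" "$2"
fi
```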

