Date: Sat, 31 Aug 2002 12:15:33 -0500
From: "Jeffrey J. Mountin"
To: Kenneth W Cochran
Cc: freebsd-stable@FreeBSD.ORG, luigi@FreeBSD.ORG
Subject: Re: IPFW2 option in -stable kernel config

At 09:12 AM 8/31/02 -0400, Kenneth W Cochran wrote:
>In reading the notes in the cvs-all & stable lists regarding
>the IPFW2, it isn't clear (well to me :) how to properly
>specify the new code. As per the announcement(s), there is,
>of course, no explanation in LINT either.

Not yet. However, the man page has been updated (8/16 & 8/20).

>Are IPFIREWALL & IPFW2 mutually exclusive?

No, I thought the 7/23 commit message was clear on how to use the new functionality:

    + add "options IPFW2" (undocumented) to your kernel config file;
    + compile and install sbin/ipfw and lib/libalias with
      make -DIPFW2

If you look at the source, it's clear why you *must* have both. Perhaps the commit should have read:

    + add "options IPFW2" (undocumented) to your kernel config file;
      (in addition to IPFIREWALL);

>Does IPFW2 "depend on" specification of IPFIREWALL?

Yes.

>Do options like IPDIVERT, IPFIREWALL_VERBOSE
>& other knobs apply to IPFIREWALL as well?

Yes ^ 3+n

>In looking over the kernel source(s), it appears that IPFW2
>might "trump" IPFIREWALL & therefore IPFIREWALL becomes a
>"don't care" if IPFW2 is specified. Is this correct?

No. UTSL

In the process of redoing one system for testing I installed 4.6R using a faster system to build world and (after updating other systems) while it was NFS mounted recompiled ipfw and libalias:

    cd src/sbin/ipfw
    make clean
    make -DIPFW2 depend    (no-op really, just habit)
    make -DIPFW2
    make -DIPFW2 install   (this was covered by "make installworld")

And similarly for src/lib/libalias.

You can add IPFW2=true to make.conf as well and then only the kernel need be updated:

    options IPFIREWALL
    options IPDIVERT
    options IPFIREWALL_VERBOSE
    options IPFW2            <-- added

The only thing I'm curious about is just how far the range functionality goes. Would be nice to extend the following example given:

    ... ip from 1.2.3.0/24{50,6,27,158} to ...

To say:

    ... ip from 1.2.36.0/22{36.1,37.2,38.3,39.4} to ...

And if ranges could be used such as 36.1-10 with such a rule.

    ... ip from 1.2.36.0/22{36.10-19,37.20-29,38.30-39,39.40-49} to ...

Might be wishful thinking. Have CC'd Luigi to find out.

cheers!

Jeff Mountin - jeff@mountin.net
Systems/Network Administrator
FreeBSD - the power to serve
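An added example, not part of the original message: a POSIX sh check of the two requirements stated in the reply, that a kernel config with "options IPFW2" also carries "options IPFIREWALL", and that IPFW2 is set in make.conf unless ipfw and libalias are rebuilt by hand with make -DIPFW2. The function names, return codes and sample files are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original message.

# has_option FILE NAME: true if FILE has an uncommented "options NAME" line.
# The terminator after NAME keeps IPFIREWALL_VERBOSE from counting as
# IPFIREWALL.
has_option() {
    grep -Eq "^[[:space:]]*options[[:space:]]+${2}([[:space:]=#]|\$)" "$1"
}

# has_make_var FILE NAME: true if FILE assigns NAME (e.g. IPFW2=true).
has_make_var() {
    grep -Eq "^[[:space:]]*${2}[[:space:]]*[?:+]?=" "$1"
}

# check_ipfw2 KERNCONF MAKECONF
# Return codes are this example's own convention:
#   0 consistent
#   1 kernel config has IPFW2 without IPFIREWALL
#   2 kernel config has IPFW2 but make.conf does not set IPFW2
#   3 make.conf sets IPFW2 but the kernel config lacks it
check_ipfw2() {
    kern=$1 mk=$2
    if has_option "$kern" IPFW2; then
        if ! has_option "$kern" IPFIREWALL; then
            echo "$kern: options IPFW2 needs options IPFIREWALL as well"
            return 1
        fi
        if ! has_make_var "$mk" IPFW2; then
            echo "$mk: IPFW2 not set; build sbin/ipfw and lib/libalias with make -DIPFW2"
            return 2
        fi
    elif has_make_var "$mk" IPFW2; then
        echo "$mk sets IPFW2 but $kern lacks options IPFW2"
        return 3
    fi
    echo "ok"
    return 0
}

# Constructed sample input: the kernel options from the message with
# IPFIREWALL left out, to show the dependency being reported.
tmp=$(mktemp -d)
printf 'options IPDIVERT\noptions IPFIREWALL_VERBOSE\noptions IPFW2\n' > "$tmp/KERNEL"
printf 'IPFW2=true\n' > "$tmp/make.conf"
check_ipfw2 "$tmp/KERNEL" "$tmp/make.conf" || echo "status $?"
rm -rf "$tmp"
```

Run it against the real kernel config file and make.conf by calling check_ipfw2 with their paths.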