Date: Tue, 10 Aug 2004 15:16:14 -0700 (PDT)
From: "Dave Patterson" <dave@rocsculptr.net>
To: freebsd-questions@freebsd.org
Subject: RE: Problem: ipf - /dev/kmem errors
Message-ID: <1325.128.115.254.31.1092176174.squirrel@www.rocsculptr.net>
In-Reply-To: <MIEPLLIBMLEEABPDBIEGEENNGIAA.fbsd_user@a1poweruser.com>
References: <1510.128.115.254.31.1092169421.squirrel@www.rocsculptr.net> <MIEPLLIBMLEEABPDBIEGEENNGIAA.fbsd_user@a1poweruser.com>

> owner-freebsd-questions@freebsd.org wrote:
>> Hello everyone,
>>
>> I'm currently using a generic pc running, that is acting as a router.
>> The routing works fine, but ipfilter does not.
>> Pentium III (801.82-MHz 686-class CPU)
>> memory = (128 MB)
>>
>> 5.2-CURRENT #1
>>
>> here is part of my kernel config file :
>> >--snip--<
>> # IPF stuff
>> options PFIL_HOOKS      # pfil(9) framework
>> options IPFILTER
>> options IPFILTER_LOG
>> options INVARIANTS      #Enable calls of extra sanity checking
>> >--snip--<
>>
>> the kernel seems to load the module {from dmesg}
>> IP Filter: v3.4.35 initialized. Default = pass all, Logging = enabled
>>
>> yet when I try and verify which rulesets are loaded, I get kmem
>> errors.
>>
>> # ipfstat
>> ioctl(SIOCGETFS): Invalid argument
>> openkmem:open: No such file or directory
>>
>>
>>
>> I did read that in 5.x /dev/kmem was changed/removed for security, if
>> that's the case what is the facility that ipfilter uses?
>>
>> thanks for any help,
>> D
>> _______________________________________________
>> freebsd-questions@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to
>> "freebsd-questions-unsubscribe@freebsd.org"
>
> Just because you compiled ipfilter into the kernel does not mean
> that you have enabled it to start.
>
> You need the following statements in /etc/rc.conf to activate IPF at
> boot time.
>
> ipfilter_enable="YES"            # Start ipf firewall
> ipfilter_rules="/etc/ipf.rules"  # loads rules definition text file
>                                  # IE: not script file with rules in it
>
> ipmon_enable="YES"               # Start IP monitor log
> ipmon_flags="-Ds"                # D = start as daemon
>                                  # s = log to syslog
>                                  # v = log tcp window, ack, seq
>                                  # n = map IP & port to names
>
>
>
> If you have a LAN behind this firewall that uses the reserved
> private IP address ranges, then you need to add the following to
> enable NAT functionality.
>
> gateway_enable="YES"             # Enable as LAN gateway
> ipnat_enable="YES"               # Start ipnat function
> ipnat_rules="/etc/ipnat.rules"   # rules definition file for ipnat
>

Thanks for the reminder, I neglected to include that in my original
email. I do have the above mentioned options in my /etc/rc.conf:

# ---------- ipf stuff ----------
ipfilter_enable="YES"
ipfilter_program="/sbin/ipf"
ipfilter_rules="/etc/ipf/ipf.conf"
ipnat_enable="YES"
ipnat_program="/sbin/ipnat"
ipnat_rules="/etc/ipf/ipnat.conf"
ipmon_enable="YES"
ipmon_program="/sbin/ipmon"
ipmon_flags="-Ds" # typically "-Ds" or "-D /var/log/ipflog"
# ---------- end ipf stuff ----------

I also checked the kernel to see which modules were loaded currently :

# kldstat -v
Id Refs Address    Size     Name
 1   11 0xc0400000 2f65bc   kernel
        Contains modules:
                Id Name
                1 IP Filter: v3.4.35
                2 isa/ata
                ....
...

I'm still getting same kmem error tho,

# ipfstat
ioctl(SIOCGETFS): Invalid argument
openkmem:open: No such file or directory

any Idea why I don't have the device /dev/kmem?

# ls /dev/k*
/dev/kbd0@      /dev/klog

thanks again,
-D