Date: Sat, 31 Aug 2002 23:19:49 -0400 (EDT)
From: Kenneth W Cochran <kwc@TheWorld.com>
To: freebsd-stable@freebsd.org
Subject: Re: IPFW2 option in -stable kernel config
Message-ID: <200209010319.XAA115050408@shell.TheWorld.com>
sorry... botched -cc
>Date: Sat, 31 Aug 2002 12:15:33 -0500
>To: Kenneth W Cochran <kwc@TheWorld.com>
>From: "Jeffrey J. Mountin" <jeff-ml@mountin.net>
>Subject: Re: IPFW2 option in -stable kernel config
>Cc: freebsd-stable@FreeBSD.ORG, luigi@FreeBSD.ORG
>
>At 09:12 AM 8/31/02 -0400, Kenneth W Cochran wrote:
>>In reading the notes in the cvs-all & stable lists regarding
>>the IPFW2, it isn't clear (well to me :) how to properly
>>specify the new code. As per the announcement(s), there is,
>>of course, no explanation in LINT either.
>
>Not yet. However, the man page has been updated (8/16 & 8/20).
So I noticed...
>>Are IPFIREWALL & IPFW2 mutually exclusive?
>
>No, I thought the 7/23 commit message was clear on how to use the new
>functionality:
>
> + add "options IPFW2" (undocumented) to your kernel config file;
>
> + compile and install sbin/ipfw and lib/libalias with
> make -DIPFW2
No mention was made of any other firewall options (i.e. if
there was no previous firewall configured) in the kernel
config so I'd been wondering...
>If you look at the source, it's clear why you *must* have both. Perhaps
>the commit should have read:
>
> + add "options IPFW2" (undocumented) to your kernel config file;
> (in addition to IPFIREWALL);
Exactly what I was looking for; thanks!
>>Does IPFW2 "depend on" specification of IPFIREWALL?
>
>Yes.
As above, thanks :)
>>Do options like IPDIVERT, IPFIREWALL_VERBOSE
>>& other knobs apply to IPFIREWALL as well?
>
>Yes ^ 3+n
Oops, guess I should have said IPFW2 instead of IPFIREWALL,
but I'll take that as a yes as well? :)
>>In looking over the kernel source(s), it appears that IPFW2
>>might "trump" IPFIREWALL & therefore IPFIREWALL becomes a
>>"don't care" if IPFW2 is specified. Is this correct?
>
>No. UTSL
... going back to UTS/RTFS... :)
>In the process of redoing one system for testing I installed 4.6R using a
>faster system to build world and (after updating other systems) while it
>was NFS mounted recompiled ipfw and libalias:
>
>cd src/sbin/ipfw
>make clean
>make -DIPFW2 depend (no-op really, just habit)
>make -DIPFW2
>make -DIPFW2 install (this was covered by "make installworld")
>
>And similarly for src/lib/libalias. You can add IPFW2=true to make.conf as
>well and then only the kernel need be updated:
>
>options IPFIREWALL
>options IPDIVERT
>options IPFIREWALL_VERBOSE
>options IPFW2 <-- added
Does this mean that I can put IPFW2=TRUE in /etc/make.conf and
{build,install}world will properly build the new userland code
without "manually" doing them by -DIPFW2 as above?
(I think so, but I would like to hear from someone who
knows this code better than I (aka The Word From On High :)).
[...snip...]
>cheers!
>
>Jeff Mountin - jeff@mountin.net
>Systems/Network Administrator
>FreeBSD - the power to serve
Thanks! I think this is/was the info I was looking for.
-kc
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
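As an added example (not part of the original message or of the FreeBSD source), a small shell check of the two requirements discussed in this thread: `options IPFW2` must sit alongside `options IPFIREWALL` in the kernel config, and the userland must be built with IPFW2 defined. The function names, verdict strings and sample files are constructed for illustration; treating any `IPFW2=` assignment in make.conf as sufficient is an assumption.

```shell
#!/bin/sh
# Added example: consistency check for the IPFW2 setup described in this thread.

# has_option FILE NAME: true if FILE has an uncommented "options NAME" line.
has_option() {
    awk -v want="$2" '
        { sub(/#.*/, "") }                    # strip trailing comments
        $1 == "options" {
            split($2, kv, "=")                # accept NAME and NAME=value
            if (kv[1] == want) found = 1
        }
        END { exit(found ? 0 : 1) }' "$1"
}

# has_make_var FILE NAME: true if FILE assigns NAME (any value) outside a comment.
has_make_var() {
    awk -v want="$2" '
        { sub(/#.*/, ""); gsub(/[ \t]/, "") }
        index($0, want "=") == 1 { found = 1 }
        END { exit(found ? 0 : 1) }' "$1"
}

# check_ipfw2 KERNCONF MAKECONF: print a one-word verdict; return 0 only for
# "ok" and "not-requested".
check_ipfw2() {
    if ! has_option "$1" IPFW2; then echo not-requested; return 0; fi
    if ! has_option "$1" IPFIREWALL; then echo missing-IPFIREWALL; return 1; fi
    # Without IPFW2 in make.conf, sbin/ipfw and lib/libalias need a manual
    # "make -DIPFW2" build, which this script cannot see.
    if ! has_make_var "$2" IPFW2; then echo userland-unverified; return 2; fi
    echo ok
}

# Constructed sample files (not taken from a real system).
demo=$(mktemp -d) && trap 'rm -rf "$demo"' EXIT
printf 'options\tIPFIREWALL\t#firewall\noptions\tIPDIVERT\noptions\tIPFW2\n' > "$demo/GOOD"
printf '#options IPFIREWALL\noptions IPFIREWALL_VERBOSE\noptions IPFW2\n' > "$demo/BAD"
printf 'CFLAGS= -O -pipe\nIPFW2=true\n' > "$demo/make.conf"
: > "$demo/empty.conf"

for k in GOOD BAD; do
    printf '%s: ' "$k"; check_ipfw2 "$demo/$k" "$demo/make.conf" || true
done
```

The `BAD` sample shows why a plain substring search is not enough: `IPFIREWALL_VERBOSE` and a commented-out `IPFIREWALL` line must not count as the base option.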
