Date: Mon, 17 May 2004 14:32:15 +0200
From: Christian Hiris <4711@chello.at>
To: freebsd-questions@freebsd.org, Barbish3@adelphia.net
Cc: Micheal Patterson <micheal@tsgincorporated.com>
Subject: Re: natd -redirect_port
Message-ID: <200405171432.38987.4711@chello.at>
In-Reply-To: <MIEPLLIBMLEEABPDBIEGGEDIFOAA.Barbish3@adelphia.net>
References: <MIEPLLIBMLEEABPDBIEGGEDIFOAA.Barbish3@adelphia.net>
On Saturday 15 May 2004 18:56, JJB wrote:
> You are wrong also. The boot time message that displays about the
> ipfw module being loaded is incorrect. I filed a PR on that in 5.1
> and was told by developers that message is misleading, that the
> module is fully enabled with nat and logging, so I tested and indeed
> nat and logging is really in the loadable module. It's my
> understanding the boot time message that displays about the ipfw
> module being loaded that says everything is disabled will be
> corrected in 5.3. What is in the 5.2.1 ipfw module I do not know.
> My advice is to test the ipfw module before adding ipfw option
> statements to the kernel. That's why the 5.x versions are development
> versions; things change all the time until they get corrected before
> becoming stable releases. This is all new because ipfw2 replaced
> ipfw at the 5.1 version I believe. Just think about it, why have a
> loadable module if all the options are turned off? It makes the
> module useless. Ipfilter's loadable module is full function with
> nat and logging, why should the ipfw module be any different? It's
> just that stupid message that has been misleading users all this
> time just like it did to me. If nat and logging is missing from the
> ipfw loadable module in 5.2.1 then submit another PR to remind them
> it needs to be corrected. Nat and logging are the most used options
> of ipfw, it's just plain stupid not to have them included in the
> standard module.

If a user wants ipfw to issue the correct initial divert message, it's still
required to compile ipfw into the kernel. This means 'option IPFIREWALL' is
required as stated in the natd manual.

Actually on 5.2-current the ipfw module doesn't know if the kernel has been
compiled with ipdivert proto. This causes the wrong 'divert disabled' initial
message.

I will file a PR on the wrong initial divert message issue tomorrow. If the
ipdivert proto capability could be retrieved via divcb sysctl or any other
mechanism, it might become possible that the ipfw kld could issue the correct
divert message.

Disabling of the divert message in case the ipfw has been compiled as kld
could be a simpler solution.

> -----Original Message-----
> From: Micheal Patterson [mailto:micheal@tsgincorporated.com]
> Sent: Saturday, May 15, 2004 11:38 AM
> To: Barbish3@adelphia.net; Christian Hiris;
> freebsd-questions@freebsd.org
> Cc: Anthony Philipp
> Subject: Re: natd -redirect_port
>
>
> ----- Original Message -----
> From: "JJB" <Barbish3@adelphia.net>
> To: "Christian Hiris" <4711@chello.at>;
> <freebsd-questions@freebsd.org>
> Cc: "Anthony Philipp" <philipp1@itg.uiuc.edu>
> Sent: Saturday, May 15, 2004 8:05 AM
> Subject: RE: natd -redirect_port
>
>
> > You are wrong, you do not have to compile ipfirewall kernel options
> > into the kernel.
> > IPFW is delivered as a bootable module.
> > You need this in rc.conf to enable ipfw, it will auto load the
> > bootable module.
> >
> > # Required For IPFW kernel firewall support
> > firewall_enable="YES"             # Start daemon
> > firewall_script="/etc/ipfw.rules" # run my custom rules
> > firewall_logging="YES"            # Enable events logging
> >
> > natd_enable="YES"                 # Enable IPFW nat function
> > natd_interface="rl0"
> > natd_flags="-dynamic -m -u -f /etc/natd.conf"
>
> You're right, you don't have to recompile to use ipfw, however,
> since there is no divert module, the kernel will still need to be
> recompiled to enable divert. In order for the OP to do what they're
> wanting to do they will still need to recompile the kernel and restart
> the system.
>
> --
>
> Micheal Patterson
> TSG Network Administration
> 405-917-0600
>
> Confidentiality Notice: This e-mail message, including any
> attachments, is for the sole use of the intended recipient(s) and may
> contain confidential and privileged information. Any unauthorized
> review, use, disclosure or distribution is prohibited. If you are not
> the intended recipient, please contact the sender by reply e-mail and
> destroy all copies of the original message.
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe@freebsd.org"

--
Christian Hiris <4711@chello.at> | OpenPGP KeyID 0x941B6B0B
OpenPGP-Key at hkp://wwwkeys.eu.pgp.net and http://pgp.mit.edu