From owner-freebsd-questions Fri Feb 21 17:37:51 2003
Date: Fri, 21 Feb 2003 22:58:18 +0200
From: Giorgos Keramidas
To: Jim Xochellis
Cc: freebsd-questions@freebsd.org
Subject: Re: Problems with in the ipf setup in an FreeBSD 4.7 router
Message-ID: <20030221205818.GD70911@gothmog.gr>
References: <3E566B12.5DEE5B21@escape.gr>
In-Reply-To: <3E566B12.5DEE5B21@escape.gr>

On 2003-02-21 20:08, Jim Xochellis wrote:
> I have a FreeBSD 4.7 (i386) Release router; I am trying to make it run
> with the ipf firewall on.
>
> I have compiled and installed a new kernel with ipf support and then I
> put the following lines inside my rc.conf file:
>
> ipfilter_enable="YES"
> ipfilter_program="/sbin/ipf -Fa -f"
> ipfilter_rules="/etc/ipf.rules"
> ipfilter_flags=""
>
> The problem is that, when I boot, ipf does not work. It seems like it is
> not using the rules.

Don't change ipfilter_program if you don't have a *very* good reason for
doing so:

    $ grep ipfilter_program /etc/defaults/rc.conf
    ipfilter_program="/sbin/ipf"    # where the ipfilter program lives

Before you change one of the xxx_program options in rc.conf you should
make sure that you understand what this change will affect, by looking
at the /etc/rc* scripts:

    $ grep -l ipfilter_program /etc/rc*
    rc.network
    $ grep ipfilter_program /etc/rc.network
            ${ipfilter_program:-/sbin/ipf} -Fa
            ${ipfilter_program:-/sbin/ipf} \
            ${ipfilter_program:-/sbin/ipf} -6 \
            ${ipfilter_program:-/sbin/ipf} -y ${ipfilter_flags} >/dev/null

By setting ipfilter_program to "/sbin/ipf -Fa -f", that first line of
rc.network became:

    /sbin/ipf -Fa -f -Fa

which doesn't work. Similarly, the -f option at the end of your
ipfilter_program value broke all the rest of the ipf commands in
/etc/rc.network.

Delete the ipfilter_program line from your rc.conf and the default will
work fine. Here's what I have in my rc.conf for ipfilter and ipmon:

    $ grep '^ip[fm]' /etc/rc.conf
    ipfilter_enable="YES"
    ipfilter_rules="/etc/ipf.rules"
    ipmon_enable="YES"
    ipmon_flags="-D -s -o I"

- Giorgos
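The variable expansion Giorgos describes, as an added example that is not part of the original post and is not FreeBSD's own rc code: a POSIX sh script that expands `${ipfilter_program:-/sbin/ipf}` unquoted the way rc.network does, so the extra words in a value like `/sbin/ipf -Fa -f` appear in the resulting command line, and a small lint that flags such a value in an rc.conf-style file before boot. The `-Fa` flush line is the one quoted in the post; the rule-load line (`-f ${ipfilter_rules}`) is an assumption about the continuation that the post's grep output truncates. The function names (`expand_ipf_cmds`, `check_ipfilter_program`, `lint_rc_conf`) and the rc.conf fragments are constructed for this example; nothing here runs ipf(8).

```shell
#!/bin/sh
# Added example, not code from the post or from FreeBSD's rc scripts.
# It reproduces how /etc/rc.network expands the rc.conf knob
# ${ipfilter_program:-/sbin/ipf} and lints an rc.conf file for the
# mistake described in the post, without running ipf(8) at all.
#
# Assumptions: the "-Fa" flush line is the one quoted in the post; the
# rule-load line ("-f ${ipfilter_rules}") is an assumed continuation of the
# truncated grep output. All function names are hypothetical.

# Print the command lines rc.network would run for a given ipfilter_program
# value ($1) and rules file ($2). The knob is expanded unquoted, exactly as
# in rc.network, so any options smuggled into it are split into extra words.
expand_ipf_cmds() {
    ipfilter_program=$1
    ipfilter_rules=$2
    set -- ${ipfilter_program:-/sbin/ipf} -Fa
    echo "$*"
    set -- ${ipfilter_program:-/sbin/ipf} -f "${ipfilter_rules}"
    echo "$*"
}

# Return 0 when the value is a bare program path (what every xxx_program
# knob in rc.conf expects) and 1 when it carries options or extra words.
# An empty value is fine: rc.network then falls back to /sbin/ipf.
check_ipfilter_program() {
    tab=$(printf '\t')
    case $1 in
        *" "*|*"$tab"*) return 1 ;;
    esac
    return 0
}

# Read ipfilter_program out of an rc.conf-style file ($1), report the flush
# command it would produce, and return 1 when the value is broken.
# A missing line means the default from /etc/defaults/rc.conf applies.
lint_rc_conf() {
    value=$(sed -n 's/^ipfilter_program="\([^"]*\)".*/\1/p' "$1" | tail -n 1)
    flush=$(expand_ipf_cmds "$value" /etc/ipf.rules | head -n 1)
    if check_ipfilter_program "$value"; then
        echo "OK:     $flush"
        return 0
    fi
    echo "BROKEN: $flush"
    return 1
}

# Constructed rc.conf fragments: the one from the post and the corrected
# one with the ipfilter_program line deleted.
demo() {
    broken=$(mktemp) || return 1
    fixed=$(mktemp) || return 1
    printf '%s\n' 'ipfilter_enable="YES"' \
        'ipfilter_program="/sbin/ipf -Fa -f"' \
        'ipfilter_rules="/etc/ipf.rules"' 'ipfilter_flags=""' > "$broken"
    printf '%s\n' 'ipfilter_enable="YES"' \
        'ipfilter_rules="/etc/ipf.rules"' > "$fixed"
    lint_rc_conf "$broken" || true   # BROKEN: /sbin/ipf -Fa -f -Fa
    lint_rc_conf "$fixed" || true    # OK:     /sbin/ipf -Fa
    rm -f "$broken" "$fixed"
}

demo
```

Running the script prints the two verdicts; `lint_rc_conf` can be pointed at a real `/etc/rc.conf` to catch the same class of mistake (options stuffed into any `xxx_program` knob) before a reboot, since the only thing rc.network expects in that variable is the path to the program.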