From: rondzierwa@comcast.net
To: freebsd-net@freebsd.org
Date: Sat, 16 Apr 2011 18:01:35 +0000 (UTC)
Subject: natd starting after firewall rules are loaded
Message-ID: <349334508.1236453.1302976895873.JavaMail.root@sz0128a.westchester.pa.mail.comcast.net>
In-Reply-To: <20110416120032.CD03910656B3@hub.freebsd.org>
List-Id: Networking and TCP/IP with FreeBSD

I am upgrading my firewall/router/web server machine from 4.9 to 8.2 release and am having problems with ipfw/natd.

I made basically the same defs in rc.conf to enable the firewall and natd, but I get an error during rc.firewall on the divert command saying something about an error on the divert socket. The natd socket number is being translated properly (8668) because I can see the command echoed on the console. After the firewall rules are loaded, the rc script then loads natd. Once the system is up, I can ipfw list and the divert command is, in fact, not there, but by this time natd is running. If I run the rc.firewall script interactively, it completes successfully and the divert rule is in the list, and everyone is happy again.

In 4.9 there used to be an rc.network script that started natd before it loaded the firewall rules. I do not see it in 8.2 anymore; instead it looks like rc simply runs the scripts in rc.d alphabetically, so natd comes after ipfw. I can't believe I'm the only one using ipfw and natd with 8.2, so it seems to me that I just don't know the secret handshake that will make it work. Does anybody have any suggestions?

thanks,
ron.
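The post assumes rc.d scripts run alphabetically. FreeBSD's rc(8) actually orders them with rcorder(8), which reads the "# PROVIDE:" and "# REQUIRE:" comment headers of each script and starts a script only after everything it requires. The script below is an added example (not from the post, and not FreeBSD's rcorder itself): a small POSIX sh/awk re-implementation of that dependency ordering, run over three constructed scripts whose names are chosen so that alphabetical and dependency order differ. It also includes a post-boot check that parses "ipfw list" output for the divert rule natd relies on; the sample output is constructed, and port 8668 is natd's default. On 8.x the divert rule can only be added if the kernel has divert socket support, which is the loadable ipdivert(4) module, so a failed "ipfw add divert" during boot is worth checking against kldstat output as well.

```shell
#!/bin/sh
# Added example: rcorder(8)-style ordering of rc.d scripts, in portable sh + awk.
# Script names and dependencies below are constructed for illustration.

# rc_order DIR: print the scripts in DIR in dependency order, one per line.
# Each script is visited only after every script that PROVIDEs one of its
# REQUIREd names; a dependency cycle aborts with a message on stderr.
rc_order() {
    dir=$1
    awk '
        FNR == 1 { script = FILENAME; sub(".*/", "", script); scripts[++n] = script }
        /^# PROVIDE:/ { for (i = 3; i <= NF; i++) provider[$i] = script }
        /^# REQUIRE:/ { for (i = 3; i <= NF; i++) req[script] = req[script] " " $i }
        function visit(s,   k, parts, i, dep) {
            if (done[s]) return
            if (visiting[s]) { print "dependency cycle at " s > "/dev/stderr"; exit 1 }
            visiting[s] = 1
            k = split(req[s], parts, " ")
            for (i = 1; i <= k; i++) {
                dep = provider[parts[i]]
                if (dep != "") visit(dep)   # start what we require first
            }
            done[s] = 1
            print s
        }
        END { for (i = 1; i <= n; i++) visit(scripts[i]) }
    ' "$dir"/*
}

# make_demo_dir: create a temp directory with three constructed rc.d scripts.
# Alphabetically: a_nat, firewall, netif. By dependency: netif, firewall, a_nat.
make_demo_dir() {
    d=$(mktemp -d)
    printf '#!/bin/sh\n# PROVIDE: netif\n' > "$d/netif"
    printf '#!/bin/sh\n# PROVIDE: firewall\n# REQUIRE: netif\n' > "$d/firewall"
    printf '#!/bin/sh\n# PROVIDE: a_nat\n# REQUIRE: firewall\n' > "$d/a_nat"
    echo "$d"
}

# has_divert_rule [PORT]: read "ipfw list" output on stdin and succeed only if
# a divert rule for PORT (default 8668, natd's default) is installed.
# Useful after boot to confirm the firewall rules actually contain the rule.
has_divert_rule() {
    port=${1:-8668}
    grep -Eq "^[0-9]+ divert ${port}( |$)"
}

# demo: show the ordering on the constructed scripts and run the rule check
# on constructed "ipfw list" output.
demo() {
    d=$(make_demo_dir)
    echo "alphabetical order:"; printf '  %s\n' "$d"/* | sed 's|.*/||'
    echo "dependency order:";   rc_order "$d" | sed 's|^|  |'
    rm -rf "$d"
    sample='00050 divert 8668 ip4 from any to any via em0
65535 deny ip from any to any'
    if printf '%s\n' "$sample" | has_divert_rule; then
        echo "divert rule present"
    else
        echo "divert rule MISSING: natd will receive no packets"
    fi
}

demo
```

Run it with "sh script.sh"; on a real 8.x box, "rcorder /etc/rc.d/*" shows the order the system itself uses, and "ipfw list | sh -c 'has_divert_rule'" style checks can be dropped into a post-boot health script.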