Date:      Sun, 31 Dec 2000 09:11:54 -0800
From:      Tom Czarnik <tom@athms.com>
To:        freebsd-security@FreeBSD.ORG
Cc:        echelon <e_chelon@yahoo.com>, Darren Reed <avalon@coombs.anu.edu.au>
Subject:   Re: IPFilter and new rc.conf scripts
Message-ID:  <3A4F68DA.F2C91E78@athms.com>
References:  <20001231071333.14649.qmail@web1002.mail.yahoo.com>


> 4) I find out that I have to issue the command "ipf
> -Fa -f /etc/ipf.rules" myself whenever I reboot
> FreeBSD or the rules on tun0 won't work. However, the
> rules on the internal network (group 9000) work as
> expected, whether or not I re-issue the command
> after reboot.
> 
> This confuses me as rc.conf loads the ipf.rules when
> FreeBSD reboots. Why do I have to issue this command
> again to activate the rules on tun0?

Although IPF hasn't changed version numbers between 4.1R
and 4.2R as displayed by 'ipf -V', something did change
because you must now resync IPF with the interface list.
The man page has changed to reflect this.

In 4.1R the resync was only available on Solaris and IPF
accepted rules for interfaces that had not been present
upon initialization.

With 4.2R, when IPF is first loaded, the tun0 interface
is not present. This also happens if you use any interfaces
as modules (as in my case). I use the following patch to
rc.network.



--- rc.network Fri Dec  8 18:04:44 2000
+++ rc.network.new  Fri Dec  8 20:23:11 2000
@@ -218,7 +218,7 @@

                ppp_command="${ppp_command} ${ppp_profile}"

-               echo -n "Starting ppp as \"${ppp_user}\""
+               echo "Starting ppp as \"${ppp_user}\""
                su -m ${ppp_user} -c "exec ${ppp_command}"
                ;;
        esac
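Review bot: The `echo -n` to `echo` change in this hunk is unrelated to the IPFilter resync the message describes and is not mentioned in it; it also changes the console output, since the "Starting ppp as ..." line no longer stays open for whatever follows on the same line. Either drop it from this patch or call it out separately so the behaviour change is deliberate.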
@@ -299,6 +299,12 @@
        #
        if [ -n "${atm_pass1_done}" ]; then
                atm_pass2
+       fi
+
+       #* Resync IP Filter with any new interfaces (modules or tun0).
+       if [ -r "${ipfilter_rules}" ]; then
+               echo -n "IP Filter: "
+               ipf -y
        fi

        # Configure routing
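Review bot: The new guard only tests that `${ipfilter_rules}` is readable, not that IPFilter was actually enabled and loaded earlier in the boot, so `ipf -y` will run (and print an error) on hosts that merely have a leftover rules file; gate it on the same condition that loads the rules in the first place. Two smaller points: `echo -n "IP Filter: "` leaves the line open and `ipf -y` prints nothing on success, so the next startup message will be glued onto it, and the `#*` comment marker does not match the plain `#` style used on the surrounding lines.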


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
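The failure described in this thread is a ruleset that names an interface (tun0) which did not exist when IPFilter loaded it. The following POSIX sh script, an added example that is not part of the thread, lists the interfaces an ipf ruleset refers to that are absent from a given interface list, so an administrator can tell whether a resync is needed before reaching for `ipf -y`; the ruleset and interface list it uses are constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example: find interfaces named in an IPFilter ruleset that are not
# currently present, the situation that needs 'ipf -y' after boot.

# Write a small constructed ruleset (not the poster's /etc/ipf.rules) to $1.
write_sample_rules() {
    cat > "$1" <<'EOF'
# constructed sample ruleset for this example
pass in quick on lo0 all
block in log quick on tun0 from 192.168.0.0/16 to any
pass out quick on tun0 proto tcp from any to any flags S keep state
pass in quick on ep0 all head 9000
EOF
}

# missing_ifaces RULES_FILE "iface1 iface2 ..."
# Prints each interface referenced with 'on <iface>' in RULES_FILE that is not
# in the space-separated interface list (on FreeBSD, use "$(ifconfig -l)").
missing_ifaces() {
    rules=$1
    present=" $2 "
    # strip comments, take the word following each 'on' keyword, dedupe
    sed 's/#.*//' "$rules" \
        | awk '{ for (i = 1; i < NF; i++) if ($i == "on") print $(i + 1) }' \
        | sort -u \
        | while read -r iface; do
            case "$present" in
                *" $iface "*) ;;            # interface is present
                *) echo "$iface" ;;         # interface is missing
            esac
          done
}

# needs_resync RULES_FILE "iface list": exit 0 if any referenced interface is missing.
needs_resync() {
    [ -n "$(missing_ifaces "$1" "$2")" ]
}

# Stand-alone demo against a constructed interface list without tun0.
demo_rules=$(mktemp)
write_sample_rules "$demo_rules"
if needs_resync "$demo_rules" "lo0 ep0"; then
    echo "interfaces not present when rules were loaded:"
    missing_ifaces "$demo_rules" "lo0 ep0"
fi
rm -f "$demo_rules"
```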




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3A4F68DA.F2C91E78>