From: Ian Smith <smithi@nimnet.asn.au>
To: rondzierwa@comcast.net
Cc: freebsd-net@freebsd.org, hrs@freebsd.org
Date: Sun, 17 Apr 2011 15:36:40 +1000 (EST)
Subject: Re: natd starting after firewall rules are loaded
Message-ID: <20110417150456.J35056@sola.nimnet.asn.au>
In-Reply-To: <349334508.1236453.1302976895873.JavaMail.root@sz0128a.westchester.pa.mail.comcast.net>
List-Id: Networking and TCP/IP with FreeBSD (freebsd-net@freebsd.org)

On Sat, 16 Apr 2011, rondzierwa@comcast.net wrote:

> After the firewall rules are loaded, the rc script then loads natd,
> Once the system is up, I can ipfw list and the divert command is,
> in fact, not there, but by this time natd is running. If I run the rc.firewall
> script interactively, it completes successfully and the divert rule
> is in the list, and everyone is happy again.

There are several outstanding PRs about this and related issues; copying
hrs@ who grabbed these PRs a while ago.
The quick fix is to add ipdivert_load="YES" to /boot/loader.conf so it's
there before ipfw & natd start. You still need ipfw_enable=YES and
natd_enable=YES in /etc/rc.conf.

> In 4.9 there used to be a rc.network script that started natd before
> it loaded the firewall rules. I do not see it in 8.2 anymore, instead
> it looks like rc simply runs the scripts in rc.d alphabetically, so natd
> comes after ipfw.

Not alphabetically but according to rcorder(8). /etc/rc.d/natd has keyword
NOSTART and is now only run when /etc/rc.d/ipfw invokes it, but as you've
seen, ipfw's attempt to install divert rule(s) fails for want of ipdivert.ko
- which /etc/rc.d/natd does load, but too late.

> I can't believe I'm the only one using ipfw and natd with 8.2, so it
> seems to me that I just don't know the secret handshake that will
> make it work.

In 4.x you had to build ipfw into kernel; lots of changes since :)

cheers, Ian
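The fix above is a boot-ordering problem: the divert rule in rc.firewall is installed before ipdivert.ko exists, and nothing in rc(8) complains loudly. The following preflight script is an added example, not part of Ian's reply or of FreeBSD's own rc scripts. It checks that /boot/loader.conf carries ipdivert_load="YES" and that /etc/rc.conf enables both ipfw and natd, honouring the rc.conf convention that a later assignment overrides an earlier one, and, on a live FreeBSD box, confirms that the module is loaded and a divert rule actually made it into the ruleset. The file paths, the script name divert_preflight.sh and the `check` subcommand are assumptions made for the example; the variable names ipdivert_load, ipfw_enable and natd_enable are the ones named in the reply.

```shell
#!/bin/sh
# divert_preflight.sh: added example (not from the original post or from
# FreeBSD's rc scripts). Verifies the ipfw + natd divert ordering fix from
# the reply above. Assumes the standard locations /boot/loader.conf and
# /etc/rc.conf; both can be overridden on the command line.

# setting_is_yes FILE VAR: true when the LAST uncommented "VAR=..." line in
# FILE sets it to YES (any case). Later lines win, as in rc.conf(5).
setting_is_yes() {
    sy_file=$1; sy_var=$2
    [ -r "$sy_file" ] || return 1
    sy_val=$(grep -E "^[[:space:]]*${sy_var}=" "$sy_file" | tail -n 1 \
        | sed -e 's/^[^=]*=//'            \
              -e 's/[[:space:]]*#.*$//'   \
              -e 's/[[:space:]]*$//'      \
              -e 's/^["'\'']//'           \
              -e 's/["'\'']$//')
    case $sy_val in
        [Yy][Ee][Ss]) return 0 ;;
        *)            return 1 ;;
    esac
}

# check_divert_config [LOADER_CONF] [RC_CONF]: reports each missing setting
# and returns the number of problems found (0 means boot ordering is safe).
check_divert_config() {
    cc_loader=${1:-/boot/loader.conf}; cc_rc=${2:-/etc/rc.conf}
    cc_problems=0
    if ! setting_is_yes "$cc_loader" ipdivert_load; then
        echo "missing in $cc_loader: ipdivert_load=\"YES\" (divert rule will fail at boot)"
        cc_problems=$((cc_problems + 1))
    fi
    for cc_var in ipfw_enable natd_enable; do
        if ! setting_is_yes "$cc_rc" "$cc_var"; then
            echo "missing in $cc_rc: ${cc_var}=\"YES\""
            cc_problems=$((cc_problems + 1))
        fi
    done
    return $cc_problems
}

# runtime_divert_ok: on a running FreeBSD host, confirm ipdivert is present
# (kldstat -v also lists modules built into the kernel) and that at least
# one divert rule is in the active ruleset. Returns 2 when the tools are
# absent, so the check can run anywhere without false failures.
runtime_divert_ok() {
    command -v kldstat >/dev/null 2>&1 || return 2
    command -v ipfw    >/dev/null 2>&1 || return 2
    kldstat -v | grep -q ipdivert      || { echo "ipdivert not loaded"; return 1; }
    ipfw list  | grep -q ' divert '    || { echo "no divert rule in ruleset"; return 1; }
    return 0
}

# Usage: sh divert_preflight.sh check [loader.conf] [rc.conf]
case $1 in
    check)
        check_divert_config "$2" "$3"; cfg=$?
        runtime_divert_ok; rt=$?
        [ "$cfg" -eq 0 ] && [ "$rt" -ne 1 ] && echo "divert preflight OK"
        ;;
esac
```

Run it as `sh divert_preflight.sh check` before rebooting; a non-zero count from the config check means the divert rule would again be rejected at boot, while the runtime check distinguishes "module never loaded" from "rule never installed", which is exactly the symptom the original poster saw with `ipfw list`.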