Date: Fri, 21 Feb 2003 22:58:18 +0200
From: Giorgos Keramidas <keramida@ceid.upatras.gr>
To: Jim Xochellis <dxoch@escape.gr>
Cc: freebsd-questions@freebsd.org
Subject: Re: Problems with in the ipf setup in an FreeBSD 4.7 router
Message-ID: <20030221205818.GD70911@gothmog.gr>
In-Reply-To: <3E566B12.5DEE5B21@escape.gr>
References: <3E566B12.5DEE5B21@escape.gr>

On 2003-02-21 20:08, Jim Xochellis <dxoch@escape.gr> wrote:
> I have a FreeBSD 4.7 (i386) Release router that I am trying to make run
> with the ipf firewall on.
>
> I have compiled and installed a new kernel with ipf support and then I
> put the following lines inside my rc.conf file:
>
> ipfilter_enable="YES"
> ipfilter_program="/sbin/ipf -Fa -f"
> ipfilter_rules="/etc/ipf.rules"
> ipfilter_flags=""
>
> The problem is that, when I boot, ipf does not work. It seems like it is
> not using the rules.

Don't change ipfilter_program if you don't have a *very* good reason
for doing so:

    $ grep ipfilter_program /etc/defaults/rc.conf
    ipfilter_program="/sbin/ipf"    # where the ipfilter program lives

Before you change one of the xxx_program options in rc.conf you should
make sure that you understand what this change will affect, by looking
at the /etc/rc* scripts:

    $ grep -l ipfilter_program /etc/rc*
    rc.network
    $ grep ipfilter_program /etc/rc.network
            ${ipfilter_program:-/sbin/ipf} -Fa
            ${ipfilter_program:-/sbin/ipf} \
            ${ipfilter_program:-/sbin/ipf} -6 \
            ${ipfilter_program:-/sbin/ipf} -y ${ipfilter_flags} >/dev/null

By setting ipfilter_program to "/sbin/ipf -Fa -f", that first line of
rc.network became:

    /sbin/ipf -Fa -f -Fa

which doesn't work. Similarly, the -f option at the end of your
ipfilter_program value broke all the rest of the ipf commands in
/etc/rc.network. Delete the ipfilter_program line from your rc.conf
and the default will work fine.

Here's what I have in my rc.conf for ipfilter and ipmon:

    $ grep '^ip[fm]' /etc/rc.conf
    ipfilter_enable="YES"
    ipfilter_rules="/etc/ipf.rules"
    ipmon_enable="YES"
    ipmon_flags="-D -s -o I"

- Giorgos
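
The failure mode in the reply is generic to every `xxx_program` knob in rc.conf: the rc scripts expand the variable unquoted and append their own options, so an override that carries arguments silently corrupts every command built from it. The script below is an added example, not code from the thread or from FreeBSD; it lints an rc.conf file for `*_program` overrides that are not a bare path to an executable and shows the command line rc.network would have built from the broken value. The fake `ipf` binary and the two rc.conf variants are constructed inside a temporary directory so the example runs anywhere; `program_value_ok`, `lint_rc_conf`, `rc_network_flush_cmd` and `build_demo` are names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the original mail or from FreeBSD's rc scripts).
# rc.network runs "${ipfilter_program:-/sbin/ipf} -Fa" and friends, so an
# override must be a bare path; options belong in the matching *_flags knob.

# program_value_ok VALUE
# Succeed only if VALUE is a single, argument-free path to an executable.
program_value_ok() {
    value=$1
    case "$value" in
        '')             return 1 ;;          # empty override
        *[[:space:]]*)  return 1 ;;          # embedded options, e.g. "-Fa -f"
        /*)             [ -x "$value" ] ;;   # absolute path: must be executable
        *)              return 1 ;;          # relative path: rc runs with a minimal PATH
    esac
}

# rc_network_flush_cmd VALUE
# The flush command rc.network builds from the override, expanded unquoted
# exactly as the script does, so extra words in VALUE become extra arguments.
rc_network_flush_cmd() {
    ipfilter_program=$1
    printf '%s\n' "${ipfilter_program:-/sbin/ipf} -Fa"
}

# lint_rc_conf FILE
# Report every *_program override in FILE; exit status is the number of bad ones.
lint_rc_conf() {
    file=$1
    bad=0
    while IFS= read -r line; do
        case "$line" in
            '#'*|'')      continue ;;   # comment or blank line
            *_program=*)  ;;            # an override worth checking
            *)            continue ;;
        esac
        name=${line%%=*}
        # value: text after '=', minus a trailing "# comment" and surrounding quotes
        value=$(printf '%s\n' "$line" |
                sed -e 's/^[^=]*=//' -e 's/[[:space:]]*#.*$//' -e 's/^"\(.*\)"$/\1/')
        if program_value_ok "$value"; then
            printf 'OK   %s="%s"\n' "$name" "$value"
        else
            printf 'BAD  %s="%s"  -> rc would run: %s\n' \
                "$name" "$value" "$(rc_network_flush_cmd "$value")"
            printf '     put options in %s_flags, not in %s\n' "${name%_program}" "$name"
            bad=$((bad + 1))
        fi
    done < "$file"
    return "$bad"
}

# build_demo DIR
# Constructed fixtures: a stand-in ipf executable plus a broken and a fixed rc.conf.
build_demo() {
    dir=$1
    printf '#!/bin/sh\nexit 0\n' > "$dir/ipf" && chmod +x "$dir/ipf"
    cat > "$dir/rc.conf.broken" <<EOF
ipfilter_enable="YES"
ipfilter_program="$dir/ipf -Fa -f"
ipfilter_rules="/etc/ipf.rules"
ipfilter_flags=""
EOF
    cat > "$dir/rc.conf.fixed" <<EOF
ipfilter_enable="YES"
ipfilter_program="$dir/ipf"   # bare path only; rc.network appends its own options
ipfilter_rules="/etc/ipf.rules"
ipmon_enable="YES"
ipmon_flags="-D -s -o I"
EOF
}

# Demo run: the broken file reports one bad override, the fixed file none.
demo=$(mktemp -d) || exit 1
build_demo "$demo"
lint_rc_conf "$demo/rc.conf.broken"; echo "rc.conf.broken: $? bad override(s)"
lint_rc_conf "$demo/rc.conf.fixed";  echo "rc.conf.fixed:  $? bad override(s)"
rm -rf "$demo"
```

The check deliberately rejects anything with whitespace rather than trying to parse options, because the rc scripts never quote these variables: whatever is in the value is split into words and spliced into each command line verbatim, which is exactly how "/sbin/ipf -Fa -f -Fa" came about.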
