Date:      Wed, 4 May 2011 16:46:22 +1000 (EST)
From:      Ian Smith <smithi@nimnet.asn.au>
To:        KIRIYAMA Kazuhiko <kiri@pis.elm.toba-cmt.ac.jp>
Cc:        freebsd-stable@freebsd.org
Subject:   Re: /etc/rc.d/ipfw can't deal with firewall_type?
Message-ID:  <20110504160556.Q85801@sola.nimnet.asn.au>
In-Reply-To: <201105040140.p441eClM054591@pis.elm.toba-cmt.ac.jp>
References:  <BANLkTik8cAOt1iAP1tOu0EVrRL07uHA8Ng@mail.gmail.com> <201105031543.p43Fh92T041708@pis.elm.toba-cmt.ac.jp> <20110504030404.O85801@sola.nimnet.asn.au> <201105040140.p441eClM054591@pis.elm.toba-cmt.ac.jp>

On Wed, 4 May 2011, KIRIYAMA Kazuhiko wrote:
 > At Wed, 4 May 2011 03:47:02 +1000 (EST),
 > Ian Smith wrote:
 > > 
 > > On Wed, 4 May 2011, KIRIYAMA Kazuhiko wrote:
 > >  > Hi all,
 > >  > Recently I upgraded to 8.2-STABLE and reconfigured natd + jailed box, but
 > >  > all packets could not over nat box. I've researched and found
 > >  > /etc/rc.firewall does not receive argument of firewall_type. So ipfw does
 > >  > not divert and natd could not be performed. The reason is /etc/rc.d/ipfw
 > >  > incorrect. I think a patch below should be applied to /etc/rc.d/ipfw. Is
 > >  > there any problem to do this?
 > > 
 > > Yes.  Assuming using the default firewall_script="/etc/rc.firewall", 
 > > then as it says early in /etc/rc.firewall, you just needed to:
 > > 
 > > 	# Define the firewall type in /etc/rc.conf.  Valid values are:
 > > 	[..]

It's just occurred to me that - assuming you are NOT trying to start ipfw 
or natd inside a jail, which won't work - you may well be running into 
another problem related to some PRs/patches hrs@ (cc'd) is reviewing re 
startup order and loading of modules for ipfw and natd.  You mentioned 
running an 'OPEN' firewall which (like any other type) will fail to load 
divert rule/s unless ipdivert.ko is already loaded or built into kernel.

This can be solved meanwhile by either a) adding to /boot/loader.conf:

ipdivert_load="YES"

or b) by applying the following patch to /etc/rc.d/ipfw (on 7.x or 8.x)

cheers, Ian

--- rc.d_ipfw.1.24      Sat Jan  8 18:13:46 2011
+++ ipfw        Sat Jan  8 21:00:18 2011
@@ -27,9 +27,9 @@
	fi

	if checkyesno firewall_nat_enable; then
-		if ! checkyesno natd_enable; then
-			required_modules="$required_modules ipfw_nat"
-		fi
+		required_modules="$required_modules ipfw_nat"
+	elif checkyesno natd_enable; then
+		required_modules="$required_modules ipdivert"
	fi
 }
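Review bot: the new `elif checkyesno natd_enable` branch pulls in ipdivert only when firewall_nat_enable is off, so the precedence rule (in-kernel NAT wins, natd settings are then ignored) is decided here but never stated anywhere a user would see it; a setup that still carries a divert rule in its firewall script while natd is started by other means (natd_enable=NO) also stays without ipdivert.ko and fails exactly as described earlier in the thread. Suggest a short comment above the `if checkyesno firewall_nat_enable` line spelling out the precedence, and the matching note in the rc.conf(5) description of natd_enable.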

@@ -105,6 +105,7 @@
 }

 load_rc_config $name
-firewall_coscripts="/etc/rc.d/natd ${firewall_coscripts}"
+checkyesno natd_enable && ! checkyesno firewall_nat_enable && \
+	firewall_coscripts="/etc/rc.d/natd ${firewall_coscripts}"

 run_rc_command $*
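Review bot: the guard `checkyesno natd_enable && ! checkyesno firewall_nat_enable && \` silently drops /etc/rc.d/natd from firewall_coscripts when both knobs are YES, so a user who set natd_enable gets no NAT daemon and no message; a `warn "natd_enable ignored because firewall_nat_enable is set"` in that branch would make the outcome visible. The same both-set precedence is now encoded twice (here and in the required_modules branch of the first hunk), so a later change to one has to be mirrored in the other; worth a one-line comment tying them together.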


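The module-selection and coscript rules the patch above introduces are easy to get wrong when reading rc.conf by hand, so here is an added example (not part of the mail and not FreeBSD's own /etc/rc.d/ipfw) that mirrors those two rules as plain POSIX sh functions, sources a constructed rc.conf fragment, and reports which extra kernel module would be required and whether natd would be started. It assumes the checkyesno semantics of /etc/rc.subr (case-insensitive yes/true/on/1) and the function names `ipfw_extra_module`, `natd_coscript` and `check_rc_conf` are hypothetical; it runs anywhere, not only on FreeBSD.

```shell
#!/bin/sh
# Added example: mirrors the required_modules / firewall_coscripts rules of the
# patch in the thread so a given rc.conf can be checked offline.
# checkyesno is re-implemented here (assumption: same semantics as rc.subr).

checkyesno_val() {
    case "$1" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# ipfw_extra_module <firewall_nat_enable> <natd_enable>
# Prints the NAT-related module the patched rc.d/ipfw would add to
# required_modules: ipfw_nat, ipdivert, or "none". In-kernel NAT wins.
ipfw_extra_module() {
    if checkyesno_val "$1"; then
        echo ipfw_nat
    elif checkyesno_val "$2"; then
        echo ipdivert
    else
        echo none
    fi
}

# natd_coscript <firewall_nat_enable> <natd_enable>
# Prints "yes" when /etc/rc.d/natd would be run as an ipfw coscript.
natd_coscript() {
    if checkyesno_val "$2" && ! checkyesno_val "$1"; then
        echo yes
    else
        echo no
    fi
}

# check_rc_conf <file>
# Sources an rc.conf fragment and prints the outcome; warns when natd_enable
# is set but would be ignored because firewall_nat_enable is also set.
check_rc_conf() {
    firewall_nat_enable="NO"
    natd_enable="NO"
    . "$1"
    mod=$(ipfw_extra_module "$firewall_nat_enable" "$natd_enable")
    co=$(natd_coscript "$firewall_nat_enable" "$natd_enable")
    if checkyesno_val "$firewall_nat_enable" && checkyesno_val "$natd_enable"; then
        echo "WARNING: natd_enable ignored, firewall_nat_enable takes precedence" >&2
    fi
    echo "extra module: $mod; natd coscript: $co"
}

# Constructed sample 1: the reporter's case, divert-based natd with an open
# firewall. Expect "extra module: ipdivert; natd coscript: yes".
f1=$(mktemp)
cat > "$f1" <<'EOF'
firewall_enable="YES"
firewall_type="open"
natd_enable="YES"
natd_interface="em0"
EOF
check_rc_conf "$f1"
rm -f "$f1"

# Constructed sample 2: both NAT flavours enabled. Expect a warning on stderr
# and "extra module: ipfw_nat; natd coscript: no".
f2=$(mktemp)
cat > "$f2" <<'EOF'
firewall_enable="YES"
firewall_nat_enable="YES"
natd_enable="YES"
EOF
check_rc_conf "$f2"
rm -f "$f2"
```

The warning branch is the point: with the patch as posted, setting both knobs silently disables natd, and this check makes that decision visible before the next reboot.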

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20110504160556.Q85801>