Date:      Sat, 26 Nov 2005 22:17:44 +0000
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        Mark Edwards <mark@antsclimbtree.com>
Cc:        questions@FreeBSD.ORG
Subject:   Re: verrevpath -- ipfw: unknown argument ``not''
Message-ID:  <4388DF08.9040106@infracaninophile.co.uk>
In-Reply-To: <9EDDDA9A-47A5-4B70-A1E5-6DADA46A8B91@antsclimbtree.com>
References:  <536B393F-0E66-4B10-89A7-E0D4D82C87D7@antsclimbtree.com>	<44sltjphda.fsf@be-well.ilk.org> <9EDDDA9A-47A5-4B70-A1E5-6DADA46A8B91@antsclimbtree.com>


Mark Edwards wrote:
> On Nov 26, 2005, at 7:18 AM, Lowell Gilbert wrote:
> 
>> Mark Edwards <mark@antsclimbtree.com> writes:
>>
>>> I am trying to implement the verrevpath suggestion in the ipfw man
>>> page, as follows:
>>>
>>>>      The verrevpath option could be used to do automated anti-spoofing by
>>>>      adding the following to the top of a ruleset:
>>>>
>>>>            ipfw add deny ip from any to any not verrevpath in
>>>
>>>
>>> However, when I try to add the rule, I get an error:
>>>
>>>> lilbuddy:~ paimin$ ipfw add deny ip from any to any not  verrevpath in
>>>> ipfw: unknown argument ``not''
>>>
>>>
>>> Can someone tell what is causing this syntax to fail?  Thanks!
>>
>>
>> Works fine for me right now on -STABLE (RELENG_6).
>> You didn't mention what you were running, so there's not much else we
>> can tell you.
> 
> 
> Sorry, I am running 4.11, and nothing weird that I know of that would
> affect ipfw operation.
>
> I found a posting via google from someone with the same question, and
> then he replied to himself that reading the man page had given him the
> answer, but he didn't say what that answer was.  Tried to email him,
> but it bounced because my mail gateway doesn't have an SPF record so
> his server rejected my mail (even though my server DOES have an SPF
> record -- ugh).

IPFW can be compiled with a bunch of extra goodies under FreeBSD 4.x
-- as I remember, this includes the syntactic bits like 'not' and
probably the reverse path stuff too.  To do this you need:

    IPFW2=true

in /etc/make.conf and 

    options         IPFW2

in your kernel config.  Then do the whole {build,install}{kernel,world}
thing to enable that.

Under 4.x this effectively upgrades you to the same version of IPFW which
is standard in 5.x or above.  The upgrade was not made the default in 4.x
because it isn't entirely backwards compatible, and for POLA reasons, the
FreeBSD project forbids changing kernel ABIs and so breaking systems on a
routine update within the same major version number. 

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       7 Priory Courtyard
                                                      Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey         Ramsgate
                                                      Kent, CT11 9PW
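
Added example, not part of the original message: a shell preflight check that the two settings named in the reply above are present before starting the rebuild. The function name, return codes and sample file contents are constructed for illustration; on a real system the arguments would be /etc/make.conf and your own kernel config file.

```sh
#!/bin/sh
# ipfw2_preflight MAKE_CONF KERNEL_CONF
# Returns 0 if both settings are present, 1 if the make.conf knob is missing,
# 2 if the kernel option is missing, 3 if both are missing.
ipfw2_preflight() {
    pf_make_conf=$1
    pf_kernel_conf=$2
    pf_rc=0
    # Assumption: any uncommented IPFW2 assignment counts as "set".
    if ! grep -Eq '^[[:space:]]*IPFW2[[:space:]]*[?:+]?=' "$pf_make_conf" 2>/dev/null; then
        echo "missing: IPFW2=true in $pf_make_conf" >&2
        pf_rc=$((pf_rc + 1))
    fi
    # Match "options<whitespace>IPFW2", optionally followed by a "#" comment.
    # A commented-out line or a different option name does not count.
    if ! grep -Eq '^[[:space:]]*options[[:space:]]+IPFW2[[:space:]]*(#.*)?$' "$pf_kernel_conf" 2>/dev/null; then
        echo "missing: options IPFW2 in $pf_kernel_conf" >&2
        pf_rc=$((pf_rc + 2))
    fi
    return "$pf_rc"
}

# Constructed sample files standing in for /etc/make.conf and a kernel config.
demo_dir=$(mktemp -d)
cat > "$demo_dir/make.conf.before" <<'EOF'
CFLAGS= -O -pipe
#IPFW2=true
EOF
cat > "$demo_dir/make.conf.after" <<'EOF'
CFLAGS= -O -pipe
IPFW2=true
EOF
cat > "$demo_dir/KERNEL.before" <<'EOF'
options         IPFIREWALL
EOF
cat > "$demo_dir/KERNEL.after" <<'EOF'
options         IPFIREWALL
options         IPFW2           # constructed sample line
EOF

ipfw2_preflight "$demo_dir/make.conf.before" "$demo_dir/KERNEL.before" \
    || echo "before: not ready (code $?)"
ipfw2_preflight "$demo_dir/make.conf.after" "$demo_dir/KERNEL.after" \
    && echo "after: both settings present"
rm -rf "$demo_dir"
```

The check only confirms the settings are in the files; the rebuild and install steps described in the reply are still needed before the running ipfw accepts the rule.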



