From: Matthew Seaman
Date: Sat, 26 Nov 2005 22:17:44 +0000
To: Mark Edwards
Cc: questions@FreeBSD.ORG
Subject: Re: verrevpath -- ipfw: unknown argument ``not''

Mark Edwards wrote:
> On Nov 26, 2005, at 7:18 AM, Lowell Gilbert wrote:
>
>> Mark Edwards writes:
>>
>>> I am trying to implement the verrevpath suggestion in the ipfw man
>>> page, as follows:
>>>
>>>> The verrevpath option could be used to do automated anti-spoofing by
>>>> adding the following to the top of a ruleset:
>>>>
>>>> ipfw add deny ip from any to any not verrevpath in
>>>
>>> However, when I try to add the rule, I get an error:
>>>
>>>> lilbuddy:~ paimin$ ipfw add deny ip from any to any not verrevpath in
>>>> ipfw: unknown argument ``not''
>>>
>>> Can someone tell what is causing this syntax to fail? Thanks!
>>
>> Works fine for me right now on -STABLE (RELENG_6).
>> You didn't mention what you were running, so there's not much else we
>> can tell you.
>
> Sorry, I am running 4.11, and nothing weird that I know of that would
> affect ipfw operation.
>
> I found a posting via google from someone with the same question, and
> then he replied to himself that reading the man page had given him the
> answer, but he didn't say what that answer was. Tried to email him,
> but it bounced because my mail gateway doesn't have an SPF record so
> his server rejected my mail (even though my server DOES have an SPF
> record -- ugh).

IPFW can be compiled with a bunch of extra goodies under FreeBSD 4.x --
as I remember, this includes the syntactic bits like 'not' and probably
the reverse path stuff too. To do this you need:

    IPFW2=true

in /etc/make.conf and

    options IPFW2

in your kernel config. Then do the whole {build,install}{kernel,world}
thing to enable that.

Under 4.x this effectively upgrades you to the same version of IPFW which
is standard in 5.x or above. The upgrade was not made the default in 4.x
because it isn't entirely backwards compatible, and for POLA reasons, the
FreeBSD project forbids changing kernel ABIs and so breaking systems on a
routine update within the same major version number.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
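
Added example, not part of the message above or of FreeBSD itself: a pre-flight check for the two IPFW2 settings the reply names, to run before starting the {build,install}{kernel,world} cycle on 4.x. The function names and the MYKERNEL config name are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: confirm both IPFW2 settings from the reply are in place
# before spending time on a kernel and world rebuild (FreeBSD 4.x).
# Function names and the MYKERNEL file name are hypothetical.
#
# usage: sh ipfw2_preflight.sh /etc/make.conf /usr/src/sys/i386/conf/MYKERNEL

# has_make_ipfw2 FILE: succeed if FILE assigns IPFW2 outside a comment.
has_make_ipfw2() {
    [ -r "$1" ] || return 1
    sed 's/#.*//' "$1" | grep -Eq '^[[:space:]]*IPFW2[[:space:]]*='
}

# has_kernel_ipfw2 FILE: succeed if FILE has an uncommented "options IPFW2".
has_kernel_ipfw2() {
    [ -r "$1" ] || return 1
    sed 's/#.*//' "$1" |
        grep -Eq '^[[:space:]]*options[[:space:]]+IPFW2([[:space:]]|$)'
}

# ipfw2_preflight MAKE_CONF KERNEL_CONF
# Prints each missing setting; returns 0 only when both are present.
# An unreadable or absent file counts as "missing".
ipfw2_preflight() {
    rc=0
    if ! has_make_ipfw2 "$1"; then
        echo "missing: IPFW2=true in $1"
        rc=1
    fi
    if ! has_kernel_ipfw2 "$2"; then
        echo "missing: options IPFW2 in $2"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "ok: both IPFW2 settings present; rebuild kernel and world"
    fi
    return "$rc"
}

# Run the check only when both file arguments are supplied.
if [ "$#" -eq 2 ]; then
    ipfw2_preflight "$1" "$2"
fi
```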