Date: Wed, 14 Mar 2001 20:35:20 +0100
From: Gerhard Sittig <Gerhard.Sittig@gmx.net>
To: stable@FreeBSD.ORG
Subject: Re: /etc/default/rc.conf bad default ipfilter_flags?
Message-ID: <20010314203520.Y20830@speedy.gsinet>
In-Reply-To: <20010314113640.741AF1140FC@netcom1.netcom.com>; from mvh@ix.netcom.com on Wed, Mar 14, 2001 at 03:36:40AM -0800
References: <Pine.GSO.4.30.0103132009500.28627-100000@nova.fnal.gov> <20010314113640.741AF1140FC@netcom1.netcom.com>
On Wed, Mar 14, 2001 at 03:36 -0800, Mike Harding wrote:
>
> I can confirm that the "-E" seems to be unnecessary for both
> kernel and kernel module loads.

I'm "guilty" of having provided this default setting (see PR conf/20202). :) It's because I tried the OpenBSD invocation (and what I got from the excellent "IPFilter HowTo") in FreeBSD, too. Admittedly I never tried anything other than compiling ipf(4) into the kernel. And I honestly assume a module loaded by the loader (i.e. before / together with the kernel) to be more of an integral part of the kernel than a module loaded much later after having run for some time without the additional functionality.

I'm not 100% positive what the -E switch does to the ipf(8) command. If it makes it load the module at all, that's of course a problem when the functionality is already active. "man 8 ipf" tells me:

    -E    Enable the filter (if disabled). Not effective for loadable
          kernel versions.

so I guess it's about having pass as the default action? Or is it the opposite of temporarily issuing "ipf -D" for whatever reason?

To summarize: I don't know. And as discussed (in quite some detail) in "man 5 rc.conf" I don't care about ipf(4) being a module. :> Just state when you're sure ipfilter_flags could always be empty and file a PR to have the default corrected ...

> I can also confirm that ppp does not play well with ipfilter
> because ipfilter needs a 'ipf -y' to pick up the dynamically
> configured interfaces - it's set up before these interfaces
> exist, so that any rules applying to them don't work! I stick
> a 'ipf -y' near the end of pass 1 in /etc/rc.network but this
> is my local hack.

Are you referring to conf/22859? There's a follow-up by me discussing three methods of avoiding the problem. One of them being really easy to apply: it's the "ipf -y" you state. The PR got assigned to darrenr, just ask him kindly to commit the three line extension.

But yet I feel that ppp users usually have an "ipf -y" in their /etc/ppp/ppp.link{up,down} anyway ...


virtually yours   82D1 9B9C 01DC 4FB4 D7B4  61BE 3F49 4F77 72DE DA76
Gerhard Sittig   true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
     If you don't understand or are scared by any of the above
             ask your parents or an adult to help you.