Date:      Sun, 27 Aug 2006 03:59:22 +0300
From:      Giorgos Keramidas <keramida@ceid.upatras.gr>
To:        "J.D. Bronson" <jbronson@wixb.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: ipfilter on 6.1
Message-ID:  <20060827005922.GB4853@gothmog.pc>
In-Reply-To: <7.0.1.0.2.20060826194439.01973050@sixcompanies.com>
References:  <7.0.1.0.2.20060826150124.01982d10@sixcompanies.com> <20060826204015.GI1311@gothmog.pc> <7.0.1.0.2.20060826160530.01982d10@sixcompanies.com> <20060826220706.GC2666@gothmog.pc> <7.0.1.0.2.20060826170941.01982d10@sixcompanies.com> <20060826221904.GD2666@gothmog.pc> <7.0.1.0.2.20060826194439.01973050@sixcompanies.com>

On 2006-08-26 19:46, "J.D. Bronson" <jbronson@wixb.com> wrote:
> Ok guys...now that I have ipfilter working...I need to run a few
> commands in /etc/ppp/ppp;linkup and can't figure out the syntax...
>
> % cat /etc/ppp/ppp.linkup
>
> # It is no longer necessary to re-add the default route here as our
> MYADDR:
>
> ! sh -c "/sbin/ipnat -CF -f /etc/ipnat.conf"
> ! sh -c "/sbin/ipf -F -f /etc/ipf.conf"
> ! sh -c "/sbin/ipf -Fa -f /etc/ipf.conf"
> ! sh -c "/sbin/ipf -y"

Watch out for that empty line, if it is *REALLY* part of your
`ppp.linkup' script.  Empty lines are section delimiters in ppp(8)
config files.

There is also no reason to run ipf _twice_!

Please also note that I don't use "sh -c" to signal ntpd to start/stop
from my ppp.linkup script and it all works fine:

    root@gothmog:/root# cat -n /etc/ppp/ppp.linkup
         1  MYADDR:
         2   ! /etc/rc.d/ntpd start
    root@gothmog:/root#

Maybe the whole sh -c and quoting stuff you are using is not really
passed down to sh(1) but is parsed by ppp(8) when `ppp.linkup' is read?

I am also not sure if it is a good idea to run ``ipnat -CF'' or
``ipf -Fa''.  What about states of existing connections?  If you
momentarily lose the PPP connection, but it then comes up pretty fast,
you are effectively dropping all previous connection information here,
even though it may still be valid and useful.

I'd go for the simpler syntax of:

    MYADDR:
     ! /sbin/ipf -y
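
An added example, not code from this thread: a small lint that checks a ppp.linkup file for the two problems discussed above (an empty line closing the MYADDR section before its commands, and ipf being run more than once). The sample files and the awk rules are constructed here from the reply's description of ppp(8) section syntax.

```shell
#!/bin/sh
# Added example, not code from the thread: a small lint for ppp(8) ppp.linkup
# files, using the rules the reply gives. A label line ("MYADDR:") opens a
# section, an empty line closes it, and "!" lines are commands that ppp runs
# when that label fires. Commands after an empty line belong to no section.

# Write a constructed copy of the original poster's ppp.linkup to the file in $1.
write_sample() {
    cat > "$1" <<'EOF'
# It is no longer necessary to re-add the default route here as our
MYADDR:

 ! sh -c "/sbin/ipnat -CF -f /etc/ipnat.conf"
 ! sh -c "/sbin/ipf -F -f /etc/ipf.conf"
 ! sh -c "/sbin/ipf -Fa -f /etc/ipf.conf"
 ! sh -c "/sbin/ipf -y"
EOF
}

# Write the simpler version the reply suggests to the file in $1.
write_fixed() {
    printf 'MYADDR:\n ! /sbin/ipf -y\n' > "$1"
}

# Print one line per finding; exit 1 if anything was found, else 0.
lint_ppp_linkup() {
    awk '
        BEGIN                      { found = 0; ipf_runs = 0 }
        /^[ \t]*#/                 { next }                  # comment line
        /^[A-Za-z0-9_.-]+:[ \t]*$/ { section = $1; next }   # label opens a section
        /^[ \t]*$/                 { section = ""; next }   # empty line closes it
        /^[ \t]*!/ {
            if (section == "") {
                printf("line %d: command outside any section: %s\n", NR, $0)
                found = 1
            }
            if ($0 ~ /\/sbin\/ipf[ \t]/)
                ipf_runs++
        }
        END {
            if (ipf_runs > 1) {
                printf("ipf is run %d times; one invocation is enough\n", ipf_runs)
                found = 1
            }
            exit found
        }
    ' "$1"
}
```

Run it as `write_sample f; lint_ppp_linkup f` to see the four orphaned commands and the repeated ipf run reported; the fixed file produces no output and exits 0.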