On Sat, 16 Apr 2011, rondzie...@comcast.net wrote:

> After the firewall rules are loaded, the rc script then loads natd.
> Once the system is up, I can ipfw list and the divert command is,
> in fact, not there, but by this time natd is running. If I run the
> rc.firewall script interactively, it completes successfully and the
> divert rule is in the list, and everyone is happy again.

There are several outstanding PRs about this and related issues; copying
hrs@ who grabbed these PRs a while ago.

The quick fix is to add ipdivert_load="YES" to /boot/loader.conf so it's
there before ipfw & natd start. You still need ipfw_enable=YES and
natd_enable=YES in /etc/rc.conf

> In 4.9 there used to be a rc.network script that started natd before
> it loaded the firewall rules. I do not see it in 8.2 anymore, instead
> it looks like rc simply runs the scripts in rc.d alphabetically, so natd
> comes after ipfw.

Not alphabetically but according to rcorder(8). /etc/rc.d/natd has
keyword NOSTART and is now only run when /etc/rc.d/ipfw invokes it,
but as you've seen, ipfw's attempt to install divert rule(s) fails for
want of ipdivert.ko - which /etc/rc.d/natd does load, but too late.

> I can't believe I'm the only one using ipfw and natd with 8.2, so it
> seems to me that I just don't know the secret handshake that will
> make it work.

In 4.x you had to build ipfw into kernel; lots of changes since :)

cheers, Ian
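As an added post-boot check (not from this thread or from FreeBSD's own rc scripts), the script below verifies both conditions Ian's reply names: that ipdivert is resident in the kernel and that the running ruleset actually carries natd's divert rule. It assumes kldstat(8) and ipfw(8) as found on FreeBSD 8.x and natd on its default port 8668; the `--live` switch and the sample rulesets are constructed for illustration.

```sh
#!/bin/sh
# Added check script, not from the thread. Confirms the two things that must
# both hold before natd can do anything: ipdivert is resident in the kernel,
# and the running ipfw ruleset actually carries a divert rule for natd.
# Assumes FreeBSD kldstat(8)/ipfw(8) and natd on its default port 8668.
# Run with --live on the box; without it only the constructed samples are used.

NATD_PORT="${NATD_PORT:-8668}"

# has_divert_rule PORT: reads `ipfw list` output on stdin, succeeds if a rule
# "NNNNN divert PORT ..." is present ("natd" accepted as the service name).
has_divert_rule() {
    awk -v p="$1" '
        $2 == "divert" && ($3 == p || $3 == "natd") { found = 1 }
        END { if (found) exit 0; exit 1 }
    '
}

# ipdivert_loaded: kldstat -q -m exits 0 only when the module is loaded.
ipdivert_loaded() {
    kldstat -q -m ipdivert
}

# classify_state RULES LOADED: maps the two checks onto the states seen in
# the thread. "no-divert-rule" is the boot-time failure the poster describes:
# the module was absent when /etc/rc.d/ipfw ran, so the divert rule was lost.
classify_state() {
    if [ "$2" != "yes" ]; then
        echo "ipdivert-not-loaded"
    elif printf '%s\n' "$1" | has_divert_rule "$NATD_PORT"; then
        echo "ok"
    else
        echo "no-divert-rule"
    fi
}

# Constructed sample rulesets, not captured from a real system.
SAMPLE_GOOD='00050 divert 8668 ip from any to any via em0
00100 allow ip from any to any via lo0
65535 deny ip from any to any'
SAMPLE_BROKEN='00100 allow ip from any to any via lo0
65535 deny ip from any to any'

if [ "${1-}" = "--live" ]; then
    if ipdivert_loaded; then loaded=yes; else loaded=no; fi
    classify_state "$(ipfw list)" "$loaded"
fi
```

Run it with `--live` after boot: anything other than "ok" means natd is up but no traffic will reach it.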