Re: Problems with in the ipf setup in an FreeBSD 4.7 router
Hi Giorgos,

First of all I have to admit that basically you are right. I *must* avoid changing the xxx_program settings and it does not seem reasonable (in FreeBSD 4.7) to include the flags in the xxx_program settings. Flags should go into the xxx_flags settings.

But my old router was a FreeBSD 4.2-RELEASE box and I just wanted to change it to FreeBSD 4.7-RELEASE for security reasons. I was under the impression that my old rc.conf file should work ok with the new system and I tried to reuse it (Big Mistake!).

Unfortunately the rc.network file of FreeBSD 4.7-RELEASE is working differently now, and the ipfilter_program setting is not being used the same way as it was back in FreeBSD 4.2-RELEASE:

rc.network of FreeBSD 4.2-RELEASE:

    ...
    ${ipfilter_program:-ipf -Fa -f} ${ipfilter_rules} ${ipfilter_flags}
    ...

rc.network of FreeBSD 4.7-RELEASE:

    ...
    ${ipfilter_program:-/sbin/ipf} -Fa -f ${ipfilter_rules} ${ipfilter_flags}
    ...

In other words [ipfilter_program=/sbin/ipf -Fa -f] was the correct setting for FreeBSD 4.2-RELEASE but it is incorrect for FreeBSD 4.7-RELEASE.

My *big* mistake was that changing the ipfilter_program setting was not really necessary for me. I should have left it to its default value!

Well I am wiser now thanks to this list, thank you very much!

Regards,
Jim Xochellis
Escape Information Services

Giorgos Keramidas wrote:

> > ipfilter_flags=
> >
> > The problem is that, when I boot, ipf does not work. It seems like it is not using the rules.
>
> Don't change ipfilter_program if you don't have a *very* good reason for doing so:
>
>     $ grep ipfilter_program /etc/defaults/rc.conf
>     ipfilter_program=/sbin/ipf    # where the ipfilter program lives
>
> Before you change one of the xxx_program options in rc.conf you should make sure that you understand what this change will affect, by looking at the /etc/rc* scripts:
>
>     $ grep -l ipfilter_program /etc/rc*
>     rc.network
>     $ grep ipfilter_program /etc/rc.network
>     ${ipfilter_program:-/sbin/ipf} -Fa
>     ${ipfilter_program:-/sbin/ipf} \
>     ${ipfilter_program:-/sbin/ipf} -6 \
>     ${ipfilter_program:-/sbin/ipf} -y ${ipfilter_flags} /dev/null
>
> By setting ipfilter_program to /sbin/ipf -Fa -f, that first line of rc.network became:
>
>     /sbin/ipf -Fa -f -Fa
>
> which doesn't work. Similarly, the -f option at the end of your ipfilter_program value broke all the rest of the ipf commands in /etc/rc.network.
>
> Delete the ipfilter_program line from your rc.conf and the default will work fine. Here's what I have in my rc.conf for ipfilter and ipmon:
>
>     $ grep '^ip[fm]' /etc/rc.conf
>     ipfilter_enable=YES
>     ipfilter_rules=/etc/ipf.rules
>     ipmon_enable=YES
>     ipmon_flags=-D -s -o I
>
> - Giorgos
Problems with in the ipf setup in an FreeBSD 4.7 router
Hi List,

I have a FreeBSD 4.7(i386) Release router I am trying to make it run with the ipf firewall on. I have compiled and installed a new kernel with ipf support and then I put the following lines inside my rc.conf file:

    ...
    ipfilter_enable=YES
    ipfilter_program=/sbin/ipf -Fa -f
    ipfilter_rules=/etc/ipf.rules
    ipfilter_flags=
    ...

The problem is that, when I boot, ipf does not work. It seems like it is not using the rules. If I enter

    ipf -Fa -f /etc/ipf.rules

from the command line, then it starts working as expected.

What do I have to do to make ipf start automatically on boot? Any tips or pointers to manuals will be greatly appreciated.

TIA,
Jim Xochellis
Escape Information Services

P.S. Note that I am running with security level set to 2. (I also tried running with security level set to 1 and -1 without any luck.)
Re: Problems with in the ipf setup in an FreeBSD 4.7 router
On Friday, 21 February 2003 at 20:08:17 +0200, Jim Xochellis wrote:

> Hi List,
>
> I have a FreeBSD 4.7(i386) Release router I am trying to make it run with the ipf firewall on. I have compiled and installed a new kernel with ipf support and then I put the following lines inside my rc.conf file:
>
>     ...
>     ipfilter_enable=YES
>     ipfilter_program=/sbin/ipf -Fa -f

Try removing the above line

>     ipfilter_rules=/etc/ipf.rules
>     ipfilter_flags=
>     ...
>
> The problem is that, when I boot, ipf does not work. It seems like it is not using the rules. If I enter
>
>     ipf -Fa -f /etc/ipf.rules
>
> from the command line, then it starts working as expected.
>
> What do I have to do to make ipf start automatically on boot? Any tips or pointers to manuals will be greatly appreciated.
>
> TIA,
> Jim Xochellis
> Escape Information Services
>
> P.S. Note that I am running with security level set to 2. (I also tried running with security level set to 1 and -1 without any luck.)
Re: Problems with in the ipf setup in an FreeBSD 4.7 router
# [EMAIL PROTECTED] / 2003-02-21 20:08:17 +0200:

> I have compiled and installed a new kernel with ipf support and then I put the following lines inside my rc.conf file:
>
>     ipfilter_enable=YES
>     ipfilter_program=/sbin/ipf -Fa -f
>     ipfilter_rules=/etc/ipf.rules
>     ipfilter_flags=

remove the three lines above, leaving only ipfilter_enable=YES in rc.conf.

> The problem is that, when I boot, ipf does not work. It seems like it is not using the rules. If I enter
>
>     ipf -Fa -f /etc/ipf.rules
>
> from the command line, then it starts working as expected.

if you look at /etc/rc.network you'll see why:

    ${ipfilter_program:-/sbin/ipf} -Fa -f \
        ${ipfilter_rules} ${ipfilter_flags}

your settings make it:

    /sbin/ipf -Fa -f -Fa -f /etc/ipf.rules

-- 
If you cc me or remove the list(s) completely I'll most likely ignore your message.
see http://www.eyrie.org./~eagle/faqs/questions.html
Re: Problems with in the ipf setup in an FreeBSD 4.7 router
On 2003-02-21 20:08, Jim Xochellis [EMAIL PROTECTED] wrote:

> I have a FreeBSD 4.7(i386) Release router I am trying to make it run with the ipf firewall on. I have compiled and installed a new kernel with ipf support and then I put the following lines inside my rc.conf file:
>
>     ipfilter_enable=YES
>     ipfilter_program=/sbin/ipf -Fa -f
>     ipfilter_rules=/etc/ipf.rules
>     ipfilter_flags=
>
> The problem is that, when I boot, ipf does not work. It seems like it is not using the rules.

Don't change ipfilter_program if you don't have a *very* good reason for doing so:

    $ grep ipfilter_program /etc/defaults/rc.conf
    ipfilter_program=/sbin/ipf    # where the ipfilter program lives

Before you change one of the xxx_program options in rc.conf you should make sure that you understand what this change will affect, by looking at the /etc/rc* scripts:

    $ grep -l ipfilter_program /etc/rc*
    rc.network
    $ grep ipfilter_program /etc/rc.network
    ${ipfilter_program:-/sbin/ipf} -Fa
    ${ipfilter_program:-/sbin/ipf} \
    ${ipfilter_program:-/sbin/ipf} -6 \
    ${ipfilter_program:-/sbin/ipf} -y ${ipfilter_flags} /dev/null

By setting ipfilter_program to /sbin/ipf -Fa -f, that first line of rc.network became:

    /sbin/ipf -Fa -f -Fa

which doesn't work. Similarly, the -f option at the end of your ipfilter_program value broke all the rest of the ipf commands in /etc/rc.network.

Delete the ipfilter_program line from your rc.conf and the default will work fine. Here's what I have in my rc.conf for ipfilter and ipmon:

    $ grep '^ip[fm]' /etc/rc.conf
    ipfilter_enable=YES
    ipfilter_rules=/etc/ipf.rules
    ipmon_enable=YES
    ipmon_flags=-D -s -o I

- Giorgos
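
The expansion discussed in this thread, as an added example (not written by any poster and not FreeBSD's own rc code): it applies the 4.2 and 4.7 rc.network templates quoted in the messages to the ipfilter_program value carried over from the 4.2 box, and adds a check that flags any xxx_program knob holding arguments, which is the condition that left the router booting without its rules loaded. The function names and the sample rc.conf text (with its values quoted, as a sourced shell file needs) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not FreeBSD's own rc code. The two templates are the
# rc.network lines quoted in this thread; function names are hypothetical.

# FreeBSD 4.2 template: the default value itself carries "-Fa -f".
expand_42() (
    ipfilter_program=$1 ipfilter_rules=$2 ipfilter_flags=$3
    set -- ${ipfilter_program:-ipf -Fa -f} ${ipfilter_rules} ${ipfilter_flags}
    echo "$*"
)

# FreeBSD 4.7 template: the script appends "-Fa -f" after the program.
expand_47() (
    ipfilter_program=$1 ipfilter_rules=$2 ipfilter_flags=$3
    set -- ${ipfilter_program:-/sbin/ipf} -Fa -f ${ipfilter_rules} ${ipfilter_flags}
    echo "$*"
)

# Read rc.conf-style text on stdin and print the name of every xxx_program
# knob whose value holds more than a bare path (embedded arguments).
audit_program_knobs() {
    tr -d "\"'" |
    sed -n 's/^\([A-Za-z0-9_]*_program\)=\([^#]*\).*/\1 \2/p' |
    while read -r name path rest; do
        if [ -n "$rest" ]; then echo "$name"; fi
    done
}

# Constructed sample: the rc.conf carried over from the 4.2 box, plus one
# hypothetical knob that holds only a path.
sample_rc_conf() {
    cat <<'EOF'
ipfilter_enable="YES"
ipfilter_program="/sbin/ipf -Fa -f"
ipfilter_rules="/etc/ipf.rules"
ipfilter_flags=""
example_program="/usr/local/sbin/exampled"   # hypothetical, bare path
EOF
}

old="/sbin/ipf -Fa -f"
echo "4.2, old value: $(expand_42 "$old" /etc/ipf.rules "")"
echo "4.7, old value: $(expand_47 "$old" /etc/ipf.rules "")"
echo "4.7, default:   $(expand_47 "" /etc/ipf.rules "")"
echo "knobs with embedded arguments: $(sample_rc_conf | audit_program_knobs)"
```

Running the audit against the old rc.conf before an upgrade, together with the grep of /etc/rc* suggested above, shows which settings to drop so the new defaults apply.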