Re: Problems with in the ipf setup in an FreeBSD 4.7 router
Hi Giorgos,
First of all I have to admit that basically you are right. I *must*
avoid changing the xxx_program settings and it does not seem reasonable
(in FreeBSD 4.7) to include the flags into the xxx_program settings.
Flags should be into the xxx_flags settings.
But my old router was an FreeBSD 4.2 - RELEASE box and I just wanted to
change it to FreeBSD 4.7 - RELEASE for security reasons. I was under the
impression that my old rc.conf file should work ok with the new system
and I tried to reuse it (Big Mistake!).
Unfortunately the rc.network file of the FreeBSD 4.7 - RELEASE is
working differently now, and the ipfilter_program setting is not being
used the same way like it was back in FreeBSD 4.2 - RELEASE:
rc.network of FreeBSD 4.2 - RELEASE:
...
${ipfilter_program:-ipf -Fa -f} ${ipfilter_rules} ${ipfilter_flags}
...
rc.network of FreeBSD 4.7 - RELEASE:
...
${ipfilter_program:-/sbin/ipf} -Fa -f ${ipfilter_rules} ${ipfilter_flags}
...
In other words [ipfilter_program=/sbin/ipf -Fa -f] was the correct
setting for the FreeBSD 4.2 - RELEASE but it is incorrect for the
FreeBSD 4.7 - RELEASE. My *big* mistake was that that changing the
ipfilter_program setting was not really necessary for me. I should left
it to its default value! Well I am wiser now thanks to this list, thank
you very much!
Regards,
Jim Xochellis
Escape Information Services
Giorgos Keramidas wrote:
ipfilter_flags=
The problem is that, when I boot, ipf does not work. It seems like is
not using the rules.
Don't change ipfilter_program if you don't have a *very* good reason
for doing so:
$ grep ipfilter_program /etc/defaults/rc.conf
ipfilter_program=/sbin/ipf# where the ipfilter program lives
Before you change one of the xxx_program options in rc.conf you should
make sure that you understand what this change will affect, by looking
at the /etc/rc* scripts:
$ grep -l ipfilter_program /etc/rc*
rc.network
$ grep ipfilter_program /etc/rc.network
${ipfilter_program:-/sbin/ipf} -Fa
${ipfilter_program:-/sbin/ipf} \
${ipfilter_program:-/sbin/ipf} -6 \
${ipfilter_program:-/sbin/ipf} -y ${ipfilter_flags} /dev/null
By setting ipfilter_program to /sbin/ipf -Fa -f, that first line of
rc.network became:
/sbin/ipf -Fa -f -Fa
which doesn't work. Similarly, the -f option at the end of your
ipfilter_program value broke all the rest of the ipf commands in
/etc/rc.network. Delete the ipfilter_program line from your rc.conf
and the default will work fine.
Here's what I have in my rc.conf for ipfilter and ipmon:
$ grep '^ip[fm]' /etc/rc.conf
ipfilter_enable=YES
ipfilter_rules=/etc/ipf.rules
ipmon_enable=YES
ipmon_flags=-D -s -o I
- Giorgos
To Unsubscribe: send mail to [EMAIL PROTECTED]
with unsubscribe freebsd-questions in the body of the message
Problems with in the ipf setup in an FreeBSD 4.7 router
Hi List, I have a FreeBSD 4.7(i386) Release router I am trying to make it run with the ipf firewall on. I have compiled and installed a new kernel with ipf support and then I put the following lines inside my rc.conf file: ... ipfilter_enable=YES ipfilter_program=/sbin/ipf -Fa -f ipfilter_rules=/etc/ipf.rules ipfilter_flags= ... The problem is that, when I boot, ipf does not work. It seems like is not using the rules. If I enter ipf -Fa -f /etc/ipf.rules from the command line, then it starts working as expected. What do I have to do to make ipf start automatically on boot? Any tips or pointers to manuals will be greatly appreciated. TIA, Jim Xochellis Escape Information Services P.S.Note that I am running with security level set to 2. (I also tried running with security level set to 1 and -1 without any luck.) To Unsubscribe: send mail to [EMAIL PROTECTED] with unsubscribe freebsd-questions in the body of the message
Re: Problems with in the ipf setup in an FreeBSD 4.7 router
On Friday, 21 February 2003 at 20:08:17 +0200, Jim Xochellis wrote: Hi List, I have a FreeBSD 4.7(i386) Release router I am trying to make it run with the ipf firewall on. I have compiled and installed a new kernel with ipf support and then I put the following lines inside my rc.conf file: ... ipfilter_enable=YES ipfilter_program=/sbin/ipf -Fa -f Try removing the above line ipfilter_rules=/etc/ipf.rules ipfilter_flags= ... The problem is that, when I boot, ipf does not work. It seems like is not using the rules. If I enter ipf -Fa -f /etc/ipf.rules from the command line, then it starts working as expected. What do I have to do to make ipf start automatically on boot? Any tips or pointers to manuals will be greatly appreciated. TIA, Jim Xochellis Escape Information Services P.S.Note that I am running with security level set to 2. (I also tried running with security level set to 1 and -1 without any luck.) To Unsubscribe: send mail to [EMAIL PROTECTED] with unsubscribe freebsd-questions in the body of the message To Unsubscribe: send mail to [EMAIL PROTECTED] with unsubscribe freebsd-questions in the body of the message
Re: Problems with in the ipf setup in an FreeBSD 4.7 router
# [EMAIL PROTECTED] / 2003-02-21 20:08:17 +0200:
I have compiled and installed a new kernel with ipf support and then I
put the following lines inside my rc.conf file:
ipfilter_enable=YES
ipfilter_program=/sbin/ipf -Fa -f
ipfilter_rules=/etc/ipf.rules
ipfilter_flags=
remove the three lines above, leaving only ipfilter_enable=YES
in rc.conf.
The problem is that, when I boot, ipf does not work. It seems like is
not using the rules.
If I enter ipf -Fa -f /etc/ipf.rules from the command line, then it
starts working as expected.
if you look at /etc/rc.network you'll see why:
${ipfilter_program:-/sbin/ipf} -Fa -f \
${ipfilter_rules} ${ipfilter_flags}
your settings make it:
/sbin/ipf -Fa -f -Fa -f /etc/ipf.rules
--
If you cc me or remove the list(s) completely I'll most likely ignore
your message.see http://www.eyrie.org./~eagle/faqs/questions.html
To Unsubscribe: send mail to [EMAIL PROTECTED]
with unsubscribe freebsd-questions in the body of the message
Re: Problems with in the ipf setup in an FreeBSD 4.7 router
On 2003-02-21 20:08, Jim Xochellis [EMAIL PROTECTED] wrote:
I have a FreeBSD 4.7(i386) Release router I am trying to make it run
with the ipf firewall on.
I have compiled and installed a new kernel with ipf support and then I
put the following lines inside my rc.conf file:
ipfilter_enable=YES
ipfilter_program=/sbin/ipf -Fa -f
ipfilter_rules=/etc/ipf.rules
ipfilter_flags=
The problem is that, when I boot, ipf does not work. It seems like is
not using the rules.
Don't change ipfilter_program if you don't have a *very* good reason
for doing so:
$ grep ipfilter_program /etc/defaults/rc.conf
ipfilter_program=/sbin/ipf# where the ipfilter program lives
Before you change one of the xxx_program options in rc.conf you should
make sure that you understand what this change will affect, by looking
at the /etc/rc* scripts:
$ grep -l ipfilter_program /etc/rc*
rc.network
$ grep ipfilter_program /etc/rc.network
${ipfilter_program:-/sbin/ipf} -Fa
${ipfilter_program:-/sbin/ipf} \
${ipfilter_program:-/sbin/ipf} -6 \
${ipfilter_program:-/sbin/ipf} -y ${ipfilter_flags} /dev/null
By setting ipfilter_program to /sbin/ipf -Fa -f, that first line of
rc.network became:
/sbin/ipf -Fa -f -Fa
which doesn't work. Similarly, the -f option at the end of your
ipfilter_program value broke all the rest of the ipf commands in
/etc/rc.network. Delete the ipfilter_program line from your rc.conf
and the default will work fine.
Here's what I have in my rc.conf for ipfilter and ipmon:
$ grep '^ip[fm]' /etc/rc.conf
ipfilter_enable=YES
ipfilter_rules=/etc/ipf.rules
ipmon_enable=YES
ipmon_flags=-D -s -o I
- Giorgos
To Unsubscribe: send mail to [EMAIL PROTECTED]
with unsubscribe freebsd-questions in the body of the message
