Re: Problems with in the ipf setup in an FreeBSD 4.7 router
Hi Giorgos,

First of all I have to admit that basically you are right. I *must*
avoid changing the xxx_program settings and it does not seem reasonable
(in FreeBSD 4.7) to include the flags into the xxx_program settings.
Flags should be into the xxx_flags settings.

But my old router was a FreeBSD 4.2 - RELEASE box and I just wanted to
change it to FreeBSD 4.7 - RELEASE for security reasons. I was under the
impression that my old rc.conf file should work ok with the new system
and I tried to reuse it (Big Mistake!).

Unfortunately the rc.network file of the FreeBSD 4.7 - RELEASE is
working differently now, and the ipfilter_program setting is not being
used the same way like it was back in FreeBSD 4.2 - RELEASE:

rc.network of FreeBSD 4.2 - RELEASE:

    ...
    ${ipfilter_program:-ipf -Fa -f} "${ipfilter_rules}" ${ipfilter_flags}
    ...

rc.network of FreeBSD 4.7 - RELEASE:

    ...
    ${ipfilter_program:-/sbin/ipf} -Fa -f "${ipfilter_rules}" ${ipfilter_flags}
    ...

In other words [ipfilter_program="/sbin/ipf -Fa -f"] was the correct
setting for the FreeBSD 4.2 - RELEASE but it is incorrect for the
FreeBSD 4.7 - RELEASE.

My *big* mistake was that changing the ipfilter_program setting was not
really necessary for me. I should have left it to its default value!

Well I am wiser now thanks to this list, thank you very much!

Regards,

Jim Xochellis
Escape Information Services

Giorgos Keramidas wrote:
> > ipfilter_flags=""
> >
> > The problem is that, when I boot, ipf does not work. It seems like is
> > not using the rules.
>
> Don't change ipfilter_program if you don't have a *very* good reason
> for doing so:
>
>     $ grep ipfilter_program /etc/defaults/rc.conf
>     ipfilter_program="/sbin/ipf"    # where the ipfilter program lives
>
> Before you change one of the xxx_program options in rc.conf you should
> make sure that you understand what this change will affect, by looking
> at the /etc/rc* scripts:
>
>     $ grep -l ipfilter_program /etc/rc*
>     rc.network
>     $ grep ipfilter_program /etc/rc.network
>     ${ipfilter_program:-/sbin/ipf} -Fa
>     ${ipfilter_program:-/sbin/ipf} \
>     ${ipfilter_program:-/sbin/ipf} -6 \
>     ${ipfilter_program:-/sbin/ipf} -y ${ipfilter_flags} >/dev/null
>
> By setting ipfilter_program to "/sbin/ipf -Fa -f", that first line of
> rc.network became:
>
>     /sbin/ipf -Fa -f -Fa
>
> which doesn't work. Similarly, the -f option at the end of your
> ipfilter_program value broke all the rest of the ipf commands in
> /etc/rc.network. Delete the ipfilter_program line from your rc.conf
> and the default will work fine.
>
> Here's what I have in my rc.conf for ipfilter and ipmon:
>
>     $ grep '^ip[fm]' /etc/rc.conf
>     ipfilter_enable="YES"
>     ipfilter_rules="/etc/ipf.rules"
>     ipmon_enable="YES"
>     ipmon_flags="-D -s -o I"
>
> - Giorgos

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-questions" in the body of the message
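
Added example, not part of any poster's message: the two rc.network command templates quoted in the message above, expanded in sh with the same rc.conf values, plus a check that flags any xxx_program setting carrying arguments. The function names expand_42, expand_47 and lint_rc_conf and the sample rc.conf text are constructed for illustration.

```sh
#!/bin/sh
# Added example: how each rc.network turns rc.conf values into an ipf command.
# Function names and the sample rc.conf below are constructed for illustration.

# FreeBSD 4.2 template: the flags are part of the *default* program value.
expand_42() {
    ipfilter_program=$1; ipfilter_rules=$2; ipfilter_flags=$3
    # Unquoted on purpose: rc.network relies on word splitting here.
    set -- ${ipfilter_program:-ipf -Fa -f} "${ipfilter_rules}" ${ipfilter_flags}
    printf '%s\n' "$*"
}

# FreeBSD 4.7 template: the program is a bare path, flags are appended after it.
expand_47() {
    ipfilter_program=$1; ipfilter_rules=$2; ipfilter_flags=$3
    set -- ${ipfilter_program:-/sbin/ipf} -Fa -f "${ipfilter_rules}" ${ipfilter_flags}
    printf '%s\n' "$*"
}

# Read rc.conf-style text on stdin; print every xxx_program setting whose
# value contains whitespace, i.e. carries arguments that belong in xxx_flags.
lint_rc_conf() {
    sed -n 's/^\([A-Za-z0-9_]*_program\)="\([^"]*[[:space:]][^"]*\)".*/\1: \2/p'
}

old='/sbin/ipf -Fa -f'            # value carried over from the 4.2 rc.conf
echo "4.2, old value : $(expand_42 "$old" /etc/ipf.rules '')"
echo "4.7, old value : $(expand_47 "$old" /etc/ipf.rules '')"
echo "4.7, default   : $(expand_47 '' /etc/ipf.rules '')"

# Constructed rc.conf fragment matching the settings from the thread.
lint_rc_conf <<'EOF'
ipfilter_enable="YES"
ipfilter_program="/sbin/ipf -Fa -f"
ipfilter_rules="/etc/ipf.rules"
ipfilter_flags=""
EOF
```
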
Re: Problems with in the ipf setup in an FreeBSD 4.7 router
On 2003-02-21 20:08, Jim Xochellis <[EMAIL PROTECTED]> wrote:
> I have a FreeBSD 4.7(i386) Release router I am trying to make it run
> with the ipf firewall on.
>
> I have compiled and installed a new kernel with ipf support and then I
> put the following lines inside my rc.conf file:
>
> ipfilter_enable="YES"
> ipfilter_program="/sbin/ipf -Fa -f"
> ipfilter_rules="/etc/ipf.rules"
> ipfilter_flags=""
>
> The problem is that, when I boot, ipf does not work. It seems like is
> not using the rules.

Don't change ipfilter_program if you don't have a *very* good reason
for doing so:

    $ grep ipfilter_program /etc/defaults/rc.conf
    ipfilter_program="/sbin/ipf"    # where the ipfilter program lives

Before you change one of the xxx_program options in rc.conf you should
make sure that you understand what this change will affect, by looking
at the /etc/rc* scripts:

    $ grep -l ipfilter_program /etc/rc*
    rc.network
    $ grep ipfilter_program /etc/rc.network
    ${ipfilter_program:-/sbin/ipf} -Fa
    ${ipfilter_program:-/sbin/ipf} \
    ${ipfilter_program:-/sbin/ipf} -6 \
    ${ipfilter_program:-/sbin/ipf} -y ${ipfilter_flags} >/dev/null

By setting ipfilter_program to "/sbin/ipf -Fa -f", that first line of
rc.network became:

    /sbin/ipf -Fa -f -Fa

which doesn't work. Similarly, the -f option at the end of your
ipfilter_program value broke all the rest of the ipf commands in
/etc/rc.network. Delete the ipfilter_program line from your rc.conf
and the default will work fine.

Here's what I have in my rc.conf for ipfilter and ipmon:

    $ grep '^ip[fm]' /etc/rc.conf
    ipfilter_enable="YES"
    ipfilter_rules="/etc/ipf.rules"
    ipmon_enable="YES"
    ipmon_flags="-D -s -o I"

- Giorgos
Re: Problems with in the ipf setup in an FreeBSD 4.7 router
Hi list,

Many thanks to all the people that have replied. Thanks to them my
problem has been solved!

Thank you very much,

Jim Xochellis
Escape Information Services
Re: Problems with in the ipf setup in an FreeBSD 4.7 router
# [EMAIL PROTECTED] / 2003-02-21 20:08:17 +0200:
> I have compiled and installed a new kernel with ipf support and then I
> put the following lines inside my rc.conf file:
>
> ipfilter_enable="YES"
> ipfilter_program="/sbin/ipf -Fa -f"
> ipfilter_rules="/etc/ipf.rules"
> ipfilter_flags=""

remove the three lines above, leaving only ipfilter_enable="YES" in
rc.conf.

> The problem is that, when I boot, ipf does not work. It seems like is
> not using the rules.
>
> If I enter "ipf -Fa -f /etc/ipf.rules" from the command line, then it
> starts working as expected.

if you look at /etc/rc.network you'll see why:

    ${ipfilter_program:-/sbin/ipf} -Fa -f \
        "${ipfilter_rules}" ${ipfilter_flags}

your settings make it:

    /sbin/ipf -Fa -f -Fa -f /etc/ipf.rules

--
If you cc me or remove the list(s) completely I'll most likely
ignore your message. see http://www.eyrie.org./~eagle/faqs/questions.html
Re: Problems with in the ipf setup in an FreeBSD 4.7 router
On Friday, 21 February 2003 at 20:08:17 +0200, Jim Xochellis wrote:
> Hi List,
>
> I have a FreeBSD 4.7(i386) Release router I am trying to make it run
> with the ipf firewall on.
>
> I have compiled and installed a new kernel with ipf support and then I
> put the following lines inside my rc.conf file:
>
> ...
> ipfilter_enable="YES"
> ipfilter_program="/sbin/ipf -Fa -f"

Try removing the above line

> ipfilter_rules="/etc/ipf.rules"
> ipfilter_flags=""
> ...
>
> The problem is that, when I boot, ipf does not work. It seems like is
> not using the rules.
>
> If I enter "ipf -Fa -f /etc/ipf.rules" from the command line, then it
> starts working as expected.
>
> What do I have to do to make ipf start automatically on boot? Any tips
> or pointers to manuals will be greatly appreciated.
>
> TIA,
>
> Jim Xochellis
> Escape Information Services
>
>
> P.S. Note that I am running with security level set to 2. (I also tried
> running with security level set to 1 and -1 without any luck.)
Problems with in the ipf setup in an FreeBSD 4.7 router
Hi List,

I have a FreeBSD 4.7(i386) Release router I am trying to make it run
with the ipf firewall on.

I have compiled and installed a new kernel with ipf support and then I
put the following lines inside my rc.conf file:

    ...
    ipfilter_enable="YES"
    ipfilter_program="/sbin/ipf -Fa -f"
    ipfilter_rules="/etc/ipf.rules"
    ipfilter_flags=""
    ...

The problem is that, when I boot, ipf does not work. It seems like is
not using the rules.

If I enter "ipf -Fa -f /etc/ipf.rules" from the command line, then it
starts working as expected.

What do I have to do to make ipf start automatically on boot? Any tips
or pointers to manuals will be greatly appreciated.

TIA,

Jim Xochellis
Escape Information Services

P.S. Note that I am running with security level set to 2. (I also tried
running with security level set to 1 and -1 without any luck.)