natd starting after firewall rules are loaded

J. Hellenthal jhell at DataIX.net
Sun Apr 17 06:01:25 UTC 2011


On Sun, Apr 17, 2011 at 03:36:40PM +1000, Ian Smith wrote:
>On Sat, 16 Apr 2011, rondzierwa at comcast.net wrote:
>
> > After the firewall rules are loaded, the rc script then loads natd. 
> > Once the system is up, I can ipfw list and the divert command is, 
> > in fact, not there, but by this time natd is running. If I run the rc.firewall 
> > script interactively, it completes successfully and the divert rule 
> > is in the list, and everyone is happy again. 
>
>There are several outstanding PRs about this and related issues; copying 
>hrs@ who grabbed these PRs a while ago.  The quick fix is to add
>
>ipdivert_load="YES"
>
>to /boot/loader.conf so it's there before ipfw & natd start.  You still 
>need ipfw_enable=YES and natd_enable=YES in /etc/rc.conf
>
> > In 4.9 there used to be a rc.network script that started natd before 
> > it loaded the firewall rules. I do not see it in 8.2 anymore, instead 
> > it looks like rc simply runs the scripts in rc.d alphabetically, so natd 
> > comes after ipfw. 
>
>Not alphabetically but according to rcorder(8).  /etc/rc.d/natd has 
>keyword NOSTART and is now only run when /etc/rc.d/ipfw invokes it, but 
>as you've seen, ipfw's attempt to install divert rule(s) fails for want 
>of ipdivert.ko - which /etc/rc.d/natd does load, but too late.
>
> > I can't believe I'm the only one using ipfw and natd with 8.2, so it 
> > seems to me that I just don't know the secret handshake that will 
> > make it work. 
>
>In 4.x you had to build ipfw into kernel; lots of changes since :)
>
>cheers, Ian

Add the following to change the order of the scripts in which they run.

/etc/rc.d/natd:
# BEFORE: ipfw

/etc/rc.d/ipfw:
# AFTER: natd

And that will change the order in which the scripts execute. Whether
this has any implications on other running daemons you will have to
check, but as far as rcorder(8) goes that will put ipfw executing
just after natd.

rcorder /etc/rc.d/*
[...]
/etc/rc.d/routed
/etc/rc.d/defaultroute
/etc/rc.d/natd
/etc/rc.d/ipfw
/etc/rc.d/netoptions
/etc/rc.d/NETWORKING
[...]
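An added example, not from this thread or from FreeBSD's rcorder source: a small Python model of how rcorder(8) resolves PROVIDE/REQUIRE/BEFORE lines, run over constructed rc.d headers, so the effect of the edit above and of the nostart keyword mentioned earlier in the thread can be checked without touching /etc/rc.d. rcorder(8) only recognizes PROVIDE, REQUIRE, BEFORE and KEYWORD, so the ipfw side of the edit is modelled as REQUIRE; the script names and header contents below are assumptions.

```python
import re
from collections import defaultdict

HEADER = re.compile(r"^#\s*(PROVIDE|REQUIRE|BEFORE|KEYWORD):\s*(.*?)\s*$", re.M)

def parse_headers(text):
    """Collect the rcorder(8) keyword lines from one rc script."""
    h = defaultdict(set)
    for key, vals in HEADER.findall(text):
        h[key].update(vals.split())
    return h

def rcorder(scripts, skip=frozenset()):
    """rcorder(8)-style order: REQUIREd providers first, BEFOREd ones later.
    Scripts with a KEYWORD in `skip` (rc passes -s nostart) still constrain
    the graph but are dropped from the result.  Returns (order, warnings)."""
    hdr = {n: parse_headers(t) for n, t in scripts.items()}
    providers, warnings = defaultdict(set), []
    for n, h in hdr.items():
        for p in h["PROVIDE"]:
            providers[p].add(n)
    prereq = {n: set() for n in hdr}  # script -> scripts that must run earlier
    for n, h in hdr.items():
        for r in h["REQUIRE"]:
            if not providers[r]:  # the condition behind rcorder's warning
                warnings.append(f"requirement `{r}' in file `{n}' has no providers.")
            prereq[n] |= providers[r]
        for b in h["BEFORE"]:
            for p in providers[b]:
                prereq[p].add(n)
    order = []
    while len(order) < len(hdr):  # topological sort; script name breaks ties
        ready = sorted(n for n in hdr if n not in order and prereq[n] <= set(order))
        assert ready, "dependency cycle among rc scripts"
        order.append(ready[0])
    return [n for n in order if not (hdr[n]["KEYWORD"] & skip)], warnings

# Constructed stand-ins for the real /etc/rc.d headers, not copied from FreeBSD.
STOCK = {
    "defaultroute": "# PROVIDE: defaultroute\n",
    "routed": "# PROVIDE: routed\n# REQUIRE: defaultroute\n",
    "ppp": "# PROVIDE: ppp\n",
    "ipfw": "# PROVIDE: ipfw\n# REQUIRE: ppp\n",
    "natd": "# PROVIDE: natd\n# REQUIRE: routed\n# KEYWORD: nostart\n",
    "NETWORKING": "# PROVIDE: NETWORKING\n# REQUIRE: ipfw routed\n",
}
# The thread's edit, with the ipfw side written as REQUIRE since rcorder has
# no AFTER keyword: natd runs BEFORE ipfw, and ipfw REQUIREs natd.
EDITED = dict(STOCK, natd=STOCK["natd"] + "# BEFORE: ipfw\n",
              ipfw="# PROVIDE: ipfw\n# REQUIRE: ppp natd\n")
```

Calling rcorder(EDITED, skip={"nostart"}) shows what /etc/rc sees at boot: natd still pins ipfw behind it in the graph, but is itself left out of the list because of its nostart keyword.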


PS: For those with commit bits...
$ rcorder /etc/rc.d/ipfw
rcorder: requirement `ppp' in file `/etc/rc.d/ipfw' has no providers.
/etc/rc.d/ipfw

Don't know why because,
$ grep -n ppp /etc/rc.d/* | grep PROVIDE
/etc/rc.d/ppp:6:# PROVIDE: ppp

There are a few other scripts in there that generate other similar
errors but this one seems sketchy to me.


-- 

 Regards,
 J. Hellenthal
 WWJD
