verrevpath -- ipfw: unknown argument ``not''

Matthew Seaman m.seaman at infracaninophile.co.uk
Mon Nov 28 10:03:54 GMT 2005


Mark Edwards wrote:
> On Nov 26, 2005, at 7:18 AM, Lowell Gilbert wrote:
> 
>> Mark Edwards <mark at antsclimbtree.com> writes:
>>
>>> I am trying to implement the verrevpath suggestion in the ipfw man
>>> page, as follows:
>>>
>>>>      The verrevpath option could be used to do automated anti-spoofing by
>>>>      adding the following to the top of a ruleset:
>>>>
>>>>            ipfw add deny ip from any to any not verrevpath in
>>>
>>>
>>> However, when I try to add the rule, I get an error:
>>>
>>>> lilbuddy:~ paimin$ ipfw add deny ip from any to any not  verrevpath in
>>>> ipfw: unknown argument ``not''
>>>
>>>
>>> Can someone tell what is causing this syntax to fail?  Thanks!
>>
>>
>> Works fine for me right now on -STABLE (RELENG_6).
>> You didn't mention what you were running, so there's not much else we
>> can tell you.
> 
> 
> Sorry, I am running 4.11, and nothing weird that I know of that would
> affect ipfw operation.
> 
> I found a posting via google from someone with the same question, and
> then he replied to himself that reading the man page had given him the
> answer, but he didn't say what that answer was.  Tried to email him,
> but it bounced because my mail gateway doesn't have an SPF record so
> his server rejected my mail (even though my server DOES have an SPF
> record -- ugh).

IPFW can be compiled with a bunch of extra goodies under FreeBSD 4.x
-- as I remember, this includes the syntactic bits like 'not' and
probably the reverse path stuff too.  To do this you need:

    IPFW2=true

in /etc/make.conf and 

    options         IPFW2

in your kernel config.  Then do the whole {build,install}{kernel,world}
thing to enable that.

Under 4.x this effectively upgrades you to the same version of IPFW which
is standard in 5.x or above.  The upgrade was not made the default in 4.x
because it isn't entirely backwards compatible, and for POLA reasons, the
FreeBSD project forbids changing kernel ABIs and so breaking systems on a
routine update within the same major version number. 

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       7 Priory Courtyard
                                                      Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey         Ramsgate
                                                      Kent, CT11 9PW
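
As an added example (not part of the original message and not FreeBSD's own code), a small shell check that both settings named in the reply are present and not commented out before starting the rebuild. The function names, return codes and sample file contents are made up for illustration.

```shell
#!/bin/sh
# Added example: pre-rebuild check for the two IPFW2 settings named above.
# Function names and return codes are hypothetical, chosen for this example.

# has_setting FILE REGEX: true if an uncommented line in FILE matches REGEX.
has_setting() {
    [ -r "$1" ] || return 1
    # Drop '#' comments first so a commented-out setting does not count.
    sed 's/#.*$//' "$1" | grep -Eq "$2"
}

# check_ipfw2 MAKE_CONF KERNEL_CONFIG
# Returns 0 if both settings are present, 1 if make.conf lacks IPFW2=true,
# 2 if the kernel config lacks "options IPFW2", 3 if both are missing.
check_ipfw2() {
    rc=0
    has_setting "$1" \
        '^[[:space:]]*IPFW2[[:space:]]*=[[:space:]]*[Tt][Rr][Uu][Ee][[:space:]]*$' \
        || rc=$((rc + 1))
    has_setting "$2" \
        '^[[:space:]]*options[[:space:]]+IPFW2[[:space:]]*$' \
        || rc=$((rc + 2))
    return "$rc"
}

# Constructed sample files (not from the original post): make.conf has the
# setting commented out, the kernel config has it enabled.
demo_dir=$(mktemp -d)
printf '#IPFW2=true\nCPUTYPE=i686\n' > "$demo_dir/make.conf"
printf 'options\t\tIPFIREWALL\noptions\t\tIPFW2\n' > "$demo_dir/MYKERNEL"
check_ipfw2 "$demo_dir/make.conf" "$demo_dir/MYKERNEL" && demo_rc=0 || demo_rc=$?
echo "check_ipfw2 returned $demo_rc"
rm -rf "$demo_dir"
```

On a real system the two arguments would be /etc/make.conf and the kernel config file you build from.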