ipfilter on 6.1

Giorgos Keramidas keramida at ceid.upatras.gr
Sun Aug 27 01:00:00 UTC 2006


On 2006-08-26 19:46, "J.D. Bronson" <jbronson at wixb.com> wrote:
> Ok guys...now that I have ipfilter working...I need to run a few
> commands in /etc/ppp/ppp.linkup and can't figure out the syntax...
>
> % cat /etc/ppp/ppp.linkup
>
> # It is no longer necessary to re-add the default route here as our
> MYADDR:
>
> ! sh -c "/sbin/ipnat -CF -f /etc/ipnat.conf"
> ! sh -c "/sbin/ipf -F -f /etc/ipf.conf"
> ! sh -c "/sbin/ipf -Fa -f /etc/ipf.conf"
> ! sh -c "/sbin/ipf -y"

Watch out for that empty line, if it is *REALLY* part of your
`ppp.linkup' script.  Empty lines are section delimiters in ppp(8)
config files.

There is also no reason to run ipf _twice_!

Please also note that I don't use "sh -c" to signal ntpd to start/stop
from my ppp.linkup script and it all works fine:

    root at gothmog:/root# cat -n /etc/ppp/ppp.linkup
         1  MYADDR:
         2   ! /etc/rc.d/ntpd start
    root at gothmog:/root#

Maybe the whole sh -c and quoting stuff you are using is not really
passed down to sh(1) but is parsed by ppp(8) when `ppp.linkup' is read?

I am also not sure if it is a good idea to run ``ipnat -CF'' or
``ipf -Fa''.  What about states of existing connections?  If you
momentarily lose the PPP connection, but it then comes up pretty fast,
you are effectively dropping all previous connection information here,
even though it may still be valid and useful.

I'd go for the simpler syntax of:

    MYADDR:
     ! /sbin/ipf -y
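An added check, not code from the thread: a small shell function that lints a ppp.linkup file for the pitfalls raised above (a blank line closing the label section, "!" lines left outside any section, "sh -c" wrappers, ipnat -F / ipf -Fa flushes on every link-up, and ipf run more than once). It assumes the ppp(8) rules stated above: a "label:" line opens a section, a blank line ends it, and "!" lines run a command.

```sh
#!/bin/sh
# lint_ppp_linkup FILE: print one line per finding and return the number of
# findings (0 = clean). Constructed example for the thread above; the ppp(8)
# section rules it assumes: "label:" opens a section, a blank line ends it.
lint_ppp_linkup() {
    awk '
    function warn(msg) { print FILENAME ":" NR ": " msg; n++ }
    BEGIN { n = 0; inlabel = 0; ipf = 0; label = "" }
    /^[ \t]*$/ {
        # blank line: ppp(8) treats it as the end of the current section
        if (inlabel) warn("blank line ends section \"" label "\"; lines below it are not part of it")
        inlabel = 0; ipf = 0; next
    }
    /^[ \t]*#/ { next }                                   # comment line
    /^[A-Za-z0-9_.-]+:[ \t]*$/ {                          # "label:" opens a section
        label = $1; sub(/:$/, "", label); inlabel = 1; ipf = 0; next
    }
    /^[ \t]*!/ {                                          # "! command" line
        if (!inlabel) warn("\"!\" command outside any label section; ppp(8) will not run it")
        if ($0 ~ /sh -c/) warn("sh -c wrapper: ppp(8) tokenises this line and its quotes itself; use the bare command")
        if ($0 ~ /ipnat[ \t].*-[A-Z]*F/) warn("ipnat -F drops active NAT translations; a short link flap breaks translated sessions")
        if ($0 ~ /\/ipf[ \t]|^[ \t]*! *ipf[ \t]/) {
            ipf++
            if (ipf > 1) warn("ipf run more than once in a row; one invocation is enough")
            if ($0 ~ /-F[a-z]*a/) warn("ipf -Fa reloads every rule on each link-up; a single \"ipf -y\" is enough if rules load at boot")
        }
    }
    END { exit n }
    ' "$1"
}
```

Run it as `lint_ppp_linkup /etc/ppp/ppp.linkup`; a non-zero exit status means something was flagged.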
