natd -redirect_port

Christian Hiris 4711 at chello.at
Mon May 17 08:11:21 PDT 2004


On Monday 17 May 2004 15:12, JJB wrote:
> Now wouldn't it just be better all the way around to create the IPFW
> loadable module that is distributed with the system, with the
> correct divert and logging options so it's not a mandatory
> requirement to compile the kernel.


It would be fine to have an ipdivert.ko that could be loaded on demand of
ipfw.ko or via /etc/rc.d/natd. I think the main reason why we have no
ipdivert.ko around is that the ipdivert code touches several kernel sources.
As I understand it, the divert proto is not just a piece of code that could
simply be plugged in and out (for now).

I have no problem with logging disabled by default, as enabling needs only one
line in rc.conf.

ps: please don't top-post and use some indentation character for quoting of old
message text. This makes reading much easier.


> Why make this so difficult for
> the normal user? Simpler and easier is always better than more
> complicated. Look at it this way, a firewall without logging is
> useless, and the majority of people who use IPFW have a LAN behind
> their IPFW firewall, so the sensible thing to do is distribute the
> IPFW loadable module configured in a manner to address the needs of
> the largest user group. As it's distributed now the loadable module
> is almost completely useless so why even have one?
>
> My personal opinion is the IPFW loadable module is not configured
> correctly and needs to be corrected.
>
> -----Original Message-----
> From: Christian Hiris [mailto:4711 at chello.at]
> Sent: Monday, May 17, 2004 8:32 AM
> To: freebsd-questions at freebsd.org; Barbish3 at adelphia.net
> Cc: Micheal Patterson; Anthony Philipp
> Subject: Re: natd -redirect_port
>
> On Saturday 15 May 2004 18:56, JJB wrote:
> > You are wrong also. The boot time message that displays about the
> > ipfw module being loaded is incorrect. I filed a PR on that in 5.1
> > and was told by developers that message is misleading, that the
> > module is fully enabled with nat and logging, so I tested and indeed
> > nat and logging are really in the loadable module. It's my
> > understanding the boot time message that displays about the ipfw
> > module being loaded that says everything is disabled will be
> > corrected in 5.3. What is in the 5.2.1 ipfw module I do not know.
> > My advice is to test the ipfw module before adding ipfw option
> > statements to the kernel. That's why the 5.x versions are development
> > versions, things change all the time until they get corrected before
> > becoming stable releases. This is all new because ipfw2 replaced
> > ipfw at the 5.1 version I believe. Just think about it, why have a
> > loadable module if all the options are turned off, it makes the
> > module useless. Ipfilter's loadable module is full function with
> > nat and logging, why should the ipfw module be any different? It's
> > just that stupid message that has been misleading users all this
> > time just like it did to me. If nat and logging are missing from the
> > ipfw loadable module in 5.2.1 then submit another PR to remind them
> > it needs to be corrected. Nat and logging are the most used options
> > of ipfw, it's just plain stupid not to have them included in the
> > standard module.
>
> If a user wants ipfw to issue the correct initial divert message, it's still
> required to compile ipfw into the kernel. This means 'option IPFIREWALL' is
> required as stated in the natd manual.
>
> Actually on 5.2-current the ipfw module doesn't know if the kernel has been
> compiled with the ipdivert proto. This causes the wrong 'divert disabled'
> initial message.
>
> I will file a PR on the wrong initial divert message issue tomorrow. If the
> ipdivert proto capability could be retrieved via the divcb sysctl or any
> other mechanism, it might become possible that the ipfw kld could issue the
> correct divert message.
> Disabling the divert message in case ipfw has been compiled as a kld
> could be a simpler solution.
>

-- 
Christian Hiris <4711 at chello.at> | OpenPGP KeyID 0x941B6B0B 
OpenPGP-Key at hkp://wwwkeys.eu.pgp.net and http://pgp.mit.edu
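The thread keeps coming back to two rc.conf matters: turning on ipfw logging takes a single line, and natd only works if ipfw with the divert protocol is actually present, which loading ipfw.ko alone does not guarantee. The following is an added example, not code from this thread or from FreeBSD's own rc scripts. It writes out the rc.conf lines under discussion (the interface name, the LAN address and the ports in `natd_flags` are constructed placeholders) and adds a small portable check that flags the two inconsistent combinations: `natd_enable` without `firewall_enable`, and ipfw enabled without `firewall_logging`. The `rc_value` and `check_rc_conf` helper names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeBSD's rc.d scripts).
# Constructed rc.conf fragment: interface, address and ports are placeholders.
RC_CONF_EXAMPLE='
firewall_enable="YES"
firewall_type="open"
firewall_logging="YES"   # the single line that enables ipfw logging (net.inet.ip.fw.verbose=1)
natd_enable="YES"
natd_interface="fxp0"
natd_flags="-redirect_port tcp 192.168.1.10:80 80"
'

# rc_value TEXT KEY: print the value assigned to KEY in sh-style rc.conf text.
# The last assignment wins, quotes are stripped, trailing comments are ignored.
rc_value() {
    printf '%s\n' "$1" \
        | sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"#]*\)\"\{0,1\}.*/\1/p" \
        | tail -n 1
}

# check_rc_conf TEXT: return 0 if the ipfw/natd settings are consistent,
# 1 (with a message on stderr) for the combinations the thread warns about.
check_rc_conf() {
    fw=$(rc_value "$1" firewall_enable)
    log=$(rc_value "$1" firewall_logging)
    nat=$(rc_value "$1" natd_enable)
    status=0
    if [ "$nat" = "YES" ] && [ "$fw" != "YES" ]; then
        echo "natd_enable=YES without firewall_enable=YES: natd needs ipfw with divert (see natd(8))" >&2
        status=1
    fi
    if [ "$fw" = "YES" ] && [ "$log" != "YES" ]; then
        echo "ipfw enabled without firewall_logging=YES: matched rules will not be logged" >&2
        status=1
    fi
    return $status
}

# Usage: validate the constructed fragment above.
check_rc_conf "$RC_CONF_EXAMPLE" && echo "rc.conf fragment is consistent"
```

The check is deliberately text-only so it runs on any POSIX shell; on the FreeBSD box itself you would still confirm at runtime that the module is loaded (`kldstat -m ipfw`) and that `net.inet.ip.fw.verbose` is 1, since, as the thread notes, the rc.conf setting cannot tell you whether the running kernel actually has the divert protocol.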


More information about the freebsd-ipfw mailing list