Looking for ipfw info.

Tony Frank tfrank at optushome.com.au
Sat Mar 20 16:50:25 PST 2004


Hi there,

On Thu, Feb 26, 2004 at 01:13:08PM -0500, Shaun T. Erickson wrote:
> Thanks for the resources.
> 
> A couple of questions (because I'm new to FreeBSD):
> 
> The ipfw man page in 5.2.1-RELEASE says that ipfw in CURRENT is ipfw2 
> and that ipfw in STABLE is ipfw1. I still don't understand the 
> relationship between RELEASE and the other two, so I am not sure which 
> ipfw I have in 5.2.1-RELEASE.

If you are using ipfw on 5.2.1 you have ipfw2.

Brief summary:

-STABLE is at the moment based on FreeBSD 4.
-CURRENT is based on FreeBSD 5.

A -RELEASE is a snapshot of the state of the code at a particular point in
time.  5.2.1-RELEASE is based on FreeBSD 5.

Perhaps this page can help explain:
http://www.freebsd.org/releng/index.html 

There's also more detail on the various tags at:

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/cvs-tags.html

To get ipfw2 on 4.9 you need to recompile with the ipfw2 option in the 
kernel config - the ipfw man page has a section on this aspect.

On a version note, while I personally have not experienced any problems 
running 5.2.1 it is a bit more bleeding edge than 4.9 for example.
4.9 is recommended if you want maximum stability for the moment.

> I have read the following 5 excellent articles on ipfw, by Dru Lavigne. 
> Even though they were written in 2001, and thus pre-date ipfw2, I found 
> them to be a great crash course in ipfw, and the ipfw manpage in 
> 5.2.1-RELEASE just adds to it.
> 
> In Dru's first article, she(?) discusses how the kernel must be modified 
> to support a firewall. She looks into /usr/src/sys/i386/conf/LINT to 
> find the relevant information that needs to be added to my kernel conf 
> file. I cannot find a LINT file on my 5.2.1-RELEASE system. Where can I 
> find complete information on what I need to do to my kernel?

4.9 and older used LINT to list all options for kernel config, 5 and 
onwards use a file called NOTES.

There's one of these under /usr/src/sys/conf (for machine independent bits)
and another under /usr/src/sys/i386/conf for i386 related (also other arch 
have their own).

Refer to the following pages for more info:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/faq/kernelconfig.html
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig.html

/etc/rc.firewall is the best place to start for some sample rules and the 
ipfw man page is really quite good.

With 5.2.1 you should not need to recompile a kernel to use ipfw or any of
the other supported firewalls (ipfilter and pf).
Which firewall you choose to go with is your choice.

If you intend to use an ipfw divert rule and natd you will probably need to
compile a new kernel with the divert option added to the kernel config,
ie:

options 	IPDIVERT

If you have firewall_enable="YES" in your /etc/rc.conf the kld should be
loaded at boot time and the config will be pulled in from /etc/rc.firewall
so you can start with firewall_type="SIMPLE" or whatever to get you going.

Basically start with the man pages; they cover just about everything.
There is also the faq:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/faq/networking.html

For natd specifically:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-natd.html

There is a lot of good information on the FreeBSD website so start there.
For ipfw specifically you can also search or browse the freebsd-ipfw mailing
list.
For other firewalls you can find specific lists or try freebsd-net for 
some questions.
In general, search the archives first to see if your question isn't already
answered.

http://www.freebsd.org/search/search.html#mailinglists

Hope it helps,

Tony
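A custom ruleset of the kind the reply points at (divert to natd, stateful rules, default deny), added here as an example; it is not part of Tony's reply nor FreeBSD's own /etc/rc.firewall. The interface names fxp0/fxp1, the 192.168.1.0/24 inside network and the /etc/ipfw.sh path are assumptions, and the rc.conf lines in the header are what such a script would be paired with.

```shell
#!/bin/sh
# Added example, not from the original post: a small stateful ipfw2 ruleset
# for a FreeBSD 5.x box doing NAT with natd through divert rules.
# Assumptions: options IPDIVERT is in the kernel, and /etc/rc.conf has
#   gateway_enable="YES" natd_enable="YES" natd_interface="fxp0"
#   firewall_enable="YES" firewall_script="/etc/ipfw.sh"   (this file)
# Interface names and the inside network below are assumed; adjust them.
oif="fxp0"             # outside interface, the one natd runs on (assumed)
iif="fxp1"             # inside interface (assumed)
inet="192.168.1.0/24"  # inside network behind the NAT (assumed)
IPFW="${IPFW:-/sbin/ipfw -q}"

r() { printf '%s\n' "$*"; }

# Emit the rules one per line so they can be reviewed before being applied.
print_rules() {
    r flush
    r add 100 allow ip from any to any via lo0
    r add 200 deny ip from any to 127.0.0.0/8
    r add 300 deny ip from 127.0.0.0/8 to any
    # inside interface is trusted; inside addresses must never arrive from outside
    r add 400 allow ip from any to any via "$iif"
    r add 410 deny log ip from "$inet" to any in via "$oif"
    # inbound on the outside interface: un-NAT first, then look for state.
    # A check-state hit runs the action of the rule that created the state,
    # i.e. skipto 800, which is why the NAT section sits at the end.
    r add 500 divert natd ip from any to any in via "$oif"
    r add 510 check-state
    # new outbound flows: record state on the private addresses, then jump to NAT
    r add 600 skipto 800 tcp from "$inet" to any out via "$oif" setup keep-state
    r add 610 skipto 800 udp from "$inet" to any out via "$oif" keep-state
    r add 620 skipto 800 icmp from "$inet" to any out via "$oif" icmptypes 8 keep-state
    r add 630 skipto 800 ip from me to any out via "$oif" keep-state
    # anything that did not match above is dropped and logged
    r add 700 deny log ip from any to any
    # NAT section, reached only through skipto: translate outbound, then pass
    r add 800 divert natd ip from any to any out via "$oif"
    r add 810 allow ip from any to any
}

# Feed each rule to ipfw; word splitting of $line is intended.
apply_rules() {
    print_rules | while read -r line; do
        $IPFW $line || return 1
    done
}

case "${1:-print}" in
    apply) apply_rules ;;
    *)     print_rules ;;
esac
```

Run it with no argument to review the generated rules, and with `apply` (as root, with natd already running) to load them.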

