5-Stable (5.4) any ipnat changes?

Billy Newsom smartweb at leadhill.net
Wed May 25 14:53:54 PDT 2005


Is there some reason why ipnat wouldn't automatically start up?

I just upgraded from a 5-stable in February to a 5-stable in May, so I 
could essentially get 5.4 on this firewall machine.  I simultaneously 
was upgrading some ports, etc., but nothing too severe.  When I rebooted 
the machine, everything looked fine.  No problems whatsoever.  This was 
the first time that I compiled multiple kernels (normally I just compile 
a custom and not the generic), but that is not related.

What happened is that I had a strange problem receiving mail on the mail 
server.  It took me quite a while to finally track down the problem.  I 
ended up running a packet sniffer and still couldn't figure it out. 
Well, it turned out that the filters in ipnat weren't installed, and so 
all of the NAT routing wasn't happening as normal.

I have really never seen this server boot without NAT -- it's basically 
the same setup I've used for years and it never dawned on me what would 
happen if ipnat failed to run its filters.  Meanwhile, IPFilter was busy 
running the firewall like normal.

I have looked at the logs in detail and I can't find anything that would 
have turned off ipnat or caused it not to run its filter.  Nor, on the 
other hand, do I see where ipnat logs anything, anyway.

Where would I look to track this down?  Is it possible that something in 
stable messed this up?


# ls -l /etc/ipnat.rules
-rw-r--r--  1 root  wheel  437 Mar 14 14:18 /etc/ipnat.rules

Notice no changes since March in that file.

# cat /etc/rc.conf | grep ip
ipfilter_enable="YES"           # Set to YES to enable ipfilter functionality
ipfilter_program="/sbin/ipf"    # where the ipfilter program lives
ipfilter_rules="/etc/ipf.rules" # rules definition file for ipfilter, see
                                # /usr/src/contrib/ipfilter/rules for examples
ipfilter_flags=""               # additional flags for ipfilter
ipnat_enable="YES"              # Set to YES to enable ipnat functionality
ipnat_program="/sbin/ipnat"     # where the ipnat program lives
ipnat_rules="/etc/ipnat.rules"  # rules definition file for ipnat
ipnat_flags=""                  # additional flags for ipnat
ipmon_enable="YES"              # Set to YES for ipmon; needs ipfilter or ipnat
ipmon_program="/sbin/ipmon"     # where the ipfilter monitor program lives
ipmon_flags="-Ds"               # typically "-Ds" or "-D /var/log/ipflog"
ipfs_enable="YES"               # Set to YES to enable saving and restoring
ipfs_program="/sbin/ipfs"       # where the ipfs program lives
ipfs_flags=""                   # additional flags for ipfs

Thanks.
Billy
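
Added example, not part of the original post: a shell check for the state described above, where ipfilter is running but no NAT rules are loaded. It compares the rule count in an ipnat.rules-style file with the rules section of `ipnat -l` output; the sample rules, interface name, addresses and the assumed `ipnat -l` layout are constructed for illustration.

```sh
#!/bin/sh
# Assumed `ipnat -l` layout: rules under "List of active MAP/Redirect filters:".

# Count rule lines in ipnat.rules-style text on stdin (skips blanks, # comments).
count_configured_rules() {
    awk '{ sub(/#.*/, "") } NF { n++ } END { print n + 0 }'
}

# Count rules in the filter section of `ipnat -l` output on stdin.
count_active_rules() {
    awk '
        /^List of active MAP\/Redirect filters:/ { in_rules = 1; next }
        /^List of active sessions:/ { in_rules = 0 }
        in_rules && /^(map|rdr|bimap|map-block)[ \t]/ { n++ }
        END { print n + 0 }'
}

# nat_status CONFIGURED ACTIVE -> prints OK, PARTIAL or MISSING
nat_status() {
    if [ "$1" -gt 0 ] && [ "$2" -eq 0 ]; then echo MISSING
    elif [ "$2" -lt "$1" ]; then echo PARTIAL
    else echo OK
    fi
}

# Constructed sample rules file (interface and addresses are placeholders).
SAMPLE_RULES='# constructed sample
map fxp0 10.0.0.0/24 -> 0/32 portmap tcp/udp auto
map fxp0 10.0.0.0/24 -> 0/32

rdr fxp0 0.0.0.0/0 port 25 -> 10.0.0.10 port 25 tcp  # inbound mail'

# Constructed `ipnat -l` output for the state in the post: no rules loaded.
SAMPLE_AFTER_BOOT='List of active MAP/Redirect filters:

List of active sessions:'

# Constructed `ipnat -l` output with the three rules loaded and one session.
SAMPLE_LOADED='List of active MAP/Redirect filters:
map fxp0 10.0.0.0/24 -> 0.0.0.0/32 portmap tcp/udp auto
map fxp0 10.0.0.0/24 -> 0.0.0.0/32
rdr fxp0 0.0.0.0/0 port 25 -> 10.0.0.10 port 25 tcp

List of active sessions:
MAP 10.0.0.5 1025 <- -> 192.0.2.1 1025 [198.51.100.7 80]'

configured=$(printf '%s\n' "$SAMPLE_RULES" | count_configured_rules)
active=$(printf '%s\n' "$SAMPLE_AFTER_BOOT" | count_active_rules)
echo "configured=$configured active=$active status=$(nat_status "$configured" "$active")"
```

On the firewall itself, feed the functions from /etc/ipnat.rules and from the output of `ipnat -l` instead of the samples; a MISSING result after boot is the condition that went unnoticed here.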

