5-Stable (5.4) any ipnat changes?

Billy Newsom smartweb at leadhill.net
Thu May 26 13:16:04 PDT 2005

sergei wrote:
> I have the same problem:
> After I cvsuped my system from 5.3 to 5.4, ipfilter (compiled into my
> custom kernel) & ipnat do not start automatically. If I do
> "/etc/rc.d/ipfilter start && /etc/rc.d/ipnat start" manually - all works
> fine... Lines "ipfilner_enable=YES" and "ipnat_enable=YES" are present in
> the /etc/rc.conf.
Okay, I'm going to dig up someone who might be responsible or might be 
able to fix it.  Two strikes while doing the same upgrade...  While I'm 
thinking about it, would you see if it happens on the next reboot?  I 
haven't tried, because my system is a firewall that I need to keep up 
most of the time (I'm behind it right now), but I will definitely see if 
it happens again soon.

I am going to check some cvs checkins in the last three months or so and 
see if I can track down a change.

As for the custom kernel, I wonder if we both need to post the details 
of our custom kernel to this list for others to see?  I wonder if the 
problem is only with certain kernel switches.  I am attaching my kernel 
(with no comments) to this email.  Let me know if it's easier to read 
with the comments in it, because a lot of the generic kernel fluff has 
been removed for the sake of speed.

I removed them with:
cat mykernel | sed -e 's;#.*;;' -e '/^[ ]*$/d' >mykernel.1


> ~>-----Original Message-----
> ~>From: owner-freebsd-stable at freebsd.org 
> ~>[mailto:owner-freebsd-stable at freebsd.org] On Behalf Of Billy Newsom
> ~>Sent: Thursday, May 26, 2005 1:54 AM
> ~>To: freebsd-stable at freebsd.org
> ~>Subject: 5-Stable (5.4) any ipnat changes?
> ~>
> ~>
> ~>Is there some reason why ipnat wouldn't automatically startup?
> ~>
> ~>I just upgraded from a 5-stable in February to a 5-stable in May, so I
> ~>could essentially get 5.4 on this firewall machine.  I simultaneously
> ~>was upgrading some ports, etc., but nothing too severe.  When I rebooted
> ~>the machine, everything looked fine.  No problems whatsoever.  This was
> ~>the first time that I compiled multiple kernels (normally I just compile
> ~>a custom and not the generic), but that is not related.
> ~>
> ~>What happened is that I had a strange problem receiving mail on the mail
> ~>server.  It took me quite a while to finally track down the problem.  I
> ~>ended up running a packet sniffer and still couldn't figure it out.
> ~>Well, it turned out that the filters in ipnat weren't installed, and so
> ~>all of the NAT routing wasn't happening as normal.
> ~>
> ~>I have really never seen this server boot without NAT -- it's basically
> ~>the same setup I've used for years and it never dawned on me what would
> ~>happen if ipnat failed to run its filters.  Meanwhile, IPFilter was busy
> ~>running the firewall like normal.
> ~>
> ~>I have looked at the logs in detail and I can't find anything that would
> ~>have turned off ipnat or caused it not to run its filter.  Nor, on the
> ~>other hand, do I see where ipnat logs anything, anyway.
> ~>
> ~>Where would I look to track this down?  Is it possible that something in
> ~>stable messed this up?
> ~>
> ~>
> ~># ls -l /etc/ipnat.rules
> ~>-rw-r--r--  1 root  wheel  437 Mar 14 14:18 /etc/ipnat.rules
> ~>
> ~>Notice no changes since March in that file.
> ~>
> ~># cat /etc/rc.conf | grep ip
> ~>ipfilter_enable="YES"           # Set to YES to enable ipfilter functionality
> ~>ipfilter_program="/sbin/ipf"    # where the ipfilter program lives
> ~>ipfilter_rules="/etc/ipf.rules" # rules definition file for ipfilter, see
> ~>                                # /usr/src/contrib/ipfilter/rules for examples
> ~>ipfilter_flags=""               # additional flags for ipfilter
> ~>ipnat_enable="YES"              # Set to YES to enable ipnat functionality
> ~>ipnat_program="/sbin/ipnat"     # where the ipnat program lives
> ~>ipnat_rules="/etc/ipnat.rules"  # rules definition file for ipnat
> ~>ipnat_flags=""                  # additional flags for ipnat
> ~>ipmon_enable="YES"              # Set to YES for ipmon; needs ipfilter or ipnat
> ~>ipmon_program="/sbin/ipmon"     # where the ipfilter monitor program lives
> ~>ipmon_flags="-Ds"               # typically "-Ds" or "-D /var/log/ipflog"
> ~>ipfs_enable="YES"               # Set to YES to enable saving and restoring
> ~>ipfs_program="/sbin/ipfs"       # where the ipfs program lives
> ~>ipfs_flags=""                   # additional flags for ipfs
> ~>
> ~>Thanks.
> ~>Billy
-------------- next part --------------
machine		i386
cpu		I686_CPU
ident		BILLYSMP3
hints		"GENERIC.hints"		
options		SMP
options         MSGMNB=8192     
options         MSGSSZ=64       
options         MSGTQL=2048     
options		MAXCONS=6	
options		IPFILTER
options 	SCHED_4BSD		
options 	INET			
options 	FFS			
options 	SOFTUPDATES		
options 	UFS_ACL			
options 	UFS_DIRHASH		
options 	NFSCLIENT		
options 	NFSSERVER		
options 	PROCFS			
options 	PSEUDOFS		
options 	GEOM_GPT		
options 	COMPAT_43		
options 	COMPAT_FREEBSD4		
options 	SCSI_DELAY=4000		
options 	KTRACE			
options 	SYSVSHM			
options 	SYSVMSG			
options 	SYSVSEM			
device		apic		
device		isa
device		pci
device		fdc
device		ata
device		atadisk		
device		atapicd		
options 	ATA_STATIC_ID	
device		ahc		
device		sym		
device		aha		
device		aic		
device		scbus		
device		ch		
device		da		
device		sa		
device		cd		
device		pass		
device		ses		
device		atkbdc		
device		atkbd		
device		psm		
device		vga		
device		sc
device		npx
device		apm
device		sio		
device		ppc
device		ppbus		
device		lpt		
device		ppi		
device		miibus		
device		fxp		
device		nge		
device		pcn		
device		re		
device		rl		
device		ste		
device		tx		
device		wb		
device		ed		
device		ep		
device		lnc		
device		loop		
device		mem		
device		io		
device		random		
device		ether		
device		tun		
device		pty		
device		gif		
device		bpf		
device		uhci		
device		ohci		
device		usb		
device		ugen		
device		uhid		
device		ukbd		
device		ulpt		
device		umass		
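
The thread describes a firewall that came up with `ipnat_enable="YES"` in rc.conf but no NAT rules loaded, and nothing in the logs to show it. The following check is an added example, not part of the original message or of FreeBSD's rc scripts: it compares the rc.conf setting and the rules file against `ipnat -l` output. The function names are hypothetical, and it assumes one rule per line in both the rules file and the listing.

```shell
#!/bin/sh
# Added example (not from the original message): flag a firewall that booted
# with ipnat_enable=YES in rc.conf but no NAT rules loaded in the kernel.
# Assumes one rule per line in the rules file and in `ipnat -l` output.

# rc_enabled KNOB FILE: succeed if the last assignment of KNOB in FILE is YES.
rc_enabled() {
    val=$(sed -n "s/^[[:space:]]*$1=\"\{0,1\}\([A-Za-z]*\)\"\{0,1\}.*/\1/p" "$2" | tail -n 1)
    case "$val" in [Yy][Ee][Ss]) return 0 ;; *) return 1 ;; esac
}

# count_rules FILE: rules left after stripping comments and blank lines.
count_rules() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" | wc -l | tr -d ' '
}

# count_active: read `ipnat -l` output on stdin and count the lines in the
# "active MAP/Redirect filters" section (it ends at the sessions header).
count_active() {
    awk '/^List of active MAP\/Redirect filters:/ { on = 1; next }
         /^List of active sessions:/             { on = 0 }
         on && NF                                { n++ }
         END                                     { print n + 0 }'
}

# check_nat RCCONF RULES: `ipnat -l` output on stdin; returns 1 on mismatch.
check_nat() {
    rc_enabled ipnat_enable "$1" || { echo "ipnat not enabled in $1"; return 0; }
    want=$(count_rules "$2")
    have=$(count_active)
    if [ "$have" -lt "$want" ]; then
        echo "ALERT: ipnat_enable=YES but only $have of $want NAT rules are loaded"
        return 1
    fi
    echo "OK: $have NAT rules loaded"
}

# demo: constructed input modelled on the state described in the thread.
demo() {
    tmp=$(mktemp -d)
    printf 'ipnat_enable="YES"  # Set to YES to enable ipnat\n' > "$tmp/rc.conf"
    printf '# constructed rule\nmap fxp0 192.168.0.0/24 -> 0/32\n' > "$tmp/rules"
    printf 'List of active MAP/Redirect filters:\n\nList of active sessions:\n' |
        check_nat "$tmp/rc.conf" "$tmp/rules"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# On a live system: ipnat -l | check_nat /etc/rc.conf /etc/ipnat.rules
```

Run from cron or a monitoring agent, a non-zero exit gives the alert that was missing here, where the firewall kept filtering while NAT was silently absent.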
