/etc/rc.d/ipfw can't deal with firewall_type?

Ian Smith smithi at nimnet.asn.au
Wed May 4 06:46:27 UTC 2011


On Wed, 4 May 2011, KIRIYAMA Kazuhiko wrote:
 > At Wed, 4 May 2011 03:47:02 +1000 (EST),
 > Ian Smith wrote:
 > > 
 > > On Wed, 4 May 2011, KIRIYAMA Kazuhiko wrote:
 > >  > Hi all,
 > >  > Recently I upgraded to 8.2-STABLE and reconfigured natd + jailed box, but
 > >  > all packets could not get over the nat box. I've researched and found
 > >  > /etc/rc.firewall does not receive the argument of firewall_type. So ipfw does
 > >  > not divert and natd could not be performed. The reason is /etc/rc.d/ipfw
 > >  > incorrect. I think a patch below should be applied to /etc/rc.d/ipfw. Is
 > >  > there any problem to do this?
 > > 
 > > Yes.  Assuming using the default firewall_script="/etc/rc.firewall", 
 > > then as it says early in /etc/rc.firewall, you just needed to:
 > > 
 > > 	# Define the firewall type in /etc/rc.conf.  Valid values are:
 > > 	[..]

It's just occurred to me that - assuming you are NOT trying to start ipfw 
or natd inside a jail, which won't work - you may well be running into 
another problem related to some PRs/patches hrs@ (cc'd) is reviewing re 
startup order and loading of modules for ipfw and natd.  You mentioned 
running an 'OPEN' firewall which (like any other type) will fail to load 
divert rule/s unless ipdivert.ko is already loaded or built into kernel.

This can be solved meanwhile by either a) adding to /boot/loader.conf:

ipdivert_load="YES"

or b) by applying the following patch to /etc/rc.d/ipfw (on 7.x or 8.x)

cheers, Ian

--- rc.d_ipfw.1.24      Sat Jan  8 18:13:46 2011
+++ ipfw        Sat Jan  8 21:00:18 2011
@@ -27,9 +27,9 @@
	fi

	if checkyesno firewall_nat_enable; then
-		if ! checkyesno natd_enable; then
-			required_modules="$required_modules ipfw_nat"
-		fi
+		required_modules="$required_modules ipfw_nat"
+	elif checkyesno natd_enable; then
+		required_modules="$required_modules ipdivert"
	fi
 }

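Review bot: the `elif` makes firewall_nat_enable silently win over natd_enable, so a host with both set to YES gets ipfw_nat loaded but no ipdivert and no message about it; add a `warn` in that case or at least a comment above `if checkyesno firewall_nat_enable; then` stating the precedence, otherwise someone switching from natd to in-kernel NAT and leaving natd_enable behind would see divert rules fail the same way reported in this thread. The new `elif checkyesno natd_enable` branch itself addresses the reported symptom (divert rules failing to load when ipdivert.ko is absent), and dropping the old `if ! checkyesno natd_enable` guard around ipfw_nat is consistent with that precedence.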
@@ -105,6 +105,7 @@
 }

 load_rc_config $name
-firewall_coscripts="/etc/rc.d/natd ${firewall_coscripts}"
+checkyesno natd_enable && ! checkyesno firewall_nat_enable && \
+	firewall_coscripts="/etc/rc.d/natd ${firewall_coscripts}"

 run_rc_command $*

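Review bot: the top-level `checkyesno natd_enable && ! checkyesno firewall_nat_enable && \` chain re-encodes the precedence rule already expressed by the `elif` in the first hunk, so the two places can drift apart; compute the decision once (for example set a variable in the module-loading function and test it here) or at least write this as an `if` block, which is also the form rc.d scripts normally use and reads more clearly than a conditional assignment continued onto the next line. Both `checkyesno` calls need the variables to have values, which is why this line must stay below `load_rc_config $name` as the hunk has it.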

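The two options above (ipdivert_load in loader.conf, or the rc.d/ipfw precedence between in-kernel ipfw_nat and natd's divert sockets) both come down to one question: which kernel module does the configured NAT mode depend on, and is it present before the rules are loaded? The POSIX sh functions below are an added example, not code from this thread or from FreeBSD's rc.d; they re-implement the patch's precedence rule (firewall_nat_enable wins over natd_enable) and check the result against a kldstat(8) listing. The listing embedded here is constructed for the demonstration, and the check only recognises loaded .ko files, so on a real system a module compiled into the kernel would be better detected with `kldstat -q -m` instead.

```shell
#!/bin/sh
# Added example (not from the thread): derive the kernel module that the
# ipfw NAT configuration needs and check it against a kldstat(8) listing.

# yesno VALUE -> exit 0 for yes/true/on/1, 1 otherwise (like rc.subr's checkyesno)
yesno() {
    case "$1" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# nat_module FIREWALL_NAT_ENABLE NATD_ENABLE
# Prints the module the NAT mode depends on, following the patch's precedence:
# in-kernel NAT (ipfw_nat) first, divert-socket NAT via natd (ipdivert) second.
nat_module() {
    if yesno "$1"; then
        echo ipfw_nat
    elif yesno "$2"; then
        echo ipdivert
    fi
}

# module_present MODULE LISTING -> exit 0 if MODULE.ko is a loaded file in LISTING
# LISTING is text in the format of `kldstat` (last column is the file name).
module_present() {
    printf '%s\n' "$2" | awk -v mod="$1.ko" '$NF == mod { found = 1 } END { exit !found }'
}

# nat_preflight FIREWALL_NAT_ENABLE NATD_ENABLE LISTING
# Prints "none" (no NAT configured), "ok", or "missing <module>".
nat_preflight() {
    mod=$(nat_module "$1" "$2")
    if [ -z "$mod" ]; then
        echo none
    elif module_present "$mod" "$3"; then
        echo ok
    else
        echo "missing $mod"
    fi
}

# Constructed kldstat(8) listing for the demonstration (not real output):
# ipfw is loaded, but neither ipdivert.ko nor ipfw_nat.ko is.
SAMPLE_KLDSTAT='Id Refs Address    Size     Name
 1   12 0xc0400000 c3d10c   kernel
 2    1 0xc5a00000 3000     ipfw.ko'

nat_preflight NO  YES "$SAMPLE_KLDSTAT"   # missing ipdivert  (natd without ipdivert.ko)
nat_preflight YES YES "$SAMPLE_KLDSTAT"   # missing ipfw_nat  (ipfw_nat takes precedence)
nat_preflight NO  NO  "$SAMPLE_KLDSTAT"   # none
```

Run against the output of a real `kldstat` (for example `nat_preflight "$firewall_nat_enable" "$natd_enable" "$(kldstat)"` after sourcing rc.conf values) this reports the missing module before ipfw tries to install a divert or nat rule, which is the failure mode described above.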
More information about the freebsd-stable mailing list