/etc/rc.d/ipfw can't deal with firewall_type?
Ian Smith
smithi at nimnet.asn.au
Wed May 4 06:46:27 UTC 2011
On Wed, 4 May 2011, KIRIYAMA Kazuhiko wrote:
> At Wed, 4 May 2011 03:47:02 +1000 (EST),
> Ian Smith wrote:
> >
> > On Wed, 4 May 2011, KIRIYAMA Kazuhiko wrote:
> > > Hi all,
> > > Recently I upgraded to 8.2-STABLE and reconfigured natd + jailed box, but
> > > all packets could not pass over nat box. I've researched and found
> > > /etc/rc.firewall does not receive argument of firewall_type. So ipfw does
> > > not divert and natd could not be performed. The reason is /etc/rc.d/ipfw
> > > is incorrect. I think a patch below should be applied to /etc/rc.d/ipfw. Is
> > > there any problem to do this?
> >
> > Yes. Assuming using the default firewall_script="/etc/rc.firewall",
> > then as it says early in /etc/rc.firewall, you just needed to:
> >
> > # Define the firewall type in /etc/rc.conf. Valid values are:
> > [..]
It's just occurred to me that - assuming you are NOT trying to start ipfw
or natd inside a jail, which won't work - you may well be running into
another problem related to some PRs/patches hrs@ (cc'd) is reviewing re
startup order and loading of modules for ipfw and natd. You mentioned
running an 'OPEN' firewall which (like any other type) will fail to load
divert rule/s unless ipdivert.ko is already loaded or built into kernel.
This can be solved meanwhile by either a) adding to /boot/loader.conf:
ipdivert_load="YES"
or b) by applying the following patch to /etc/rc.d/ipfw (on 7.x or 8.x)
cheers, Ian
--- rc.d_ipfw.1.24 Sat Jan 8 18:13:46 2011
+++ ipfw Sat Jan 8 21:00:18 2011
@@ -27,9 +27,9 @@
fi
if checkyesno firewall_nat_enable; then
- if ! checkyesno natd_enable; then
- required_modules="$required_modules ipfw_nat"
- fi
+ required_modules="$required_modules ipfw_nat"
+ elif checkyesno natd_enable; then
+ required_modules="$required_modules ipdivert"
fi
}
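Review bot: the `elif` makes firewall_nat_enable silently take precedence over natd_enable; with both knobs set to YES, ipdivert is never appended to required_modules, so a divert rule in rc.firewall still fails to load for that configuration, which is the failure this patch is meant to remove. Either append ipdivert whenever natd_enable is set (a second `if checkyesno natd_enable; then` instead of the `elif`), or emit a warning that natd_enable is being ignored so the user can see why natd never starts.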
@@ -105,6 +105,7 @@
}
load_rc_config $name
-firewall_coscripts="/etc/rc.d/natd ${firewall_coscripts}"
+checkyesno natd_enable && ! checkyesno firewall_nat_enable && \
+ firewall_coscripts="/etc/rc.d/natd ${firewall_coscripts}"
run_rc_command $*
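Review bot: the `checkyesno natd_enable && ! checkyesno firewall_nat_enable` test repeats the precedence decided in the first hunk without a comment saying so; a one-line comment above it noting that in-kernel NAT wins over natd when both are enabled would help the next reader, and the two checks need to stay in step if the first hunk changes. Note the visible consequence: with both knobs set, /etc/rc.d/natd is no longer a coscript and natd is never started by this script, which is consistent with the first hunk but should be stated in the script header or rc.conf(5).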
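A preflight check that captures the point of the message (divert rules only load once ipdivert is present, in-kernel NAT needs ipfw_nat), written as an added example rather than code from the post or from FreeBSD's rc.d. It decides the needed modules from the two rc.conf knobs and reports which are missing. Unlike the `elif` in the patch, it lists both modules when both knobs are set, so neither path fails at rule-load time. The loaded-module list is passed in as a parameter so the logic runs without a FreeBSD kernel; `detect_loaded` shows how to build that list with `kldstat -q -m` when it is available.

```shell
#!/bin/sh
# Added example: work out which kernel modules an ipfw + NAT setup depends on
# and check they are loaded before rc.firewall adds divert/nat rules.

# yesno VALUE -> 0 when VALUE is yes/true/on/1 (case-insensitive),
# mirroring the values rc.subr's checkyesno accepts.
yesno() {
    case "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" in
        YES|TRUE|ON|1) return 0 ;;
        *) return 1 ;;
    esac
}

# nat_modules FIREWALL_NAT_ENABLE NATD_ENABLE
# Prints the modules needed: in-kernel NAT wants ipfw_nat, natd wants
# ipdivert. Both are printed when both knobs are set.
nat_modules() {
    mods=""
    yesno "$1" && mods="ipfw_nat"
    yesno "$2" && mods="${mods:+$mods }ipdivert"
    printf '%s\n' "$mods"
}

# missing_modules LOADED_LIST FIREWALL_NAT_ENABLE NATD_ENABLE
# LOADED_LIST is a whitespace-separated list of module names already in the
# kernel (built-in or kldload'ed). Prints the needed modules not in that list.
missing_modules() {
    loaded="$1"; shift
    missing=""
    for m in $(nat_modules "$@"); do
        case " $loaded " in
            *" $m "*) ;;
            *) missing="${missing:+$missing }$m" ;;
        esac
    done
    printf '%s\n' "$missing"
}

# detect_loaded MODULE...
# On FreeBSD, asks kldstat whether each module is loaded; elsewhere prints
# nothing, so the functions above can still be exercised offline.
detect_loaded() {
    found=""
    command -v kldstat >/dev/null 2>&1 || { printf '\n'; return 0; }
    for m in "$@"; do
        kldstat -q -m "$m" && found="${found:+$found }$m"
    done
    printf '%s\n' "$found"
}

# Usage: read the knobs from the environment (constructed defaults here),
# then report what rc.firewall would be missing.
firewall_nat_enable="${firewall_nat_enable:-NO}"
natd_enable="${natd_enable:-YES}"
need="$(missing_modules "$(detect_loaded ipfw_nat ipdivert)" \
        "$firewall_nat_enable" "$natd_enable")"
[ -n "$need" ] && echo "not loaded, add to /boot/loader.conf or kldload: $need"
```

With `natd_enable="YES"` and ipdivert absent, the script names ipdivert, which is the case the message describes: rc.firewall's divert rule fails until `ipdivert_load="YES"` in /boot/loader.conf (or an rc.d fix) gets the module in first.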