Re: NAT: Handbook vs mailing list
On 2013-10-08 06:21, Chris Stankevitz wrote:
> http://www.freebsd.org/doc/handbook/network-natd.html
> http://lists.freebsd.org/pipermail/freebsd-questions/2011-April/229017.html
>
> Hello,
>
> Handbook section 31.9.3 suggests I should, among other things, add the line ipdivert_load=YES to /boot/loader.conf when setting up NAT.
>
> The mailing list message linked above suggests that the handbook information is the old way and that the correct way is to set ipfw_enable and natd_enable in rc.conf. Then /etc/rc.d/ipfw will load ipfw.ko, and if natd_enable is set, will invoke /etc/rc.d/natd, which loads ipdivert.ko at the right time.
>
> My inclination is to follow the handbook, but I thought I should first check to ensure the handbook is up-to-date.
>
> Thank you,

This is my rc.conf with ipf (ipfilter) firewall.

# Bring up the ipfilter software
ipfilter_enable="YES"
ipmon_enable="YES"    # Start IP monitor log
ipmon_flags="-D -f /var/log/ipf.log"
## Tell ipfilter where to get its rules
ipfilter_rules="/etc/ipf.rules"
# Enable ipnat
ipnat_enable="YES"
# Tell ipnat where to get its rules
ipnat_rules="/etc/ipnat.rules"

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: NAT: Handbook vs mailing list
Olivier Nicole wrote:
[snip]
>> The mailing list message linked above suggests that the handbook information is the old way and that the correct way is to set ipfw_enable and natd_enable in rc.conf. Then /etc/rc.d/ipfw will load ipfw.ko, and if natd_enable is set, will invoke /etc/rc.d/natd, which loads ipdivert.ko at the right time.
>
> From what you copied/explained, natd_enable will load ipdivert.ko and the handbook suggests that you load ipdivert.ko, so either way the module will be loaded. I'd go with the ipfw_enable and natd_enable as it may also do other needed things than just loading a kernel module.

+1 on this. It is also present in the /etc/defaults/rc.conf this way as well (of course, use /etc/rc.conf for override customization).

The original situation referred to early in the mailing-list content was a timing related problem where the ipdivert module would fail, even after ipfw loading _did_ succeed.

Most of the 'old way' is a holdover from before the init system brought in the rc.subr startup scripts (imported from netbsd if memory serves). There have been a couple of hiccups along the way concerning the order things are started. For example, it doesn't really work to start a dhcp client prior to successful network initiate completion. Over time the rc.subr system has evolved and been cleaned up.

A long time ago I eschewed running mergemaster when doing source-based upgrades. Just didn't like it and it never seemed like not doing it hurt anything. For quite some time I never experienced any problem with this approach. However, this eventually did bite me in the rump in a very bad way! :-)

When running mergemaster while upgrading to a new release you may see these scripts being updated. So they are continuing to evolve, and a lot of this is to start up and configure things as the system comes up in a 'correct' and coherent order.

So imho the Handbook is a wee bit outdated.
-Mike
Re: NAT: Handbook vs mailing list
Chris,

On Tue, Oct 8, 2013 at 11:21 AM, Chris Stankevitz chrisstankev...@gmail.com wrote:
> http://www.freebsd.org/doc/handbook/network-natd.html
> http://lists.freebsd.org/pipermail/freebsd-questions/2011-April/229017.html
>
> Hello,
>
> Handbook section 31.9.3 suggests I should, among other things, add the line ipdivert_load=YES to /boot/loader.conf when setting up NAT.
>
> The mailing list message linked above suggests that the handbook information is the old way and that the correct way is to set ipfw_enable and natd_enable in rc.conf. Then /etc/rc.d/ipfw will load ipfw.ko, and if natd_enable is set, will invoke /etc/rc.d/natd, which loads ipdivert.ko at the right time.

From what you copied/explained, natd_enable will load ipdivert.ko and the handbook suggests that you load ipdivert.ko, so either way the module will be loaded. I'd go with the ipfw_enable and natd_enable as it may also do other needed things than just loading a kernel module.

best regards,

Olivier

> My inclination is to follow the handbook, but I thought I should first check to ensure the handbook is up-to-date.
>
> Thank you,
>
> Chris
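
A read-only check for the two setups compared in this thread, added here as an example and not taken from any poster or from FreeBSD itself: it reports whether ipdivert.ko would come from natd_enable in rc.conf, from ipdivert_load in loader.conf, or from both. The function names and the sample file contents are made up for illustration.

```shell
#!/bin/sh
# Added example: classify how a host is set up to get ipdivert.ko loaded.
# Works on copies of rc.conf and loader.conf; changes nothing.

# conf_value FILE KEY: print the last uncommented KEY=value in FILE,
# with any trailing comment and surrounding quotes removed.
conf_value() {
    [ -r "$1" ] || return 0
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 |
        sed -e 's/[[:space:]]*#.*$//' -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# is_yes VALUE: YES/TRUE/ON/1 in any case, as rc.subr's checkyesno accepts
# (assumption: the same test is applied to loader.conf for simplicity).
is_yes() {
    case "$1" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# nat_load_method RC_CONF LOADER_CONF prints one of:
#   rc.d    natd_enable is set; /etc/rc.d/natd loads ipdivert.ko
#   loader  only ipdivert_load is set in loader.conf (the Handbook's line)
#   both    both are set; the module is requested twice
#   none    neither is set
nat_load_method() {
    rc=no; ld=no
    is_yes "$(conf_value "$1" natd_enable)" && rc=yes
    is_yes "$(conf_value "$2" ipdivert_load)" && ld=yes
    case "$rc$ld" in
        yesyes) echo both ;;
        yesno)  echo rc.d ;;
        noyes)  echo loader ;;
        *)      echo none ;;
    esac
}

# Demo on constructed files (not from a real host).
tmp=$(mktemp -d)
printf 'natd_enable="YES"   # rc.d way\n' > "$tmp/rc.conf"
printf 'ipdivert_load="YES"\n' > "$tmp/loader.conf"
nat_load_method "$tmp/rc.conf" "$tmp/loader.conf"   # prints: both
rm -rf "$tmp"
```

On a real system the arguments would be /etc/rc.conf and /boot/loader.conf.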