FreeBSD 8.1 and IPFW

[jailed]

Hello, today I upgraded my gateway to 8.1 from 8.0 with freebsd-update.

After the upgrade, I realized that my ipfw is not working. FreeBSD doesn't start ipfw on boot.

My rc.conf

firewall_enable="YES"
firewall_script="/my-path-to/ipfw.rules"
firewall_type="close"

I have not changed any configuration. I've just upgraded the system with freebsd-update.

The server is configured for gateway, ipfw, dummynet, natd, bridge.

To start ipfw, I connect to server and run the ipfw.rules script manually.

I have read the release notes of 8.1 before upgrade, I've seen that ipfw has been updated on the release but can't see any detailed info about that.

Is the default rc.conf directives has changed?

Thanks.

 

[jailed]

Update

/boot/loader.conf

if_bridge_load="YES"
dummynet_load="YES"

Kernel loads if_bridge module but not dummynet.

I'm updating /usr/src tree now and I will compile a custom kernel and add this options to GENERIC directly.

Why boot loader doesn't load dummynet? If I do "kldload dummynet" on the server, it loads.

Ipfw (from rc.conf) and dummynet from (loader.conf) not working on start up.

I will try to compile kernel.

 

[jailed]

Building a new kernel works. But I wonder why supported fetaures on the previous releases, don't work on the new ones. I don't know if this is just for me or everybody live this issues.

Problem solved with custom kernel.

Thanks.

 

[mkorku]

NAT solution without building a new kernel

Building a new kernel works.

After spending some time looking at the boot process I have realized that the "divert" rule needed to make NAT work at /etc/rc.firewall gives an error at boot time. Once the system is running if I manually execute

# /etc/rc.d/ipfw restart

NAT begins to work without any problem.

At last I have solved the problem adding the following to /boot/loader.conf:

ipfw_load="YES"
ipdivert_load="YES"

I suppose that the system needs to load the divert module before the firewall is configured. I only do NAT so I don't load dummynet or any other module on /boot/loader.conf.

 

[rblon]

Building a new kernel works. But I wonder why supported fetaures on the previous releases, don't work on the new ones. I don't know if this is just for me or everybody live this issues.

Problem solved with custom kernel.

Thanks.

I also have the issue that ifp is not working anymore after updating to 8.1. When you say that you use a custom kernel, what do you include?

 

[jailed]

I also have the issue that ifp is not working anymore after updating to 8.1. When you say that you use a custom kernel, what do you include?

Add this lines to your GENERIC file for ipfw. and then compile a new kernel

options IPFIREWALL
options DUMMYNET
options HZ=1000
options IPDIVERT

 

[DutchDaemon]

No, jailed, again: do not edit your GENERIC kernel config file, ever. Copy it to a new file, rename it, and give it a new ident line. Then compile it using KERNCONF=KERNELNAME. Ok?

 

[jailed]

No, jailed, again: do not edit your GENERIC kernel config file, ever. Copy it to a new file, rename it, and give it a new ident line. Then compile it using KERNCONF=KERNELNAME. Ok?

Thank you. I realized that src cvs updates overwrite the GENERIC. So we have to copy the file. Thank you for correcting me.

 

[SirDice]

Thank you. I realized that src cvs updates overwrite the GENERIC. So we have to copy the file. Thank you for correcting me.

That's not the point actually. If you do a uname -a you'll notice the kernel configuration named in there. When it says GENERIC people expect it to be GENERIC and not some hacked up custom kernel.

dice@maelcum:~>uname -a
FreeBSD maelcum.dicelan.home 8.1-STABLE FreeBSD 8.1-STABLE #0: Tue Oct 12 20:12:28 CEST 2010
root@molly.dicelan.home:/usr/obj/usr/src/sys/GENERIC  i386

dice@williscorto:~>uname -a
FreeBSD williscorto.dicelan.home 8.1-STABLE FreeBSD 8.1-STABLE #0: Tue Oct 12 19:49:45 CEST 2010
root@molly.dicelan.home:/usr/obj/usr/src/sys/CORTO8  i386

Notice the difference?