IPNAT Not Running at Bootup

Greetings:

I have a FreeBSD 7.0 box that has been set up to act as gateway/firewall. It has been live for over four months with one major irritation. Every time the box reboots, I have to run ipnat -CF -f /etc/ipnat.rules in order for machines on the network to be able to access the internet.

I have been through the FAQ and docs and have the following entries in the rc.conf

Code:
ipnat_enable="yes"
ipnat_program="/sbin/ipnat"
ipnat_flags="-CF -f"
ipnat_rules="/etc/ipnat.rules"

Network topology: T1 Router(adtran) -> FreeBSD -> LAN

How do I get ipnat to start automatically at startup? If you have any ideas or suggestions, I would appreciate your input.

Thank you for your time.
 
Compared to /etc/defaults/rc.conf, your ipnat commands look fine. Is there any information in dmesg -a about how the start-up process handles these lines? An alternative would be to move the entire command to /etc/rc.local, which would cause ipnat to be started a little later in the start-up process.
 
TunaGod06 said:
Greetings:

I have a FreeBSD 7.0 box that has been set up to act as gateway/firewall. It has been live for over four months with one major irritation. Every time the box reboots, I have to run ipnat -CF -f /etc/ipnat.rules in order for machines on the network to be able to access the internet.

I have been through the FAQ and docs and have the following entries in the rc.conf

Code:
ipnat_enable="yes"
ipnat_program="/sbin/ipnat"
ipnat_flags="-CF -f"
ipnat_rules="/etc/ipnat.rules"

You just need
ipnat_enable="YES"
ipnat_rules="/etc/ipnat.rules"

Works fine here.

IMHO the -f flag is not good; it may produce a call like "ipnat -CF -f -f /etc/ipnat.rules"

Check it with /etc/rc.d/ipnat start | stop
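
The command-line mix-up discussed in this post, as an added pre-flight check (my script, not anything posted in the thread or shipped with FreeBSD): it reads the ipnat_* lines out of an rc.conf fragment, reconstructs the command /etc/rc.d/ipnat would execute, and reports a -f sitting in ipnat_flags. It assumes FreeBSD 7's /etc/rc.d/ipnat runs `${ipnat_program} -CF -f ${ipnat_rules} ${ipnat_flags}` (so -CF and -f already come from the script) and that the defaults are the ones in /etc/defaults/rc.conf; the three rc.conf fragments are constructed from the variants posted in this thread.

```python
"""Pre-flight check for the ipnat_* lines in rc.conf.

Added example, not from the thread. The command template is an assumption
about FreeBSD 7's /etc/rc.d/ipnat:
    ${ipnat_program} -CF -f ${ipnat_rules} ${ipnat_flags}
Anything placed in ipnat_flags is appended after the script's own -CF -f.
"""
import re
import shlex

# Values from /etc/defaults/rc.conf (FreeBSD 7); rc.conf overrides them.
DEFAULTS = {
    "ipnat_enable": "NO",
    "ipnat_program": "/sbin/ipnat",
    "ipnat_rules": "/etc/ipnat.rules",
    "ipnat_flags": "",
}

# name="value", name='value' or name=value, optional trailing comment.
_ASSIGN = re.compile(r'^(\w+)=(?:"([^"]*)"|\'([^\']*)\'|([^\s#]*))\s*(?:#.*)?$')


def parse_rc_conf(text):
    """Collect shell variable assignments from rc.conf text.

    Commented-out lines are skipped, so '#ipnat_rules=...' leaves the
    default in force. Later assignments override earlier ones, as in sh.
    """
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _ASSIGN.match(line)
        if m:
            values[m.group(1)] = next(g for g in m.groups()[1:] if g is not None)
    return values


def effective(conf):
    """ipnat_* settings after layering rc.conf on top of the defaults."""
    merged = dict(DEFAULTS)
    merged.update({k: v for k, v in conf.items() if k in DEFAULTS})
    return merged


def ipnat_argv(conf):
    """argv that /etc/rc.d/ipnat would execute for these settings (assumed template)."""
    s = effective(conf)
    return [s["ipnat_program"], "-CF", "-f", s["ipnat_rules"]] + shlex.split(s["ipnat_flags"])


def lint_ipnat(conf):
    """Return a list of problems; an empty list means the settings look sane."""
    s = effective(conf)
    problems = []
    # rc.subr's checkyesno is case-insensitive: "yes" and "YES" both enable the script.
    if s["ipnat_enable"].lower() not in ("yes", "true", "on", "1"):
        problems.append("ipnat_enable is %r: rc.d/ipnat will not start" % s["ipnat_enable"])
        return problems
    flags = shlex.split(s["ipnat_flags"])
    if "-f" in flags:
        problems.append(
            "ipnat_flags contains -f: rc.d/ipnat already passes -f %s, so the command "
            "becomes: %s" % (s["ipnat_rules"], " ".join(ipnat_argv(conf))))
    for f in flags:
        if not f.startswith("-"):
            problems.append(
                "ipnat_flags has a non-option word %r (a rules file belongs in ipnat_rules)" % f)
    # A "-CF" in ipnat_flags only repeats what the script passes; harmless, so not reported.
    return problems


# Constructed rc.conf fragments mirroring the three variants posted in the thread.
RC_ORIGINAL = '''
ipnat_enable="yes"
ipnat_program="/sbin/ipnat"
ipnat_flags="-CF -f"
ipnat_rules="/etc/ipnat.rules"
'''
RC_MINIMAL = '''
ipnat_enable="YES"
ipnat_rules="/etc/ipnat.rules"
'''
RC_FINAL = '''
ipnat_enable="YES"
#ipnat_program="/sbin/ipnat"
#ipnat_rules="/etc/ipnat.rules"
ipnat_flags="-CF"
'''

if __name__ == "__main__":
    for label, text in (("original", RC_ORIGINAL), ("minimal", RC_MINIMAL), ("final", RC_FINAL)):
        conf = parse_rc_conf(text)
        print("%-9s %s" % (label, " ".join(ipnat_argv(conf))))
        for p in lint_ipnat(conf):
            print("    !", p)
```

Run it against the real file with `python check_ipnat.py < /etc/rc.conf` after swapping the constructed fragments for `sys.stdin.read()`; the point is to see the assembled command line before a reboot instead of after one.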
 
Oh right, -f points to the ruleset, so those flags are likely to be duplicated indeed.

BTW, since it's already literally in /etc/defaults/rc.conf, you could drop ipnat_rules as well. So all you'd need is:

Code:
ipnat_enable="YES"
ipnat_flags="-CF"
 
Thank you for your replies to this request.

I ran dmesg -a as suggested and the following might be of interest:

Code:
IP Filter: v4.1.28 initialized.  Default = pass all, Logging = enabled
Enabling ipfilter.
ioctl(SIOCIPFSET): No such process
Installing NAT rules.
0 entries flushed from NAT table
0 entries flushed from NAT list
net.inet6.ip6.auto_linklocal:
1
 ->
0

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 00:02:b3:19:d5:ac
        inet 66.114.XXX.XXX netmask 0xfffffff0 broadcast 66.114.XXX.XXX
        media: Ethernet autoselect (10baseT/UTP)
        status: active
fxp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 00:02:b3:19:d5:ad
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
        media: Ethernet autoselect (100baseTX)
        status: active
filter sync'd
ioctl(SIOCIPFSET): No such process
add net default: gateway 66.114.XXX.XXX
Additional routing options:
 IP gateway=YES
.

Is this correct or should IPFilter be loaded after the ifconfig settings?

And just to verify, here is my complete /etc/rc.conf:

Code:
# -- sysinstall generated deltas -- # Fri Dec 19 10:44:49 2008
# Created: Fri Dec 19 10:44:49 2008
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.

#External Interface Settings
defaultrouter="66.114.XXX.XXX"
gateway_enable="YES"
ifconfig_fxp0="inet 66.114.XXX.XXX netmask 255.255.255.240"

#Internal Interface Settings
hostname="foo.bar.com"
ifconfig_fxp1="inet 192.168.1.1 netmask 255.255.255.0"

linux_enable="YES"
moused_enable="YES"
sshd_enable="YES"

#Enable DHCP Server
dhcpd_enable="YES"
dhcpd_ifaces="fxp1"

#Firewall
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"
ipfilter_flags="-D -T ipf_nattable_sz=10009,ipf_nattable_max=300000,fr_tcptimeout=180,fr_tcpclosewait=60,fr_tcphalfclosed=7200,fr_tcpideltimeout=172800 -E"
ipmon_enable="YES"
ipmon_flags="-Ds"
ipnat_enable="YES"
#ipnat_program="/sbin/ipnat"
#ipnat_rules="/etc/ipnat.rules"
ipnat_flags="-CF"

Either way, I added a startup script to /usr/local/etc/rc.d and this fixed my issue:

Code:
#!/bin/sh
/sbin/ipnat -CF -f /etc/ipnat.rules
 
Apparently:

Code:
/etc/rc.d/ipfilter
# BEFORE:  netif

Code:
/etc/rc.d/ipnat
# REQUIRE: ipfilter
# BEFORE:  DAEMON netif

Code:
/etc/rc.d/ipmon
# REQUIRE: FILESYSTEMS hostname sysctl cleanvar ipfilter

Compared:
Code:
/etc/rc.d/ipfw
# BEFORE: NETWORKING

Code:
/etc/rc.d/pf
# REQUIRE: FILESYSTEMS netif pflog pfsync
# BEFORE:  routing
 
DutchDaemon said:
Apparently:

Code:
/etc/rc.d/ipfilter
# BEFORE:  netif

Code:
/etc/rc.d/ipnat
# REQUIRE: ipfilter
# BEFORE:  DAEMON netif

Code:
/etc/rc.d/ipmon
# REQUIRE: FILESYSTEMS hostname sysctl cleanvar ipfilter

Compared:
Code:
/etc/rc.d/ipfw
# BEFORE: NETWORKING

Code:
/etc/rc.d/pf
# REQUIRE: FILESYSTEMS netif pflog pfsync
# BEFORE:  routing

I'm lost :(
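
What those header lines mean, as an added example (my code, not rcorder(8) itself and not anything posted above): a small re-implementation of rcorder's PROVIDE/REQUIRE/BEFORE ordering, run over the ipfilter and ipnat headers quoted above. The REQUIRE and BEFORE lines for ipfilter and ipnat are the ones from the thread; the PROVIDE lines and the FILESYSTEMS/netif/routing/NETWORKING/DAEMON nodes are a trimmed-down stand-in for the real /etc/rc.d scripts, and the hypothetical "ipnat_late" script shows the headers a local script needs to be sorted after the interfaces and routes are up.

```python
"""Why /etc/rc.d/ipnat runs before the interfaces are configured.

Added example: a minimal model of rcorder(8)'s dependency sort over
PROVIDE/REQUIRE/BEFORE headers. The script set below is constructed;
only the ipfilter and ipnat REQUIRE/BEFORE lines are quoted from FreeBSD 7.
"""
import re
from collections import defaultdict

HEADER = re.compile(r"^\s*#\s*(PROVIDE|REQUIRE|BEFORE):\s*(.*)$")


def parse_headers(text):
    """Extract rcorder keywords from the comment block of an rc.d script."""
    keys = {"PROVIDE": [], "REQUIRE": [], "BEFORE": []}
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            keys[m.group(1)].extend(m.group(2).split())
    return keys


def rcorder(scripts):
    """Return script names in start order (Kahn's algorithm, name order for ties).

    scripts: {script_name: header_text}. REQUIRE: x means "run after whatever
    provides x"; BEFORE: x means "run before whatever provides x".
    """
    headers = {name: parse_headers(text) for name, text in scripts.items()}
    providers = defaultdict(list)
    for name, h in headers.items():
        for p in h["PROVIDE"]:
            providers[p].append(name)

    after = defaultdict(set)            # after[a] = scripts that must run after a
    indeg = {name: 0 for name in scripts}

    def edge(first, then):
        if then not in after[first]:
            after[first].add(then)
            indeg[then] += 1

    for name, h in headers.items():
        for req in h["REQUIRE"]:
            if req not in providers:
                raise ValueError("%s requires %s, which nothing provides" % (name, req))
            for prov in providers[req]:
                edge(prov, name)
        for bef in h["BEFORE"]:
            for prov in providers.get(bef, []):   # no provider: nothing to order against
                edge(name, prov)

    ready = sorted(n for n, d in indeg.items() if d == 0)
    order = []
    while ready:
        cur = ready.pop(0)
        order.append(cur)
        for nxt in after[cur]:
            indeg[nxt] -= 1
            if indeg[nxt] == 0:
                ready.append(nxt)
        ready.sort()
    if len(order) != len(scripts):
        raise ValueError("dependency cycle among: %s" % sorted(set(scripts) - set(order)))
    return order


def runs_before(order, a, b):
    return order.index(a) < order.index(b)


# Constructed header set. The ipfilter/ipnat REQUIRE and BEFORE lines are the
# ones quoted from FreeBSD 7's /etc/rc.d; everything else is a simplified stand-in.
BASE = {
    "FILESYSTEMS": "# PROVIDE: FILESYSTEMS",
    "ipfilter":    "# PROVIDE: ipfilter\n# REQUIRE: FILESYSTEMS\n# BEFORE:  netif",
    "ipnat":       "# PROVIDE: ipnat\n# REQUIRE: ipfilter\n# BEFORE:  DAEMON netif",
    "netif":       "# PROVIDE: netif\n# REQUIRE: FILESYSTEMS",
    "routing":     "# PROVIDE: routing\n# REQUIRE: netif",
    "NETWORKING":  "# PROVIDE: NETWORKING\n# REQUIRE: netif routing",
    "DAEMON":      "# PROVIDE: DAEMON\n# REQUIRE: NETWORKING",
}

# Hypothetical local script: the headers that put an ipnat reload after
# the interfaces and routes exist but before the daemons start.
IPNAT_LATE = "# PROVIDE: ipnat_late\n# REQUIRE: netif routing\n# BEFORE:  DAEMON"

if __name__ == "__main__":
    print("stock order:     ", " ".join(rcorder(BASE)))
    print("with ipnat_late: ", " ".join(rcorder(dict(BASE, ipnat_late=IPNAT_LATE))))
```

The stock graph sorts ipnat ahead of netif because both ipfilter and ipnat say BEFORE: netif; that is what the dmesg output above shows, "Installing NAT rules." before the ifconfig lines. A script in /usr/local/etc/rc.d that carries the three ipnat_late header lines and runs `ipnat -CF -f /etc/ipnat.rules` from its start method is sorted together with /etc/rc.d/* by rc(8) and lands after routing. A headerless *.sh script in that directory is, if I remember rc.subr's find_local_scripts_old correctly, run late by /etc/rc.d/localpkg instead, which is presumably why the bare two-line script worked.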
 