Discussion:
IPF in NetBSD 5.1-RC3
Michael Richardson
2010-07-05 01:30:31 UTC
I've just upgraded my firewall from NetBSD 1.6 to 5.1-RC3.
(Was going to be 5.0, but I thought to try 5.1. The problem with NetBSD
is that it's too reliable, so... you never upgrade... I'm actually
replacing 250W hardware with 60W hardware... for power consumption reasons)

Most things are fine, except for the ipf rules!

bud-[/etc] root 206 #/etc/rc.d/ipfilter start
Enabling ipfilter.
229:ioctl(add/insert rule): No such process

bud-[/etc] root 207 #sed -n 229p /etc/ipf.conf
pass in quick proto udp from any to any port = 500 group 200

If I comment out that line, then it's the next line.
(At one point ipf's line numbers were wrong, I think that got fixed)

[Obviously, this line lets IKE packets flow...]

This rule is the first rule that uses a group.
The group was declared a few lines earlier in a "head 200".
I basically divide my network policy into a group per interface.

I read through the man pages, and I don't see anything obvious.

I wish ioctls could be more descriptive.
--
] He who is tired of Weird Al is tired of life! | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] ***@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
Kyoto Plus: watch the video http://youtu.be/kzx1ycLXQSE then sign the petition.

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Michael Richardson
2010-07-05 01:44:58 UTC
Michael> bud-[/etc] root 206 #/etc/rc.d/ipfilter start
Michael> Enabling ipfilter.
Michael> 229:ioctl(add/insert rule): No such process

Michael> bud-[/etc] root 207 #sed -n 229p /etc/ipf.conf
Michael> pass in quick proto udp from any to any port = 500 group 200

Guessing at either an off-by-one in the error message (previous line is
a comment), or that the previous line had failed, actually, I found the
previous line was:

pass out quick from 209.87.252.188 to any group 100

(I lied about it being the first usage of group. Ooops).
Commenting out this line, which was a temporary item anyway, and it
works.

A bit of a mystery. I'd be happy to send the original ipf.conf to
someone if they want, but I'd rather not post it to a public list.

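An added checker, not from the thread or the ipf project, that catches the class of mistake the follow-up diagnoses: ipf adds rules in file order, so a rule placed in `group N` must come after the `head N` rule that creates the group, and a reference to a not-yet-created group is rejected by the add-rule ioctl. The sample ipf.conf is constructed to mirror the thread (head 200 exists, head 100 was never declared), and line numbers are counted the way ipf prints them, including comment and blank lines.

```python
"""Lint an ipf.conf for rules that use a group before its head rule creates it."""
import re

HEAD_RE = re.compile(r"\bhead\s+(\d+)")
GROUP_RE = re.compile(r"\bgroup\s+(\d+)")

# Constructed sample config: group 200 has a head, group 100 does not.
SAMPLE_CONF = """\
# interface groups
pass in quick on lo0 all
block in on ex0 all head 200
# temporary rule, left over from testing
pass out quick from 209.87.252.188 to any group 100
pass in quick proto udp from any to any port = 500 group 200
"""


def find_orphan_group_refs(conf_text):
    """Return [(lineno, group, rule)] for rules whose group has no earlier head."""
    declared = set()
    problems = []
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        # The group must already exist when this rule is added, so check the
        # reference before recording any head rule on the same line.
        ref = GROUP_RE.search(line)
        if ref and ref.group(1) not in declared:
            problems.append((lineno, ref.group(1), line))
        head = HEAD_RE.search(line)
        if head:
            declared.add(head.group(1))  # group exists from this rule onward
    return problems


def main():
    for lineno, group, rule in find_orphan_group_refs(SAMPLE_CONF):
        print(f"{lineno}: group {group} used before its head: {rule}")


if __name__ == "__main__":
    main()
```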