tech-net archive


IPF in NetBSD 5.1-RC3



I've just upgraded my firewall from NetBSD 1.6 to 5.1-RC3.
(Was going to be 5.0, but I thought to try 5.1.  The problem with NetBSD
is that it's too reliable, so... you never upgrade... I'm actually
replacing 250W hardware with 60W hardware... for power consumption reasons)

Most things are fine, except for the ipf rules!

bud-[/etc] root 206 #/etc/rc.d/ipfilter start
Enabling ipfilter.
229:ioctl(add/insert rule): No such process

bud-[/etc] root 207 #sed -n 229p /etc/ipf.conf
pass in quick proto udp from any to any port = 500  group 200   

If I comment out that line, then it's the next line.
(At one point ipf's line numbers were wrong, I think that got fixed)

[Obviously, this line lets IKE packets flow...]

This rule is the first rule that uses a group.  
The group was declared a few lines earlier in a "head 200". 
I basically divide my network policy into a group per interface.

I read through the man pages, and I don't see anything obvious.

I wish ioctl's could be more descriptive.

-- 
]       He who is tired of Weird Al is tired of life!           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr%sandelman.ottawa.on.ca@localhost http://www.sandelman.ottawa.on.ca/ |device driver[
   Kyoto Plus: watch the video <http://www.youtube.com/watch?v=kzx1ycLXQSE>
                       then sign the petition. 
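The group-per-interface layout the post describes, written out as an added illustrative ipf.conf fragment (not the poster's configuration): the "head" rule creates the group, so it has to be loaded before any rule that names it with "group", and both have to be in the same direction. IPFilter's rule-loading code returns ESRCH, which strerror renders as "No such process", when the kernel cannot find the group a rule references, so a mismatch there is the first thing to check. Interface names fxp0/fxp1 and the 192.0.2.0/24 address are assumptions for the example.

```conf
# Added example of a per-interface ipf group layout (illustrative,
# not the original poster's rules).  Interface names and addresses
# are made up for the example.

# Policy of last resort for anything no group claims.
block in log all
block out log all

# Head rules: traffic on the outside interface fxp0 is handed to
# group 200 (inbound) or 201 (outbound).  If no member of the group
# matches, the head rule's own action (block) applies.  A head must
# appear before the rules that reference its group, and the group
# rules must use the same direction as the head.
block in quick on fxp0 all head 200
block out quick on fxp0 all head 201

# Group 200: inbound on fxp0.  IKE and ESP for the VPN, anti-spoofing
# for the internal prefix.
block in quick from 192.0.2.0/24 to any group 200
pass in quick proto udp from any to any port = 500 keep state group 200
pass in quick proto esp from any to any group 200

# Group 201: outbound on fxp0, stateful so replies are admitted.
pass out quick proto tcp from any to any keep state group 201
pass out quick proto udp from any to any keep state group 201

# Inside interface fxp1 gets its own pair of groups.
block in quick on fxp1 all head 300
block out quick on fxp1 all head 301
pass in quick from 192.0.2.0/24 to any keep state group 300
pass out quick from any to 192.0.2.0/24 group 301
```

The rule set can be parsed without touching the running kernel with `ipf -n -f /etc/ipf.conf`; a load that fails part way with the ioctl error above leaves the rules before the failing line active, so after fixing the offending line it is worth flushing with `ipf -Fa` before reloading rather than adding a second, partial copy.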

