Want to help with handbook
Cristian KLEIN
cristi at net.utcluj.ro
Tue Oct 24 23:15:17 UTC 2006
Tom Rhodes wrote:
> On Tue, 24 Oct 2006 23:14:47 +0300
> Cristian KLEIN <cristi at net.utcluj.ro> wrote:
>
>> Tom Rhodes wrote:
>>> On Tue, 24 Oct 2006 10:54:50 +0300
>>> Cristian KLEIN <cristi at net.utcluj.ro> wrote:
>>>
>>>> Doug Barton wrote:
>>>>> Cristian KLEIN wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I am sorry if I hit the wrong list, but there was to responsible person
>>>>>> listed in this page:
>>>>>> http://www1.ro.freebsd.org/docproj/current.html#handbooksection
>>>>>>
>>>>>> I would like to contribute to the firewall chapter of the FreeBSD
>>>>>> Handbook. Specifically, I would like to write about dummynet,
>>>>>> mixed-firewall environments (such as IPF + IPFW) and compiling firewalls
>>>>>> as modules. Also, I haven't found any evidence of DEVICE_POLLING and
>>>>>> LARGE_NAT. All this information is very common for "old" FreeBSD users,
>>>>>> but I feel that new users should find out about this information
>>>>>> directly from the handbook.
>>>>>>
>>>>>> I am not a native english speaker, but I think that once I have written
>>>>>> something, it should be easier to correct it, rather that start from
>>>>>> scratch.
>>>>>>
>>>>>> Please tell me whom I should contact. Please CC me, as I am not
>>>>>> subscribed to this list.
>>>>> No need to ask permission, just start writing. :) Once you think it's in
>>>>> shape to review, post a URL with the files to this list. Once it's in
>>>>> shape to submit, you can send it with send-pr, or perhaps someone will
>>>>> offer to commit it directly.
>>>> Thanks. I was also interested whether these topics are of value to the
>>>> handbook. Some of the above-mentioned things are close to "hacking". For
>>>> example, I like to swap ipfw and ipnat in /etc/rc.d/*. Should this be
>>>> mentioned in the handbook too?
>>> Really depends on what you mean by "swap" ?
>>>
>> It means editing the REQUIRES, BEFORE in /etc/rc.d/ipfw. As far as I
>> know, it is not standard FreeBSD practice to do such things.
>
> Oh, we can do that if there is a dependency. I'll need to look
> into the matter further though. Is there an issue where one will
> fail to load if the previous does not?
I haven't really understood your question, but I hope the following info
will answer it.
Originally, ipfw requires netif, while ipf is before netif. This places
ipfw explicitly after ipf. I honestly have absolutely no idea why the
dependencies are like this. I changed /etc/rc.d/ipfw like this:
# REQUIRE: root mountcritical
# BEFORE: ipfilter
And it works for me :D.
Talking about /etc/rc.d/ipfw, when using dummynet and ipfw, both
compiled as modules, /etc/rc.d/ipfw is unable to load "pipe"s in the
ruleset, because there is no place dummynet is loaded. On the contrary,
loading dummynet also loads ipfw.
Few people encounter this problem, as dummynet is usually compiled into
the kernel. I solved the problem by changing "kldload ipfw" with
"kldload dummynet" in /etc/rc.d/ipfw. I wouldn't know a general way of
solving this problem. Perhaps ipfw should load dummynet when
encountaring a "pipe" rule?
More information about the freebsd-doc
mailing list