any reason not to enable IPDIVERT for ipfw module?
Ian Smith
smithi at nimnet.asn.au
Sat Nov 1 05:16:12 UTC 2014
On Fri, 31 Oct 2014 18:28:28 -0700, Freddie Cash wrote:
> On Oct 31, 2014 12:12 PM, "John-Mark Gurney" <jmg at funkthat.com> wrote:
> >
> > Can any one think of a good reason not to enable IPDIVERT sockets in
> > the ipfw module?
Yes, two. Nowadays people are just as or perhaps more likely to use
in-kernel NAT, loading ipfw_nat.ko instead of ipdivert.ko, and there's
no good reason to add extra code to ipfw.ko unless it's going to be
used. See libalias(3) /MODULAR ARCHITECTURE
Similarly there'd be no reason to include dummynet code unless using it.
> > And possibly enabling default to accept? That way you don't have to
> > go to the console when you load the ipfw module because you forgot to
> > auto add the accept all rule? :)
That'd reverse some 15+ years of security policy, of having the firewall
closed until you've loaded your ruleset, to cater to forgetfulness? :)
> You can change the default rule to accept via loader.conf and it will be
> set when the module is loaded.
>
> net.inet.ip.fw.default_to_accept or something like that.
Yes, net.inet.ip.fw.default_to_accept=1 is a loader tunable, and can be
set before ipfw is loaded, unlike the net.inet.ip.fw sysctls which don't
exist until ipfw is loaded. Or it can be set to 0 to reverse the policy if
the kernel has been built with 'options IPFIREWALL_DEFAULT_TO_ACCEPT'.
Normally /etc/rc.d/ipfw takes care of loading ipfw_nat or ipdivert (or
both if you wanted to use both natd(8) and ipfw_nat for some reason?)
and/or dummynet, according to the rc.conf variables.
I've added freebsd-ipfw@ to ccs, just because it seems relevant ..
cheers, Ian
> > something like:
> > ==== //depot/projects/opencrypto/sys/modules/ipfw/Makefile#3 -
> /home/jmg/freebsd.p4/opencrypto/sys/modules/ipfw/Makefile ====
> > --- /tmp/tmp.15774.16 2014-10-31 12:11:56.000000000 -0700
> > +++ /home/jmg/freebsd.p4/opencrypto/sys/modules/ipfw/Makefile
> 2014-10-31 12:11:54.000000000 -0700
> > @@ -16,7 +16,10 @@
> > #CFLAGS+= -DIPFIREWALL_VERBOSE_LIMIT=100
> > #
> > #If you want it to pass all packets by default
> > -#CFLAGS+= -DIPFIREWALL_DEFAULT_TO_ACCEPT
> > +CFLAGS+= -DIPFIREWALL_DEFAULT_TO_ACCEPT
> > +#
> > +#If you want divert sockets
> > +CFLAGS+= -DIPDIVERT
> > #
> >
> > .include <bsd.kmod.mk>
> >
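Review bot: the `+CFLAGS+= -DIPFIREWALL_DEFAULT_TO_ACCEPT` line turns ipfw.ko from fail-closed to fail-open for every build of the module, not only for the admin who forgot the accept-all rule; the same effect is already available per host through the loader tunable net.inet.ip.fw.default_to_accept=1 discussed in the reply above, so keep that line commented out as it was. The `+CFLAGS+= -DIPDIVERT` line also breaks the file's own convention, visible in the unchanged context, of shipping optional knobs as `#CFLAGS+= ...` comments under a `#If you want ...` heading; ship it as `#CFLAGS+= -DIPDIVERT` so divert support stays opt-in and the default build is unchanged.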
> > --
> > John-Mark Gurney Voice: +1 415 225 5579
> >
> > "All that I will do, has been done, All that I have, has not."