Problem: ipf - /dev/kmem errors
Dave Patterson
dave at rocsculptr.net
Tue Aug 10 15:16:24 PDT 2004
> owner-freebsd-questions at freebsd.org wrote:
>> Hello everyone,
>>
>> I'm currently using a generic pc running, that is acting as a router.
>> The routing works fine, but ipfilter does not.
>> Pentium III (801.82-MHz 686-class CPU)
>> memory = (128 MB)
>>
>> 5.2-CURRENT #1
>>
>> here is part of my kernel config file :
>> >--snip--<
>> # IPF stuff
>> options PFIL_HOOKS # pfil(9) framework
>> options IPFILTER
>> options IPFILTER_LOG
>> options INVARIANTS #Enable calls of extra sanity checking
>> >--snip--<
>>
>> the kernel seems to load the module {from dmesg}
>> IP Filter: v3.4.35 initialized. Default = pass all, Logging = enabled
>>
>> yet when I try and verify which rulesets are loaded, I get kmem
>> errors.
>>
>> # ipfstat
>> ioctl(SIOCGETFS): Invalid argument
>> openkmem:open: No such file or directory
>>
>>
>>
>> I did read that in 5.x /dev/kmem was changed/removed for security, if
>> that's the case what is the facility that ipfilter uses ?
>>
>> thanks for any help,
>> D
>
> Just because you compiled ipfilter into the kernel does not mean
> that you have enabled it to start.
>
> You need the following statements in /etc/rc.conf to activate IPF at
> boot time.
>
> ipfilter_enable="YES" # Start ipf firewall
> ipfilter_rules="/etc/ipf.rules" # loads rules definition text file
> # IE: not script file with rules in it
>
> ipmon_enable="YES" # Start IP monitor log
> ipmon_flags="-Ds" # D = start as daemon
> # s = log to syslog
> # v = log tcp window, ack, seq
> # n = map IP & port to names
>
>
>
> If you have a LAN behind this firewall that uses the reserved
> private IP address ranges, then you need to add the following to
> enable NAT functionality.
>
> gateway_enable="YES" # Enable as LAN gateway
> ipnat_enable="YES" # Start ipnat function
> ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnat
>
Thanks for the reminder, I neglected to include that in my original email.
I do have the above mentioned options in my /etc/rc.conf:

# ---------- ipf stuff ----------
ipfilter_enable="YES"
ipfilter_program="/sbin/ipf"
ipfilter_rules="/etc/ipf/ipf.conf"
ipnat_enable="YES"
ipnat_program="/sbin/ipnat"
ipnat_rules="/etc/ipf/ipnat.conf"
ipmon_enable="YES"
ipmon_program="/sbin/ipmon"
ipmon_flags="-Ds" # typically "-Ds" or "-D /var/log/ipflog"
# ---------- end ipf stuff ----------

I also checked the kernel to see which modules were loaded currently:

# kldstat -v
Id Refs Address Size Name
1 11 0xc0400000 2f65bc kernel
Contains modules:
Id Name
1 IP Filter: v3.4.35
2 isa/ata
....
...

I'm still getting the same kmem error though,

# ipfstat
ioctl(SIOCGETFS): Invalid argument
openkmem:open: No such file or directory

Any idea why I don't have the device /dev/kmem?

# ls /dev/k*
/dev/kbd0@ /dev/klog

thanks again,
-D