From nobody  Sat Sep 19 11:00:52 1998
Received: (from nobody@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id LAA27961;
          Sat, 19 Sep 1998 11:00:52 -0700 (PDT)
          (envelope-from nobody)
Message-Id: <199809191800.LAA27961@hub.freebsd.org>
Date: Sat, 19 Sep 1998 11:00:52 -0700 (PDT)
From: igor@zynaps.ru
To: freebsd-gnats-submit@freebsd.org
Subject: if we enable firewall and natd we losing connectivity after rc.firewall and before natd start
X-Send-Pr-Version: www-1.0

>Number:         7989
>Category:       conf
>Synopsis:       if we enable firewall and natd we losing connectivity after rc.firewall and before natd start
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Sep 19 11:10:01 PDT 1998
>Closed-Date:    Fri Jun 4 07:08:49 PDT 1999
>Last-Modified:  Fri Jun  4 07:15:08 PDT 1999
>Originator:     Igor Vinokurov
>Release:        2.2.7-RELEASE FreeBSD
>Organization:
does not matter
>Environment:
FreeBSD daemon.rtsnet.ru 2.2.7-RELEASE FreeBSD 2.2.7-RELEASE #0: Sat Sep 19 16:44:41 MSD 1998     root@daemon.rtsnet.ru:/usr/src/sys/compile/DAEMON  i386

>Description:
If the user enables firewall and natd, the system loses connectivity after
rc.firewall is executed and before natd starts.

Let's look:

/etc/rc.firewall:

...

if [ "X${natd_enable}" = X"YES" -a "X${natd_interface}" != X"" ]; then
        $fwcmd add divert natd all from any to any via ${natd_interface}
fi

...

but natd is not started yet!

After rc.firewall, rc.network tries to start many daemons, and
all of these use the network to initialize.

sorry for my English :)

>How-To-Repeat:
you know :)

>Fix:
Maybe we should start natd right after executing rc.firewall?

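The ordering problem described in this report (a divert rule installed by rc.firewall while no natd is listening yet, so every packet matching it is dropped until natd comes up) can be avoided by starting natd first and only installing the divert rule once the daemon is confirmed running. The script below is an added example written for this page; it is not FreeBSD's rc.network or any code from the submitter. It assumes ipfw(8) with the `add divert` syntax quoted above, natd(8) accepting `-n <interface>`, and pgrep(1); the interface name `ed0`, the command paths and the `NAT_DRY_RUN` switch are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not FreeBSD's rc.network: bring up NAT in the order
#   1. start natd   2. wait until it is running   3. add the divert rule
# so no packet is ever diverted to a socket nobody is listening on.
# Assumed (not from the PR): ipfw 'add divert' syntax as in rc.firewall,
# natd accepting '-n <interface>', pgrep(1). With NAT_DRY_RUN=1 the
# commands are recorded in NAT_LOG instead of being executed.

natd_interface=${natd_interface:-ed0}   # assumed interface name
natd_flags=${natd_flags:-}
fwcmd=${fwcmd:-/sbin/ipfw}              # assumed path
natd_cmd=${natd_cmd:-/sbin/natd}        # assumed path

nl='
'
NAT_LOG=""

# Execute a command, or append it to NAT_LOG in dry-run mode.
run() {
    if [ "${NAT_DRY_RUN:-0}" = "1" ]; then
        NAT_LOG="${NAT_LOG}$*${nl}"
        return 0
    fi
    "$@"
}

# True once a natd process exists (always true in dry-run mode).
natd_running() {
    if [ "${NAT_DRY_RUN:-0}" = "1" ]; then
        return 0
    fi
    pgrep -x natd >/dev/null 2>&1
}

# Start natd, wait for it, then install the divert rule. Returns non-zero
# and installs no rule if natd never shows up, so the box stays reachable
# instead of being blackholed by a listener-less divert rule.
start_nat() {
    run "${natd_cmd}" ${natd_flags} -n "${natd_interface}" || return 1
    tries=0
    while ! natd_running; do
        tries=$((tries + 1))
        if [ "$tries" -ge 30 ]; then
            echo "natd did not start; not installing divert rule" >&2
            return 1
        fi
        sleep 1
    done
    run "${fwcmd}" add divert natd all from any to any via "${natd_interface}"
}

# Check the recorded dry-run sequence: natd must be the first command and
# the divert rule must be present (it is only added after natd).
nat_log_order_ok() {
    first=$(printf '%s' "$NAT_LOG" | head -n 1)
    case "$first" in
        "${natd_cmd} "*) ;;
        *) return 1 ;;
    esac
    printf '%s' "$NAT_LOG" | grep -q 'add divert natd all from any to any'
}
```

Run it with `NAT_DRY_RUN=1; start_nat; printf '%s' "$NAT_LOG"` to see the order without touching the firewall; on a real box, drop the dry-run variable and call `start_nat` from the place where rc.firewall currently adds the divert rule.
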
>Release-Note:
>Audit-Trail:

From: Drew Derbyshire <ahd@kew.com>
To: freebsd-gnats-submit@freebsd.org
Cc: igor@zynaps.ru
Subject: Re: conf/7989: if we enable firewall and natd we losing connectivity after rc.firewall and before natd start
Date: Tue, 22 Sep 1998 22:00:08 -0400 (EDT)

 The following patch corrects the problem of daemons (in particular,
 ntpdate) not having early access to the network through natd.  natd
 is now invoked as the first daemon, before named and ntpdate.  As
 natd now precedes named, natd can only use host names in /etc/hosts.
 (Since most invocations of natd use no host names at all and ntpdate
 always does, this is a reasonable trade-off.)
 
 I'm of the opinion that the entire natd/named/ipfw interaction
 needs to be revamped to reduce the data passed through natd (data
 between remote systems and high-volume local ports such as SMTP
 and HTTP should not get a free trip through natd) and to allow most
 rc.firewall rules to use named (by opening the firewall early to
 port 53 and then starting named), but that would require a full
 rework of rc.firewall and rc.network, and is well beyond the scope
 of this patch...
 
 *** rc.network.old	Tue Sep 22 21:22:14 1998
 --- rc.network	Tue Sep 22 21:23:30 1998
 ***************
 *** 155,160 ****
 --- 155,166 ----
   
   network_pass2() {
       echo -n 'Doing additional network setup:'
 + 
 +     # Network Address Translation daemon
 +     if [ "X${natd_enable}" = X"YES" -a "X${natd_interface}" != X"" -a "X${firewall_enable}" = X"YES" ]; then
 +             echo -n ' natd'; natd ${natd_flags} -n ${natd_interface}
 +     fi
 + 
       if [ "X${named_enable}" = X"YES" ]; then
   	    echo -n ' named';		${named_program-"named"} ${named_flags}
       fi
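Review bot: this still starts natd in network_pass2, while the divert rule it has to serve (`$fwcmd add divert natd all from any to any via ${natd_interface}` quoted from rc.firewall in the report) is installed from network_pass1, so anything rc runs between the two passes still hits a divert rule with no listener and loses its packets; the invocation belongs immediately after rc.firewall installs the rule, which is where the closing note on this PR says 3.2-STABLE and 4.0-CURRENT put it. A second point: the guard `[ "X${natd_enable}" = X"YES" -a "X${natd_interface}" != X"" -a "X${firewall_enable}" = X"YES" ]` restates rc.firewall's own condition by hand; if the two drift apart, one side of the pair is missing and the result is either a blackholing divert rule or a natd with nothing to translate, so derive both from one check.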
 ***************
 *** 255,265 ****
       # IP multicast routing daemon
       if [ "X${mrouted_enable}" = X"YES" ]; then
   	    echo -n ' mrouted'; mrouted ${mrouted_flags}
 -     fi
 - 
 -     # Network Address Translation daemon
 -     if [ "X${natd_enable}" = X"YES" -a "X${natd_interface}" != X"" -a "X${firewall_enable}" = X"YES" ]; then
 -             echo -n ' natd'; natd ${natd_flags} -n ${natd_interface}
       fi
   
       echo '.'
 --- 261,266 ----
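Review bot: the deletion takes out the `fi` that closes the mrouted block and keeps the one that closed the natd block; the result is well-formed since the two lines are identical, but deleting the natd block together with its own `fi` instead would leave the mrouted block untouched and make this hunk read as the plain move of the lines added in the first hunk.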
State-Changed-From-To: open->closed 
State-Changed-By: ru 
State-Changed-When: Fri Jun 4 07:08:49 PDT 1999 
State-Changed-Why:  
No active development on RELENG_2_2 branch. 
3.2-STABLE and 4.0-CURRENT do not have this problem. 
``natd'' is now started right after ``ipfw'' in network_pass1(). 
>Unformatted:
