From pirat@access.inet.co.th  Sun Jan 25 00:02:02 2004
Message-Id: <20040125080324.GA24182@thai-aec.org>
Date: Sun, 25 Jan 2004 15:03:24 +0700
From: pirat <pirat@access.inet.co.th>
To: FreeBSD-gnats-submit@freebsd.org
Subject: adding IPFW2 support to dial-up firewall for 4.x users

>Number:         61873
>Category:       docs
>Synopsis:       adding IPFW2 support to dial-up firewall for 4.x users
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    josef
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Jan 25 00:10:10 PST 2004
>Closed-Date:    Sun Jan 25 13:55:09 PST 2004
>Last-Modified:  Sun Jan 25 13:55:09 PST 2004
>Originator:     User &
>Release:        FreeBSD 4.9-STABLE i386
>Organization:
>Environment:
System: FreeBSD firak.thai-aec.org 4.9-STABLE FreeBSD 4.9-STABLE #4: Sun Jan 25 10:40:47 ICT 2004 root@firak.thai-aec.org:/var/obj/usr/src/sys/Firak i386

>Description:
The document only informs 4.x users to add ipfw2 support to the kernel.
man ipfw explains that world needs to change also in order to use ipfw2.
A few days ago, I added options IPFW2 to my kernel and rebuilt.
ipfw show produces a core and I cannot use any X applications such as
galeon or mozilla.  My instincts tell me that I need to read the manpage
of ipfw, and there, under section USING IPFW2 IN FreeBSD-STABLE, the
first paragraph says
     ipfw2 is standard in FreeBSD CURRENT, whereas FreeBSD STABLE still uses
     ipfw1 unless the kernel is compiled with options IPFW2, and /sbin/ipfw
     and /usr/lib/libalias are recompiled with -DIPFW2 and reinstalled (the
     same effect can be achieved by adding IPFW2=TRUE to /etc/make.conf before
     a buildworld).

I do not want anyone else to repeat my errors.
Sorry for my poor English.
>How-To-Repeat:
>Fix:


--- add-ipfw2 begins here ---
--- article.sgml.orig   Sun Jan 25 12:47:42 2004
+++ article.sgml        Sun Jan 25 14:03:42 2004
@@ -77,9 +77,11 @@
          <note><para>This document assumes that you are running
            &os; 5.X. Users running &os; 4.X will need to
            recompile their kernels with <emphasis>IPFW2</emphasis>
-           support.  &os; 4.X users should consult the &man.ipfw.8;
-           manual page for more information on using IPFW2 on their
-           systems.</para></note>
+           support and rebuild world with <emphasis>IPFW2</emphasis> support by
 setting</para>
+
+            <programlisting>IPFW2=TRUE</programlisting>
+            <para> in <filename>/etc/make.conf</filename>.  &os; 4.X users shou
ld consult the &man.ipfw.8; manual page for more information on
+            using IPFW2 on their systems.</para></note>
        </listitem>
       </varlistentry>

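Review bot: The added markup closes the paragraph in mid-sentence at "setting</para>" and then opens a new <para> that begins with " in <filename>/etc/make.conf</filename>", so the rendered note reads as two sentence fragments around the listing. Keep the sentence whole, for example "... and rebuild world after adding IPFW2=TRUE to /etc/make.conf", and put any <programlisting> after a complete sentence. Two of the added lines also arrived wrapped ("by" / " setting</para>" and "shou" / "ld"), so the patch will not apply as sent; resend it as an attachment.
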
--- add-ipfw2 ends here ---

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-doc->josef 
Responsible-Changed-By: josef 
Responsible-Changed-When: Sun Jan 25 03:48:57 PST 2004 
Responsible-Changed-Why:  
I'll handle this one. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=61873 

From: Marc Silver <marcs@draenor.org>
To: freebsd-gnats-submit@FreeBSD.org, pirat@access.inet.co.th
Cc:  
Subject: Re: docs/61873: adding IPFW2 support to dial-up firewall for 4.x users
Date: Sun, 25 Jan 2004 19:09:20 +0000

 Hi there,
 
 I believe the problem was caused because you didn't correctly read the
 ipfw(8) manual page.  The man page clearly states what is required
 in order to get IPFW2 working on -STABLE systems:
 
 	ipfw2 is standard in FreeBSD CURRENT, whereas FreeBSD STABLE
 	still uses ipfw1 unless the kernel is compiled with options
 	IPFW2, and /sbin/ipfw and /usr/lib/libalias are recompiled with
 	-DIPFW2 and reinstalled (the same effect can be achieved by
 	adding IPFW2=TRUE to /etc/make.conf before a buildworld).
 
 That said, perhaps the article should point users to the relevant
 section of the man page.  I've attached a patch to do just that, as well
 as a slight amendment of the ruleset, as per suggestions from the
 freebsd-ipfw lists.
 
 Cheers,
 Marc
 
 --BwCQnh7xodEAoBMC
 Content-Type: text/plain; charset=us-ascii
 Content-Disposition: attachment; filename="dialup-firewall.patch"
 
 --- article.sgml-orig	Sun Jan 25 14:21:09 2004
 +++ article.sgml	Sun Jan 25 14:34:36 2004
 @@ -79,7 +79,9 @@
  	    recompile their kernels with <emphasis>IPFW2</emphasis>
  	    support.  &os; 4.X users should consult the &man.ipfw.8;
  	    manual page for more information on using IPFW2 on their
 -	    systems.</para></note>
 +	    systems, and should pay particular attention to the
 +	    <emphasis>USING IPFW2 IN FreeBSD-STABLE</emphasis> 
 +	    section.</para></note>
  	</listitem>
        </varlistentry>
  
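Review bot: Pointing at the "USING IPFW2 IN FreeBSD-STABLE" section still leaves out the step the submitter missed: the note names only the kernel recompile, while the section quoted in this PR also requires /sbin/ipfw and /usr/lib/libalias to be rebuilt with IPFW2 (IPFW2=TRUE in /etc/make.conf before a buildworld). Consider stating that requirement in the note itself and keeping the man page pointer as the reference. The added "<emphasis>USING IPFW2 IN FreeBSD-STABLE</emphasis> " line also ends in trailing whitespace.
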
 @@ -183,14 +185,32 @@
  # defaults to tun0.
  oif="tun0"
  
 +# Define our inside interface.  This is usually your network
 +# card.  Be sure to change this to match your own network 
 +# interface.
 +iif="fxp0"
 +
  # Force a flushing of the current rules before we reload.
  $fwcmd -f flush
  
 -# Allow all connections that we initiate, and keep their state,
 -# but deny established connections that don't have a dynamic rule.
 +# Check the state of all packets.
  $fwcmd add check-state
 +
 +# Stop spoofing on the outside interface.
 +$fwcmd add deny ip from any to any in via $oif not verrevpath
 +
 +# Allow all connections that we initiate, and keep their state.
 +# but deny established connections that don't have a dynamic rule.
  $fwcmd add allow ip from me to any out via $oif keep-state
  $fwcmd add deny tcp from any to any established in via $oif
 +
 +# Allow all connections within our network.
 +$fwcmd add allow ip from any to any via $iif
 +
 +# Allow all local traffic.
 +$fwcmd add allow all from any to any via lo0
 +$fwcmd add deny all from any to 127.0.0.0/8
 +$fwcmd add deny ip from 127.0.0.0/8 to any
  
  # Allow internet users to connect to the port 22 and 80.
  # This example specifically allows connections to the sshd and a
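Review bot: The loopback rules at the end of the added block sit below "allow ip from me to any out via $oif keep-state" and "allow ip from any to any via $iif", and ipfw stops at the first matching rule, so a packet seen on $iif with a 127.0.0.0/8 source or destination is accepted before the two loopback deny rules are evaluated. Move the lo0 allow and both 127.0.0.0/8 denies up to directly after the flush, ahead of check-state. In the moved comment, "keep their state." now ends with a period while the next line continues the sentence with "but deny ..."; restore the comma. The added "# card.  Be sure to change this to match your own network " line has trailing whitespace.
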
 
 --BwCQnh7xodEAoBMC--
State-Changed-From-To: open->closed 
State-Changed-By: josef 
State-Changed-When: Sun Jan 25 13:54:49 PST 2004 
State-Changed-Why:  
Committed maintainer's patch. Thanks. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=61873 
>Unformatted:
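
The mismatch described in this report (kernel built with options IPFW2, world built without it) can be caught before rebuilding by comparing the two configuration files. The script below is an added example, not part of the PR or of FreeBSD; the function names are hypothetical, both file paths are supplied by the caller, and it inspects configuration only, not the installed /sbin/ipfw or libalias.

```shell
#!/bin/sh
# Added example: report whether a kernel config and a make.conf agree on IPFW2.
# All function names are illustrative; file paths come from the caller.

# True if FILE has an uncommented "options IPFW2" line (spaces or tabs).
has_kernel_ipfw2() {
    grep -Eq '^[[:space:]]*options[[:space:]]+IPFW2([[:space:]]|#|$)' "$1"
}

# True if FILE has an uncommented IPFW2= assignment.
has_world_ipfw2() {
    grep -Eq '^[[:space:]]*IPFW2[[:space:]]*=' "$1"
}

# ipfw2_state KERNCONF MAKECONF prints one of:
#   ipfw1     neither side enables IPFW2
#   ipfw2     kernel and world both enable IPFW2
#   mismatch  only one side does (the state described in this report)
ipfw2_state() {
    k=no; w=no
    has_kernel_ipfw2 "$1" && k=yes
    [ -f "$2" ] && has_world_ipfw2 "$2" && w=yes
    case "$k$w" in
        yesyes) echo ipfw2 ;;
        nono)   echo ipfw1 ;;
        *)      echo mismatch ;;
    esac
}

# Constructed sample: kernel config gained IPFW2, make.conf left commented out.
demo() {
    d=$(mktemp -d) || return 1
    printf 'options IPFIREWALL\noptions IPFW2\n' > "$d/KERNCONF"
    printf '#IPFW2=TRUE\n' > "$d/make.conf"
    ipfw2_state "$d/KERNCONF" "$d/make.conf"
    rm -rf "$d"
}

# With two path arguments, classify them; with none, run the constructed sample.
if [ $# -eq 2 ]; then ipfw2_state "$1" "$2"; else demo; fi
```

A result of "mismatch" means the ipfw binary and the kernel would disagree on the rule format after the rebuild, so the ruleset should not be reloaded until both sides are built the same way.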
