Comments embedded within...
"J.C. Roberts" wrote:
> >>I'm having some problems with my network. My outside interface is xl0
> >>and my interface for my lan is rl0. I use NAT to get my network on
> >>the net.
> >>
> >>When my ipf.rules gets loaded at boottime I get several:
> >>
> >>"bad host (xl0)
> >>can't resolve hostname: xl0"
> >>
> >>my ipf.rules is:
> >>[cut]
> >>pass in from any to any
> >>pass out from any to any
> >>pass out quick on xl0 proto udp from any to any port 21000 >< 21400
> >>pass out on xl0 proto icmp from any to any keep state
> >>
> >>block in log quick on xl0 proto tcp from any to xl0/32 port = 6000
^^^
Right there. _/
(I think)
First, from the error message, "bad host", you know we are trying to
resolve a host name (and failing). The host name it is trying to
resolve is 'xl0', it tells us that, too.
ipf is trying to interpret xl0 as a host name, not an interface. The
resolver isn't yet active, so this won't work. Not that you really
want the IP of the host on the internet called 'xl0' to be inserted
right there, anyway...
> >>[cut]
> >>
> >
[snip]
>
> I found a work around. It probably isn't the best or even correct way
> to deal with it but it works.
No, I don't think it works the way you expect...
> In the /etc/netstart file you'll find
> the following:
>
> ------------------------------------------------------------------
> # Configure the IP filter before configuring network interfaces
> if [ X"${ipfilter}" = X"YES" -a -f "${ipfilter_rules}" ]; then
> echo 'configuring IP filter'
> ipf -Fa -f ${ipfilter_rules}
> else
> ipfilter=NO
> fi
> ------------------------------------------------------------------
>
> If you _COPY_ this section to the end of the file, it runs the ipf
> initialization a second time after the "hostnames" or better said
> device names have been set up. I doubt you want to _MOVE_ the section
> to the end because then your interfaces would be unprotected as they
> initialize. You'll still see all the error messages but it will work.
>
> If there is a better way to do this, I hope someone chimes in with it
> but until then, this will work.
All you have done is squash an error message, you don't have it
working, unless you are in a situation where xl0 would happen to
resolve to your machine's address on the NIC you are after (which CAN
happen, depending upon how the resolver is set up). A (the?) proper
solution is to put the IP address of xl0 where you have xl0 in your
ipf.rules file.
Also, if you do an:
ipf -Fa -vf /etc/ipf.rules
you will get a verbose (the -v) loading of your rules, which might give
you a better idea of how things are actually being interpreted.
Nick.
--
http://www.holland-consulting.net/
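As an added example (not part of the thread above, and not OpenBSD or ipf code), the following shell snippet shows the fix Nick describes done mechanically: read the interface's own IPv4 address from ifconfig-style output and render the rule with that address, instead of writing `xl0/32` in a host position where ipf will try to resolve `xl0` as a hostname. The ifconfig output is constructed sample text standing in for `ifconfig xl0`; the helper names `iface_inet_addr`, `render_x11_block_rule` and `build_rule` are this example's own.

```shell
#!/bin/sh
# Added example, not from the original thread or from ipf/OpenBSD.
# Renders an ipf rule that needs the firewall's own address on an interface
# by extracting the address from ifconfig-style output, so the rule file
# never contains an interface name in a position ipf treats as a hostname.

# Print the first IPv4 address found in ifconfig-style text read from stdin.
# Hypothetical helper: expects an "inet A.B.C.D netmask ..." line, as
# OpenBSD's ifconfig prints it. Prints nothing if no inet line is present.
iface_inet_addr() {
    awk '$1 == "inet" { print $2; exit }'
}

# Render the rule from the thread with a real address in the destination
# host position. $1 = interface name (used only after "on"), $2 = its address.
render_x11_block_rule() {
    printf 'block in log quick on %s proto tcp from any to %s/32 port = 6000\n' "$1" "$2"
}

# Constructed sample output (not a real capture) standing in for `ifconfig xl0`.
SAMPLE_IFCONFIG='xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        address: 00:00:5e:00:53:01
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255'

# Build the rule from the sample. Fails loudly if no address was found,
# rather than emitting a rule with an empty host (ipf would reject it,
# but a silent empty substitution is the failure mode to guard against).
build_rule() {
    addr=$(printf '%s\n' "$SAMPLE_IFCONFIG" | iface_inet_addr)
    if [ -z "$addr" ]; then
        echo "no inet address found for xl0" >&2
        return 1
    fi
    render_x11_block_rule xl0 "$addr"
}

build_rule
```

On the firewall itself you would replace the sample text with the live `ifconfig xl0` output (or, since netstart runs ipf before the interfaces are configured, with the `inet addr netmask ...` line of the interface's configuration file, which the same `awk` field extraction handles), and redirect the rendered rules into the file you pass to `ipf -Fa -f`. Loading the result with `-v`, as suggested above, then shows the address rather than a hostname lookup in the parsed rule.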