oldefortran (l33t)
Joined: 28 Feb 2004 Posts: 652
Posted: Tue Jun 29, 2004 1:17 pm Post subject: what happened to ipforwarding?
Hello.
When I just installed the latest iptables ebuild, I noticed that there were some changes in the config files.
It seems like ipforwarding is disappearing. Can someone explain why?
The diffs are here below:
------------------------------------------
diff ._cfg0000_iptables iptables
0a1
>
4a6,9
> # Change to "yes" to enable forwarding support in the kernel. Please
> # note that this will override any setting placed in /etc/sysctl.conf.
> ENABLE_FORWARDING_IPv4="no"
>
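Review bot: ENABLE_FORWARDING_IPv4 is being removed by this update, not added. `diff ._cfg0000_iptables iptables` puts the new file (the pending ._cfg0000_ copy) on the `<` side and the installed old file on the `>` side, so every `>` line in this hunk is what disappears. The old comment itself documents the problem it was causing ("this will override any setting placed in /etc/sysctl.conf"), which justifies dropping it, but the hunk leaves no pointer in conf.d to where forwarding is now meant to be set; the only hint an admin gets is the postinst message quoted later in the thread. A one-line comment in conf.d naming sysctl.conf or local.start as the new home would avoid exactly the confusion this thread is about.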
root@haha conf.d # cd ..
root@haha etc # cd init.d/
root@haha init.d # diff ._cfg0000_iptables iptables
2,4c2,5
< # Copyright 1999-2004 Gentoo Technologies, Inc.
< # Distributed under the terms of the GNU General Public License v2
< # $Header: /var/cvsroot/gentoo-x86/net-firewall/iptables/files/iptables-1.2.9-r1.init,v 1.1 2004/04/25 16:30:36 aliz Exp $
---
> # Copyright 1999-2003 Gentoo Technologies, Inc.
> # Distributed under the terms of the GNU General Public License, v2 or
> # later
> # $Header: /home/cvsroot/gentoo-x86/net-firewall/iptables/files/iptables.init,v 1.3 2004/01/26 10:40:42 aliz Exp $
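Review bot: the header rewrite changes the license statement, not just the year and $Header$ revision. The old file says "GNU General Public License, v2 or later"; the new one says "GNU General Public License v2" with the "or later" gone. That is a substantive relicensing of the script and should be called out on its own rather than slipped in with a copyright refresh. The $Header$ dates (2004/04/25 on the `<` side versus 2004/01/26 on the `>` side) also confirm that `<` is the newer file, so the forwarding hunks below read as removals.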
9,10c10
< before net
< need logger
---
> need logger net
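Review bot: `before net` plus `need logger` replaces `need logger net`, which reverses the ordering: the new script restores the rule set before the interfaces are brought up instead of after them. For a firewall that is the right direction (no window in which interfaces are up with an empty rule set), but it is an undocumented behavioural change and nothing in the header hunk mentions it. It also means that anything this script used to do at start that assumed the interfaces already existed would now run too early; the forwarding block removed in the next hunk is the only such code in the visible diff, and the `all/forwarding` knob does not depend on interface state, so the ordering flip is safe as shown.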
26c26,32
< /sbin/iptables-restore ${SAVE_RESTORE_OPTIONS} < ${IPTABLES_SAVE}
---
> /sbin/iptables-restore ${SAVE_RESTORE_OPTIONS} < ${IPTABLES_SAVE}
>
> if [ "${ENABLE_FORWARDING_IPv4}" = "yes" ] ; then
> einfo "Enabling forwarding for ipv4"
> echo "1" > /proc/sys/net/ipv4/conf/all/forwarding
> fi
>
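Review bot: with the `if [ "${ENABLE_FORWARDING_IPv4}" = "yes" ]` block gone, start() no longer touches /proc/sys/net/ipv4/conf/all/forwarding at all, so an admin who had ENABLE_FORWARDING_IPv4="yes" in conf.d gets forwarding switched off at the next reboot with no message from the script; that is exactly what the later posts in this thread report. Two smaller points on the removed code, should it ever come back: it wrote the proc file without the `-f` existence test that the stop-side block in the next hunk has, and it handled IPv4 only, with no counterpart for /proc/sys/net/ipv6/conf/all/forwarding.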
31a38,42
> # set sane defaults that disable forwarding
> if [ -f /proc/sys/net/ipv4/conf/all/forwarding ] ; then
> echo "0" > /proc/sys/net/ipv4/conf/all/forwarding
> fi
>
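Review bot: removing the stop-side `echo "0" > /proc/sys/net/ipv4/conf/all/forwarding` changes what `/etc/init.d/iptables stop` means on a router. Previously stopping the firewall also stopped the box forwarding; now the knob keeps whatever sysctl.conf or local.start set, so a host that routes goes on routing after its rule set has been torn down. That is the hunk an admin running this as a gateway most needs to know about, and it deserves a sentence in the conf.d comments or in the postinst message alongside the local.start advice.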
35c46
<
---
> |
db_404 (Guru)
Joined: 05 Dec 2002 Posts: 336
Posted: Tue Jun 29, 2004 3:40 pm
I would assume it's defaulted to off for security reasons. After all, many people run a firewall without needing forwarding (e.g. a directly connected box). Defaulting to off is more in keeping with the 'secure by default' philosophy - that way you have to turn it on, and should therefore be aware of any security implications.
DooMi (Tux's lil' helper)
Joined: 03 May 2004 Posts: 103 Location: /dev/null
Posted: Tue Jun 29, 2004 4:27 pm
Code:
```bash
pkg_postinst() {
	einfo "This package now includes an initscript which loads and saves"
	einfo "rules stored in /var/lib/iptables/rules-save"
	use ipv6 >/dev/null && einfo "and /var/lib/ip6tables/rules-save"
	einfo "This location can be changed in /etc/conf.d/iptables"
	einfo ""
	einfo "If you are using the iptables initscript you should save your"
	einfo "rules using the new iptables version before rebooting."
	einfo ""
	einfo "If you are upgrading to a >=2.4.21 kernel you may need to rebuild"
	einfo "iptables."
	einfo ""
	ewarn "!!! ipforwarding is now not a part of the iptables initscripts."
	einfo "Until a more permanent solution is implemented adding the following"
	einfo "to /etc/conf.d/local.start will enable ipforwarding at bootup:"
	einfo "    echo \"1\" > /proc/sys/net/ipv4/conf/all/forwarding"
	if useq ipv6; then
		einfo "and/or"
		einfo "    echo \"1\" > /proc/sys/net/ipv6/conf/all/forwarding"
		einfo "for ipv6."
	fi
}
```
you should read the output at the end of an emerge ;)
_________________
cyrex ~ # ./vpenis
--- Weeee! Congrats! Your VPenis is actually 356.8 cm long ---
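The local.start line in the ebuild message above writes a 1 unconditionally. As an added example (not from the thread, the ebuild or Gentoo's own init scripts), here is a small POSIX sh helper that does the same only after checking that the FORWARD chain has a DROP policy, so the box cannot start routing with nothing filtering it. The sysctl path and the `iptables -L FORWARD -n` listing are passed as arguments, and the two sample listings are constructed here, so the logic can be tried without root; the function names are my own.

```shell
#!/bin/sh
# Added example for this thread, not code from the ebuild or from Gentoo's
# iptables init script. Enables IPv4 forwarding from local.start only when
# the FORWARD chain has a DROP policy, so the host never routes packets
# with nothing filtering them. The sysctl path and the rule listing are
# arguments, so the decision can be exercised without root.

# Constructed sample output of `iptables -L FORWARD -n` (not captured from
# any box in the thread): one open chain, one that filters.
OPEN_FORWARD='Chain FORWARD (policy ACCEPT)
target     prot opt source               destination'
FILTERED_FORWARD='Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  192.168.1.0/24       0.0.0.0/0'

# forward_policy_ok LISTING
#   Succeeds only if the first line of LISTING reports a DROP policy.
forward_policy_ok() {
	printf '%s\n' "$1" | head -n 1 | grep -q '^Chain FORWARD (policy DROP)'
}

# forwarding_state SYSCTL_FILE
#   Prints the current value of the forwarding knob (0 or 1).
forwarding_state() {
	cat "$1"
}

# enable_forwarding SYSCTL_FILE LISTING
#   Writes 1 to SYSCTL_FILE when LISTING shows a DROP policy; otherwise
#   leaves the file untouched and returns 1.
enable_forwarding() {
	if ! forward_policy_ok "$2"; then
		echo "enable_forwarding: FORWARD policy is not DROP, refusing to enable forwarding" >&2
		return 1
	fi
	echo 1 > "$1"
}

# demo: run both samples against a scratch file instead of /proc, report
# what happened, and print the final value of the scratch knob last.
demo() {
	knob=$(mktemp) || return 1
	echo 0 > "$knob"
	enable_forwarding "$knob" "$OPEN_FORWARD" || echo "open chain: left at $(forwarding_state "$knob")"
	enable_forwarding "$knob" "$FILTERED_FORWARD" && echo "filtered chain: now $(forwarding_state "$knob")"
	forwarding_state "$knob"
	rm -f "$knob"
}

# On the real box, from /etc/conf.d/local.start (root required):
#   enable_forwarding /proc/sys/net/ipv4/conf/all/forwarding "$(/sbin/iptables -L FORWARD -n)"
```

The same function covers IPv6 with /proc/sys/net/ipv6/conf/all/forwarding and `ip6tables -L FORWARD -n`. One caveat that the diff in the first post makes visible: the new init script's stop() no longer writes 0 to the forwarding knob, so a value set from local.start survives `/etc/init.d/iptables stop` and the box keeps routing with whatever rules stop() leaves behind; if that matters, put a matching `echo 0` in /etc/conf.d/local.stop or in whatever wrapper you use to stop the firewall.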
oldefortran (l33t)
Joined: 28 Feb 2004 Posts: 652
Posted: Tue Jun 29, 2004 5:26 pm
DooMi wrote:
> you should read the output at the end of an emerge ;)

Yes, I certainly should, but I usually just
emerge -uDv looooong list of packages
and then switch to something more fun (like playing angband) instead of watching all the messages.
beandog (Bodhisattva)
Joined: 04 May 2003 Posts: 2072 Location: /usa/utah
Posted: Wed Jun 30, 2004 2:17 am
Would the ip forwarding being off be the reason that suddenly my box doesn't act as a router anymore?
_________________
If it ain't broke, tweak it. dvds | blurays | blog | wiki
Lajasha (Veteran)
Joined: 17 Mar 2004 Posts: 1040 Location: Vibe Central
Posted: Wed Jun 30, 2004 2:40 am
sdibb wrote:
> Would the ip forwarding being off be the reason that suddenly my box doesn't act as a router anymore?

*Shakes the magic 8-ball
_________________
Come and play in my land
beandog (Bodhisattva)
Joined: 04 May 2003 Posts: 2072 Location: /usa/utah
Posted: Wed Jun 30, 2004 5:14 am
What I don't understand (among a great many things) is this:
I even edited that little proc setting the ebuild said to change, and it still didn't work... so I fired up my old firewall[1] and that one worked fine. I ran iptables-save > /var/lib/iptables/rules-save and restarted /etc/init.d/iptables and it still wouldn't work. The iptables -L showed the *same* output between the two, but it would work with the other firewall 100% of the time, and never with just iptables alone.
Weerd.
[1] http://projectfiles.com/firewall/
_________________
If it ain't broke, tweak it. dvds | blurays | blog | wiki
beandog (Bodhisattva)
Joined: 04 May 2003 Posts: 2072 Location: /usa/utah
Posted: Wed Jun 30, 2004 5:17 am
Ok, never mind, I'm a halfwit.
I saw another post that mentioned someone installed the 2.6.7 linux-headers. So I did that, and now it's working.
Coolies.
_________________
If it ain't broke, tweak it. dvds | blurays | blog | wiki