    Starting ipfw without captive portal service

    rjcrowder:

      Anyone know how to start ipfw without starting the captive portal? So far I've done the following…

      /sbin/kldload ipfw                    # load the ipfw kernel module
      /sbin/kldload dummynet                # load dummynet (ipfw traffic shaping)
      $script_to_add_rules > /dev/null      # script that adds my ipfw rule set
      /sbin/sysctl net.link.ether.ipfw=1    # enable the layer-2 (ether) ipfw hook

      BUT... when I do "ipfw show" I'm not seeing any packets hitting any of my rules. I've also tried "/etc/rc.d/ipfw onestart" with the same results.

      On the other hand, if I start the captive portal, then do "ipfw -f flush" and add my rules, everything works fine and my rules see traffic! What is the captive portal startup doing differently? How can I start ipfw, add rules and see them being invoked, without enabling the captive portal?

      Thanks in advance!

      marcelloc:

        Just create a rule on the floating tab; IIRC it will enable ipfw.

        Elite Training: http://sys-squad.com

        Help a community developer! ;D

        rjcrowder:

          @marcelloc:

          Just create a rule on the floating tab; IIRC it will enable ipfw.

          I tried that (actually, I tried it again; I had already tried it last night) and still no luck… Do I have to set a specific option on the rule?

          marcelloc:

            Not working for me either. Take a look at how the captive portal enables ipfw and try to do the same in a script.


            rjcrowder:

              @marcelloc:

              Not working for me either. Take a look at how the captive portal enables ipfw and try to do the same in a script.

              First of all… thanks for looking at it. I didn't check, but I suppose the floating rules must be using PF now.

              Anyway, your suggestion is exactly where I started. I found the captive portal screen code and was looking at it... However, I must be missing something. For example, I can't figure out where it makes the startup changes. It doesn't create a script in /usr/local/etc/rc.d, so I'm trying to figure out how it gets ipfw (and any sysctl variables it sets) into the box's startup sequence. Is there a generic pfSense startup script of some kind that looks for services that are enabled? Sorry to be so ignorant on this, but any clues you could give me on where to look would be appreciated.

              Thanks again!

              marcelloc:

                Check the /etc/inc folder. Most config scripts are in .inc files.


                rjcrowder:

                  So… I did some more digging in the .inc files (thanks marcelloc) along with some comparisons of what happens when the captive portal turns on ipfw. I think I'm going to give up on this, but I thought I'd document what I found in case anyone else ever needs to know...

                  1.) pfSense has a patched version of ifconfig that allows you to add and remove a flag called IPFW_FILTER on an interface. For example, /sbin/ifconfig re1 ipfwfilter adds the flag. Not sure what the flag controls, but it seems to be necessary to see any traffic on ipfw from the interface.
                  2.) Captive portal startup does the following:
                      a - loads the ipfw kernel module
                      b - adds the IPFW_FILTER flag to the inbound interface
                      c - sets sysctl variable net.link.ether.ipfw=1
                      d - changes a couple of other sysctl variables... they are:
                            net.inet.ip.pfil.inbound="pf, ipfw*"
                            net.inet.ip.pfil.outbound="pf, ipfw*"
                      e - adds another interface called "ipfw0" (not sure what it is used for...)
                      f - starts an instance of the web server listening on 8000 (irrelevant to getting ipfw to work)

                  I thought I could get ipfw filtering to work by doing 2a through 2d... but I'm still not fully successful. Basically, I got to the point where ipfw is seeing traffic. However, it doesn't appear to be seeing any layer 2 traffic (only layer 3)... so... I've still got to be missing something that the captive portal is doing. Oh well, I've spent too much time on it already!

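The startup steps 2a through 2d documented in the post above, collected into one standalone script, plus a check for the symptom the thread opened with (rules whose packet counters never move), as an added example; this is not code from the thread or from pfSense. The IFACE and RULES_SCRIPT variables, the DRY_RUN switch and the sample `ipfw show` output are my own assumptions and constructed data; "re1" is the interface name the post used, and the rules path is a hypothetical placeholder.

```shell
#!/bin/sh
# Added example: reproduce the captive portal's ipfw startup (steps 2a-2d) and
# check whether rules are actually counting packets. Not pfSense's own code.
IFACE="${IFACE:-re1}"                                # interface used in the post
RULES_SCRIPT="${RULES_SCRIPT:-/usr/local/etc/ipfw_rules.sh}"   # hypothetical path
DRY_RUN="${DRY_RUN:-0}"       # DRY_RUN=1 prints each command instead of running it

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

load_module() {
  # 2a: load a kernel module only if kldstat does not already report it loaded
  if [ "$DRY_RUN" = "1" ] || ! /sbin/kldstat -q -m "$1"; then
    run /sbin/kldload "$1"
  fi
}

ipfw_start() {
  load_module ipfw
  load_module dummynet
  # 2b: the pfSense-patched ifconfig flag; without it the post saw no traffic
  run /sbin/ifconfig "$IFACE" ipfwfilter
  # 2c: layer-2 (ether) hook
  run /sbin/sysctl net.link.ether.ipfw=1
  # 2d: pfil hook order exactly as the post lists it; the value, including the
  # space and the trailing '*', is passed to sysctl as a single argument
  run /sbin/sysctl "net.inet.ip.pfil.inbound=pf, ipfw*"
  run /sbin/sysctl "net.inet.ip.pfil.outbound=pf, ipfw*"
  # Load the rule set last. Do not redirect its output to /dev/null as the
  # original attempt did; a rule that fails to load should be visible.
  run /bin/sh "$RULES_SCRIPT"
}

# Reads `ipfw show` output on stdin (rule number, packets, bytes, rule body)
# and prints the numbers of rules whose packet counter is non-zero. No output
# after traffic should have flowed is exactly the symptom reported in the thread.
rules_seeing_traffic() {
  awk '$2 > 0 { print $1 }'
}

# Usage (as root on the firewall):  sh ipfw_start.sh start
#        dry run:                    DRY_RUN=1 sh ipfw_start.sh start
#        verify:                     ipfw show | rules_seeing_traffic
if [ "${1:-}" = "start" ]; then
  ipfw_start
fi
```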