Starting ipfw without captive portal service



  • Anyone know how to start ipfw without starting the captive portal? So far I've done the following…

    /sbin/kldload ipfw                      # load the ipfw kernel module
    /sbin/kldload dummynet                  # load dummynet (traffic shaping)
    $script_to_add_rules > /dev/null        # my own script that adds the rules
    /sbin/sysctl net.link.ether.ipfw=1      # pass ethernet frames through ipfw

    BUT.... when I do "ipfw show" I'm not seeing any packets to any of my rules. I've also tried "/etc/rc.d/ipfw onestart" with the same results.

    On the other hand, if I start the captive portal, then do "ipfw -f flush" and add my rules, everything works fine and my rules see traffic! What is the captive portal startup doing different? How can I start ipfw, add rules and see them being invoked - without enabling captive portal?

    Thanks in advance!



  • Just create a rule on the Floating tab; IIRC it will enable ipfw.



  • @marcelloc:

    Just create a rule on the Floating tab; IIRC it will enable ipfw.

    I tried that (actually tried it again - I had already tried it last night) and still no luck… Do I have to set a specific option on the rule?



  • It's not working for me either. Take a look at how the captive portal enables ipfw and try to do the same in a script.



  • @marcelloc:

    It's not working for me either. Take a look at how the captive portal enables ipfw and try to do the same in a script.

    First of all… thanks for looking at it. I didn't check, but I suppose the floating rules must be using PF now.

    Anyway, your suggestion is exactly where I started. I found the captive portal screen code and was looking at it... However, I must be missing something. For example, I can't figure out where it makes startup changes. It doesn't create a script in /usr/local/etc/rc.d - so I'm trying to figure out how it is getting ipfw (and any sysctl variables it sets) into the box startup sequence? Is there a generic pfsense startup script of some kind that looks for services that are enabled? Sorry to be so ignorant on this, but any clues you could give me on where to look would be appreciated.

    Thanks again!



  • Check the /etc/inc folder. Most config scripts are in .inc files.



  • So… I did some more digging in the .inc files (thanks marcelloc) along with some comparisons of what happens when the captive portal turns on ipfw. I think I'm going to give up on this, but I thought I'd document what I found in case anyone else ever needs to know...

    1.) pfsense has a patched version of ifconfig that allows you to add and remove a flag called IPFW_FILTER from an interface. For example /sbin/ifconfig re1 ipfwfilter adds the flag. Not sure what the flag controls, but it seems to be necessary to see any traffic on ipfw from the interface.
    2.) Captive portal startup does the following
        a - loads the ipfw kernel module
        b - adds the IPFW_FILTER flag to the inbound interface
        c - sets sysctl variable net.link.ether.ipfw=1
        d - changes a couple of other sysctl variables... they are:
              net.inet.ip.pfil.inbound="pf, ipfw*"
              net.inet.ip.pfil.outbound="pf, ipfw*"
        e - adds another interface called "ipfw0" (not sure what it is used for...)
        f - starts an instance of the web server listening on 8000 (irrelevant to getting ipfw to work)

    I thought I could get ipfw filtering to work by doing 2a through 2d... but I'm still not fully successful. Basically, I got to the point where ipfw is seeing traffic. However it doesn't appear that it is seeing any layer 2 traffic (only layer 3)... so... I've still got to be missing something that the captive portal is doing. Oh well - spent too much time on it already!
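The following is an added example, not pfSense's own code and not something posted in this thread. It puts the first post's manual steps and steps 2a-2d from the post above into one script, reads each setting back so a missing step shows up immediately, and adds two `count` rules (one with the `layer2` option, one without) so you can tell from `ipfw show 1000-1001` whether ipfw is seeing the layer-2 pass, the layer-3 (pfil) pass, or both. It assumes pfSense's patched ifconfig (the `ipfwfilter` keyword, shown as `IPFW_FILTER` in the flags), the sysctl names and values the poster reported, and `re1` as a sample interface; none of those are verified here beyond what the thread states.

```shell
#!/bin/sh
# Added example, not pfSense code: bring up ipfw the way the captive portal
# was observed doing it (steps 2a-2d), verify, and add two probe rules.
# Assumptions: pfSense's patched ifconfig ("ipfwfilter" flag, listed as
# IPFW_FILTER), the sysctl names/values from the post, "re1" as a sample NIC.
# Usage:  sh enable_ipfw.sh re1            (apply)
#         DRY_RUN=1 sh enable_ipfw.sh re1  (only print the commands)

DRY_RUN="${DRY_RUN:-0}"

# run CMD...: execute the command, or print it when DRY_RUN=1
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# module_loaded NAME: true if the kernel module is already loaded
# (in a dry run always false, so the full command sequence is printed)
module_loaded() {
    [ "$DRY_RUN" = 1 ] && return 1
    kldstat -q -m "$1"
}

# enable_ipfw IFACE: steps 2a-2d from the post, in that order
enable_ipfw() {
    iface="$1"
    # 2a: kernel modules
    module_loaded ipfw     || run /sbin/kldload ipfw
    module_loaded dummynet || run /sbin/kldload dummynet
    # 2b: pfSense-only interface flag; stock FreeBSD ifconfig rejects it
    run /sbin/ifconfig "$iface" ipfwfilter
    # 2c: send ethernet frames through ipfw (the layer-2 pass)
    run /sbin/sysctl net.link.ether.ipfw=1
    # 2d: pfil hook order, as reported in the post
    run /sbin/sysctl "net.inet.ip.pfil.inbound=pf, ipfw*"
    run /sbin/sysctl "net.inet.ip.pfil.outbound=pf, ipfw*"
}

# verify_ipfw IFACE: read the settings back; non-zero exit on any mismatch
verify_ipfw() {
    iface="$1" rc=0
    [ "$(sysctl -n net.link.ether.ipfw)" = 1 ] \
        || { echo "net.link.ether.ipfw is not 1"; rc=1; }
    case "$(sysctl -n net.inet.ip.pfil.inbound)" in
        *ipfw*) ;;
        *) echo "ipfw missing from net.inet.ip.pfil.inbound"; rc=1 ;;
    esac
    ifconfig "$iface" | grep -q IPFW_FILTER \
        || { echo "$iface lacks IPFW_FILTER (assumed flag name)"; rc=1; }
    return $rc
}

# add_probe_rules IFACE: rule 1000 matches in both passes, rule 1001 only in
# the layer-2 pass.  If 1000 climbs while 1001 stays at 0, only the pfil
# (layer-3) pass is reaching ipfw, which is the symptom described above.
add_probe_rules() {
    iface="$1"
    run /sbin/ipfw -q add 1000 count ip from any to any in via "$iface"
    run /sbin/ipfw -q add 1001 count ip from any to any in via "$iface" layer2
}

if [ $# -gt 0 ]; then
    enable_ipfw "$1"
    [ "$DRY_RUN" = 1 ] || verify_ipfw "$1"
    add_probe_rules "$1"
fi
```

Run it once with `DRY_RUN=1` to see exactly what will be executed, then without to apply; afterwards watch `ipfw show 1000-1001` while traffic crosses the interface, and remove the probe rules with `ipfw delete 1000 1001` when done.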

