From: Gavin Atkinson
To: Ian FREISLICH
Cc: FreeBSD Current
Subject: Re: [patch] move ipfw logging to after syslogd
Date: Wed, 11 Apr 2007 15:28:51 +0100
Message-Id: <1176301731.22464.7.camel@buffy.york.ac.uk>

On Wed, 2007-04-11 at 15:49 +0200, Ian FREISLICH wrote:
> Hi
>
> We have a problem that on our busy firewalls, a boot and shutdown
> can be delayed by up to 20 minutes by the kernel printing log
> messages for denied packets to the console. The problem is that
> most kernel activity appears to be suspended by outputting ipfw
> logged messages via the serial console (but not even the video
> console keeps up). The kernel doesn't even respond to a serial
> break.

I wonder if a better fix is to ensure syslogd is started before bringing up the network? That way, you won't need this, as before IP addresses are configured, you shouldn't get hit by anything. Of course, this would be an issue for when syslog is set to log remotely, unless that already has some "caching" mechanism to prevent messages being thrown away.

> if [ -r "${firewall_script}" ]; then > if [ -f /etc/rc.d/natd ] ; then > /etc/rc.d/natd start > fi > - /bin/sh "${firewall_script}" > + . "${firewall_script}" > echo 'Firewall rules loaded.' > elif [ "`ipfw list 65535`" = "65535 deny ip from any to any" ]; then > echo 'Warning: kernel has firewall functionality, but' \ 
> @@ -34,13 +40,6 @@ > echo ' All ip services are disabled.' > fi >

Be careful, it looks like this unintentionally backs out the 1.15 change.

Gavin
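
Review bot: The switch from /bin/sh "${firewall_script}" to . "${firewall_script}" in the first hunk is unrelated to moving ipfw logging after syslogd and changes how the rules script runs: sourced into the rc.d script's own shell, an exit or fatal shell error inside the rules script ends the rc.d script before echo 'Firewall rules loaded.' is reached, and any variables or shell options the rules script sets carry over into the rest of the rc.d script. Keep the /bin/sh invocation in this patch, or, if sourcing is intended, split it into its own change with the reason stated in the commit message.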