Date: Mon, 9 Feb 2004 20:23:47 +1100
From: Peter Jeremy <peterjeremy@optushome.com.au>
To: "Gogh, Ruben van" <R.v.Gogh@kappe-int.com>
Cc: "'freebsd-security@freebsd.org'" <freebsd-security@freebsd.org>
Subject: Re: IPFIREWALL_DEFAULT_TO_ACCEPT becomes default to deny
Message-ID: <20040209092347.GA43158@server.vk2pj.dyndns.org>
In-Reply-To: <0FDD52D38220D611B7CC0004763B3744F80826@HNTS-04>
References: <0FDD52D38220D611B7CC0004763B3744F80826@HNTS-04>

On Mon, Feb 09, 2004 at 08:32:36AM +0100, Gogh, Ruben van wrote:
>Last Friday I upgraded to 4.8-RELEASE-p15. As usual I set IPFIREWALL to
>default accept in my kernel config file.
>config & make weren't complaining so, installed the kernel, reboot and there
>it was:
>>IP packet filtering initialized, divert disabled, rule-based forwarding
>enabled, default to deny, logging disabled
>Output of ipfw show:
>65535 0 0 deny ip from any to any

This means IPFIREWALL_DEFAULT_TO_ACCEPT is not defined when
/sys/netinet/ip_fw.c is compiled.

Do you have "options INCLUDE_CONFIG_FILE"? If so, does
"options IPFIREWALL_DEFAULT_TO_ACCEPT" show up in your kernel?

Does /usr/obj/usr/src/sys/<<KERNELNAME>>/opt_ipfw.h or
/sys/compile/<<KERNELNAME>>/opt_ipfw.h include the lines:
#define IPFIREWALL 1
#define IPFIREWALL_DEFAULT_TO_ACCEPT 1

Does the kernelname in your dmesg.boot match your expected config?

Have you wiped /usr/obj[/usr/src/sys/<<KERNELNAME>>] or /sys/compile
and re-built the kernel?

Have you tried wiping /usr/src[/sys], re-extracting/cvsuping and
re-building?

>THERE are no such things as settings in rc.conf like firewall_type="closed"
>or whatsoever. When I boot up with the older kernel it use default to
>accept...

What version is this kernel?

>I triple checked the config file for the right settings. And, as I did
>config && make depend && make install the system
>wasn't complaining about a thing.

I gather from this that you are using the "old" kernel build strategy.
You are aware that this is missing a step: Neither "make depend" nor
"make install" actually compiles the kernel. You need to do a "make"
in between.

Peter

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040209092347.GA43158>
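
Added example, not part of the original message: a POSIX shell check of the comparison asked for above, namely whether the options set in the kernel config file show up as defines in the generated opt_ipfw.h. The function names, the MYKERNEL file name and the sample files are assumptions constructed for illustration; only the two options named in the message are checked.

```shell
#!/bin/sh
# Added example: compare a kernel config file with the generated opt_ipfw.h.

# has_option CONFIG NAME: true if an uncommented "options NAME" line exists.
has_option() {
    grep -Eq "^[[:space:]]*options[[:space:]]+$2([[:space:]=#]|\$)" "$1"
}

# has_define HEADER NAME: true if the header contains "#define NAME 1".
has_define() {
    grep -Eq "^#define[[:space:]]+$2[[:space:]]+1[[:space:]]*\$" "$1"
}

# check_ipfw_opts CONFIG HEADER
# Returns 0 when every checked option set in CONFIG is defined in HEADER,
# 1 when one is missing (the kernel would then be built "default to deny"
# despite the config), 2 when an input file cannot be read.
check_ipfw_opts() {
    config=$1 header=$2 rc=0
    [ -r "$config" ] && [ -r "$header" ] || { echo "cannot read input" >&2; return 2; }
    for opt in IPFIREWALL IPFIREWALL_DEFAULT_TO_ACCEPT; do
        if ! has_option "$config" "$opt"; then
            echo "$opt: not set in config"
        elif has_define "$header" "$opt"; then
            echo "$opt: config=yes header=yes"
        else
            echo "$opt: config=yes header=NO (stale or wrong build directory)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample input: a config that sets both options and a header
# in which only IPFIREWALL was generated.
make_sample() {
    printf 'options\tIPFIREWALL\noptions\tIPFIREWALL_DEFAULT_TO_ACCEPT\t#allow all\n' > "$1/MYKERNEL"
    printf '#define IPFIREWALL 1\n' > "$1/opt_ipfw.h"
}

tmp=$(mktemp -d) && make_sample "$tmp"
check_ipfw_opts "$tmp/MYKERNEL" "$tmp/opt_ipfw.h" || echo "mismatch found"
rm -rf "$tmp"
```

On a real system the two arguments would be the kernel config file and the opt_ipfw.h under whichever of the two build directories named in the message is in use.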