Date:      Tue,  2 Nov 2004 12:46:16 -0600 (CST)
From:      <lreid@a.cs.okstate.edu>
To:        freebsd-questions@freebsd.org
Subject:   ipfw/dhclient conundrum
Message-ID:  <20041102184616.880BDA0686@csa.cs.okstate.edu>


I have a circular conundrum involving the sequence of boot events that
I'm trying to solve, and I'd like to know if any other users have
found a solution to this, or what some suggestions may be.

First, I'd like to note that I've been using 4-STABLE for a while, and
I only recently started running 5-STABLE after my disk cratered. So I am
still getting used to some of the new features of the system.

The box in question uses dhclient to get an IP lease for the external
link. The box must forward LAN traffic, and have a decent amount of
protection, so ipfw, natd and dhcpd services are also enabled. The
conundrum I have is this: /etc/rc.d/ipfw needs to be run after
/etc/rc.d/dhclient. This is due to the fact that I do not have a static
IP lease, and my firewall script determines the external interface's ip
address with ifconfig. However, if /etc/rc.d/dhclient runs before
/etc/rc.d/ipfw, with the firewall at default-to-deny and no rules added
to pass dhcp autoconfigure traffic, dhclient cannot acquire a lease. But
to run the firewall script, dhclient needs to have acquired a lease so
the rules make sense. But to run dhclient, ipfw needs to have run... et
cetera ad nauseam. My interim fix is to add net.inet.ip.fw.enable=0 to
sysctl.conf and remove the requirement of ipfw from the dhclient rc
script. When rc takes off at boot time, the firewall is disabled and
dhclient runs before ipfw. When ipfw runs, it enables the firewall
sysctl and executes my firewall script, which gets sensible results
since a lease for the external interface has been acquired. But then
something screwy happens... sometime after netoptions runs (I'd include
more detail if I had it), net.inet.ip.fw.enable is set back to zero...
so my "fix" still requires operator intervention for the firewall and
address translation to be enabled. I'd like to know a more sane way of
correcting this behavior.



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20041102184616.880BDA0686>
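An added example, not from the poster and not FreeBSD's own /etc/rc.firewall: one way to break the ordering loop is a rule set that never refers to the leased address. It matches the external link by interface name (`via fxp0`) and the box's own address with ipfw's `me` keyword (any address currently configured on a local interface), and it passes the DHCP client and server ports explicitly, so the whole set can be installed before dhclient has a lease. The interface names fxp0 and xl0, the LAN layout and the open port 22 are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or from FreeBSD's rc.firewall.
# Builds an ipfw rule set for a dhclient-configured external interface
# that needs no knowledge of the leased address: rules match on the
# interface name and on ipfw's "me" keyword, so the set can be loaded
# before dhclient runs.  fxp0 (external) and xl0 (LAN) are placeholders.

EXT_IF=${EXT_IF:-fxp0}
INT_IF=${INT_IF:-xl0}

# gen_ipfw_rules EXT_IF INT_IF
# Prints one rule body per line, in order, without the "ipfw add" prefix.
# Rule order carries the security logic:
#  - the two DHCP rules (client port 68 <-> server port 67) sit before the
#    natd divert, and "allow" terminates processing, so the address-less
#    DHCPDISCOVER is never handed to natd and needs no address to match;
#  - the LAN side is unrestricted, outbound on the external link is open
#    (box traffic and NATed LAN traffic alike);
#  - inbound on the external link only ssh to "me" (whatever address the
#    lease gave us), established TCP, DNS/NTP replies and a few ICMP types;
#  - everything else is logged and dropped.
gen_ipfw_rules() {
    ext_if=$1
    int_if=$2
    cat <<EOF
allow ip from any to any via lo0
allow udp from any 68 to any 67 out via $ext_if
allow udp from any 67 to any 68 in via $ext_if
divert natd ip from any to any via $ext_if
allow ip from any to any via $int_if
allow ip from any to any out via $ext_if
allow tcp from any to me 22 in via $ext_if setup
allow tcp from any to any in via $ext_if established
allow udp from any 53 to any in via $ext_if
allow udp from any 123 to any in via $ext_if
allow icmp from any to any icmptypes 0,3,11 in via $ext_if
deny log ip from any to any
EOF
}

# apply_ipfw_rules EXT_IF INT_IF
# Flushes the live rule set and loads the generated one.  Needs root and
# ipfw(8); this is what firewall_script in rc.conf would point at.
apply_ipfw_rules() {
    ipfw -q flush
    gen_ipfw_rules "$1" "$2" | while IFS= read -r rule; do
        # $rule is deliberately unquoted: ipfw wants the body as words.
        ipfw -q add $rule
    done
}

case "${1:-}" in
    print) gen_ipfw_rules "$EXT_IF" "$INT_IF" ;;
    apply) apply_ipfw_rules "$EXT_IF" "$INT_IF" ;;
esac
```

Run it with `print` to inspect the set, or name it in rc.conf as `firewall_script` with `firewall_enable="YES"`. Because nothing in the set depends on the lease, /etc/rc.d/ipfw can keep its shipped position ahead of dhclient, the REQUIRE line in /etc/rc.d/dhclient can stay as it is, and net.inet.ip.fw.enable never has to be toggled by hand. The stateless reply rules (source ports 53 and 123, `established`) are deliberately permissive; `keep-state` tightens them, but dynamic rules and the natd divert are sensitive to relative order, so test such a change while the lease is still held rather than discovering the result at the next boot.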