Date:      Tue, 4 Dec 2001 12:21:12 +0000
From:      Neil Darlow <neil@darlow.co.uk>
To:        freebsd-questions@freebsd.org
Subject:   ipfw rules lost
Message-ID:  <200112041221.fB4CLDM01931@router.darlow.co.uk>

Hi,

I am running FreeBSD-4.4-RELENG as a cable router/firewall using ipfw and the 
simple ruleset.

This morning when attempting to log in remotely via SSH I was locked out. 
Attaching a console and examining /var/log/messages showed the following 
messages:

Dec  4 05:38:20 router natd[273]: failed to write packet back (No route to host)
Dec  4 05:38:22 router natd[273]: failed to write packet back (No route to host)
Dec  4 05:38:22 router dhclient: New IP Address(rl0): 213.107.35.101
Dec  4 05:38:22 router dhclient: New Subnet Mask (rl0): 255.255.255.0
Dec  4 05:38:22 router dhclient: New Broadcast Address(rl0): 255.255.255.255
Dec  4 05:38:22 router dhclient: New Routers: 213.107.35.254
Dec  4 05:51:12 router ntpd[299]: sendto(130.159.196.118): Permission denied
Dec  4 07:38:22 router dhclient: send_packet: Permission denied

I use the simple ruleset of /etc/rc.firewall with overridden interface 
arguments provided by a dhclient-exit-hooks script. The override file had 
been updated at 05:38:22 and its contents were as follows:

# Sourced by /etc/rc.firewall (simple)
oif=rl0
onet=213.107.35.0
omask=255.255.255.0
oip=213.107.35.101

Moving on, I decided to list the current contents of the ipfw ruleset and was 
surprised to see the following:

00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
65535 deny ip from any to any

This looks like the closed ruleset in /etc/rc.firewall. So for some reason 
the simple ruleset had been replaced by the closed ruleset. My 
dhclient-exit-hooks script contains the following logic to update the ipfw 
rules:

# Derive the network address from the dhclient-supplied new_ip_address and
# new_subnet_mask. The copies are declared local so the originals, which
# output_new_settings() still needs, are not modified (FreeBSD sh local
# inherits the surrounding value).
create_new_network() {
    local new_ip_address new_subnet_mask
    unset new_network

    # For every trailing ".0" octet of the mask, drop one octet from the
    # address and append ".0" to the network being built.
    while [ "${new_subnet_mask%.0}" != "$new_subnet_mask" ]
    do
        new_ip_address=${new_ip_address%.*}
        new_subnet_mask=${new_subnet_mask%.0}
        new_network=$new_network.0
    done

    # Join the surviving address octets with the zero octets, then tidy up
    # the leading dot and the all-ones (255.255.255.255) host-mask case.
    new_network=$new_ip_address$new_network
    new_network=${new_network#.}
    new_network=${new_network%.255.255.255.255}
}

# Write the variables that /etc/rc.firewall (simple) sources as overrides.
output_new_settings() {
    echo "# Sourced by /etc/rc.firewall (simple)" > /var/db/dhclient.override
    echo "oif=$interface" >> /var/db/dhclient.override
    echo "onet=$new_network" >> /var/db/dhclient.override
    echo "omask=$new_subnet_mask" >> /var/db/dhclient.override
    echo "oip=$new_ip_address" >> /var/db/dhclient.override
}

# $reason is set by dhclient-script; reload the ruleset on a new lease, or on
# a renewal only when the address or mask actually changed.
case "$reason" in
    BOUND|REBOOT)
        create_new_network
        output_new_settings
        . /etc/rc.firewall
        ;;
    REBIND|RENEW)
        if [ "$new_ip_address" != "$old_ip_address" -o \
             "$new_subnet_mask" != "$old_subnet_mask" ]
        then
            create_new_network
            output_new_settings
            . /etc/rc.firewall
        fi
        ;;
    *)
        ;;
esac

This scheme has been working ok until today and I have tested it across IP 
address changes. Can anyone suggest where I might be going wrong or what 
might have caused this unexpected failure?

Regards,
Neil Darlow M.Sc.
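The following is an added example, not part of Neil's post or of the FreeBSD scripts he quotes. It generalises the network computation above: the string-stripping loop only handles masks that end in whole ".0" octets, whereas masking each octet arithmetically also covers prefixes such as 255.255.255.192 and rejects non-contiguous masks before they reach the firewall. It also adds a post-reload sanity check that reads `ipfw list` output (here a constructed sample copied from the listing in the post) and reports when only the three loopback rules plus the 65535 default deny remain, which is the state that locked the author out. The function and file names (network_for, prefix_len, write_override, ruleset_is_bare, the temporary path) are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes a POSIX sh with
# arithmetic expansion (FreeBSD sh, dash and bash all qualify).

# network_for IP MASK -> prints the dotted-quad network address (IP AND MASK).
network_for() {
    nf_oldifs=$IFS; IFS=.
    set -- $1 $2          # splits both arguments into eight octets
    IFS=$nf_oldifs
    printf '%d.%d.%d.%d\n' $(($1 & $5)) $(($2 & $6)) $(($3 & $7)) $(($4 & $8))
}

# prefix_len MASK -> prints the CIDR prefix length; returns 1 when the mask
# is not a contiguous run of ones (e.g. 255.0.255.0), which no sane ruleset
# should ever be built from.
prefix_len() {
    pl_oldifs=$IFS; IFS=.
    set -- $1
    IFS=$pl_oldifs
    pl_bits=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    pl_n=0
    while [ $(( pl_bits & 0x80000000 )) -ne 0 ]; do
        pl_n=$((pl_n + 1))
        pl_bits=$(( (pl_bits << 1) & 0xFFFFFFFF ))
    done
    [ "$pl_bits" -eq 0 ] || return 1   # ones remained after a zero: invalid
    echo "$pl_n"
}

# write_override FILE IFACE IP MASK -> writes the oif/onet/omask/oip file in
# the format the post shows, refusing (exit 1) a non-contiguous mask so that
# a bad lease cannot produce a nonsensical "simple" ruleset.
write_override() {
    wo_file=$1; wo_if=$2; wo_ip=$3; wo_mask=$4
    prefix_len "$wo_mask" >/dev/null || return 1
    wo_net=$(network_for "$wo_ip" "$wo_mask")
    {
        echo "# Sourced by /etc/rc.firewall (simple)"
        echo "oif=$wo_if"
        echo "onet=$wo_net"
        echo "omask=$wo_mask"
        echo "oip=$wo_ip"
    } > "$wo_file"
}

# ruleset_is_bare < ipfw-list-output -> exit 0 when every rule number is one of
# the base rules rc.firewall always installs (100, 200, 300) or the 65535
# default deny, i.e. none of the site's own rules survived the reload.
ruleset_is_bare() {
    rb_extra=$(awk '$1 != "00100" && $1 != "00200" && $1 != "00300" && $1 != "65535" { n++ }
                    END { print n + 0 }')
    [ "$rb_extra" -eq 0 ]
}

# Constructed sample: the listing from the post, with no site rules left.
BARE_LISTING='00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
65535 deny ip from any to any'

# Constructed sample: the same listing with one divert rule, as a working
# simple ruleset would at least contain.
WORKING_LISTING='00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 divert 8668 ip from any to any via rl0
65535 deny ip from any to any'

# Usage from a hook would be:  ipfw list | ruleset_is_bare && logger "ruleset bare"
printf '%s' "$BARE_LISTING" | ruleset_is_bare && echo "sample listing: bare ruleset, site rules missing"
```

In a dhclient-exit-hooks script the check would run right after `. /etc/rc.firewall` against the live `ipfw list`, so a collapsed ruleset is logged at the moment it happens rather than discovered the next morning from the console.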

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
