Date: Tue, 4 Dec 2001 12:21:12 +0000
From: Neil Darlow <neil@darlow.co.uk>
To: freebsd-questions@freebsd.org
Subject: ipfw rules lost
Message-ID: <200112041221.fB4CLDM01931@router.darlow.co.uk>
Hi,

I am running FreeBSD-4.4-RELENG as a cable router/firewall using ipfw and the simple ruleset. This morning when attempting to log in remotely via SSH I was locked out. Attaching a console and examining /var/log/messages showed the following messages:

    Dec 4 05:38:20 router natd[273]: failed to write packet back (No route to host)
    Dec 4 05:38:22 router natd[273]: failed to write packet back (No route to host)
    Dec 4 05:38:22 router dhclient: New IP Address(rl0): 213.107.35.101
    Dec 4 05:38:22 router dhclient: New Subnet Mask (rl0): 255.255.255.0
    Dec 4 05:38:22 router dhclient: New Broadcast Address(rl0): 255.255.255.255
    Dec 4 05:38:22 router dhclient: New Routers: 213.107.35.254
    Dec 4 05:51:12 router ntpd[299]: sendto(130.159.196.118): Permission denied
    Dec 4 07:38:22 router dhclient: send_packet: Permission denied

I use the simple ruleset of /etc/rc.firewall with overridden interface arguments provided by a dhclient-exit-hooks script. The override file had been updated at 05:38:22 and its contents were as follows:

    # Sourced by /etc/rc.firewall (simple)
    oif=rl0
    onet=213.107.35.0
    omask=255.255.255.0
    oip=213.107.35.101

Moving on, I decided to list the current contents of the ipfw ruleset and was surprised to see the following:

    00100 allow ip from any to any via lo0
    00200 deny ip from any to 127.0.0.0/8
    00300 deny ip from 127.0.0.0/8 to any
    65535 deny ip from any to any

This looks like the closed ruleset in /etc/rc.firewall. So for some reason the simple ruleset had been replaced by the closed ruleset.
My dhclient-exit-hooks script contains the following logic to update the ipfw rules:

    # Derive the network address from new_ip_address and new_subnet_mask by
    # stripping each trailing .0 octet of the mask and the matching IP octet.
    create_new_network()
    {
        local new_ip_address new_subnet_mask
        unset new_network
        while [ "${new_subnet_mask%.0}" != "$new_subnet_mask" ]
        do
            new_ip_address=${new_ip_address%.*}
            new_subnet_mask=${new_subnet_mask%.0}
            new_network=$new_network.0
        done
        new_network=$new_ip_address$new_network
        new_network=${new_network#.}
        new_network=${new_network%.255.255.255.255}
    }

    # Write the interface variables that /etc/rc.firewall (simple) reads.
    output_new_settings()
    {
        echo "# Sourced by /etc/rc.firewall (simple)" > /var/db/dhclient.override
        echo "oif=$interface" >> /var/db/dhclient.override
        echo "onet=$new_network" >> /var/db/dhclient.override
        echo "omask=$new_subnet_mask" >> /var/db/dhclient.override
        echo "oip=$new_ip_address" >> /var/db/dhclient.override
    }

    case "$reason" in
    BOUND|REBOOT)
        create_new_network
        output_new_settings
        . /etc/rc.firewall
        ;;
    REBIND|RENEW)
        if [ "$new_ip_address" != "$old_ip_address" -o \
             "$new_subnet_mask" != "$old_subnet_mask" ]
        then
            create_new_network
            output_new_settings
            . /etc/rc.firewall
        fi
        ;;
    *)
    esac

This scheme has been working OK until today and I have tested it across IP address changes. Can anyone suggest where I might be going wrong or what might have caused this unexpected failure?

Regards,
Neil Darlow M.Sc.
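Two helpers related to the hook scheme above, added here as an example and not part of Neil's script or of FreeBSD's rc.firewall: compute_network derives the network address for any dotted-quad mask (the loop in the post only handles masks whose trailing octets are exactly .0), and ruleset_is_closed checks an `ipfw list` listing for the closed-ruleset signature quoted above, so a hook can at least log a warning instead of silently leaving the router locked out. All function and variable names are my own, and the sample listings are constructed from the post.

```shell
#!/bin/sh
# Added example (not from the original post). Names are my own choice.

# Network address for any dotted-quad netmask, ANDing one octet at a time.
compute_network() {
    _ip=$1 _mask=$2 _oldifs=$IFS
    IFS=.
    set -- $_ip;   _a1=$1 _a2=$2 _a3=$3 _a4=$4
    set -- $_mask; _m1=$1 _m2=$2 _m3=$3 _m4=$4
    IFS=$_oldifs
    echo "$((_a1 & _m1)).$((_a2 & _m2)).$((_a3 & _m3)).$((_a4 & _m4))"
}

# True (exit 0) when an `ipfw list` listing contains nothing beyond the
# lo0/127.0.0.0/8 rules and the default rule 65535, i.e. it matches the
# closed ruleset the post found after the lease renewal.
ruleset_is_closed() {
    printf '%s\n' "$1" | awk '
        index($0, "via lo0") || index($0, "127.0.0.0/8") || $1 == "65535" { next }
        NF { other++ }
        END { exit (other ? 1 : 0) }'
}

# Constructed listings: the one quoted in the post, and a simple-style one
# with two extra rules for the outside interface.
CLOSED_SAMPLE='00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
65535 deny ip from any to any'
SIMPLE_SAMPLE="$CLOSED_SAMPLE
00400 divert 8668 ip from any to any via rl0
00500 deny ip from 213.107.35.0/24 to any in via rl0"

# Stand-alone demonstration
compute_network 213.107.35.101 255.255.255.0
if ruleset_is_closed "$CLOSED_SAMPLE"; then
    echo "ruleset matches rc.firewall closed set: check the hook script"
fi
```

In a real hook the second check would run on `ipfw list` right after `. /etc/rc.firewall` and report through logger(1).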