From owner-freebsd-questions Tue Dec 4 4:21:22 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from router.darlow.co.uk (pc2-bigg2-0-cust101.lut.cable.ntl.com [213.107.35.101]) by hub.freebsd.org (Postfix) with ESMTP id 3161537B416 for ; Tue, 4 Dec 2001 04:21:15 -0800 (PST)
Received: from there (IDENT:I+dwdnRS4VaQZ94El0PVOP5fdZprOPbA@ideal.darlow.co.uk [192.168.0.2]) by router.darlow.co.uk (8.11.6/8.11.6) with SMTP id fB4CLDM01931 for ; Tue, 4 Dec 2001 12:21:13 GMT (envelope-from neil@darlow.co.uk)
Message-Id: <200112041221.fB4CLDM01931@router.darlow.co.uk>
Content-Type: text/plain; charset="iso-8859-15"
From: Neil Darlow
To: freebsd-questions@freebsd.org
Subject: ipfw rules lost
Date: Tue, 4 Dec 2001 12:21:12 +0000
X-Mailer: KMail [version 1.3.1]
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Hi,

I am running FreeBSD-4.4-RELENG as a cable router/firewall using ipfw and the simple ruleset. This morning when attempting to log in remotely via SSH I was locked out. Attaching a console and examining /var/log/messages showed the following messages:

    Dec 4 05:38:20 router natd[273]: failed to write packet back (No route to host)
    Dec 4 05:38:22 router natd[273]: failed to write packet back (No route to host)
    Dec 4 05:38:22 router dhclient: New IP Address(rl0): 213.107.35.101
    Dec 4 05:38:22 router dhclient: New Subnet Mask (rl0): 255.255.255.0
    Dec 4 05:38:22 router dhclient: New Broadcast Address(rl0): 255.255.255.255
    Dec 4 05:38:22 router dhclient: New Routers: 213.107.35.254
    Dec 4 05:51:12 router ntpd[299]: sendto(130.159.196.118): Permission denied
    Dec 4 07:38:22 router dhclient: send_packet: Permission denied

I use the simple ruleset of /etc/rc.firewall with overridden interface arguments provided by a dhclient-exit-hooks script.
The override file had been updated at 05:38:22 and its contents were as follows:

    # Sourced by /etc/rc.firewall (simple)
    oif=rl0
    onet=213.107.35.0
    omask=255.255.255.0
    oip=213.107.35.101

Moving on, I decided to list the current contents of the ipfw ruleset and was surprised to see the following:

    00100 allow ip from any to any via lo0
    00200 deny ip from any to 127.0.0.0/8
    00300 deny ip from 127.0.0.0/8 to any
    65535 deny ip from any to any

This looks like the closed ruleset in /etc/rc.firewall. So for some reason the simple ruleset had been replaced by the closed ruleset.

My dhclient-exit-hooks script contains the following logic to update the ipfw rules:

    # Derive the network address from $new_ip_address and $new_subnet_mask
    # (set by dhclient) by dropping one octet from the address for every
    # trailing ".0" in the mask and appending ".0" in its place.
    create_new_network()
    {
        # FreeBSD sh: a local variable inherits the outer value, so the
        # loop below can trim working copies without touching dhclient's.
        local new_ip_address new_subnet_mask
        unset new_network
        while [ "${new_subnet_mask%.0}" != "$new_subnet_mask" ]
        do
            new_ip_address=${new_ip_address%.*}
            new_subnet_mask=${new_subnet_mask%.0}
            new_network=$new_network.0
        done
        new_network=$new_ip_address$new_network
        new_network=${new_network#.}
        new_network=${new_network%.255.255.255.255}
    }

    # Write the variables /etc/rc.firewall (simple) expects into the
    # override file that rc.firewall sources.
    output_new_settings()
    {
        echo "# Sourced by /etc/rc.firewall (simple)" > /var/db/dhclient.override
        echo "oif=$interface" >> /var/db/dhclient.override
        echo "onet=$new_network" >> /var/db/dhclient.override
        echo "omask=$new_subnet_mask" >> /var/db/dhclient.override
        echo "oip=$new_ip_address" >> /var/db/dhclient.override
    }

    # $reason is set by dhclient to the lease event being handled.
    case "$reason" in
    BOUND|REBOOT)
        create_new_network
        output_new_settings
        . /etc/rc.firewall
        ;;
    REBIND|RENEW)
        # Only reload the firewall when the address or mask actually changed.
        if [ "$new_ip_address" != "$old_ip_address" -o \
             "$new_subnet_mask" != "$old_subnet_mask" ]
        then
            create_new_network
            output_new_settings
            . /etc/rc.firewall
        fi
        ;;
    *)
        ;;
    esac

This scheme has been working ok until today and I have tested it across IP address changes.

Can anyone suggest where I might be going wrong or what might have caused this unexpected failure?

Regards,
Neil Darlow M.Sc.
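The following is an added example, not code from Neil's post and not part of FreeBSD's rc.firewall or dhclient-script. It shows the two checks a router operator would want around the hook above: computing the network address with per-octet arithmetic (so it also handles masks that do not end on an octet boundary, which the post's trailing-".0" loop does not cover) and validating every value before the override file is written, so that rc.firewall is never sourced with empty or malformed variables. It also shows a stdin-driven check that recognises the base-only listing the post shows, so a post-reload script can log that the intended ruleset did not load. The override file layout and variable names (oif, onet, omask, oip) follow the post; the function names, the file path being passed as a parameter, and the use of `ipfw list` output on stdin are assumptions of this example.

```shell
#!/bin/sh
# Added example; assumptions: POSIX sh, override file path given as an
# argument, and a ruleset listing in `ipfw list` format on stdin.

# Return 0 when $1 is a dotted quad with four octets in 0..255.
is_dotted_quad() {
    case $1 in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
}

# Return 0 when $1 is a dotted quad whose set bits are contiguous from the
# top (a valid netmask); 255.0.255.0 is rejected, 255.255.255.192 accepted.
is_contiguous_mask() {
    is_dotted_quad "$1" || return 1
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    m=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    inv=$(( m ^ 0xFFFFFFFF ))      # inverted mask must be 2^k - 1
    [ $(( inv & (inv + 1) )) -eq 0 ]
}

# Print the network address for IP $1 and netmask $2 by ANDing each octet,
# which works for any contiguous mask, not only octet-aligned ones.
network_from_ip_mask() {
    ip=$1; mask=$2
    old_ifs=$IFS; IFS=.
    set -- $ip;   i1=$1; i2=$2; i3=$3; i4=$4
    set -- $mask; m1=$1; m2=$2; m3=$3; m4=$4
    IFS=$old_ifs
    printf '%d.%d.%d.%d\n' $((i1 & m1)) $((i2 & m2)) $((i3 & m3)) $((i4 & m4))
}

# Write the override file $1 for interface $2, IP $3 and mask $4, but only
# when every value validates; otherwise leave the old file alone, report on
# stderr and return 1 so the caller can skip sourcing rc.firewall.
write_override() {
    file=$1; iface=$2; ip=$3; mask=$4
    if [ -z "$iface" ] || ! is_dotted_quad "$ip" || ! is_contiguous_mask "$mask"; then
        echo "override not written: iface='$iface' ip='$ip' mask='$mask'" >&2
        return 1
    fi
    net=$(network_from_ip_mask "$ip" "$mask")
    {
        echo "# Sourced by /etc/rc.firewall (simple)"
        echo "oif=$iface"
        echo "onet=$net"
        echo "omask=$mask"
        echo "oip=$ip"
    } > "$file"
}

# Read an `ipfw list` listing on stdin and return 0 when it contains nothing
# beyond the loopback rules and the default deny, i.e. the state the post
# found after the reload. A caller would log this after sourcing rc.firewall.
ruleset_is_base_only() {
    extra=0
    while read -r num rest; do
        case $num in
            00100|00200|00300|65535|'') ;;
            *) extra=1 ;;
        esac
    done
    [ "$extra" -eq 0 ]
}

# Usage from a hook: write_override /var/db/dhclient.override "$interface" \
#   "$new_ip_address" "$new_subnet_mask" && . /etc/rc.firewall
```

Calling `write_override` with `&&` before sourcing rc.firewall means a lease event that delivers an incomplete or odd set of values leaves the previous rules in place rather than producing an empty simple section; `ipfw list | ruleset_is_base_only` afterwards gives a cheap signal for syslog or a console message when the reload did not produce the expected rules.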