Date:      Mon, 4 Apr 2005 20:25:14 -0300
From:      Suporte Matik <asstec@matik.com.br>
To:        freebsd-ipfw@freebsd.org, Martin <bts@iae.nl>
Cc:        Sergei Gnezdov <use-reply-to@gnezdov.net>
Subject:   Re: DHCP with ipfw
Message-ID:  <200504042025.18092.asstec@matik.com.br>
In-Reply-To: <20050404090719.F2268544E1F@mail2-new.vianetworks.nl>
References:  <20050404090719.F2268544E1F@mail2-new.vianetworks.nl>

On Monday 04 April 2005 05:06, Martin wrote: 

> ON 5+, you also have to open up the MAC layer FW:
> ipfw add allow mac via xl0
>
Hi

Where do you get this from? It shouldn't make any sense unless you load
bridge and enable bridge firewalling first; overall this would matter
after dhclient has asked for an IP.

> If the DHCP server is slow and did not reply back before the
> dhclient continued the boot process, maybe you do have
> to reload the FW rules once your DHCP connection is established.

Your dhcpd should not be so slow and ignore several retries.

But maybe you check /etc/rc.d/ipfw and tweak its ipfw_precmd() sub,
adding a check for an empty or 0.0.0.0 IP address and not loading ipfw
in that case.

Don't know why this is not the default.

Then, or depending on what you want/need, you may tweak
/etc/rc.d/dhclient to run ipfw after getting a lease, but prevent it
from rerunning unless your IP address really changed.

> >
> >When my machine boots firewall is initialized before DHCP obtains
> > IP address.  This results in incomplete firewall configuration. 
> > How do I fix this?
> >

You probably have a problem with your dhcpd or your network connection;
the timeout is so long that you should always get the lease before the
network starts anything else.



> >My /etc/rc.firewall initialized with the following commands:
> >
> >  net=`ifconfig rl0 | grep "inet " | awk '{print $6}'`

You're probably not awking the value you want here.


Hans


> >  mask="255.255.255.0"
> >  ip=`ifconfig rl0 | grep "inet " | awk '{print $2}'`
-- 


Infomatik
 http://info.matik.com.br



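As an added example, not code from this thread or from FreeBSD's own rc scripts: a POSIX sh sketch of the two points raised above. It pulls the address, netmask and network out of "ifconfig rl0" output (on FreeBSD the "inet " line reads "inet A netmask 0xHEX broadcast B", so field 6, as in the quoted snippet, is the broadcast address rather than the network), and it performs the empty-or-0.0.0.0 lease check suggested for ipfw_precmd() before any rules are built. The ifconfig text is constructed sample output, and the function names are mine, not FreeBSD's.

```shell
#!/bin/sh
# Added example, not from the thread: parse FreeBSD-style ifconfig output
# and refuse to build firewall rules while the interface has no lease.
# The block below is constructed sample text, not a real capture.
SAMPLE_IFCONFIG='rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet6 fe80::211:22ff:fe33:4455%rl0 prefixlen 64 scopeid 0x1
        inet 192.168.1.5 netmask 0xffffff00 broadcast 192.168.1.255
        ether 00:11:22:33:44:55
        status: active'

# On the "inet " line: $2 = address, $4 = netmask (hex), $6 = broadcast.
# "inet6" lines do not match "inet " because of the trailing space.
iface_ip()      { printf '%s\n' "$1" | grep "inet " | awk '{print $2}'; }
iface_hexmask() { printf '%s\n' "$1" | grep "inet " | awk '{print $4}'; }

# 0xffffff00 -> 255.255.255.0 (shell arithmetic accepts C-style hex).
hexmask_to_dotted() {
    m=$(($1))
    printf '%d.%d.%d.%d\n' $(( (m >> 24) & 255 )) $(( (m >> 16) & 255 )) \
                           $(( (m >> 8) & 255 ))  $(( m & 255 ))
}

# 192.168.1.5 / 255.255.255.0 -> 192.168.1.0: AND the octets pairwise.
network_of() {
    ip=$1; mask=$2
    oldIFS=$IFS; IFS=.
    set -- $ip;   a=$1; b=$2; c=$3; d=$4
    set -- $mask; IFS=$oldIFS
    printf '%d.%d.%d.%d\n' $((a & $1)) $((b & $2)) $((c & $3)) $((d & $4))
}

# The precmd-style check: no address yet, or the 0.0.0.0 placeholder seen
# before a lease arrives, means the rules would be built on garbage.
# Returns 0 when a usable lease is present, 1 otherwise.
have_lease() {
    case "$1" in
        ""|0.0.0.0) return 1 ;;
        *)          return 0 ;;
    esac
}

# On a live box this would be: ip=$(iface_ip "$(ifconfig rl0)")
ip=$(iface_ip "$SAMPLE_IFCONFIG")
mask=$(hexmask_to_dotted "$(iface_hexmask "$SAMPLE_IFCONFIG")")
net=$(network_of "$ip" "$mask")
if have_lease "$ip"; then
    echo "ip=$ip mask=$mask net=$net"
else
    echo "rl0 has no lease yet; not loading ipfw rules" >&2
fi
```

Dropping the lease check into ipfw_precmd() makes the rc script bail out cleanly instead of loading rules with an empty address; the dhclient-side hook then only needs to rerun the firewall script when the address it was handed differs from the one the rules were built with.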