From owner-freebsd-current@FreeBSD.ORG Thu Aug 26 10:28:36 2004
Return-Path:
Delivered-To: freebsd-current@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DB8BD16A4CE for ; Thu, 26 Aug 2004 10:28:36 +0000 (GMT)
Received: from c00l3r.networx.ch (c00l3r.networx.ch [62.48.2.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2834C43D5E for ; Thu, 26 Aug 2004 10:28:36 +0000 (GMT) (envelope-from andre@freebsd.org)
Received: (qmail 48188 invoked from network); 26 Aug 2004 10:27:26 -0000
Received: from dotat.atdotat.at (HELO [62.48.0.47]) ([62.48.0.47]) (envelope-sender ) by c00l3r.networx.ch (qmail-ldap-1.03) with SMTP for ; 26 Aug 2004 10:27:26 -0000
Message-ID: <412DBB52.8030401@freebsd.org>
Date: Thu, 26 Aug 2004 12:28:34 +0200
From: Andre Oppermann
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8a1) Gecko/20040520
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Radek Kozlowski
References: <20040825222304.GH34849@werd>
In-Reply-To: <20040825222304.GH34849@werd>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
cc: current@freebsd.org
Subject: Re: Problems with IPFW and 5.3-BETA1
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 26 Aug 2004 10:28:37 -0000

Radek Kozlowski wrote:
> I upgraded a remote dedicated server from 5.1 to 5.3-BETA1 today with a
> step by step procedure described in /usr/src/Makefile and everything
> went ok. Well, almost. I compiled the kernel (took the GENERIC conf
> from 5.3, so options PFIL_HOOKS is already there) with:
>
> options IPFIREWALL
> options IPFIREWALL_VERBOSE
> options IPFIREWALL_VERBOSE_LIMIT=100
>
> put firewall_enable="YES", firewall_type="open" in rc.conf, rebooted and
> locked myself out (world and kernel are in sync, before someone asks).
> After I could access the box again I tried to see what was wrong:
>
> root@wesside:~# ipfw show
> 00100 0 0 allow ip from any to any
> 65535 0 0 deny ip from any to any
> root@wesside:~# ping yahoo.com
> PING yahoo.com (66.94.231.98): 56 data bytes
> 64 bytes from 66.94.231.98: icmp_seq=0 ttl=58 time=3.324 ms
> 64 bytes from 66.94.231.98: icmp_seq=1 ttl=54 time=5.138 ms
> 64 bytes from 66.94.231.98: icmp_seq=2 ttl=58 time=3.671 ms
> ^C
> --- yahoo.com ping statistics ---
> 3 packets transmitted, 3 packets received, 0% packet loss
> round-trip min/avg/max/stddev = 3.324/4.044/5.138/0.786 ms
> root@wesside:~# ipfw show
> 00100 0 0 allow ip from any to any
> 65535 0 0 deny ip from any to any
>
> Why aren't the packet and byte counters increased?
>
> Since the firewall was totally unresponsive to any ruleset changes I
> removed above options from the kernel and decided to try the module
> instead. With firewall_type="open" left in rc.conf (but firewall_enable
> changed to "NO") I executed
> `kldload /boot/kernel/ipfw.ko && sh /etc/rc.firewall ; sleep 100 ;
> kldunload ipfw ; sleep 200 ; reboot` and locked myself out again. I
> don't know what really happened and am still waiting for the reply from
> the support team of the hosting company, but is it me or is there
> something wrong with ipfw? Anyone else seeing this?

There is no known problem with ipfw. I can only speculate, but it might be
that your /sbin/ipfw is out of sync with the kernel despite a make world.
Other than that, could you provide the output of 'ifconfig -a'?

--
Andre
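The symptom Radek reports is that no rule counter moves while traffic clearly flows, which means the ruleset is not in the packet path at all, whatever the cause turns out to be. The script below is an added example, not code from the thread or from FreeBSD: it takes two `ipfw show` snapshots (one before and one after generating traffic) and reports which rules saw no packets. The two snapshots embedded here are constructed from the output quoted above; the "healthy" snapshot with 3 packets and 252 bytes on rule 100 is likewise constructed to show what a working ruleset would look like after three pings. In real use you would capture the snapshots with `ipfw show` instead of the literals.

```shell
#!/bin/sh
# Added example (not part of the original thread): detect an ipfw ruleset
# whose counters never move, i.e. a firewall that is not seeing traffic.

# Constructed from the output quoted in the thread: counters before and
# after three pings are identical.
SNAP_BEFORE='00100 0 0 allow ip from any to any
65535 0 0 deny ip from any to any'
SNAP_AFTER="$SNAP_BEFORE"

# Constructed: what the same ruleset should show once it is in the packet
# path (3 ICMP echo requests of 84 bytes each hit the allow rule).
SNAP_HEALTHY='00100 3 252 allow ip from any to any
65535 0 0 deny ip from any to any'

# `ipfw show` columns are: rule-number packets bytes rule-body.
# Print the rule numbers whose packet counter is the same in both snapshots.
# Usage: unchanged_rules "$before" "$after"
unchanged_rules() {
    before="$1"
    after="$2"
    printf '%s\n' "$before" | while read -r num pkts rest; do
        after_pkts=$(printf '%s\n' "$after" | awk -v n="$num" '$1 == n { print $2 }')
        # Skip rules that disappeared between the snapshots.
        [ -n "$after_pkts" ] || continue
        if [ "$pkts" -eq "$after_pkts" ]; then
            printf '%s\n' "$num"
        fi
    done
}

# Return 0 if at least one rule's packet counter increased, 1 if every
# rule is stuck (the ruleset is not processing packets).
firewall_sees_traffic() {
    total=$(printf '%s\n' "$1" | wc -l | tr -d ' ')
    stuck=$(unchanged_rules "$1" "$2" | wc -l | tr -d ' ')
    [ "$stuck" -lt "$total" ]
}

# Stand-alone run against the constructed snapshots.
if firewall_sees_traffic "$SNAP_BEFORE" "$SNAP_AFTER"; then
    echo "ruleset is in the packet path"
else
    echo "no rule counter moved between snapshots: ipfw is not seeing traffic"
    echo "rules with unchanged counters:"
    unchanged_rules "$SNAP_BEFORE" "$SNAP_AFTER"
fi
```

Run it against live snapshots by replacing the literals with `before=$(ipfw show)`, generating some traffic, then `after=$(ipfw show)`. A ruleset where even the final deny rule never counts anything, as in the thread, cannot be reasoned about by editing rules; the first thing to establish is why packets bypass it, which is the direction Andre's reply takes.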