Date: Wed, 26 Sep 2001 19:15:08 -0700
From: Parker Brown <phbrown@charter.net>
To: David Kelly <dkelly@hiwaay.net>
Cc: Edwin Groothuis <edwin@mavetju.org>, BSDQuestions <freebsd-questions@FreeBSD.ORG>
Subject: Re: dhclient: send_packet: Permission Denied
Message-ID: <3BB28BAC.84AD1E00@charter.net>
References: <200109270100.f8R10ow26641@grumpy.dyndns.org>
This is a multi-part message in MIME format.
--------------ADB79F89B76803DB95963A30
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
No, I set it to 4, and the /dev/bp*'s are there, too. I don't know whether
you've seen my dmesg output, so I will include it here. Right after filesystem
checkout, it says "unknown keyword (ipfw)" so it ignored the following two
statements (one within rc.firewall (there's also a firewall6 since I selected
ipv6) and these statements constitute /etc/ip.rules):
ipfw add allow udp from any to any 67 out
ipfw add allow udp from www.xxx.yyy.zzz to any 68 in
...where www.*... is my ISP's dhcp server's bang address
Thanks.
Pb
David Kelly wrote:
> Parker Brown writes:
> > OK, reread what you were asking. ipfw -a l gives about three screens of
> > firewall statements (allow this, deny that) and ends with deny all (?). I
> > grepped for udp and it looks like the firewall statements I added to
> > rc.firewall are not being honored. I also created /etc/ip.rules and put
> > those two statements in there, too, exactly as in rc.firewall (because
> > /etc/defaults/rc.conf made reference to that file).
> >
> > Any ideas?
>
> I tuned in this thread late.
>
> By any chance have you removed bpf from your kernel config? dhclient
> needs it. Found out the hard way so I annotated my kernel config so that
> I don't forget, again.
>
> # The `bpf' pseudo-device enables the Berkeley Packet Filter.
> # Be aware of the administrative consequences of enabling this!
> # required for dhclient DHCP (dmk 10/16/2000)
> pseudo-device bpf #Berkeley packet filter
>
> --
> David Kelly N4HHE, dkelly@hiwaay.net
> =====================================================================
> The human mind ordinarily operates at only ten percent of its
> capacity -- the rest is overhead for the operating system.
--------------ADB79F89B76803DB95963A30
Content-Type: text/plain; charset=us-ascii;
name="dmesg-a"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
filename="dmesg-a"
Copyright (c) 1992-2001 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD 4.3-RELEASE #27: Sat Sep 22 14:34:35 PDT 2001
pb@V719X8.CharterPipeline.com:/usr/src/sys/compile/PBKERNEL
Timecounter "i8254" frequency 1193182 Hz
CPU: Pentium II/Pentium II Xeon/Celeron (300.01-MHz 686-class CPU)
Origin = "GenuineIntel" Id = 0x634 Stepping = 4
Features=0x80f9ff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,MMX>
real memory = 201326592 (196608K bytes)
avail memory = 192892928 (188372K bytes)
Preloaded elf kernel "kernel" at 0xc02fc000.
Pentium Pro MTRR support enabled
md0: Malloc disk
npx0: <math processor> on motherboard
npx0: INT 16 interface
pcib0: <Intel 82443LX (440 LX) host to PCI bridge> on motherboard
pci0: <PCI bus> on pcib0
pcib1: <Intel 82443LX (440 LX) PCI-PCI (AGP) bridge> at device 1.0 on pci0
pci1: <PCI bus> on pcib1
pci1: <NVidia/SGS-Thomson Riva128 graphics accelerator> at 0.0 irq 9
isab0: <Intel 82371AB PCI to ISA bridge> at device 7.0 on pci0
isa0: <ISA bus> on isab0
pci0: <Intel PIIX4 ATA controller> at 7.1
pci0: <Intel 82371AB/EB (PIIX4) USB controller> at 7.2 irq 11
chip1: <Intel 82371AB Power management controller> port 0x7000-0x700f at device 7.3 on pci0
ahc0: <Adaptec 2940 Ultra SCSI adapter> port 0xf800-0xf8ff mem 0xfedff000-0xfedfffff irq 9 at device 14.0 on pci0
aic7880: Wide Channel A, SCSI Id=7, 16/255 SCBs
dc0: <ADMtek AN985 10/100BaseTX> port 0xf400-0xf4ff mem 0xfedfec00-0xfedfefff irq 10 at device 15.0 on pci0
dc0: chip is in D3 power mode -- setting to D0
dc0: Ethernet address: 00:04:5a:4a:7e:34
miibus0: <MII bus> on dc0
ukphy0: <Generic IEEE 802.3u media interface> on miibus0
ukphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
pci0: <unknown card> (vendor=0x12eb, dev=0x0001) at 16.0 irq 11
fdc0: <NEC 72065B or clone> at port 0x3f0-0x3f5,0x3f7 irq 6 drq 2 on isa0
fdc0: FIFO enabled, 8 bytes threshold
fd0: <1440-KB 3.5" drive> on fdc0 drive 0
atkbdc0: <Keyboard controller (i8042)> at port 0x60,0x64 on isa0
atkbd0: <AT Keyboard> flags 0x1 irq 1 on atkbdc0
kbd0 at atkbd0
psm0: <PS/2 Mouse> irq 12 on atkbdc0
psm0: model IntelliMouse, device ID 3
vga0: <Generic ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
sc0: <System console> at flags 0x100 on isa0
sc0: VGA <16 virtual consoles, flags=0x300>
sio0 at port 0x3f8-0x3ff irq 4 flags 0x10 on isa0
sio0: type 16550A
(ahc0:A:5:0): refuses WIDE negotiation. Using 8bit transfers
(ahc0:A:6:0): refuses WIDE negotiation. Using 8bit transfers
(ahc0:A:6:0): refuses synchronous negotiation. Using asynchronous transfers
(ahc0:A:5:1): refuses WIDE negotiation. Using 8bit transfers
(ahc0:A:6:1): refuses WIDE negotiation. Using 8bit transfers
(ahc0:A:6:1): refuses synchronous negotiation. Using asynchronous transfers
(ahc0:A:5:2): refuses WIDE negotiation. Using 8bit transfers
(ahc0:A:6:2): refuses WIDE negotiation. Using 8bit transfers
(ahc0:A:6:2): refuses synchronous negotiation. Using asynchronous transfers
(ahc0:A:5:3): refuses WIDE negotiation. Using 8bit transfers
(ahc0:A:6:3): refuses WIDE negotiation. Using 8bit transfers
(ahc0:A:6:3): refuses synchronous negotiation. Using asynchronous transfers
(ahc0:A:5:4): refuses WIDE negotiation. Using 8bit transfers
(ahc0:A:6:4): refuses WIDE negotiation. Using 8bit transfers
(ahc0:A:6:4): refuses synchronous negotiation. Using asynchronous transfers
(ahc0:A:5:5): refuses WIDE negotiation. Using 8bit transfers
(ahc0:A:6:5): refuses WIDE negotiation. Using 8bit transfers
(ahc0:A:6:5): refuses synchronous negotiation. Using asynchronous transfers
(ahc0:A:5:6): refuses WIDE negotiation. Using 8bit transfers
(ahc0:A:6:6): refuses WIDE negotiation. Using 8bit transfers
(ahc0:A:6:6): refuses synchronous negotiation. Using asynchronous transfers
(ahc0:A:5:7): refuses WIDE negotiation. Using 8bit transfers
(ahc0:A:6:7): refuses WIDE negotiation. Using 8bit transfers
(ahc0:A:6:7): refuses synchronous negotiation. Using asynchronous transfers
Mounting root from ufs:/dev/da0s3a
cd0 at ahc0 bus 0 target 5 lun 0
cd0: <NEC CD-ROM DRIVE:465 1.03> Removable CD-ROM SCSI-2 device
cd0: 10.000MB/s transfers (10.000MHz, offset 15)
cd0: Attempt to query device size failed: NOT READY, Medium not present
da1 at ahc0 bus 0 target 6 lun 0
da1: <IOMEGA ZIP 100 J.02> Removable Direct Access SCSI-2 device
da1: 3.300MB/s transfers
da1: Attempt to query device size failed: NOT READY, Medium not present
da0 at ahc0 bus 0 target 0 lun 0
da0: <WDIGTL WDE4360-1807A3 1.80> Fixed Direct Access SCSI-2 device
da0: 20.000MB/s transfers (10.000MHz, offset 8, 16bit)
da0: 4095MB (8388314 512 byte sectors: 255H 63S/T 522C)
swapon: adding /dev/da0s3b as swap device
Automatic boot in progress...
/dev/da0s3a: FILESYSTEM CLEAN; SKIPPING CHECKS
/dev/da0s3a: clean, 65005 free (293 frags, 8089 blocks, 0.3% fragmentation)
/dev/da0s3f: FILESYSTEM CLEAN; SKIPPING CHECKS
/dev/da0s3f: clean, 550193 free (72393 frags, 59725 blocks, 5.5% fragmentation)
/dev/da0s3e: FILESYSTEM CLEAN; SKIPPING CHECKS
/dev/da0s3e: clean, 18843 free (131 frags, 2339 blocks, 0.7% fragmentation)
Doing initial network setup: hostname ipfilter
open device: Device not configured
ioctl(SIOCIPFFL): Bad file descriptor
open device: Device not configured
1: unknown keyword (ipfw)
2: unknown keyword (ipfw)
open device: Device not configured
SIOCFRENB: Bad file descriptor
.
dhclient: New IP Address(dc0): 63.151.74.117
dhclient: New Subnet Mask (dc0): 255.255.255.0
dhclient: New Broadcast Address(dc0): 255.255.255.255
dhclient: New Routers: 63.151.74.1
dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet6 fe80::204:5aff:fe4a:7e34%dc0 prefixlen 64 scopeid 0x1
inet 63.151.74.117 netmask 0xffffff00 broadcast 255.255.255.255
ether 00:04:5a:4a:7e:34
media: autoselect (100baseTX <full-duplex>) status: active
supported media: autoselect 100baseTX <full-duplex> 100baseTX 10baseT/UTP <full-duplex> 10baseT/UTP none
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x8
inet6 ::1 prefixlen 128
inet 127.0.0.1 netmask 0xff000000
IP packet filtering initialized, divert disabled, rule-based forwarding disabled, default to deny, logging disabled
Kernel firewall module loaded
Flushed all rules.
ip_fw_ctl: invalid command
ipfw: getsockopt(IP_FW_ADD): Invalid argument
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
01000 allow ip from 10.10.10.0/24 to 10.10.10.0/24
01100 allow ip from 10.10.10.0/24 to 255.255.255.255 via dc0
02000 deny log ip from 10.10.10.0/24 to any in recv dc0
02100 deny log ip from 255.255.0.0/16 to any in recv dc0
02200 deny log ip from 172.16.0.0/12 to any via dc0
02300 deny log ip from any to 172.16.0.0/12 in recv dc0
02400 deny log ip from 192.168.0.0/16 to any via dc0
02500 deny log ip from any to 192.168.0.0/16 in recv dc0
03000 deny log ip from 0.0.0.0/8 to any via dc0
03100 deny log ip from any to 0.0.0.0/8 in recv dc0
03200 deny log ip from 169.254.0.0/16 to any via dc0
03300 deny log ip from any to 169.254.0.0/16 in recv dc0
03400 deny log ip from 192.0.2.0/24 to any via dc0
03500 deny log ip from any to 192.0.2.0/24 in recv dc0
03600 deny log ip from 224.0.0.0/4 to any via dc0
03700 deny log ip from any to 224.0.0.0/4 in recv dc0
03800 deny log ip from 240.0.0.0/4 to any via dc0
03900 deny log ip from any to 240.0.0.0/4 in recv dc0
05000 allow tcp from any to any established
05100 allow ip from any to any frag
05200 allow tcp from any to 63.151.74.117 25 setup
05300 allow tcp from any 20 to any
06000 allow tcp from any to 63.151.64.83 53 setup
06100 allow udp from any to 63.151.64.83 53
06200 allow udp from 63.151.64.83 53 to any
06300 allow tcp from any to 63.151.64.18 53 setup
06400 allow udp from any to 63.151.64.18 53
06500 allow udp from 63.151.64.18 53 to any
06600 allow tcp from any to 63.151.74.117 80 setup
06700 allow tcp from 24.213.60.74 110 to any
07000 allow log tcp from any to any 6699 in recv dc0
07100 allow log tcp from any to any 5555 in recv dc0
07200 allow log tcp from any to any 7777 in recv dc0
07300 allow log tcp from any to any 8888 in recv dc0
08000 deny log tcp from any to any in recv dc0 setup
08100 allow tcp from any to any setup
08200 allow udp from any 123 to 63.151.74.117
08300 allow udp from 63.151.74.117 to any 123
08400 allow udp from any to any 33434-33523 out xmit dc0
10000 allow icmp from any to any via dc0
10100 allow icmp from any to any out xmit dc0 icmptype 8
10200 allow icmp from any to any in recv dc0 icmptype 0
10300 allow icmp from any to any via dc0 icmptype 3,4,11,12
10400 deny log icmp from any to any
60000 deny log ip from any to 0.0.0.255:0.0.0.255 in recv dc0
61000 deny log udp from any to any 137-139 via dc0
61100 allow udp from 10.10.10.0/24 to 10.10.10.0/24 137-139 via dc0
61200 deny log udp from any to any 137-139 via dc0
62000 deny log ip from 10.0.0.0/8 to any via dc0
62100 deny log ip from any to 10.0.0.0/8 via dc0
65000 deny log ip from any to any via dc0
65100 allow log ip from any to any
Firewall rules loaded, starting divert daemons: natd.
route: writing to routing socket: File exists
add net default: gateway 63.151.174.1: File exists
Additional routing options: tcp extensions=NO IP gateway=YES TCP keepalive=YES.
Routing daemons:.
Doing IPv6 network setup:
add net ::ffff:0.0.0.0: gateway ::1
add net ::0.0.0.0: gateway ::1
net.inet6.ip6.forwarding: 0 -> 0
net.inet6.ip6.accept_rtadv: 0 -> 0
net.inet6.ip6.accept_rtadv: 0 -> 1
add net fe80::: gateway ::1
add net ff02::: gateway fe80::204:5aff:fe4a:7e34%dc0
ND default interface = dc0
IPv4 mapped IPv6 address support=YES
.
Additional daemons: syslogd.
Doing additional network setup: portmap.
Starting final network daemons:.
ELF ldconfig path: /usr/lib /usr/lib/compat /usr/X11R6/lib /usr/local/lib
a.out ldconfig path: /usr/lib/aout /usr/lib/compat/aout /usr/X11R6/lib/aout
Starting standard daemons: inetd cron sendmail sshd.
Initial rc.i386 initialization:.
Configuring syscons: blank_time moused.
Additional ABI support: linux.
Local package initialization:.
Additional TCP options: log_in_vain=YES.
Wed Sep 26 13:49:58 PDT 2001
Sep 26 13:50:03 V719X8 login: ROOT LOGIN (root) ON ttyv0
Sep 26 13:54:36 V719X8 dhclient: send_packet: Permission denied
Sep 26 13:55:11 V719X8 last message repeated 4 times
Sep 26 13:57:14 V719X8 last message repeated 7 times
--------------ADB79F89B76803DB95963A30--
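Added example, not part of the original message: a first-match walk of an outbound DHCP renewal through the UDP rules and catch-alls from the listing above, showing where the posted `allow udp from any to any 67 out` rule would have to sit to take effect. When ipfw denies a locally generated packet, the sender gets "Permission denied". Assumptions: an unnumbered `ipfw add` is placed 100 past the highest existing rule, 198.51.100.1 is a constructed stand-in for the masked DHCP server address, and rule number 08500 is hypothetical.

```python
import ipaddress
import re

# udp rules and catch-alls copied from the listing above (subset; see lead-in).
RULES = """\
06100 allow udp from any to 63.151.64.83 53
06200 allow udp from 63.151.64.83 53 to any
06400 allow udp from any to 63.151.64.18 53
06500 allow udp from 63.151.64.18 53 to any
08200 allow udp from any 123 to 63.151.74.117
08300 allow udp from 63.151.74.117 to any 123
08400 allow udp from any to any 33434-33523 out xmit dc0
61000 deny log udp from any to any 137-139 via dc0
61100 allow udp from 10.10.10.0/24 to 10.10.10.0/24 137-139 via dc0
61200 deny log udp from any to any 137-139 via dc0
65000 deny log ip from any to any via dc0
65100 allow log ip from any to any""".splitlines()
RULE_RE = re.compile(r"(\d+) (allow|deny)(?: log)? (\w+) from (\S+)(?: ([\d-]+))?"
                     r" to (\S+)(?: ([\d-]+))?(?: (.*))?$")

def addr_ok(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)

def port_ok(spec, port):
    lo, _, hi = (spec or "0-65535").partition("-")
    return int(lo) <= port <= int(hi or lo)

def opts_ok(opts, pkt):
    o = (opts or "").split()
    if any(d in o and pkt["dir"] != d for d in ("in", "out")):
        return False
    return all(o[o.index(k) + 1] == pkt["iface"] for k in ("via", "recv", "xmit") if k in o)

def first_match(rules, pkt):
    """Return (number, action) of the first matching rule, lowest number first."""
    parsed = sorted((RULE_RE.match(r).groups() for r in rules), key=lambda g: int(g[0]))
    for num, action, proto, src, sport, dst, dport, opts in parsed:
        if (proto in ("ip", pkt["proto"]) and addr_ok(src, pkt["src"])
                and port_ok(sport, pkt["sport"]) and addr_ok(dst, pkt["dst"])
                and port_ok(dport, pkt["dport"]) and opts_ok(opts, pkt)):
            return int(num), action
    return 65535, "deny"  # kernel default rule ("default to deny" in the boot log)

# Outbound DHCP renewal; 198.51.100.1 is a constructed stand-in for the masked server.
RENEW = dict(proto="udp", src="63.151.74.117", sport=68,
             dst="198.51.100.1", dport=67, dir="out", iface="dc0")
POSTED = "allow udp from any to any 67 out"
print(first_match(RULES + ["65200 " + POSTED], RENEW))  # unnumbered add: 65100 + 100
print(first_match(RULES + ["08500 " + POSTED], RENEW))  # 08500 is a hypothetical number
```

The rules left out of `RULES` match on tcp or icmp, on lo0, on inbound traffic, or on reserved source and destination networks, so none of them applies to this packet.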
