Date: Sat, 6 Jul 2002 11:07:51 +0100
From: Neil Darlow <neil@darlow.co.uk>
To: freebsd-questions@freebsd.org
Subject: Intermittent loss of ipfw ruleset
Message-ID: <200207061007.g66A7qYe075528@router.darlow.co.uk>
Hi,

I am running a 4.6-RELENG gateway using ipfw and natd. Intermittently, I lose my ipfw ruleset and am just left with the default rule: 65535 deny ip from any to any.

I use isc-dhcp3 (from ports) to maintain my DHCP-assigned interface, although I have experienced the same problem with dhclient from base. The ruleset breakage always seems to occur after some sort of DHCP update. The most recent was following a BOUND condition.

I am using the "simple" rc.firewall ruleset, with modifications, and use some logic within that ruleset and /usr/local/etc/dhclient-exit-hooks to dynamically update the network parameters.

I've included a snippet from rc.firewall, my dhclient-exit-hooks and the parameter overrides generated at the last failure.

Can anyone suggest what's happening here? I don't know whether my logic is subject to some peculiar race conditions or whether it's fundamentally flawed.

Any suggestions gratefully received.

Regards,
Neil Darlow M.Sc.

<< rc.firewall - simple snippet >>

# set these to your outside interface network and netmask and ip
oif="rl0"
onet="192.0.2.0"
omask="255.255.255.240"
oip="192.0.2.1"
# dhclient-exit-hooks writes the live DHCP-assigned values here;
# source them to override the static defaults above
test -f /var/db/dhclient.override && . /var/db/dhclient.override

# set these to your inside interface network and netmask and ip
iif="rl1"
inet="192.168.0.0"
imask="255.255.255.0"
iip="192.168.0.1"

<< end rc.firewall - simple snippet >>

<< /usr/local/etc/dhclient-exit-hooks >>

# $Id: dhclient-exit-hooks,v 1.1 2001/05/17 11:42:31 neil Exp $

# Derive the network address from $new_ip_address and $new_subnet_mask by
# dropping one trailing octet from the address for every trailing ".0"
# octet in the mask.  This only handles masks that end on an octet
# boundary (255.0.0.0, 255.255.0.0, 255.255.255.0); a mask such as
# 255.255.255.240 never enters the loop and leaves the host address in
# new_network.
create_new_network() {
	# In the ash-derived FreeBSD /bin/sh a local without an assignment
	# inherits the caller's value, so the loop can truncate these copies
	# without clobbering the variables dhclient-script passed in.
	local new_ip_address new_subnet_mask
	unset new_network
	while [ "${new_subnet_mask%.0}" != "$new_subnet_mask" ]
	do
		new_ip_address=${new_ip_address%.*}
		new_subnet_mask=${new_subnet_mask%.0}
		new_network=$new_network.0
	done
	new_network=$new_ip_address$new_network
	new_network=${new_network#.}
	new_network=${new_network%.255.255.255.255}
}

# Write the values rc.firewall will source in place of its static defaults
output_new_settings() {
	echo "# Sourced by /etc/rc.firewall (simple)" > /var/db/dhclient.override
	echo "# Update reason: $reason" >> /var/db/dhclient.override
	echo "oif=$interface" >> /var/db/dhclient.override
	echo "onet=$new_network" >> /var/db/dhclient.override
	echo "omask=$new_subnet_mask" >> /var/db/dhclient.override
	echo "oip=$new_ip_address" >> /var/db/dhclient.override
}

case "$reason" in
BOUND|REBOOT)
	create_new_network
	output_new_settings
	. /etc/rc.firewall simple
	;;
REBIND|RENEW)
	# Only rebuild the ruleset when the lease actually changed the address
	if [ "$new_ip_address" != "$old_ip_address" -o \
	     "$new_subnet_mask" != "$old_subnet_mask" ]
	then
		create_new_network
		output_new_settings
		. /etc/rc.firewall simple
	fi
	;;
*)
esac

<< end dhclient-exit-hooks >>

<< /var/db/dhclient.override >>

# Sourced by /etc/rc.firewall (simple)
# Update reason: BOUND
oif=rl0
onet=213.107.35.0
omask=255.255.255.0
oip=213.107.35.101

<< end of /var/db/dhclient.override>>

-- 
Preserve Freedom of Choice || Say No to TCPA || Say No to Palladium
ICQ: 135505456  E-Mail, Jabber, MSNM: neil at darlow dot co dot uk
GnuPG Fingerprint: 359D B8FF 6273 6C32 BEAA 43F9 E579 E24A 531F 9048

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200207061007.g66A7qYe075528>
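The create_new_network() in the post above only works for masks that end on an octet boundary, and output_new_settings() writes whatever dhclient handed it, empty or not, before rc.firewall is sourced. The following is an added example, not code from the post or from FreeBSD: it masks the address octet by octet so any contiguous mask works (including the 255.255.255.240 in the static defaults), and it refuses to produce an override at all when the lease values are malformed, so a hook built on it can skip the firewall reload instead of running rc.firewall on junk. It is plain POSIX sh (FreeBSD /bin/sh, dash or bash); the function names and the sample values at the bottom are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original post: compute the network
# address for any contiguous dotted-quad mask and validate dhclient's
# values before they are turned into an override file for rc.firewall.
# Pure POSIX sh.  Function names and sample values are constructed here.

set -f   # we split on dots below; never let a stray '*' glob

# is_dotted_quad ADDR: returns 0 if ADDR is exactly four decimal octets
# in the range 0..255, else 1.
is_dotted_quad() {
	_save_ifs=$IFS
	IFS=.
	set -- $1
	IFS=$_save_ifs
	[ $# -eq 4 ] || return 1
	for _o in "$@"; do
		case $_o in
			''|*[!0-9]*) return 1 ;;   # empty or non-numeric octet
		esac
		[ "$_o" -le 255 ] || return 1
	done
	return 0
}

# mask_is_contiguous MASK: returns 0 if MASK is a run of one bits followed
# by zeros (a real prefix mask such as 255.255.255.240), else 1.
mask_is_contiguous() {
	is_dotted_quad "$1" || return 1
	_save_ifs=$IFS
	IFS=.
	set -- $1
	IFS=$_save_ifs
	# Invert the mask.  A contiguous mask inverts to 2^k - 1, and such a
	# value shares no bits with its successor.
	_inv=$(( ((255 - $1) << 24) | ((255 - $2) << 16) | ((255 - $3) << 8) | (255 - $4) ))
	[ $(( _inv & (_inv + 1) )) -eq 0 ]
}

# network_of ADDR MASK: prints ADDR & MASK.  Prints nothing and returns 1
# if either value is malformed or the mask is not contiguous.
network_of() {
	is_dotted_quad "$1" && mask_is_contiguous "$2" || return 1
	_save_ifs=$IFS
	IFS=.
	set -- $1 $2
	IFS=$_save_ifs
	printf '%d.%d.%d.%d\n' $(($1 & $5)) $(($2 & $6)) $(($3 & $7)) $(($4 & $8))
}

# override_for IFACE ADDR MASK REASON: prints the override file body in the
# same form the post's output_new_settings() writes, or prints nothing and
# returns 1 when the lease values do not make sense (e.g. an empty address),
# so the caller can leave the old override and the old ruleset alone.
override_for() {
	_net=$(network_of "$2" "$3") || return 1
	[ -n "$1" ] || return 1
	printf '# Sourced by /etc/rc.firewall (simple)\n'
	printf '# Update reason: %s\n' "$4"
	printf 'oif=%s\nonet=%s\nomask=%s\noip=%s\n' "$1" "$_net" "$3" "$2"
}

# Constructed sample values mirroring the post.  The second call is a /28,
# which the octet-stripping loop in the post cannot express; the third is
# the failure mode: no address in the lease, so no override is produced.
override_for rl0 213.107.35.101 255.255.255.0 BOUND
override_for rl0 192.0.2.1 255.255.255.240 BOUND
override_for rl0 '' 255.255.255.0 RENEW ||
	echo "refusing to write override: bad lease values" >&2
```

In a hook, write the output to a temporary file and rename it into place (`override_for "$interface" "$new_ip_address" "$new_subnet_mask" "$reason" > /var/db/dhclient.override.tmp && mv /var/db/dhclient.override.tmp /var/db/dhclient.override`) and only source rc.firewall when that succeeds; that way rc.firewall never reads a half-written or empty override, whatever else is going on with the lease.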