Skip site navigation (1)Skip section navigation (2) 
Date:      Sat, 6 Jul 2002 11:07:51 +0100
From:      Neil Darlow <neil@darlow.co.uk>
To:        freebsd-questions@freebsd.org
Subject:   Intermittent loss of ipfw ruleset
Message-ID:  <200207061007.g66A7qYe075528@router.darlow.co.uk>
next in thread | raw e-mail | index | archive | help 
Hi,

I am running a 4.6-RELENG gateway using ipfw and natd. Intermittently, I lose 
my ipfw ruleset and am just left with the default rule: 65535 deny ip from 
any to any.

I use isc-dhcp3 (from ports) to maintain my DHCP assigned interface although 
I have experienced the same problem with dhclient from base.

The ruleset breakage always seems to occur after some sort of DHCP update. 
The most recent was following a BOUND condition.

I am using the "simple" rc.firewall ruleset, with modifications, and use some 
logic within that ruleset and /usr/local/etc/dhclient-exit-hooks to 
dynamically update the network parameters.

I've included a snippet from rc.firewall, my dhclient-exit-hooks and the 
parameter overrides generated at the last failure.

Can anyone suggest what's happening here. I don't know whether my logic is 
subject to some peculiar race conditions or whether it's fundamentally 
flawed. Any suggestions greatfully received.

Regards,
Neil Darlow M.Sc.

<< rc.firewall - simple snippet >>
        # set these to your outside interface network and netmask and ip
        oif="rl0"
        onet="192.0.2.0"
        omask="255.255.255.240"
        oip="192.0.2.1"

        test -f /var/db/dhclient.override && . /var/db/dhclient.override

        # set these to your inside interface network and netmask and ip
        iif="rl1"
        inet="192.168.0.0"
        imask="255.255.255.0"
        iip="192.168.0.1"
<< end rc.firewall - simple snippet >>

# $Id: dhclient-exit-hooks,v 1.1 2001/05/17 11:42:31 neil Exp $

create_new_network() {
    local new_ip_address new_subnet_mask
    unset new_network

    while [ "${new_subnet_mask%.0}" != "$new_subnet_mask" ]
    do
        new_ip_address=${new_ip_address%.*}
        new_subnet_mask=${new_subnet_mask%.0}
        new_network=$new_network.0
    done

    new_network=$new_ip_address$new_network
    new_network=${new_network#.}
    new_network=${new_network%.255.255.255.255}
}

output_new_settings() {
    echo "# Sourced by /etc/rc.firewall (simple)" > /var/db/dhclient.override
    echo "# Update reason: $reason" >> /var/db/dhclient.override
    echo "oif=$interface" >> /var/db/dhclient.override
    echo "onet=$new_network" >> /var/db/dhclient.override
    echo "omask=$new_subnet_mask" >> /var/db/dhclient.override
    echo "oip=$new_ip_address" >> /var/db/dhclient.override
}

case "$reason" in
    BOUND|REBOOT)
        create_new_network
        output_new_settings
        . /etc/rc.firewall simple
        ;;
    REBIND|RENEW)
        if [ "$new_ip_address" != "$old_ip_address" -o \
             "$new_subnet_mask" != "$old_subnet_mask" ]
        then
            create_new_network
            output_new_settings
            . /etc/rc.firewall simple
        fi
        ;;
    *)
esac

<< /var/db/dhclient.override >>
# Sourced by /etc/rc.firewall (simple)
# Update reason: BOUND
oif=rl0
onet=213.107.35.0
omask=255.255.255.0
oip=213.107.35.101
<< end of /var/db/dhclient.override>>

-- 
Preserve Freedom of Choice || Say No to TCPA || Say No to Palladium
ICQ: 135505456  E-Mail, Jabber, MSNM: neil at darlow dot co dot uk
GnuPG Fingerprint: 359D B8FF 6273 6C32 BEAA  43F9 E579 E24A 531F 9048

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200207061007.g66A7qYe075528>