From owner-freebsd-questions Sat Jul 6 03:08:01 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125])
    by hub.freebsd.org (Postfix) with ESMTP id 1CEF037B400
    for ; Sat, 6 Jul 2002 03:07:56 -0700 (PDT)
Received: from router.darlow.co.uk (pc2-bigg2-0-cust101.ltn.cable.ntl.com [213.107.35.101])
    by mx1.FreeBSD.org (Postfix) with ESMTP id 02B8B43E09
    for ; Sat, 6 Jul 2002 03:07:55 -0700 (PDT)
    (envelope-from neil@darlow.co.uk)
Received: from there (IDENT:1000@ideal.darlow.co.uk [192.168.0.2])
    by router.darlow.co.uk (8.12.3/8.12.3) with SMTP id g66A7qYe075528
    for ; Sat, 6 Jul 2002 11:07:53 +0100 (BST)
    (envelope-from neil@darlow.co.uk)
Message-Id: <200207061007.g66A7qYe075528@router.darlow.co.uk>
Content-Type: text/plain; charset="iso-8859-1"
From: Neil Darlow
To: freebsd-questions@freebsd.org
Subject: Intermittent loss of ipfw ruleset
Date: Sat, 6 Jul 2002 11:07:51 +0100
X-Mailer: KMail [version 1.3.2]
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Hi,

I am running a 4.6-RELENG gateway using ipfw and natd. Intermittently, I lose my ipfw ruleset and am just left with the default rule: 65535 deny ip from any to any.

I use isc-dhcp3 (from ports) to maintain my DHCP-assigned interface, although I have experienced the same problem with dhclient from base. The ruleset breakage always seems to occur after some sort of DHCP update. The most recent was following a BOUND condition.

I am using the "simple" rc.firewall ruleset, with modifications, and use some logic within that ruleset and /usr/local/etc/dhclient-exit-hooks to dynamically update the network parameters. I've included a snippet from rc.firewall, my dhclient-exit-hooks and the parameter overrides generated at the last failure.

Can anyone suggest what's happening here?
I don't know whether my logic is subject to some peculiar race conditions or whether it's fundamentally flawed. Any suggestions gratefully received.

Regards,
Neil Darlow M.Sc.

<< rc.firewall - simple snippet >>

    # set these to your outside interface network and netmask and ip
    oif="rl0"
    onet="192.0.2.0"
    omask="255.255.255.240"
    oip="192.0.2.1"

    # values written by dhclient-exit-hooks replace the defaults above
    test -f /var/db/dhclient.override && . /var/db/dhclient.override

    # set these to your inside interface network and netmask and ip
    iif="rl1"
    inet="192.168.0.0"
    imask="255.255.255.0"
    iip="192.168.0.1"

<< end rc.firewall - simple snippet >>

<< /usr/local/etc/dhclient-exit-hooks >>

    # $Id: dhclient-exit-hooks,v 1.1 2001/05/17 11:42:31 neil Exp $

    # Derive the network address by dropping each trailing ".0" octet of
    # the netmask together with the matching octet of the address; only
    # whole-octet masks (255.0.0.0, 255.255.0.0, 255.255.255.0) shorten
    # the address, any other mask leaves new_network equal to the address.
    create_new_network() {
        local new_ip_address new_subnet_mask
        unset new_network
        while [ "${new_subnet_mask%.0}" != "$new_subnet_mask" ]
        do
            new_ip_address=${new_ip_address%.*}
            new_subnet_mask=${new_subnet_mask%.0}
            new_network=$new_network.0
        done
        new_network=$new_ip_address$new_network
        new_network=${new_network#.}
        new_network=${new_network%.255.255.255.255}
    }

    # Write the values that rc.firewall (simple) sources in place of its
    # built-in outside-interface defaults.
    output_new_settings() {
        echo "# Sourced by /etc/rc.firewall (simple)" > /var/db/dhclient.override
        echo "# Update reason: $reason" >> /var/db/dhclient.override
        echo "oif=$interface" >> /var/db/dhclient.override
        echo "onet=$new_network" >> /var/db/dhclient.override
        echo "omask=$new_subnet_mask" >> /var/db/dhclient.override
        echo "oip=$new_ip_address" >> /var/db/dhclient.override
    }

    case "$reason" in
    BOUND|REBOOT)
        create_new_network
        output_new_settings
        . /etc/rc.firewall simple
        ;;
    REBIND|RENEW)
        if [ "$new_ip_address" != "$old_ip_address" -o \
             "$new_subnet_mask" != "$old_subnet_mask" ]
        then
            create_new_network
            output_new_settings
            . /etc/rc.firewall simple
        fi
        ;;
    *)
        ;;
    esac

<< end of /usr/local/etc/dhclient-exit-hooks >>

<< /var/db/dhclient.override >>

    # Sourced by /etc/rc.firewall (simple)
    # Update reason: BOUND
    oif=rl0
    onet=213.107.35.0
    omask=255.255.255.0
    oip=213.107.35.101

<< end of /var/db/dhclient.override >>

-- 
Preserve Freedom of Choice || Say No to TCPA || Say No to Palladium
ICQ: 135505456
E-Mail, Jabber, MSNM: neil at darlow dot co dot uk
GnuPG Fingerprint: 359D B8FF 6273 6C32 BEAA 43F9 E579 E24A 531F 9048

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
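The following is an added example, not the poster's hook and not part of the FreeBSD base system: a hardened version of the create_new_network / output_new_settings pair from the post. Two points from the posted code are worth a practitioner's attention regardless of the root cause of the ruleset loss. First, rc.firewall flushes the whole ruleset before it installs the new rules, so any hook that reaches rc.firewall with bad or empty values can leave the gateway with nothing but rule 65535; the hook below validates the lease data and refuses to touch the firewall otherwise, leaving the old rules in place. Second, the posted create_new_network derives onet by stripping trailing ".0" octets, which returns the host address itself for any mask that is not octet-aligned (for example the 255.255.255.240 default in the poster's rc.firewall); the version below masks the address bit by bit, and also writes the override file by a single rename rather than six appends, so nothing that sources the file can ever see it half-written. It assumes the same environment the post does: dhclient exports reason, interface, new_ip_address, new_subnet_mask, old_ip_address and old_subnet_mask, and /etc/rc.firewall (simple) sources the override file to pick up oif, onet, omask and oip. The OVERRIDE variable and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not the poster's hook: a hardened replacement for the
# create_new_network / output_new_settings pair in the post.  Assumes the
# same environment the post does: dhclient exports reason, interface,
# new_ip_address, new_subnet_mask, old_ip_address and old_subnet_mask, and
# /etc/rc.firewall (simple) sources $OVERRIDE for oif/onet/omask/oip.

OVERRIDE="${OVERRIDE:-/var/db/dhclient.override}"

# valid_ipv4 ADDR: exactly four decimal octets, each 0..255, no leading
# zeros (a leading zero would be read as octal by the arithmetic below).
valid_ipv4() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*|0[0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# to_int ADDR: dotted quad to a 32-bit integer (ADDR already validated).
to_int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# to_quad INT: 32-bit integer back to a dotted quad.
to_quad() {
    printf '%d.%d.%d.%d\n' $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) \
        $(( ($1 >> 8) & 255 )) $(( $1 & 255 ))
}

# valid_mask MASK: a netmask is a contiguous run of ones from the top bit,
# so its complement plus one must be a power of two.
valid_mask() {
    valid_ipv4 "$1" || return 1
    inv=$(( $(to_int "$1") ^ 4294967295 ))
    [ $(( inv & (inv + 1) )) -eq 0 ]
}

# network_of ADDR MASK: ADDR & MASK.  Correct for any prefix length; the
# post's version strips trailing ".0" octets, which hands back ADDR itself
# for a mask such as 255.255.255.240.
network_of() {
    to_quad $(( $(to_int "$1") & $(to_int "$2") ))
}

# render_override REASON IF ADDR MASK: the text rc.firewall will source,
# in the same layout as the poster's /var/db/dhclient.override.
render_override() {
    printf '# Sourced by /etc/rc.firewall (simple)\n# Update reason: %s\n' "$1"
    printf 'oif=%s\nonet=%s\nomask=%s\noip=%s\n' \
        "$2" "$(network_of "$3" "$4")" "$4" "$3"
}

# write_override REASON IF ADDR MASK: validate first, then replace the file
# with one rename, so whatever sources it never sees a half-written file
# or a file carrying an unparseable address.
write_override() {
    valid_ipv4 "$3" && valid_mask "$4" || return 1
    tmp="$OVERRIDE.tmp.$$"
    render_override "$1" "$2" "$3" "$4" > "$tmp" || { rm -f "$tmp"; return 1; }
    mv -f "$tmp" "$OVERRIDE"
}

# lease_changed OLDADDR OLDMASK NEWADDR NEWMASK: true when either differs
# (the RENEW/REBIND test from the post).
lease_changed() {
    [ "$1" != "$3" ] || [ "$2" != "$4" ]
}

# reload_firewall: called only after write_override succeeded.  rc.firewall
# flushes the whole ruleset before installing the new one, so reaching it
# with bad inputs is how a gateway ends up with only rule 65535.
reload_firewall() {
    . /etc/rc.firewall simple
}

# handle_reason REASON: the case statement from the post, with the update
# skipped (and the old rules left in place) whenever the lease data is bad.
handle_reason() {
    case $1 in
    BOUND|REBOOT)
        write_override "$1" "$interface" "$new_ip_address" "$new_subnet_mask" \
            && reload_firewall
        ;;
    RENEW|REBIND)
        if lease_changed "$old_ip_address" "$old_subnet_mask" \
                         "$new_ip_address" "$new_subnet_mask"; then
            write_override "$1" "$interface" "$new_ip_address" "$new_subnet_mask" \
                && reload_firewall
        fi
        ;;
    esac
}
```

Dropped into dhclient-exit-hooks, the file would end with `handle_reason "$reason"`. The validation step is the part worth keeping even if the rest of the posted hook stays as it is: a hook that only ever sources rc.firewall with values it has already checked cannot turn a bad lease into a flushed firewall, whatever else is going on.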