From: Valeri Galtsev
To: Karl Dunn, freebsd-questions@freebsd.org
Subject: RESOLVED: pilot error: After upgrade to 13.0-RELEASE ipfw locks the boxes
Date: Mon, 24 May 2021 16:29:31 -0500

On 5/24/21 9:54 AM, Karl Dunn wrote:
> On 5/23/21 11:36 AM CDT, Valeri Galtsev wrote:
>
> Dear All,
>
> as a lazy person, before I start rewriting all my ipfw scripts I decided
> to ask somebody else's wisdom. It is possible that I missed something I
> have to do related to ipfw in this particular upgrade: from 12.2-RELEASE
> to 13.0-RELEASE
>
> I have a bunch of boxes that I have rather similar (though not
> identical) ipfw scripts on, these were written a while back (around
> 8.x-RELEASE), and were just slightly modified on some occasions. None
> of previous upgrades 8 -> 9; 9 -> 10,.. 11 -> 12 led to any problems as
> far as ipfw is concerned. I was just rebooting the machine after kernel
> upgrade, and after userland upgrade and all pkg reinstallation, I was
> testing things as usual, no problem with ipfw.
>
> After this upgrade: to 13.0-RELEASE, ipfw effectively locks any remote
> access to the box (except for ping). My first guess was I just missed
> relevant part in release notes (which I must confess I rarely read
> carefully), but I don't find anything special related to ipfw.
>
> I hope someone points me to the obvious "pilot error" I made.
> Before I start re-creating ipfw scripts, and testing every line in
> them as I did when I was learning it when I first started playing with
> ipfw.
>
> Thanks in advance for all your answers.
>
> Valeri
>
> ++++++++++++++++++++++++++++++++++++++++
> Valeri Galtsev
> Sr System Administrator
> Department of Astronomy and Astrophysics
> Kavli Institute for Cosmological Physics
> University of Chicago
> Phone: 773-702-4247
> ++++++++++++++++++++++++++++++++++++++++
>
> Valeri:
>
> A wild and unlikely guess (because ping works and nothing else does):
>
> Interface name(s) have changed, e.g. what was em0 is now em1.
>
> It might help to post relevant parts (or all) of dmesg, rc.conf and
> loader.conf, and the (sanitized) ipfw rules.
>
> I am on the digest for freebsd-questions, so I will get your response
> quicker if you copy me at kdunn@acm.org.
>

Thank you, Karl!

Once I started collecting information Karl offered to look into, I had
to reboot machine(s) with ipfw enabled, and I discovered that all works
and ipfw does not lock the machine(s) off. So, I figure my pilot error
was: I did not disable ipfw for the duration of all upgrade steps, namely:

    freebsd-update upgrade -r 13.0-RELEASE
    freebsd-update install
    reboot
    freebsd-update install
    pkg update
    pkg upgrade -y -f
    freebsd-update install

and I discovered I'm locked off somewhere before last step (removing
unnecessary leftovers of previous system release on new system).

All is well on a bunch of systems, - on all systems I upgraded so far.

Bottom line: disable ipfw before starting upgrade; enable ipfw after ALL
STEPS of upgrade are accomplished.

Thanks a lot Karl!

Valeri

> --
> Karl Dunn
> kdunn@acm.org
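
The upgrade order from the message above, wrapped as a phased script so that ipfw is re-enabled and its ruleset checked only after the last step. This is an added example, not part of the original thread: the phase names (pre, mid, post) and the DRY_RUN and TARGET variables are hypothetical. It assumes ipfw is started by rc(8) through firewall_enable (the module is not compiled into a custom kernel).

```shell
#!/bin/sh
# Added example; phase names and the DRY_RUN/TARGET variables are assumptions.
# Default is a dry run: each command is printed, nothing is executed.
DRY_RUN="${DRY_RUN:-1}"
TARGET="${TARGET:-13.0-RELEASE}"

run() {
    # Print the command; execute it only when DRY_RUN=0.
    echo "+ $*"
    [ "$DRY_RUN" = 1 ] || "$@"
}

phase() {
    case "$1" in
    pre)
        # Before any upgrade step: keep ipfw off now and across the reboot.
        run sysrc firewall_enable=NO
        run service ipfw onestop
        run freebsd-update upgrade -r "$TARGET"
        run freebsd-update install
        run reboot
        ;;
    mid)
        # After the reboot into the new kernel: userland, packages, cleanup.
        run freebsd-update install
        run pkg update
        run pkg upgrade -y -f
        run freebsd-update install
        ;;
    post)
        # Only after ALL steps: turn the firewall back on and confirm
        # that the ruleset actually loaded.
        run sysrc firewall_enable=YES
        run service ipfw start
        run ipfw list
        ;;
    *)
        echo "usage: $0 pre|mid|post" >&2
        return 64
        ;;
    esac
}

# Run a phase only when one is named on the command line.
[ $# -eq 0 ] || phase "$1"
```

Run each phase with DRY_RUN=0 from the console or an out-of-band session; the window between pre and post leaves the host unfiltered, so keep it short.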