From: Ceri Davies
To: FreeBSD-gnats-submit@FreeBSD.org
Date: Thu, 02 Dec 2004 10:38:22 +0000
Subject: conf/74610: Hostname resolution failure causes firewall rules to stop loading
X-Send-Pr-Version: 3.113

>Number:         74610
>Category:       conf
>Synopsis:       Hostname resolution failure causes firewall rules to stop loading
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Dec 02 10:37:54 GMT 2004
>Closed-Date:
>Last-Modified:
>Originator:     Ceri Davies
>Release:        FreeBSD 4.10-STABLE i386
>Organization:
>Environment:
System: FreeBSD shrike.private.submonkey.net 4.10-STABLE FreeBSD 4.10-STABLE #51: Wed Dec 1 23:31:06 GMT 2004 root@shrike.private.submonkey.net:/usr/obj/usr/src/sys/SHRIKE i386

>Description:
After upgrading to the above version from a 75 day old 4.10-STABLE, one of the hostnames in my firewall rules failed to resolve on bootup for some reason (probably because named isn't running at that point, but I'll worry about that elsewhere). This resolution failure meant that the rest of my rules were not loaded.

From dmesg:

Flushed all rules.
01000 allow ip from any to any via lo0
02000 deny ip from any to 127.0.0.0/8
03000 deny ip from 127.0.0.0/8 to any
01050 deny ip from any to any frag
01200 deny tcp from any to any dst-port 135-137 via fxp0
01210 deny udp from any to any dst-port 135-137 via fxp0
01220 pipe 1 tcp from any to any dst-port 2234
01230 allow ip from any to any via fxp0
02010 deny udp from 10.133.151.254 to me dst-port 68
02040 deny log logamount 100 ip from any to 10.0.0.0/8
02050 deny log logamount 100 ip from any to 172.16.0.0/12
02060 deny log logamount 10 ip from 172.16.0.0/12 to any
02070 deny log logamount 100 ip from 10.0.0.0/8 to any
02080 divert 8668 ip from any to any via vr0
02090 allow ip from 192.168.10.0/24 to any via vr0
02100 allow ip from any to 192.168.10.0/24 via vr0
02110 deny log logamount 100 ip from any to 192.168.0.0/16 via vr0
02120 deny log logamount 100 ip from 192.168.0.0/16 to any via vr0
04000 check-state
04010 allow tcp from any to any out keep-state
04020 allow udp from any to any dst-port 53 keep-state
04030 allow udp from any to any out
Line 44: hostname ``bear.zoo.bt.co.uk'' unknown
Firewall rules loaded, starting divert daemons: natd

All rules following line 44 (of which there are many) were not loaded.

>How-To-Repeat:
Add a firewall rule for a hostname that doesn't resolve. Reboot.

>Fix:
Attempt to load all of the rules, even if one fails.

>Release-Note:
>Audit-Trail:
>Unformatted:
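The failure mode in this PR is that a single unresolvable hostname aborts the rule load part-way through, leaving the ruleset in a state the operator never reviewed. A defensive way to handle that is to pre-flight the rules file before it is handed to ipfw: resolve every hostname in a from/to position up front, substitute the addresses so the load itself needs no DNS, and report exactly which lines would have failed so the operator can decide what to do with them. The script below is an added example and is not code from the PR or from FreeBSD; the sample rules are constructed in the style of the dump above, the rule naming bear.zoo.bt.co.uk stands in for the PR's "line 44" (whose text is not in the report), ns.example.net is an invented name, and the `resolver` parameter is an assumption made so the check can be tested without network access.

```python
import ipaddress
import socket

# Constructed sample in the style of the rules shown in the PR.  The rule
# naming bear.zoo.bt.co.uk stands in for the PR's "line 44"; ns.example.net
# is an invented name used to show a successful substitution.
SAMPLE_RULES = """\
add 01000 allow ip from any to any via lo0
add 02000 deny ip from any to 127.0.0.0/8
add 04020 allow udp from any to any dst-port 53 keep-state
add 04040 deny log logamount 100 ip from bear.zoo.bt.co.uk to any
add 04050 allow udp from any to ns.example.net dst-port 53 keep-state
add 65000 deny ip from any to any
"""

# Tokens that may follow "from"/"to" but are not hostnames.
_KEYWORDS = {"any", "me", "not"}


def is_address(tok):
    """True for an IPv4/IPv6 literal or CIDR block, False for a hostname."""
    try:
        ipaddress.ip_network(tok, strict=False)
        return True
    except ValueError:
        return False


def hostnames_in_rule(rule):
    """Return the hostname tokens found in the from/to positions of one rule."""
    toks = rule.split()
    names = []
    for i, tok in enumerate(toks[:-1]):
        if tok not in ("from", "to"):
            continue
        cand = toks[i + 1]
        if cand == "not" and i + 2 < len(toks):   # "from not host ..."
            cand = toks[i + 2]
        if cand in _KEYWORDS or is_address(cand):
            continue
        names.append(cand)
    return names


def dns_resolver(host):
    """Default resolver: IPv4 address string, or None when lookup fails."""
    try:
        return socket.gethostbyname(host)
    except OSError:
        return None


def preflight(rules_text, resolver=dns_resolver):
    """Resolve every hostname in a rules file before ipfw ever sees it.

    Returns (rewritten_rules, failures).  rewritten_rules has each hostname
    replaced by its address, so loading needs no DNS at boot; failures is a
    list of (line_number, hostname) for names that did not resolve.  Lines
    that failed are left out of the rewritten text so the rules after them
    still load, which is the behaviour the PR's >Fix: asks for.
    """
    rewritten, failures = [], []
    for n, line in enumerate(rules_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            rewritten.append(line)
            continue
        new_line, ok = line, True
        for name in hostnames_in_rule(line):
            addr = resolver(name)
            if addr is None:
                failures.append((n, name))
                ok = False
            else:
                new_line = " ".join(addr if t == name else t
                                    for t in new_line.split())
        if ok:
            rewritten.append(new_line)
    return "\n".join(rewritten) + "\n", failures


if __name__ == "__main__":
    # Stand-alone run against the constructed sample with the real resolver.
    text, bad = preflight(SAMPLE_RULES)
    for lineno, host in bad:
        print("line %d: hostname %s unknown, rule skipped" % (lineno, host))
    print(text, end="")
```

The rewritten text is what gets passed to ipfw; `failures` is what gets logged. Note the asymmetry a loader should respect: skipping an unresolvable `allow` rule merely tightens the firewall, but skipping an unresolvable `deny` rule removes a restriction, so a boot-time loader is better off aborting (or falling back to a known-good address list) when `failures` names a deny rule, rather than silently continuing.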