Date:      Thu, 19 Aug 2004 08:59:19 -0700 (PDT)
From:      David Wolfskill <david@catwhisker.org>
To:        current@freebsd.org
Subject:   Re: RELENG_5 kernel b0rken with IPFIREWALL and without PFIL_HOOKS
Message-ID:  <200408191559.i7JFxJKo018279@bunrab.catwhisker.org>
In-Reply-To: <20040819154334.GA23926@pit.databus.com>

>Date: Thu, 19 Aug 2004 11:43:34 -0400
>From: Barney Wolff <barney@databus.com>
>To: current@freebsd.org
>Subject: Re: RELENG_5 kernel b0rken with IPFIREWALL and without PFIL_HOOKS
>Sender: owner-freebsd-current@freebsd.org

>I was inspired by the PFIL_HOOKS discussion to check my firewall rules :)

Checking firewall rules is a Good Thing.  :-)

>There were none, other than 65535.  Apparently, /etc/rc.d/ipfw attempts
>to kldload ipfw, which will fail if ipfw is compiled into the kernel,
>and since the precmd failed, the _cmd will not be run.  When did it
>become mandatory to have ipfw as a module, not compiled in?  Is there
>some rationale for this?  It strikes me as rather dangerous, especially
>for firewalls, especially when default-to-accept is chosen.  Am I just
>confused, and missing some obvious bit of config?

Well, color me confused, then:

g1-15(5.2-C)[1] uname -a
FreeBSD g1-15.catwhisker.org 5.2-CURRENT FreeBSD 5.2-CURRENT #273: Wed Aug 18 15:55:18 PDT 2004     root@g1-15.catwhisker.org:/common/S2/obj/usr/src/sys/LAPTOP_30W  i386
g1-15(5.2-C)[2] sudo ipfw list
Password:
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
....
03200 deny log ip from any to any
65535 deny ip from any to any
g1-15(5.2-C)[3] kldstat
Id Refs Address    Size     Name
 1    7 0xc0400000 4b9ac4   kernel
 2   14 0xc08ba000 536b0    acpi.ko
 3    1 0xc1829000 17000    linux.ko
g1-15(5.2-C)[4] 

Or am I missing your point?

>Is it relevant that my /usr is on vinum, and the rules are in /usr/local/etc?

Hmm... dunno.  I'm not using vinum, and my rules are created via a shell
script from a template on /etc (via dhcp-exit-hooks).

Peace,
david
-- 
David H. Wolfskill				david@catwhisker.org
Evidence of curmudgeonliness:  becoming irritated with the usage of the
word "speed" in contexts referring to quantification of network
performance, as opposed to "bandwidth" or "latency."
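A defender's check for the symptom Barney describes, added here as an example and not part of the original thread: hand it the text of `ipfw list` (the listings below are constructed samples) and it flags a ruleset that was never loaded, and a default rule that allows rather than denies.

```shell
#!/bin/sh
# Added example, not from the thread. Audits an `ipfw list` listing so the
# failure mode above (rc.d precmd fails, ruleset never loaded, only rule
# 65535 left) is noticed instead of passing silently. Prints one verdict:
#   loaded-default-deny    custom rules present, rule 65535 denies
#   loaded-default-accept  custom rules present, rule 65535 allows
#   empty                  only rule 65535 present and it denies
#   open                   only rule 65535 present and it allows (worst case)
#   invalid                no rule 65535 found, not an ipfw listing
ipfw_audit() {
    listing="$1"
    # Rule 65535 is always the default rule; its action reveals whether the
    # kernel was built to default to accept.
    default_action=$(printf '%s\n' "$listing" | awk '$1 == "65535" { print $2; exit }')
    # Anything numbered below 65535 came from a loaded ruleset.
    custom=$(printf '%s\n' "$listing" | awk '$1 ~ /^[0-9]+$/ && $1+0 < 65535' | wc -l | tr -d ' ')
    if [ -z "$default_action" ]; then
        echo "invalid"
    elif [ "$custom" -eq 0 ] && [ "$default_action" = "allow" ]; then
        echo "open"
    elif [ "$custom" -eq 0 ]; then
        echo "empty"
    elif [ "$default_action" = "allow" ]; then
        echo "loaded-default-accept"
    else
        echo "loaded-default-deny"
    fi
}

# Constructed sample listings in the format `ipfw list` prints.
SAMPLE_LOADED='00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
03200 deny log ip from any to any
65535 deny ip from any to any'
SAMPLE_EMPTY='65535 deny ip from any to any'
SAMPLE_OPEN='65535 allow ip from any to any'

# On a FreeBSD host the real call is:  ipfw_audit "$(ipfw list)"
ipfw_audit "$SAMPLE_LOADED"
ipfw_audit "$SAMPLE_EMPTY"
ipfw_audit "$SAMPLE_OPEN"
```

Run it from cron or a post-boot hook and alert on anything other than the two "loaded" verdicts.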