Date:      Mon, 9 Dec 2024 17:45:14 +0100
From:      FreeBSD User <freebsd@walstatt-de.de>
To:        Tomoaki AOKI <junchoon@dec.sakura.ne.jp>
Cc:        Juraj Lutter <otis@FreeBSD.org>, Ronald Klop <ronald@FreeBSD.org>, freebsd-current@freebsd.org
Subject:   Re: (ipfw) Re: HELP! fetch: stuck forever OR error: RPC failed: curl 56 recv failure: Operation timed out
Message-ID:  <20241209174541.39c286f5@thor.intern.walstatt.dynvpn.de>
In-Reply-To: <20241209214314.2443b590d774423a2b97f0a8@dec.sakura.ne.jp>
References:  <20241206034709.4dd32cc5@thor.intern.walstatt.dynvpn.de> <279848701.11738.1733510402875@localhost> <20241206210947.3ae835e4@thor.intern.walstatt.dynvpn.de> <f8952585-4b68-4cfd-a60f-1ebbd7f2545f@FreeBSD.org> <8E43EAA1-BA3E-4655-ACE1-2E4523E901DE@FreeBSD.org> <20241209214314.2443b590d774423a2b97f0a8@dec.sakura.ne.jp>

On Mon, 9 Dec 2024 21:43:14 +0900
Tomoaki AOKI <junchoon@dec.sakura.ne.jp> wrote:

> On Mon, 9 Dec 2024 11:09:14 +0100
> Juraj Lutter <otis@FreeBSD.org> wrote:
>
> > > On 8 Dec 2024, at 20:30, Ronald Klop <ronald@FreeBSD.org> wrote:
> > >
> > > Hi,
> > >
> > > I can reproduce your error.
> > >
> > > A cronjob which does a scp to another server didn't work anymore. When I go back to the
> > > previous BE it works fine again. Ipfw disable firewall also makes the scp work.
> > >
> > > Scp also seems to work fine if I replace the stateful firewall rules with stateless
> > > "pass all from any to any".
> >
> > Have you tried to allow ICMP in both directions explicitly, in case of stateful rules?
> >
> > —
> > Juraj Lutter
> > otis@FreeBSD.org
>
> I think it would usually work for clients with some limited services
> exposed to outside. IIUC, it basically allows all sessions from inside
> and allows limited services configured with variables
> via /etc/rc.conf[.local].
>
> Some notes.
>   *Last actual changes in /usr/src/libexec/rc/rc.firewall were at
>    Jul. 23, 2020.
>      https://github.com/freebsd/freebsd-src/commits/main/libexec/rc/rc.firewall
>        [cgit.freebsd.org seems to be unstable now.]
>
>   *Variable firewall_logif currently does not exist.
>
>   *Don't you need to allow 22/UDP, too, like below?
>      firewall_myservices="22/tcp 22/udp"
>
> And if you're creating a kernel config from scratch (such as copying from
> GENERIC at some point and editing it), it's no longer advised.
> It's not robust against changes in GENERIC.
>
> Instead, include GENERIC and describe the changes you want.
>
> An example (one of my test kernel configs for a bit old stable).
>
>    ===== Start example =====
>
> include GENERIC
>
> ident   TEST15
>
> nooptions       DDB
> nooptions       GDB
> nooptions       INVARIANTS
> nooptions       INVARIANT_SUPPORT
> nooptions       WITNESS
> nooptions       WITNESS_SKIPSPIN
> nooptions       DEADLKRES
>
> options         CAM_IOSCHED_DYNAMIC
>
> device          sg
>
>    ===== End example =====
>
>

Thank you very much for the advice - but I have been doing this kind of configuration since, I guess,
2020 or 2021. Consider the host's kernel name to be "THOR"; then /etc/src.conf has the lines

KERNCONF=       THOR
KERNCONFDIR=    /etc/config/amd64/kernel_conf/

and the target's config file "/etc/config/amd64/kernel_conf/THOR" contains

include         GENERIC
include         NODEVICE-THOR
include         "std.nodebug"
include         ADDON-THOR

This concept isn't bulletproof, since I had trouble with the relatively recently introduced
"std.nodebug". As you mentioned, NODEVICE contains ALL "nooptions" and "nodevice" lines and ADDON
contains some extra options not contained in GENERIC. GENERIC is a symbolic link to the
original GENERIC in the appropriate sys folder.

Thanks to FreeBSD's sophisticated kernel configuration, this hierarchical scheme prevents most
accidents triggered by significant GENERIC changes.

Do you suspect a misconfiguration due to uncaught changes in GENERIC?

-- 
O. Hartmann
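The ICMP point raised earlier in the thread (a stateful ipfw ruleset that only opens what `keep-state` tracks can silently drop ICMP control messages such as "fragmentation needed", which large transfers like scp and fetch depend on) is easiest to see as a concrete ruleset. The script below is an added example; it is not code from this thread, from FreeBSD's rc.firewall, or from O. Hartmann's configuration. It writes a minimal stateful ruleset in rc.firewall's `${fwcmd} add ...` style with ICMP explicitly allowed in both directions, and it checks that property before loading. The interface name `em0`, the service list and the ipfw path are constructed placeholders passed in through the environment.

```sh
#!/bin/sh
# Added example (not from the thread or from rc.firewall): a minimal stateful
# ipfw ruleset that allows ICMP explicitly in both directions instead of
# relying on the dynamic state table for it.  Interface, service list and
# ipfw path are constructed placeholders.

oif="${OIF:-em0}"                     # assumed outside interface
myservices="${MYSERVICES:-22/tcp}"    # services reachable from outside, rc.conf style
fwcmd="${FWCMD:-/sbin/ipfw -q}"       # assumed ipfw invocation

# ruleset: print the rules, one per line, without touching the kernel.
# Inbound ICMP is limited to the types a host needs even when no state entry
# matches: 0 echo-reply, 3 unreachable (includes "fragmentation needed",
# which path-MTU discovery relies on), 8 echo-request, 11 time-exceeded.
# Drop type 8 from the list if the host should not answer pings.
ruleset() {
    cat <<EOF
add 100 allow ip from any to any via lo0
add 200 deny ip from any to 127.0.0.0/8
add 300 deny ip from 127.0.0.0/8 to any
add 1000 check-state
add 1100 allow icmp from any to any icmptypes 0,3,8,11 in via ${oif}
add 1200 allow icmp from any to any out via ${oif}
EOF
    # one rule per exposed service; "setup" is only valid for TCP
    for svc in ${myservices}; do
        port="${svc%/*}"
        proto="${svc#*/}"
        case "${proto}" in
        tcp) echo "add 2000 allow tcp from any to me ${port} in via ${oif} setup keep-state" ;;
        *)   echo "add 2000 allow ${proto} from any to me ${port} in via ${oif} keep-state" ;;
        esac
    done
    cat <<EOF
add 3000 allow tcp from me to any out via ${oif} setup keep-state
add 3100 allow udp from me to any out via ${oif} keep-state
add 65000 deny log ip from any to any
EOF
}

# icmp_allowed_both_ways: succeeds only if the ruleset carries an explicit
# inbound and an explicit outbound ICMP allow; a sanity check worth running
# before loading a ruleset that was edited by hand.
icmp_allowed_both_ways() {
    ruleset | grep -q 'allow icmp .* in via' &&
    ruleset | grep -q 'allow icmp .* out via'
}

# apply_ruleset: flush and load the rules (needs root and the ipfw module).
apply_ruleset() {
    icmp_allowed_both_ways || { echo "refusing to load: ICMP not allowed both ways" >&2; return 1; }
    ${fwcmd} -f flush
    ruleset | while IFS= read -r rule; do
        ${fwcmd} ${rule}
    done
}

# "sh script.sh" prints the ruleset; "sh script.sh apply" loads it.
case "${1:-show}" in
apply) apply_ruleset ;;
*)     ruleset ;;
esac
```

Running it without arguments prints the ruleset for review; `apply` flushes and loads it through `${fwcmd}`. The explicit inbound rule is deliberately narrow: it admits the ICMP types that unblock stalled transfers and traceroute-style diagnostics, while everything else still has to match a state entry created by the `keep-state` rules.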



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20241209174541.39c286f5>