From: Suporte Matik
To: freebsd-ipfw@freebsd.org, Martin
Cc: Sergei Gnezdov
Date: Mon, 4 Apr 2005 20:25:14 -0300
Subject: Re: DHCP with ipfw
List-Id: IPFW Technical Discussions

On Monday 04 April 2005 05:06, Martin wrote:
> ON 5+, you also have to open up the MAC layer FW:
> ipfw add allow mac via xl0
>

Hi

where do you guess this from?
Shouldn't make any sense if not loading bridge and enabling bridge firewalling first, overall this would matter after dhclient asked for IP

> If the DHCP server is slow and did not reply back before the
> dhclient did continue the boot process, maybe you do have
> to reload the FW rules once your DHCP connection is established.

your dhcpd should not be sooo slow and ignore several retries

but, maybe you check /etc/rc.d/ipfw and tweak its sub ipfw_precmd() and add a check for empty or 0.0.0.0 IP address and not loading ipfw then

don't know why this is not default then

or depending on what you want/need you may tweak /etc/rc.d/dhclient and running ipfw after getting a lease but prevent not rerunning unless your IP address really changed

>
> > >When my machine boots firewall is initialized before DHCP obtains
> > IP address. This results in incomplete firewall configuration.
> > How do I fix this?
> >

you probably have a problem at your dhcpd or your network connection
the timeout is so long you should get the lease always before network is starting anything else

> >My /etc/rc.firewall initialized with the following commands:
> >
> > net=`ifconfig rl0 | grep "inet " | awk '{print $6}'`

you're probably not awking the value you want here

Hans

> > mask="255.255.255.0"
> > ip=`ifconfig rl0 | grep "inet " | awk '{print $2}'`

-- 
Infomatik
http://info.matik.com.br
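
The check suggested in the message above (do not load ipfw while the address is empty or 0.0.0.0) together with the awk field question, as an added example that is not part of the original message. The function names and the sample ifconfig text are constructed, and the field positions assume FreeBSD's ifconfig layout.

```shell
#!/bin/sh
# Constructed ifconfig samples (FreeBSD layout), not captured from a real host.
SAMPLE_LEASED='rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.1.10 netmask 0xffffff00 broadcast 192.168.1.255'
SAMPLE_NO_LEASE='rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 0.0.0.0 netmask 0xff000000 broadcast 255.255.255.255'

# Print "<ip> <hexmask>" for the first IPv4 line. In this layout field 2 is
# the address, field 4 the netmask and field 6 the broadcast address.
iface_inet() {
    awk '$1 == "inet" { print $2, $4; exit }'
}

# Render a 32-bit integer as a dotted quad.
dotted() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Network address = ip AND mask. $1 = dotted ip, $2 = hex mask (0x...).
network_of() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    dotted "$(( ((a << 24) | (b << 16) | (c << 8) | d) & $2 ))"
}

# Read ifconfig text on stdin. Print the variables a rule script needs, or
# return 1 when the address is missing or still 0.0.0.0 (no lease yet).
firewall_vars() {
    set -- $(iface_inet)
    case "$1" in
        ""|0.0.0.0) return 1 ;;
    esac
    echo "ip=$1 net=$(network_of "$1" "$2") mask=$(dotted "$(( $2 ))")"
}

# Demo on the constructed samples; the real call would be: ifconfig rl0 | firewall_vars
for sample in "$SAMPLE_LEASED" "$SAMPLE_NO_LEASE"; do
    printf '%s\n' "$sample" | firewall_vars || echo "no lease yet, rules not loaded"
done
```

A non-zero return from firewall_vars is the signal to leave the rule set unloaded rather than build rules from an empty or placeholder address.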