From owner-freebsd-current@FreeBSD.ORG Wed Aug 25 22:22:58 2004
Date: Thu, 26 Aug 2004 00:23:04 +0200
From: Radek Kozlowski
To: current@freebsd.org
Message-ID: <20040825222304.GH34849@werd>
Content-Type: text/plain; charset=iso-8859-2
User-Agent: Mutt/1.5.6i
Subject: Problems with IPFW and 5.3-BETA1

I upgraded a remote dedicated server from 5.1 to 5.3-BETA1 today with the step-by-step procedure described in /usr/src/Makefile and everything went ok. Well, almost.

I compiled the kernel (took the GENERIC conf from 5.3, so options PFIL_HOOKS is already there) with:

options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100

put firewall_enable="YES", firewall_type="open" in rc.conf, rebooted and locked myself out (world and kernel are in sync, before someone asks).
After I could access the box again I tried to see what was wrong:

root@wesside:~# ipfw show
00100 0 0 allow ip from any to any
65535 0 0 deny ip from any to any
root@wesside:~# ping yahoo.com
PING yahoo.com (66.94.231.98): 56 data bytes
64 bytes from 66.94.231.98: icmp_seq=0 ttl=58 time=3.324 ms
64 bytes from 66.94.231.98: icmp_seq=1 ttl=54 time=5.138 ms
64 bytes from 66.94.231.98: icmp_seq=2 ttl=58 time=3.671 ms
^C
--- yahoo.com ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 3.324/4.044/5.138/0.786 ms
root@wesside:~# ipfw show
00100 0 0 allow ip from any to any
65535 0 0 deny ip from any to any

Why aren't the packet and byte counters increased? Since the firewall was totally unresponsive to any ruleset changes I removed the above options from the kernel and decided to try the module instead. With firewall_type="open" left in rc.conf (but firewall_enable changed to "NO") I executed `kldload /boot/kernel/ipfw.ko && sh /etc/rc.firewall ; sleep 100 ; kldunload ipfw ; sleep 200 ; reboot` and locked myself out again.

I don't know what really happened and am still waiting for the reply from the support team of the hosting company, but is it me or is there something wrong with ipfw? Anyone else seeing this? I'd appreciate any pointers.

-Radek
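Two things Radek does by hand in the post can be scripted: comparing `ipfw show` counters before and after generating traffic (to tell whether packets are actually reaching the ruleset), and the improvised "apply, sleep, revert" safety net for touching a firewall on a box you can only reach over the network. The POSIX shell below is an added example, not code from the post or from FreeBSD; it assumes the `ipfw show` column layout seen in the transcript (rule number, packets, bytes, rule body) and uses constructed snapshots for illustration. The function names `ipfw_counters_advanced` and `apply_with_rollback` are the example's own.

```shell
#!/bin/sh
# Added example (not from the post). Helpers for checking a remote ipfw
# change without locking yourself out.

# ipfw_counters_advanced BEFORE AFTER
#   BEFORE and AFTER are the text of two `ipfw show` runs, one taken before
#   and one after some test traffic (e.g. the ping in the post).
#   Prints the number of every rule whose packet counter advanced, one per
#   line. Returns 0 if at least one did, 1 if none did (the symptom in the
#   post: traffic flows but no rule ever counts it).
ipfw_counters_advanced() {
    before="$1"
    after="$2"
    found=1
    # `ipfw show` lines: <rule> <pkts> <bytes> <rule body...>
    while read -r rule pkts _bytes _rest; do
        [ -n "$rule" ] || continue
        # Look up the same rule's packet count in the earlier snapshot.
        old=$(printf '%s\n' "$before" | awk -v r="$rule" '$1 == r { print $2; exit }')
        [ -n "$old" ] || old=0
        if [ "$pkts" -gt "$old" ]; then
            printf '%s\n' "$rule"
            found=0
        fi
    done <<EOF
$after
EOF
    return $found
}

# apply_with_rollback APPLY_CMD REVERT_CMD SECONDS
#   Runs APPLY_CMD (e.g. loading a ruleset), then starts a background
#   watchdog that runs REVERT_CMD after SECONDS unless the operator has
#   confirmed the change by writing anything into the confirm file whose
#   path this function prints. This is the structured form of the
#   "sh /etc/rc.firewall ; sleep 100 ; kldunload ipfw" pattern in the post.
apply_with_rollback() {
    apply_cmd="$1"
    revert_cmd="$2"
    secs="$3"
    confirm=$(mktemp) || return 1          # empty file = not yet confirmed
    sh -c "$apply_cmd" || return 1
    (
        sleep "$secs"
        # -s: file is non-empty, i.e. the operator wrote "ok" into it.
        [ -s "$confirm" ] || sh -c "$revert_cmd"
    ) >/dev/null 2>&1 &
    printf '%s\n' "$confirm"
}

# Constructed snapshots mirroring the transcript in the post.
SNAP_BEFORE='00100 0 0 allow ip from any to any
65535 0 0 deny ip from any to any'
SNAP_AFTER_DEAD="$SNAP_BEFORE"           # what Radek saw: nothing moved
SNAP_AFTER_LIVE='00100 6 504 allow ip from any to any
65535 0 0 deny ip from any to any'

# Example run (only when executed directly, not when sourced for testing).
if [ "${0##*/}" = "ipfw_check.sh" ]; then
    if ipfw_counters_advanced "$SNAP_BEFORE" "$SNAP_AFTER_DEAD" >/dev/null; then
        echo "rules are seeing traffic"
    else
        echo "no rule counted the test traffic: ipfw is not on the packet path"
    fi
    # Real-world use: the operator logs in again within 120 s and runs
    #   echo ok > "$CONFIRM"
    # otherwise the ruleset is flushed to open.
    # CONFIRM=$(apply_with_rollback "sh /etc/rc.firewall" "ipfw -f flush; ipfw add 65000 allow ip from any to any" 120)
fi
```

Usage against a live box: capture `ipfw show` into a variable, run the ping, capture it again, and call `ipfw_counters_advanced`; a return status of 1 while the ping succeeds is exactly the "counters never move" situation in the post, and means the ruleset is loaded but not attached to the packet path. The watchdog's confirm file is created empty by `mktemp`, so a crashed or lost session leaves it empty and the revert runs.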