Date: Sun, 7 Jun 1998 12:54:29 -0700
To: freebsd-stable@FreeBSD.ORG
From: Jeff Kletsky
Subject: rc.firewall and ipfw commands

After building from 2.2.6-STABLE I came across a bit of a puzzle with the
apparent loss of DNS and a lot of other services on my machine.

The "problem" is that the rule numbers for the hard-wired rules in
rc.firewall have been changed:

    $fwcmd add 100 pass all from any to any via lo0
    $fwcmd add 200 deny all from any to 127.0.0.0/8

Now, if you are using the supplied named firewall options, you're ok. If
you are using a file containing commands, or other utilities which modify
the firewall, you could be in trouble (I happen to use the
previously-unused rule 100 to monitor what's bringing up dial-on-demand
ppp, so it is routinely deleted and added as the link changes state).

Short-term fix:
---------------

Leave the rules in place so the named firewall types work. Change
rc.firewall to read:

    $fwcmd -f flush     # because "-f flush" fails in a file*
    $fwcmd ${firewall_type}

Long-term fix:
--------------

Convince the powers that be to only add the "standard" rules for the named
firewall types.

Jeff

* Including "-f flush" as the first line of the file causes the next ipfw
  command in the sequence to abort execution...
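
The clash described in this message can be checked for before a ruleset is loaded. The following is an added example, not part of the original post and not FreeBSD's own code: a POSIX sh function that scans an ipfw command file for explicit use of the two rule numbers quoted above (100 and 200) and for a flush line, which the footnote says fails in a file. The function names, the finding labels and the sample input are assumptions made for illustration.

```shell
#!/bin/sh
# Assumption: the reserved numbers are the two quoted in the message.
RESERVED="100 200"

# check_ipfw_rules [FILE]
# Reads an ipfw command file (or stdin) and prints one finding per line:
#   "<line>: collision <add|delete> <number>"  or  "<line>: flush-in-file"
# Returns 1 if anything was found, 0 otherwise.
check_ipfw_rules() {
    awk -v reserved="$RESERVED" '
    BEGIN { n = split(reserved, r, " "); for (k = 1; k <= n; k++) res[r[k] + 0] = 1 }
    {
        sub(/#.*/, "")                      # ignore comments
        for (i = 1; i <= NF; i++) {
            if ($i == "flush") { printf "%d: flush-in-file\n", NR; bad = 1 }
            if ($i != "add" && $i != "delete") continue
            # Numbers directly after the verb are rule numbers; later
            # numbers on the line (ports, for instance) are not.
            for (j = i + 1; j <= NF && $j ~ /^[0-9]+$/; j++) {
                if (($j + 0) in res) {
                    printf "%d: collision %s %d\n", NR, $i, $j; bad = 1
                }
                if ($i == "add") break      # "add" takes a single rule number
            }
        }
    }
    END { exit bad + 0 }
    ' "$@"
}

# Constructed sample command file, not taken from any real system.
sample_rules() {
    cat <<'EOF'
# constructed sample ipfw command file
-f flush
add 100 pass all from any to any via ppp0
add 1000 pass tcp from any to any 100
delete 300 200
add pass udp from any to any 53
EOF
}

# Demonstration run; "|| true" keeps the non-zero status from stopping a caller.
sample_rules | check_ipfw_rules || true
```

Rules added without an explicit number are not flagged, since ipfw numbers those itself.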