From: "Kevin Oberman"
To: "Scot Hetzel"
Cc: current@freebsd.org, Eric Anderson
Date: Wed, 21 Feb 2007 11:15:51 -0800
Subject: Re: Unable to use network early in boot with recent -current
Message-Id: <20070221191551.19A9745053@ptavv.es.net>
In-Reply-To: Your message of "Wed, 21 Feb 2007 12:31:05 CST." <790a9fff0702211031r226ba0bdsfab2eab5f4748191@mail.gmail.com>
List: freebsd-current@freebsd.org (Discussions about the use of FreeBSD-current)

> Date: Wed, 21 Feb 2007 12:31:05 -0600
> From: "Scot Hetzel"
>
> On 2/21/07, Kevin Oberman wrote:
> > > Firewall rules?
> >
> > Please ignore my prior message. I just tried and "ipfw list" shows the
> > single default deny rule, "65535 deny ip from any to any". I have no
> > idea why this is in effect this early in the startup process... long
> > before the firewall rules are loaded. Guess I will stop loading ipfw at
> > boot time and let the startup file load it.
> >
> That is the default ipfw deny rule when ipfw is loaded; it is used to
> protect the system from intrusion by unauthorized persons until you
> have your firewall rules loaded.
>
> You can add:
>
> option IPFIREWALL_DEFAULT_TO_ACCEPT
>
> to your kernel config file, which would open your system to the world
> until your firewall rules restrict what other systems can access on
> that server.

Thanks, Scot. I figured that out. I was confused by the change in
behavior until I remembered that I used to load ipfw.ko from the ipfw
startup script and, to fix the annoying problem of the wrong version of
the .ko being loaded when I am running a non-default kernel, I added it to
/boot/loader.conf. Now ipfw is running from the moment the system boots.

I have worked around this with a modification to profile.sh to insert a
rule at the beginning and delete it before exiting. Seems to work.

Thanks again to both you and Eric for pointing out my brain-dead
condition.

Any thought of making module loads default to the directory of the booted
kernel (e.g. /boot/kernel.old) instead of /boot/kernel?
--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman@es.net                  Phone: +1 510 486-8634
Key fingerprint: 059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751
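The two practical points in this exchange are (a) that ipfw.ko loaded from /boot/loader.conf enforces its compiled-in terminal rule 65535 before any rc script has run, and (b) Kevin's workaround of inserting a rule at the head of the list for the duration of a script and deleting it before exiting. The POSIX sh helper below is an added example written for this page; it is not Kevin's profile.sh change nor anything from the FreeBSD tree. It assumes a temporary rule number of 10 and an overridable IPFW variable (so the script can be dry-run without root or ipfw(8)); the "ipfw list" output format it parses is the one quoted in the thread.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread.  A small helper in the
# spirit of Kevin's profile.sh workaround: while ipfw.ko loaded from
# /boot/loader.conf is enforcing its compiled-in default (rule 65535), insert a
# temporary early rule, run a command, and remove the rule again even if the
# command fails or the shell is interrupted.
#
# Assumptions (not from the thread): rule number 10 for the temporary rule and
# an IPFW variable so the script can be dry-run with IPFW=<something else>.

IPFW="${IPFW:-/sbin/ipfw}"
TMP_RULE="${TMP_RULE:-10}"

# default_policy: read "ipfw list" output on stdin and report what the terminal
# rule 65535 does: prints "deny", "accept" or "unknown".  The thread's output,
# "65535 deny ip from any to any", is the kernel default; a kernel built with
# IPFIREWALL_DEFAULT_TO_ACCEPT shows "65535 allow ip from any to any" instead.
default_policy() {
    awk '$1 == 65535 && $2 == "deny"  { p = "deny" }
         $1 == 65535 && $2 == "allow" { p = "accept" }
         END { if (p == "") p = "unknown"; print p }'
}

# with_temp_allow CMD [ARGS...]: run CMD with a temporary allow rule in place.
# Narrow the rule to what CMD actually needs (for example "via lo0" or a single
# host) rather than "from any to any"; the fully open form is used here only to
# match the rule the thread describes.
with_temp_allow() {
    "$IPFW" -q add "$TMP_RULE" allow ip from any to any || return 1
    # Delete the rule on every exit path so the open window cannot outlive CMD.
    trap '"$IPFW" -q delete "$TMP_RULE"' EXIT
    trap 'exit 130' INT TERM          # falls through to the EXIT trap
    if "$@"; then rc=0; else rc=$?; fi
    "$IPFW" -q delete "$TMP_RULE"
    trap - EXIT INT TERM
    return "$rc"
}

# Usage (hypothetical file name): ipfw_tmp.sh COMMAND [ARGS...]
# Before relying on this at boot, confirm the default you are working around:
#     ipfw list | default_policy
if [ $# -gt 0 ]; then
    with_temp_allow "$@"
fi
```

Two design notes. The EXIT trap is what makes the workaround safe: a permissive rule that is added by a script and only removed on the happy path will stay in place if the script is killed, and since the rule sits ahead of 65535 the firewall is effectively open until someone notices. Checking the policy of rule 65535 first tells you whether the system was built with IPFIREWALL_DEFAULT_TO_ACCEPT; on such a kernel the temporary rule adds nothing, and the real exposure is the window Scot describes between module load and the rc script that installs your ruleset.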