From owner-freebsd-current@FreeBSD.ORG Wed Sep 24 05:51:58 2003
Date: Wed, 24 Sep 2003 05:51:56 -0700 (PDT)
From: David Wolfskill
Message-Id: <200309241251.h8OCptBE003726@bunrab.catwhisker.org>
To: conrads@cox.net, freebsd-current@freebsd.org
In-Reply-To: <20030924055812.GA1702@cox.net>
Subject: Re: dhclient/ipfw conflict on boot
List-Id: Discussions about the use of FreeBSD-current

>Date: Wed, 24 Sep 2003 00:58:12 -0500
>From: "Conrad J. Sabatier"
>To: freebsd-current@freebsd.org
>Subject: dhclient/ipfw conflict on boot

>I just ran into this today after upgrading. It seems that dhclient is
>unable to initialize properly at boot time, due to the prior initialization
>of ipfw2 (default to deny policy). As all traffic is denied until my
>firewall ruleset gets loaded (not until just after dhclient fails), it's
>unable to communicate with my ISP's DHCP server.

>This should be a quick and easy fix, right? :-)

Well, my approach to a "quick and easy fix" is "Don't do that."

For my laptop, I set up an ipfw specification that, on boot, only permitted
DHCP traffic. Then in /etc/dhclient-exit-hooks, once I've got a lease, I
invoke a different script that flushes the old rules and creates a new set,
based on such things as my new IP address and the address of the DHCP
server.

Also in /etc/dhclient-exit-hooks, if it's invoked when dhclient is exiting
(leaving the network), the script re-invokes the "default" ipfw script.

Peace,
david
-- 
David H. Wolfskill				david@catwhisker.org
If you want true virus-protection for your PC, install a non-Microsoft OS
on it.  Plausible candidates include FreeBSD, Linux, NetBSD, OpenBSD, and
Solaris (in alphabetical order).
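The hook arrangement described in the reply above, written out as an added example (not David's actual script and not part of the list archive). It assumes the variables dhclient-script exports when it sources /etc/dhclient-exit-hooks ($reason, $interface, $new_ip_address, $new_dhcp_server_identifier); the rule numbers and the minimal rule bodies are chosen here for illustration.

```sh
#!/bin/sh
# Added example of the /etc/dhclient-exit-hooks arrangement described above; not
# David's actual script. dhclient-script sources this file after each lease event
# with $reason, $interface, $new_ip_address and $new_dhcp_server_identifier set.
# Rule numbers and the minimal rule bodies are assumptions for illustration.

# Bootstrap ruleset used at boot and whenever the lease is lost: the only traffic
# allowed is the DHCP client exchange itself (UDP 68 -> 67 out, 67 -> 68 in).
default_rules() {
    # $1 = interface
    printf '%s\n' \
        "add 100 allow udp from any 68 to any 67 out via $1" \
        "add 110 allow udp from any 67 to any 68 in via $1" \
        "add 65000 deny ip from any to any"
}

# Lease ruleset: tightened to the address we were assigned and the server that
# assigned it, plus stateful outbound traffic from that address.
lease_rules() {
    # $1 = interface, $2 = our leased address, $3 = DHCP server address
    printf '%s\n' \
        "add 100 allow udp from $2 68 to $3 67 out via $1" \
        "add 110 allow udp from $3 67 to any 68 in via $1" \
        "add 200 check-state" \
        "add 210 allow ip from $2 to any out via $1 keep-state" \
        "add 65000 deny ip from any to any"
}

# Flush the running ruleset and feed the replacement to ipfw(8) on stdin.
# With a default-to-deny kernel, nothing passes between flush and reload.
load_rules() {
    ipfw -q -f flush
    ipfw -q /dev/stdin
}

case "$reason" in
    BOUND|RENEW|REBIND|REBOOT)
        lease_rules "$interface" "$new_ip_address" "$new_dhcp_server_identifier" |
            load_rules
        ;;
    EXPIRE|FAIL|RELEASE)
        default_rules "$interface" | load_rules
        ;;
esac
```

The same bootstrap ruleset should also be what /etc/rc.d/ipfw loads at boot, so that dhclient finds the DHCP exchange already permitted when it first runs.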