From owner-freebsd-current@FreeBSD.ORG Thu Sep 25 04:11:40 2003
Return-Path:
Delivered-To: freebsd-current@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4FB3316A4B3 for ; Thu, 25 Sep 2003 04:11:40 -0700 (PDT)
Received: from lakemtao03.cox.net (lakemtao03.cox.net [68.1.17.242]) by mx1.FreeBSD.org (Postfix) with ESMTP id C2C7044032 for ; Thu, 25 Sep 2003 04:11:36 -0700 (PDT) (envelope-from conrads@ip68-14-60-78.no.no.cox.net)
Received: from ip68-14-60-78.no.no.cox.net ([68.14.60.78]) by lakemtao03.cox.net ESMTP <20030925111133.BLUB14673.lakemtao03.cox.net@ip68-14-60-78.no.no.cox.net>; Thu, 25 Sep 2003 07:11:33 -0400
Received: from ip68-14-60-78.no.no.cox.net (localhost [127.0.0.1]) h8PBBDUE001316; Thu, 25 Sep 2003 06:11:14 -0500 (CDT) (envelope-from conrads@ip68-14-60-78.no.no.cox.net)
Received: (from conrads@localhost) h8PBB4gc001315; Thu, 25 Sep 2003 06:11:04 -0500 (CDT) (envelope-from conrads)
Date: Thu, 25 Sep 2003 06:11:04 -0500
From: "Conrad J. Sabatier"
To: David Wolfskill
Message-ID: <20030925111104.GA808@cox.net>
References: <20030924055812.GA1702@cox.net> <200309241251.h8OCptBE003726@bunrab.catwhisker.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <200309241251.h8OCptBE003726@bunrab.catwhisker.org>
User-Agent: Mutt/1.5.4i
cc: freebsd-current@freebsd.org
Subject: Re: dhclient/ipfw conflict on boot
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
X-List-Received-Date: Thu, 25 Sep 2003 11:11:40 -0000

On Wed, Sep 24, 2003 at 05:51:56AM -0700, David Wolfskill wrote:
> >From: "Conrad J. Sabatier"
> >Subject: dhclient/ipfw conflict on boot
>
> >I just ran into this today after upgrading.  It seems that dhclient is
> >unable to initialize properly at boot time, due to the prior initialization
> >of ipfw2 (default to deny policy).  As all traffic is denied until my
> >firewall ruleset gets loaded (not until just after dhclient fails), it's
> >unable to communicate with my ISP's DHCP server.
>
> >This should be a quick and easy fix, right?  :-)
>
> Well, my approach to a "quick and easy fix" is "Don't do that."
>
> For my laptop, I set up an ipfw specification that, on boot, only
> permitted DHCP traffic.
>
> Then in /etc/dhclient-exit-hooks, once I've got a lease, I invoke a
> different script that flushes the old rules and creates a new set, based
> on such things as my new IP address and the address of the DHCP server.
>
> Also in /etc/dhclient-exit-hooks, if it's invoked when dhclient is
> exiting (leaving the network), the script re-invokes the "default" ipfw
> script.

Interesting.  I'll have to set up something like that here.

I was hoping that maybe it was because I had been forcing the ipfw module
to load from /boot/loader.conf.  But disabling that didn't help.  :-(

--
Conrad Sabatier - "In Unix veritas"
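The arrangement David Wolfskill describes above (a boot-time ruleset that admits only DHCP, a lease-specific ruleset installed from /etc/dhclient-exit-hooks, and a fall-back to the bootstrap set when the lease goes away) can be written as a single sh script. The script below is an added example, not either poster's actual configuration. It relies on the variables ISC dhclient-script exports when it sources the exit hooks ($reason, $interface, $new_ip_address, $new_dhcp_server_identifier, $old_ip_address); the rule numbers, the stateful policy for outbound traffic, the IPFW override used for dry runs, and the assumption that something at boot (for instance a firewall_script) already calls bootstrap_rules are all the example's own choices. It also assumes the kernel's default policy is deny, so only allow rules are needed.

```shell
#!/bin/sh
# Example /etc/dhclient-exit-hooks (added illustration, not from the original
# thread). Sourced by dhclient-script as root, so no argument parsing here.

# The ipfw command; override for a dry run, e.g. IPFW="echo ipfw" (assumption).
: "${IPFW:=ipfw}"

# Bootstrap ruleset: loopback plus DHCP client traffic only. Before a lease
# exists the client sends from 0.0.0.0:68 to 255.255.255.255:67 and the offer
# comes back to port 68, so the rules match on ports rather than addresses.
bootstrap_rules() {
    ifn=$1
    $IPFW -f flush
    $IPFW add 100 allow ip from any to any via lo0
    $IPFW add 200 allow udp from any 68 to any 67 out via "$ifn"
    $IPFW add 210 allow udp from any 67 to any 68 in via "$ifn"
}

# Lease ruleset, built from the address we were given and the server that
# gave it. Keeps the lease renewable (unicast renew, broadcast rebind) and
# lets this host initiate traffic; everything else arriving on the interface
# is logged and dropped by rule 400 before the default policy sees it.
lease_rules() {
    ifn=$1; ip=$2; server=$3
    $IPFW -f flush
    $IPFW add 100 allow ip from any to any via lo0
    $IPFW add 200 allow udp from "$ip" 68 to "$server" 67 out via "$ifn"
    $IPFW add 210 allow udp from "$server" 67 to "$ip" 68 in via "$ifn"
    $IPFW add 220 allow udp from any 68 to 255.255.255.255 67 out via "$ifn"
    $IPFW add 230 allow udp from any 67 to any 68 in via "$ifn"
    $IPFW add 300 check-state
    $IPFW add 310 allow tcp from "$ip" to any out via "$ifn" setup keep-state
    $IPFW add 320 allow udp from "$ip" to any out via "$ifn" keep-state
    $IPFW add 330 allow icmp from "$ip" to any out via "$ifn" keep-state
    $IPFW add 400 deny log ip from any to any in via "$ifn"
}

# Dispatch on dhclient's $reason. Arguments: reason, interface, new address,
# server identifier, old address.
dhclient_exit_hook() {
    case "$1" in
    BOUND|REBIND|REBOOT)
        lease_rules "$2" "$3" "$4" ;;
    RENEW)
        # Flushing also discards keep-state entries and would cut live
        # connections, so leave the rules alone when the address is unchanged.
        [ "$3" = "$5" ] || lease_rules "$2" "$3" "$4" ;;
    EXPIRE|FAIL|RELEASE|STOP)
        # Lease gone: back to the DHCP-only bootstrap ruleset.
        bootstrap_rules "$2" ;;
    esac
}

# Only act when sourced by dhclient-script, which sets $reason.
if [ -n "${reason:-}" ]; then
    dhclient_exit_hook "$reason" "${interface:-}" "${new_ip_address:-}" \
        "${new_dhcp_server_identifier:-}" "${old_ip_address:-}"
fi
```

Run it by hand with IPFW="echo ipfw" and the dhclient variables set in the environment to see the exact rules it would install before trusting it on a real box; the RENEW short-circuit matters because the flush in lease_rules drops the dynamic state that rule 300 relies on.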