From owner-freebsd-questions  Tue May 28 14:38: 3 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from apollo.backplane.com (apollo.backplane.com [216.240.41.2])
	by hub.freebsd.org (Postfix) with ESMTP
	id 6B43937B405; Tue, 28 May 2002 14:37:55 -0700 (PDT)
Received: from apollo.backplane.com (localhost [127.0.0.1])
	by apollo.backplane.com (8.12.3/8.12.3) with ESMTP id g4SLbr3d025038;
	Tue, 28 May 2002 14:37:54 -0700 (PDT)
	(envelope-from dillon@apollo.backplane.com)
Received: (from dillon@localhost)
	by apollo.backplane.com (8.12.3/8.12.3/Submit) id g4SLbrun025037;
	Tue, 28 May 2002 14:37:53 -0700 (PDT)
	(envelope-from dillon)
Date: Tue, 28 May 2002 14:37:53 -0700 (PDT)
From: Matthew Dillon <dillon@apollo.backplane.com>
Message-Id: <200205282137.g4SLbrun025037@apollo.backplane.com>
To: Irwan Hadi <irwanhadi@phxby.com>,
	Jeff Jirsa <jeff@boris.st.hmc.edu>, Irwan Hadi <irwanhadi@phxby.com>,
	freebsd-questions@FreeBSD.ORG, freebsd-stable@FreeBSD.ORG
Subject: Re: Server won't boot after recompile the kernel with ipfw support
References: <20020528142640.A22370@phxby.com> <20020528133316.S16405-100000@boris.st.hmc.edu> <20020528150941.A24676@phxby.com> <200205282131.g4SLVmYZ024980@apollo.backplane.com>
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-questions.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-questions>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-questions>
X-Loop: FreeBSD.ORG

   Oh, I forgot to mention.  A very common mistake when upgrading a system
   is to install a new kernel without installing a new world, or to install
   a new world without installing a new kernel.

   This can create a situation where the machine is unable to add any firewall
   rules, resulting in the network being permanently disabled.  This occurs
   when the kernel structures used by the 'ipfw' binary are incompatible
   with the structures the running kernel expects.

   It is very important when upgrading a machine to install both a new kernel
   AND A new world before rebooting.  Alternatively if you compile a custom
   kernel and set the IPFIREWALL_DEFAULT_TO_ACCEPT option in addition to
   the IPFIREWALL option, then at least the kernel will boot into a default
   state that allows the network to work, even if the ipfw binary is broken.

						-Matt


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message