Date: Sat, 28 Feb 2004 13:30:27 -1000 (HST)
From: Vincent Poy <vince@oahu.WURLDLINK.NET>
To: Robert Watson <rwatson@freebsd.org>
Cc: Kris Kennaway <kris@obsecurity.org>
Subject: Re: HEADSUP: Sleep queues added to kernel, so be careful.
Message-ID: <20040228131212.G8264-100000@oahu.WURLDLINK.NET>
In-Reply-To: <Pine.NEB.3.96L.1040228172334.24114O-100000@fledge.watson.org>
On Sat, 28 Feb 2004, Robert Watson wrote:

> On Sat, 28 Feb 2004, Vincent Poy wrote:
>
> > > > What seems to happen for me is that I was originally on a September 23,
> > > > 2003 -CURRENT and then applied all /etc updates and then according to
> > > > src/UPDATING - I did a make buildworld, followed by a make buildkernel,
> > > > make installkernel and rebooted and things were still working. Then I
> > > > did a make installworld and then recvsupped with the latest tree which
> > > > had src/sbin/savecore/savecore.c 1.68 as the latest thing, then repeated
> > > > the make buildworld, make buildkernel, make installkernel, make
> > > > installworld but this time as soon as I rebooted, the network seems to
> > > > not work at all. I can't get past the machine. Is this something
> > > > broken with ipfw since I can't ping the public IP but I can ping the
> > > > local 192.168.0.1 address but not anything beyond that and it is connected
> > > > at 100Mbps Full Duplex. Tried switching both NIC cards and cables just
> > > > in case they decided to fail but no go either.
> > >
> > > Could you confirm that your userspace and userland are really 100% in
> > > sync? If you run without IPFW, do things work properly?
> >
> > Yep, they are in sync. I guess I stayed up all night trying to
> > figure it out and right before your message, that's what I decided to do
> > by changing my /etc/rc.conf for firewall_enable="NO" from "YES" even
> > though I left the firewall_type="open". My /etc/rc.firewall script does
> > use pipe and queues from dummynet so I don't know if that has an effect
> > or not. But anyways, with the firewall disabled, this time ping and
> > traceroute don't seem to get anywhere and "ipfw show" shows:
> >
> > 65535 299 19878 deny ip from any to any
> >
> > so I did a "ipfw add 65000 allow all from any to any" and then the box
> > can reach the outside fine so it seems like either the ipfw or dummynet
> > is broken.
> I'm not sure I quite understand the various configurations from your
> description, it seems like there's a number of variables floating around.
> Could you send a copy of your firewall rules and pertinent rc.conf entries
> so I can take a look? Also, could you lay out the various cases a little
> more clearly -- something like the following:
>
> ipfw loaded    ipfw enabled    local traffic    non-local traffic
> no             no              ?                ?
> yes            no              ?                ?
> yes            yes             ?                ?

I tried using the default /etc/rc.firewall just to isolate any issues and
just tried a few things prior to writing this message and think I have it
nailed down. But the answer to the above ?'s is really all no because of
the rule 50 divert natd allow ip from any to any. Once I remove rule 50,
everything works again. ipfw shows the following:

00050    0      0 divert 8668 from any to any via xl0
00100  820  91178 allow ip from any to any via lo0
00200    0      0 deny ip from any to 127.0.0.0/8
00300    0      0 deny ip from 127.0.0.0/8 to any
65000  668 224710 allow ip from any to any
65535    0      0 deny ip from any to any

My /etc/rc.conf contains the following:

firewall_enable="YES"           # Set to YES to enable firewall functionality
firewall_script="/etc/rc.firewall" # Which script to run to set up the firewall
firewall_type="open"            # Firewall type (see /etc/rc.firewall)
firewall_quiet="NO"             # Set to YES to suppress rule display
firewall_logging="YES"          # Set to YES to enable events logging
firewall_flags=""               # Flags passed to ipfw when type is a file
natd_program="/sbin/natd"       # path to natd, if you want a different one.
natd_enable="YES"               # Enable natd (if firewall_enable == YES).
natd_interface="xl0"            # Public interface or IPaddress to use.
natd_flags=""                   # Additional flags for natd.
ipfilter_enable="NO"            # Set to YES to enable ipfilter functionality
ipfilter_program="/sbin/ipf"    # where the ipfilter program lives
ipfilter_rules="/etc/ipf.rules" # rules definition file for ipfilter, see examples
ipfilter_flags=""               # additional flags for ipfilter
ipnat_enable="NO"               # Set to YES to enable ipnat functionality
ipnat_program="/sbin/ipnat"     # where the ipnat program lives
ipnat_rules="/etc/ipnat.rules"  # rules definition file for ipnat
ipnat_flags=""                  # additional flags for ipnat
network_interfaces="lo0 xl0"    # List of network interfaces (or "auto").
cloned_interfaces=""            # List of cloned network interfaces to create.
#cloned_interfaces="gif0 gif1 gif2 gif3" # Pre-cloning GENERIC config.
ifconfig_lo0="inet 127.0.0.1"   # default loopback device configuration.
ifconfig_xl0=""
#ifconfig_lo0_alias0="inet 127.0.0.254 netmask 0xffffffff" # Sample alias entry.
#ifconfig_ed0_ipx="ipx 0x00010010"       # Sample IPX address family entry.

### Network routing options: ###
defaultrouter="208.201.244.1"   # Set to default gateway (or NO).
static_routes=""                # Set to static route list (or leave empty).
natm_static_routes=""           # Set to static route list for NATM (or leave empty).
gateway_enable="YES"            # Set to YES if this host will be a gateway.
router_enable="NO"              # Set to YES to enable a routing daemon.
router="/sbin/routed"           # Name of routing daemon to use if enabled.
router_flags="-q"               # Flags for routing daemon.

My interfaces' IPs are done via a script, /etc/start_if.xl0, which contains:

/sbin/ifconfig xl0 inet 208.201.244.224 netmask 255.255.255.0
/sbin/ifconfig xl0 inet 192.168.0.1 netmask 255.255.255.0 alias

And /etc/rc.firewall is just an unmodified 1.47 directly copied from
src/etc/rc.firewall.

> Note that if ipfw is loaded but you haven't configured rules, the default
> rule is to deny all IP traffic, implementing a fail closed/conservative
> model. This means that if ipfw is loaded, you need to have at least one
> accept rule in place.
> "open" is supposed to get things somewhat open at least.

I was under the assumption that if you had:

firewall_enable="NO"            # Set to YES to enable firewall functionality

in /etc/rc.conf, it would disable ipfw from being loaded. "open" is what I
am using since that seems to add rules 100, 200 and 300 as well as 65000
and 65535, but if one has natd_enable in /etc/rc.conf, it adds a rule 50
that diverts to natd from any to any, which is the one that seems to be
the problem.

Cheers,
Vince - vince@WURLDLINK.NET - Vice President
Unix Networking Operations - FreeBSD-Real Unix for Free
WurldLink Corporation
San Francisco - Honolulu - Hong Kong
HongKong Stars/Gravis UltraSound Mailing Lists Admin
Almighty1@IRC - oahu.DAL.NET Hawaii's DALnet IRC Network Server Admin
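As an added example, not part of this thread, the following Python script audits an "ipfw show" listing for the fail-closed point Robert makes: it parses the per-rule counters, reports when no accept rule precedes the built-in rule 65535 or when that default deny is accumulating matches, and flags divert rules, since per divert(4) a packet diverted to a port with no bound socket is dropped. The listing it parses is the one quoted above, embedded as constructed sample input; the function and variable names are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the "ipfw show" listing quoted in the message above.
IPFW_SHOW = """\
00050    0      0 divert 8668 from any to any via xl0
00100  820  91178 allow ip from any to any via lo0
00200    0      0 deny ip from any to 127.0.0.0/8
00300    0      0 deny ip from 127.0.0.0/8 to any
65000  668 224710 allow ip from any to any
65535    0      0 deny ip from any to any
"""

DEFAULT_RULE = 65535                                    # ipfw's built-in final rule
ACCEPT_ACTIONS = {"allow", "accept", "pass", "permit"}  # synonyms listed in ipfw(8)

# "ipfw show" prints: rule number, packet counter, byte counter, action, rest of rule.
_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*(.*)$")


@dataclass
class Rule:
    number: int
    packets: int
    nbytes: int
    action: str
    body: str          # everything after the action, e.g. "ip from any to any via lo0"


def parse_ipfw_show(text):
    """Turn the text of 'ipfw show' into Rule records; lines that are not rules are skipped."""
    rules = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            num, pkts, nbytes, action, body = m.groups()
            rules.append(Rule(int(num), int(pkts), int(nbytes), action, body))
    return rules


def audit(rules):
    """Return findings as strings; an empty list means nothing looked suspicious."""
    findings = []
    if not any(r.action in ACCEPT_ACTIONS and r.number < DEFAULT_RULE for r in rules):
        findings.append("no accept rule before rule 65535: ipfw fails closed and denies all IP traffic")
    for r in rules:
        if r.number == DEFAULT_RULE and r.packets:
            findings.append(f"default rule {DEFAULT_RULE} has matched {r.packets} packets: traffic is falling through to the deny")
        if r.action == "divert":
            port = r.body.split()[0]   # divert's first argument is the divert(4) port
            findings.append(f"rule {r.number:05d} diverts to port {port}: if no daemon is bound there, those packets are dropped")
    return findings
```

Run against the listing above it reports only the divert rule 50; run against the single-rule listing from earlier in the thread (65535 with 299 matched packets) it reports both the missing accept rule and the traffic hitting the default deny.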