Date:      Sat, 28 Feb 2004 13:30:27 -1000 (HST)
From:      Vincent Poy <vince@oahu.WURLDLINK.NET>
To:        Robert Watson <rwatson@freebsd.org>
Cc:        Kris Kennaway <kris@obsecurity.org>
Subject:   Re: HEADSUP: Sleep queues added to kernel, so be careful.
Message-ID:  <20040228131212.G8264-100000@oahu.WURLDLINK.NET>
In-Reply-To: <Pine.NEB.3.96L.1040228172334.24114O-100000@fledge.watson.org>

On Sat, 28 Feb 2004, Robert Watson wrote:

> On Sat, 28 Feb 2004, Vincent Poy wrote:
>
> > > > What seems to happen for me is that I was originally on a September 23,
> > > > 2003 -CURRENT and then applied all /etc updates and then according to
> > > > src/UPDATING - I did a make buildworld, followed by a make buildkernel,
> > > > make installkernel and rebooted and things were still working.  Then I
> > > > did a make installworld and then recvsupped with the latest tree which
> > > > had src/sbin/savecore/savecore.c 1.68 as the latest thing, then repeated
> > > > the make buildworld, make buildkernel, make installkernel, make
> > > > installworld but this time as soon as I rebooted, the network seems to
> > > > not work at all.  I can't get past the machine.  Is this something
> > > > broken with ipfw since I can't ping the public IP but I can ping the
> > > > local 192.168.0.1 address but not anything beyond that and is connected
> > > > at 100Mbps Full Duplex.  Tried switching both NIC cards and cables just
> > > > in case they decided to fail but no go either.
> > >
> > > Could you confirm that your userspace and userland are really 100% in
> > > sync?  If you run without IPFW, do things work properly?
> >
> > 	Yep, they are in sync.  I guess I stayed up all night trying to
> > figure it out and right before your message, that's what I decided to do
> > by changing my /etc/rc.conf for firewall_enable="NO" from "YES" even
> > though I left the firewall_type="open".  My /etc/rc.firewall script does
> > use pipe and queues from dummynet so I don't know if that has an effect
> > or not.  But anyways, with the firewall disabled, this time ping and
> > traceroute don't seem to get anywhere and "ipfw show" shows:  65535
> > 299 19878 deny ip from any to any so I did a "ipfw add 65000 allow all
> > from any to any" and then the box can reach the outside fine so it seems
> > like either the ipfw or dummynet is broken.
>
> I'm not sure I quite understand the various configurations from your
> description, it seems like there's a number of variables floating around.
> Could you send a copy of your firewall rules and pertinent rc.conf entries
> so I can take a look?  Also, could you lay out the various cases a little
> more clearly -- something like the following:
> ipfw loaded	ipfw enabled	local traffic	non-local traffic
> no		no		?		?
> yes		no		?		?
> yes		yes		?		?

	I tried using the default /etc/rc.firewall just to isolate any
issues and just tried a few things prior to writing this message and think
I have it nailed down.  But the question to the above ?'s is really all no
because of the rule 50 divert natd allow ip from any to any.  Once I
remove rule 50, everything works again.  ipfw shows the following:

00050    0      0 divert 8668 from any to any via xl0
00100  820  91178 allow ip from any to any via lo0
00200    0      0 deny ip from any to 127.0.0.0/8
00300    0      0 deny ip from 127.0.0.0/8 to any
65000  668 224710 allow ip from any to any
65535    0      0 deny ip from any to any

My /etc/rc.conf contains the following:

firewall_enable="YES"           # Set to YES to enable firewall functionality
firewall_script="/etc/rc.firewall" # Which script to run to set up the firewall
firewall_type="open"            # Firewall type (see /etc/rc.firewall)
firewall_quiet="NO"             # Set to YES to suppress rule display
firewall_logging="YES"          # Set to YES to enable events logging
firewall_flags=""               # Flags passed to ipfw when type is a file

natd_program="/sbin/natd"       # path to natd, if you want a different  one.
natd_enable="YES"               # Enable natd (if firewall_enable == YES).
natd_interface="xl0"            # Public interface or IPaddress to use.
natd_flags=""                   # Additional flags for natd.
ipfilter_enable="NO"            # Set to YES to enable ipfilter functionality
ipfilter_program="/sbin/ipf"    # where the ipfilter program lives
ipfilter_rules="/etc/ipf.rules" # rules definition file for ipfilter, see examples
ipfilter_flags=""               # additional flags for ipfilter
ipnat_enable="NO"               # Set to YES to enable ipnat functionality
ipnat_program="/sbin/ipnat"     # where the ipnat program lives
ipnat_rules="/etc/ipnat.rules"  # rules definition file for ipnat
ipnat_flags=""                  # additional flags for ipnat

network_interfaces="lo0 xl0"    # List of network interfaces (or "auto").
cloned_interfaces=""            # List of cloned network interfaces to create.
#cloned_interfaces="gif0 gif1 gif2 gif3" # Pre-cloning GENERIC config.
ifconfig_lo0="inet 127.0.0.1"   # default loopback device configuration.
ifconfig_xl0=""
#ifconfig_lo0_alias0="inet 127.0.0.254 netmask 0xffffffff" # Sample alias entry.
#ifconfig_ed0_ipx="ipx 0x00010010"      # Sample IPX address family entry.
### Network routing options: ###
defaultrouter="208.201.244.1"           # Set to default gateway (or NO).
static_routes=""                # Set to static route list (or leave empty).
natm_static_routes=""           # Set to static route list for NATM (or leave empty).
gateway_enable="YES"            # Set to YES if this host will be a gateway.
router_enable="NO"              # Set to YES to enable a routing daemon.
router="/sbin/routed"           # Name of routing daemon to use if enabled.
router_flags="-q"               # Flags for routing daemon.

My interfaces' IPs are done via a script:

/etc/start_if.xl0 which contains:
/sbin/ifconfig xl0 inet 208.201.244.224 netmask 255.255.255.0
/sbin/ifconfig xl0 inet 192.168.0.1 netmask 255.255.255.0 alias

And /etc/rc.firewall is just an unmodified 1.47 directly copied from
src/etc/rc.firewall.

> Note that if ipfw is loaded but you haven't configured rules, the default
> rule is to deny all IP traffic, implementing a fail closed/conservative
> model.  This means that if ipfw is loaded, you need to have at least one
> accept rule in place.  "open" is supposed to get things somewhat open at
> least.

	I was under the assumption that if you had:

firewall_enable="NO"           # Set to YES to enable firewall functionality

in /etc/rc.conf, it would disable ipfw from being loaded.  open is what I
am using since that seems to add a rule 100, 200, 300 as well as a 65000
and the 65535 but if one had natd_enable in /etc/rc.conf, it adds a rule
50 that diverts to natd from any to any which is the one that seems to be
the problem.


Cheers,
Vince - vince@WURLDLINK.NET - Vice President             ________   __ ____
Unix Networking Operations - FreeBSD-Real Unix for Free / / / / |  / |[__  ]
WurldLink Corporation                                  / / / /  | /  | __] ]
San Francisco - Honolulu - Hong Kong                  / / / / / |/ / | __] ]
HongKong Stars/Gravis UltraSound Mailing Lists Admin /_/_/_/_/|___/|_|[____]
Almighty1@IRC - oahu.DAL.NET Hawaii's DALnet IRC Network Server Admin
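The listing and the diagnosis above (a divert rule ahead of the allow rules, with ipfw failing closed at rule 65535) can be checked mechanically. The following is an added example, not code from the thread or from FreeBSD: it parses `ipfw show` output and flags the properties that produce an "everything is dropped" symptom. The sample listing is constructed from the rules quoted in the message; the helper names are mine.

```python
import re
from dataclasses import dataclass

# Constructed sample: the `ipfw show` listing quoted in the message above
# (rule number, packet count, byte count, action, rule body).
SAMPLE_IPFW_SHOW = """\
00050    0      0 divert 8668 from any to any via xl0
00100  820  91178 allow ip from any to any via lo0
00200    0      0 deny ip from any to 127.0.0.0/8
00300    0      0 deny ip from 127.0.0.0/8 to any
65000  668 224710 allow ip from any to any
65535    0      0 deny ip from any to any
"""

RULE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*(.*)$")


@dataclass
class Rule:
    number: int
    packets: int
    nbytes: int
    action: str  # allow, deny, divert, ...
    body: str    # text after the action, e.g. "8668 from any to any via xl0"


def parse_ipfw_show(text: str) -> list[Rule]:
    """Parse `ipfw show` output into Rule objects, ignoring non-rule lines."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append(Rule(int(m[1]), int(m[2]), int(m[3]), m[4], m[5]))
    return sorted(rules, key=lambda r: r.number)


def audit(rules: list[Rule]) -> dict:
    """Flag ruleset properties that explain 'nothing gets through' symptoms."""
    findings = []
    # ipfw fails closed: the default rule 65535 denies whatever earlier rules did not match.
    if not rules or rules[-1].action != "deny":
        findings.append("no final deny rule; ipfw's default rule 65535 normally supplies it")
    first_allow = next((r.number for r in rules if r.action == "allow"), None)
    for r in rules:
        if r.action == "divert":
            # Packets diverted to a port with no bound socket (e.g. natd not running) are dropped.
            early = first_allow is None or r.number < first_allow
            findings.append(f"rule {r.number} diverts to port {r.body.split()[0]}"
                            f"{' before any allow rule' if early else ''}; dropped unless a daemon listens")
        elif r.action == "allow" and r.body == "ip from any to any":
            findings.append(f"rule {r.number} allows all traffic (firewall_type=open behaviour)")
    return {"findings": findings, "active_rules": [r.number for r in rules if r.packets > 0]}
```

The `active_rules` list (rules with non-zero packet counters) shows which rules are actually matching traffic; here only the lo0 allow and the catch-all allow have counted packets.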


