Date: Sun, 16 Nov 1997 13:37:30 -0500 (EST)
From: Robert N Watson <rnw@andrew.cmu.edu>
To: Studded <Studded@dal.net>
Cc: Alex Nash <nash@Mcs.Net>, FreeBSD Stable List <FreeBSD-Stable@FreeBSD.ORG>
Subject: Re: Serious problem with ipfw in 11/10 Snap
Message-ID: <Pine.SOL.3.95L.971116133300.1754A-100000@apriori.cc.cmu.edu>
In-Reply-To: <199711152131.NAA01650@mail.san.rr.com>
On Sat, 15 Nov 1997, Studded wrote:

> On Fri, 14 Nov 1997 19:42:01 -0600 (CST), Alex Nash wrote:
>
> >On Fri, 14 Nov 1997, Studded wrote:
> >
> >> More detail on the problem in case it's useful.
> >>
> >> 1. The rule appeared as 00000 deny ip from any to any
> >> 2. That rule, and only that rule persisted after a flush.
> >> 3. IPFW was able to load my usual (well-tested) rc.firewall script just
> >> fine, but none of the rules in it mattered because the 00000 rule was
> >> always parsed first.
> >
> >It shouldn't be possible to generate a rule with #0 since that has a
> >special meaning to the kernel -- that is, insert this rule after the
> >highest numbered rule. I looked at the code, but can't see any way that
> >this could happen.
> >
> >Just out of curiosity, did you also see the 65535 deny all rule?
>
> I had to get a copy of the log where the tech was explaining the
> problem to me, and according to him, when he did a flush the only rule
> present was 00000 deny ip from any to any. I asked him to double-check,
> and he copied it exactly.

Make sure you installed a revised ipfw. Something changed there, I think, as when I switched from 2.2.2 to stable a few weeks ago on my servers, I ran into exactly the same problem. A rule 00000 existed that denied all packets, and the ipfw delete call did not work (gave an interface error of some kind -- probably sctl, but don't recall). Since I could not insert any rules before it, I could not bring the network up. Fortunately, the machine had a floppy drive, so I did a buildworld on our build machine, stuck the new ipfw on a floppy, and took it on over. The moral really was that if you're going to make the leap to stable, do it for everything and not just the kernel. :) In particular, make sure that the /usr/include stuff is installed before building ipfw. With a new ipfw, the problem magically went away.
I may have been misinterpreting both the symptoms and the solution, but I just thought I'd note that I had had a similar problem in a similar situation, and that a rebuild and update of includes and ipfw fixed it.
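Added illustration, not code from this thread or from FreeBSD: a small C model of the failure Watson suspects, a userland ipfw compiled against stale /usr/include reading the kernel's rule records with the wrong struct layout. The two layouts, the field names, the action encoding (deny = 0, so a zeroed record reads as "deny"), and the auto-numbering step of 100 for a rule submitted as number 0 are all assumptions made for the example; they are not FreeBSD's actual struct ip_fw or its kernel code. With these layouts, the kernel's single post-flush default rule 65535 decodes as "00000 deny ip from any to any" in the stale tool, and number 0 is rejected on delete because the kernel reserves it to mean "append after the highest numbered rule".

```c
/* Hypothetical model of an ipfw-style rule chain and of a userland tool
 * built against stale headers.  Layouts, names and constants are constructed
 * for this example; they are not FreeBSD's struct ip_fw or its semantics. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define RULE_DEFAULT  65535u   /* fixed final deny rule, never deletable */
#define RULE_AUTOSTEP 100u     /* assumed spacing used when number 0 is given */
#define MAX_RULES     32
#define ACT_DENY      0        /* assumed: 0, so an all-zero record reads as deny */
#define ACT_ALLOW     1

/* Layout the (simulated) kernel was built with: a counter field was added. */
struct k_rule {
    uint32_t src, dst;
    uint32_t pkt_count;        /* field added by the "new" headers */
    uint16_t number;
    uint8_t  action, flags;
};

/* Layout from the older headers a stale ipfw binary was compiled against. */
struct old_rule {
    uint32_t src, dst;
    uint16_t number;
    uint8_t  action, flags;
};

struct chain { struct k_rule r[MAX_RULES]; int n; };

/* Flush leaves only the default deny-everything rule. */
void chain_flush(struct chain *c) {
    memset(c, 0, sizeof *c);
    c->r[0].number = RULE_DEFAULT;
    c->r[0].action = ACT_DENY;
    c->n = 1;
}

/* Number 0 is reserved: it means "append after the highest numbered user rule".
 * Returns the number the rule was stored under, or -1 on error. */
int chain_add(struct chain *c, struct k_rule r) {
    if (c->n >= MAX_RULES) return -1;
    if (r.number == 0) {
        uint16_t hi = 0;
        for (int i = 0; i < c->n; i++)
            if (c->r[i].number != RULE_DEFAULT && c->r[i].number > hi)
                hi = c->r[i].number;
        r.number = (uint16_t)(hi + RULE_AUTOSTEP);
    }
    if (r.number >= RULE_DEFAULT) return -1;
    int i = 0;   /* keep the chain sorted, default rule always last */
    while (i < c->n && c->r[i].number != RULE_DEFAULT && c->r[i].number <= r.number) i++;
    memmove(&c->r[i + 1], &c->r[i], (size_t)(c->n - i) * sizeof r);
    c->r[i] = r;
    c->n++;
    return r.number;
}

/* Deleting rule 0 or the default rule is refused; this is the error a tool
 * that believes it is looking at rule "00000" runs into. */
int chain_delete(struct chain *c, uint16_t number) {
    if (number == 0 || number == RULE_DEFAULT) return -1;
    for (int i = 0; i < c->n; i++)
        if (c->r[i].number == number) {
            memmove(&c->r[i], &c->r[i + 1], (size_t)(c->n - i - 1) * sizeof c->r[0]);
            c->n--;
            return 0;
        }
    return -1;
}

/* getsockopt-style export: the raw bytes of the kernel's records. */
size_t chain_export(const struct chain *c, void *buf, size_t len) {
    size_t need = (size_t)c->n * sizeof(struct k_rule);
    if (len < need) return 0;
    memcpy(buf, c->r, need);
    return need;
}

/* Userland decoders: the same bytes read through two compiled-in layouts. */
int list_first_number_current(const void *buf) { struct k_rule   r; memcpy(&r, buf, sizeof r); return r.number; }
int list_first_number_stale(const void *buf)   { struct old_rule r; memcpy(&r, buf, sizeof r); return r.number; }
int list_first_action_stale(const void *buf)   { struct old_rule r; memcpy(&r, buf, sizeof r); return r.action; }

int main(void) {
    struct chain c;
    unsigned char buf[sizeof(struct k_rule) * MAX_RULES];
    chain_flush(&c);
    chain_export(&c, buf, sizeof buf);
    printf("current ipfw sees rule %05d\n", list_first_number_current(buf));
    printf("stale   ipfw sees rule %05d (%s)\n", list_first_number_stale(buf),
           list_first_action_stale(buf) == ACT_DENY ? "deny" : "allow");
    printf("delete 0 -> %d (reserved number)\n", chain_delete(&c, 0));
    return 0;
}
```

The stale decoder lands the 16-bit number field on the low bytes of the kernel's zeroed counter and the action byte on another zero byte, so the only rule left after a flush is displayed as "00000 deny ip from any to any" with no 65535 rule in sight, which matches the symptom Nash was probing for. Rebuilding ipfw against the installed headers, as the message recommends, makes the two layouts agree again.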
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.SOL.3.95L.971116133300.1754A-100000>