conf/74610: Hostname resolution failure causes firewall rules to stop loading

[Ceri Davies]

>Number:         74610
>Category:       conf
>Synopsis:       Hostname resolution failure causes firewall rules to stop loading
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Dec 02 10:37:54 GMT 2004
>Closed-Date:
>Last-Modified:
>Originator:     Ceri Davies
>Release:        FreeBSD 4.10-STABLE i386
>Organization:
>Environment:
System: FreeBSD shrike.private.submonkey.net 4.10-STABLE FreeBSD 4.10-STABLE #51: Wed Dec 1 23:31:06 GMT 2004 root at shrike.private.submonkey.net:/usr/obj/usr/src/sys/SHRIKE i386


	
>Description:

	After upgrading to the above version from a 75 day old 4.10-STABLE,
	one of the hostnames in my firewall rules failed to resolve on
	bootup for some reason (probably because named isn't running at
	that point but I'll worry about that elsewhere).  This resolution
	failure meant that the rest of my rules were not loaded.  From dmesg:

	Flushed all rules.
	01000 allow ip from any to any via lo0
	02000 deny ip from any to 127.0.0.0/8
	03000 deny ip from 127.0.0.0/8 to any
	01050 deny ip from any to any frag
	01200 deny tcp from any to any dst-port 135-137 via fxp0
	01210 deny udp from any to any dst-port 135-137 via fxp0
	01220 pipe 1 tcp from any to any dst-port 2234
	01230 allow ip from any to any via fxp0
	02010 deny udp from 10.133.151.254 to me dst-port 68
	02040 deny log logamount 100 ip from any to 10.0.0.0/8
	02050 deny log logamount 100 ip from any to 172.16.0.0/12
	02060 deny log logamount 10 ip from 172.16.0.0/12 to any
	02070 deny log logamount 100 ip from 10.0.0.0/8 to any
	02080 divert 8668 ip from any to any via vr0
	02090 allow ip from 192.168.10.0/24 to any via vr0
	02100 allow ip from any to 192.168.10.0/24 via vr0
	02110 deny log logamount 100 ip from any to 192.168.0.0/16 via vr0
	02120 deny log logamount 100 ip from 192.168.0.0/16 to any via vr0
	04000 check-state
	04010 allow tcp from any to any out keep-state
	04020 allow udp from any to any dst-port 53 keep-state
	04030 allow udp from any to any out
	Line 44:
	hostname ``bear.zoo.bt.co.uk'' unknown

	Firewall rules loaded, starting divert daemons:
	 natd

	All rules following line 44 (of which there are many) were not loaded.

>How-To-Repeat:

	Add a firewall rule for a hostname that doesn't resolve.  Reboot.
	
>Fix:

	Attempt to load all of the rules, even if one fails.

>Release-Note:
>Audit-Trail:
>Unformatted: