conf/74610: Hostname resolution failure causes firewall rules to stop loading
Ceri Davies
ceri at FreeBSD.org
Thu Dec 2 02:37:54 PST 2004
>Number: 74610
>Category: conf
>Synopsis: Hostname resolution failure causes firewall rules to stop loading
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Dec 02 10:37:54 GMT 2004
>Closed-Date:
>Last-Modified:
>Originator: Ceri Davies
>Release: FreeBSD 4.10-STABLE i386
>Organization:
>Environment:
System: FreeBSD shrike.private.submonkey.net 4.10-STABLE FreeBSD 4.10-STABLE #51: Wed Dec 1 23:31:06 GMT 2004 root at shrike.private.submonkey.net:/usr/obj/usr/src/sys/SHRIKE i386
>Description:
After upgrading to the above version from a 75 day old 4.10-STABLE,
one of the hostnames in my firewall rules failed to resolve on
bootup for some reason (probably because named isn't running at
that point but I'll worry about that elsewhere). This resolution
failure meant that the rest of my rules were not loaded. From dmesg:
Flushed all rules.
01000 allow ip from any to any via lo0
02000 deny ip from any to 127.0.0.0/8
03000 deny ip from 127.0.0.0/8 to any
01050 deny ip from any to any frag
01200 deny tcp from any to any dst-port 135-137 via fxp0
01210 deny udp from any to any dst-port 135-137 via fxp0
01220 pipe 1 tcp from any to any dst-port 2234
01230 allow ip from any to any via fxp0
02010 deny udp from 10.133.151.254 to me dst-port 68
02040 deny log logamount 100 ip from any to 10.0.0.0/8
02050 deny log logamount 100 ip from any to 172.16.0.0/12
02060 deny log logamount 10 ip from 172.16.0.0/12 to any
02070 deny log logamount 100 ip from 10.0.0.0/8 to any
02080 divert 8668 ip from any to any via vr0
02090 allow ip from 192.168.10.0/24 to any via vr0
02100 allow ip from any to 192.168.10.0/24 via vr0
02110 deny log logamount 100 ip from any to 192.168.0.0/16 via vr0
02120 deny log logamount 100 ip from 192.168.0.0/16 to any via vr0
04000 check-state
04010 allow tcp from any to any out keep-state
04020 allow udp from any to any dst-port 53 keep-state
04030 allow udp from any to any out
Line 44:
hostname ``bear.zoo.bt.co.uk'' unknown
Firewall rules loaded, starting divert daemons:
natd
All rules following line 44 (of which there are many) were not loaded.
>How-To-Repeat:
Add a firewall rule for a hostname that doesn't resolve. Reboot.
>Fix:
Attempt to load all of the rules, even if one fails.
>Release-Note:
>Audit-Trail:
>Unformatted:
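As an added example, not part of this PR and not FreeBSD's own rc.firewall, the behaviour the Fix field asks for: a loader that runs each rule as its own ipfw(8) invocation and keeps going when one fails, plus a pre-flight check that lists the rules whose source or destination is a literal hostname and therefore needs the resolver at the time rc.firewall runs. Assumptions: the rules file holds one ipfw subcommand per line as it would be given to ipfw(8); IPFW names the command to run; the sample ruleset, the KNOWN_HOSTS list and the demo_ipfw stand-in are constructed for the demonstration so it runs offline, and demo_ipfw only imitates the "hostname ... unknown" message seen in the report.

```shell
#!/bin/sh
# Added example (not from the PR or FreeBSD's rc.firewall): load ipfw
# rules one at a time so a rule that fails, e.g. because a hostname does
# not resolve at boot, does not stop the rules after it from loading, and
# list the rules that depend on the resolver so they can be fixed first.
# Assumptions: one ipfw(8) subcommand per line, as in a file passed to
# ipfw(8); IPFW names the command to run (overridable for testing).
IPFW="${IPFW:-/sbin/ipfw}"

# hostname_rules FILE: print the rules whose operand after "from"/"to" is
# neither any, me nor an IPv4 address or CIDR block, i.e. a literal
# hostname that the resolver must answer when the rules are loaded.
hostname_rules() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }
        {
            for (i = 1; i < NF; i++) {
                if ($i != "from" && $i != "to") continue
                j = i + 1
                if ($j == "not") j++                 # "from not 10.0.0.0/8"
                a = $j
                if (a == "any" || a == "me") continue
                if (a ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/) continue
                print                                # report the rule once
                break
            }
        }' "$1"
}

# load_rules FILE: run every rule as its own ipfw invocation, continue on
# failure, and print the number of rules that did not load.
load_rules() {
    file=$1
    failed=0
    while IFS= read -r line || [ -n "$line" ]; do
        set -- $line                                 # split the rule into words
        [ $# -eq 0 ] && continue
        case "$1" in '#'*) continue ;; esac
        if ! "$IPFW" "$@" >/dev/null; then
            failed=$((failed + 1))
            echo "load_rules: not loaded, continuing: $line" >&2
        fi
    done < "$file"
    echo "$failed"
}

# demo_ipfw: constructed stand-in for ipfw(8), used only to exercise the
# loader offline. It rejects a rule naming a host outside KNOWN_HOSTS with
# a message shaped like the one in the report; everything else "loads".
KNOWN_HOSTS="gw.example.net"
demo_ipfw() {
    for a in "$@"; do
        case "$a" in
            *[a-zA-Z]*.*|*.*[a-zA-Z]*)               # looks like a hostname
                case " $KNOWN_HOSTS " in
                    *" $a "*) ;;
                    *) echo "hostname \`\`$a'' unknown" >&2; return 1 ;;
                esac ;;
        esac
    done
    return 0
}

# Constructed sample ruleset modelled on the report: one rule names a host
# that does not resolve; the rules after it must still be loaded.
RULES=${TMPDIR:-/tmp}/ipfw-demo.$$
trap 'rm -f "$RULES"' EXIT
cat > "$RULES" <<'EOF'
# constructed sample, not the submitter's ruleset
add 1000 allow ip from any to any via lo0
add 2000 deny ip from any to 127.0.0.0/8
add 2010 deny tcp from not 192.168.10.0/24 to me dst-port 22
add 3000 allow tcp from bear.zoo.bt.co.uk to me dst-port 22
add 3010 allow tcp from gw.example.net to me dst-port 22
add 4000 check-state
add 4010 allow tcp from any to any out keep-state
EOF

# demo: list the resolver-dependent rules, then load with the stand-in.
demo() {
    echo "rules that need the resolver:"
    hostname_rules "$RULES"
    IPFW=demo_ipfw
    echo "rules not loaded: $(load_rules "$RULES")"
}
demo
```

On a real system point RULES at the rules file, leave IPFW unset and drop the demo_ipfw stand-in. The check matters as much as the loader: a continuing loader only keeps rule 3000's failure from taking rules 3010 onwards down with it; the failed rule itself is still absent from the chain, so a deny rule that names a host becomes an open hole when the resolver is unavailable. Rules that must hold at boot should use addresses, which is what the hostname_rules output points at.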