Robert Watson rwatson at freebsd.org
Wed Aug 11 14:56:01 PDT 2004

On Wed, 11 Aug 2004, Randy Bush wrote:

> ipfw seems to be starting in some strange state where it has loaded my
> ruleset but does not really process it.  everything ends up in
> unreachable.  if i run `ipfw -q /etc/ipfw.rules`, the same command set
> that's in /etc/rc.conf, it takes off as expected. 

The recent addition of O_ANTISPOOF renumbered the IPFW rule operations, so
if you're using a newer kernel and an older user space, /sbin/ipfw will
think the rules mean one thing, but the kernel will think they mean
another.  The miscreant has been convinced that this is a bad idea (always
append!) but since the damage was done we decided not to thrash the
operator numbers again. 

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert at fledge.watson.org      Principal Research Scientist, McAfee Research

More information about the freebsd-current mailing list