RELENG_5 kernel b0rken with IPFIREWALL and without PFIL_HOOKS

David Wolfskill david at
Thu Aug 19 08:59:20 PDT 2004

>Date: Thu, 19 Aug 2004 11:43:34 -0400
>From: Barney Wolff <barney at>
>To: current at
>Subject: Re: RELENG_5 kernel b0rken with IPFIREWALL and without PFIL_HOOKS
>Sender: owner-freebsd-current at

>I was inspired by the PFIL_HOOKS discussion to check my firewall rules :)

Checking firewall rules is a Good Thing.  :-)

>There were none, other than 65535.  Apparently, /etc/rc.d/ipfw attempts
>to kldload ipfw, which will fail if ipfw is compiled into the kernel,
>and since the precmd failed, the _cmd will not be run.  When did it
>become mandatory to have ipfw as a module, not compiled in?  Is there
>some rationale for this?  It strikes me as rather dangerous, especially
>for firewalls, especially when default-to-accept is chosen.  Am I just
>confused, and missing some obvious bit of config?

Well, color me confused, then:

g1-15(5.2-C)[1] uname -a
FreeBSD 5.2-CURRENT FreeBSD 5.2-CURRENT #273: Wed Aug 18 15:55:18 PDT 2004     root at  i386
g1-15(5.2-C)[2] sudo ipfw list
00100 allow ip from any to any via lo0
00200 deny ip from any to
00300 deny ip from to any
03200 deny log ip from any to any
65535 deny ip from any to any
g1-15(5.2-C)[3] kldstat
Id Refs Address    Size     Name
 1    7 0xc0400000 4b9ac4   kernel
 2   14 0xc08ba000 536b0    acpi.ko
 3    1 0xc1829000 17000    linux.ko

Or am I missing your point?

>Is it relevant that my /usr is on vinum, and the rules are in /usr/local/etc?

Hmm... dunno.  I'm not using vinum, and my rules are created via a shell
script from a template on /etc (via dhcp-exit-hooks).

David H. Wolfskill				david at
Evidence of curmudgeonliness:  becoming irritated with the usage of the
word "speed" in contexts referring to quantification of network
performance, as opposed to "bandwidth" or "latency."
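A defensive take on the precmd behaviour discussed above, as an added example written here and not the /etc/rc.d/ipfw script of the time: the precmd only kldloads when ipfw is genuinely absent (assuming the net.inet.ip.fw.enable sysctl exists whenever ipfw is compiled in or loaded), and a post-load check fails loudly when nothing but rule 65535 is present. The function names and the awk filter are the example's own.

```shell
#!/bin/sh
# Added example, not the FreeBSD rc.d/ipfw script: tolerate a compiled-in
# ipfw in the precmd, and detect the "only rule 65535" state afterwards.

# Return 0 when the ipfw code is present, whether compiled in or loaded as a
# module.  Assumption: the net.inet.ip.fw.enable sysctl only exists in that case.
ipfw_present() {
    sysctl -n net.inet.ip.fw.enable >/dev/null 2>&1
}

# Precmd replacement: kldload only when ipfw is absent, so a compiled-in
# firewall does not make the precmd (and with it the rule load) fail.
ipfw_precmd() {
    if ipfw_present; then
        return 0
    fi
    kldload ipfw
}

# Read "ipfw list" output on stdin and print how many rules exist besides the
# default rule 65535.  Rule numbers are zero-padded (00100, 03200, ...).
count_user_rules() {
    awk '$1 ~ /^[0-9]+$/ && $1 != "65535" { n++ } END { print n + 0 }'
}

# Post-load check: return 1 when only rule 65535 exists.  On a kernel built
# with default-to-accept that means the host is running with no filtering.
ipfw_rules_loaded() {
    n=$(ipfw list | count_user_rules)
    if [ "$n" -eq 0 ]; then
        echo "ipfw: no rules loaded besides 65535" >&2
        return 1
    fi
    return 0
}
```

Wire ipfw_precmd in as the precmd and run ipfw_rules_loaded after the rule script; an rc script that treats the second check's failure as fatal will not silently come up wide open.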
