RELENG_5 kernel b0rken with IPFIREWALL and without PFIL_HOOKS

[David Wolfskill]

>Date: Thu, 19 Aug 2004 11:43:34 -0400
>From: Barney Wolff <barney at databus.com>
>To: current at freebsd.org
>Subject: Re: RELENG_5 kernel b0rken with IPFIREWALL and without PFIL_HOOKS
>Sender: owner-freebsd-current at freebsd.org

>I was inspired by the PFIL_HOOKS discussion to check my firewall rules :)

Checking firewall rules is a Good Thing.  :-)

>There were none, other than 65535.  Apparently, /etc/rc.d/ipfw attempts
>to kldload ipfw, which will fail if ipfw is compiled into the kernel,
>and since the precmd failed, the _cmd will not be run.  When did it
>become mandatory to have ipfw as a module, not compiled in?  Is there
>some rationale for this?  It strikes me as rather dangerous, especially
>for firewalls, especially when default-to-accept is chosen.  Am I just
>confused, and missing some obvious bit of config?

Well, color me confused, then:

g1-15(5.2-C)[1] uname -a
FreeBSD g1-15.catwhisker.org 5.2-CURRENT FreeBSD 5.2-CURRENT #273: Wed Aug 18 15:55:18 PDT 2004     root at g1-15.catwhisker.org:/common/S2/obj/usr/src/sys/LAPTOP_30W  i386
g1-15(5.2-C)[2] sudo ipfw list
Password:
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
....
03200 deny log ip from any to any
65535 deny ip from any to any
g1-15(5.2-C)[3] kldstat
Id Refs Address    Size     Name
 1    7 0xc0400000 4b9ac4   kernel
 2   14 0xc08ba000 536b0    acpi.ko
 3    1 0xc1829000 17000    linux.ko
g1-15(5.2-C)[4] 

Or am I missing your point?

>Is it relevant that my /usr is on vinum, and the rules are in /usr/local/etc?

Hmm... dunno.  I'm not using vinum, and my rules are created via a shell
script from a template on /etc (via dhcp-exit-hooks).

Peace,
david
-- 
David H. Wolfskill				david at catwhisker.org
Evidence of curmudgeonliness:  becoming irritated with the usage of the
word "speed" in contexts referring to quantification of network
performance, as opposed to "bandwidth" or "latency."