RELENG_5 kernel b0rken with IPFIREWALL and without PFIL_HOOKS
David Wolfskill
david at catwhisker.org
Thu Aug 19 08:59:20 PDT 2004
>Date: Thu, 19 Aug 2004 11:43:34 -0400
>From: Barney Wolff <barney at databus.com>
>To: current at freebsd.org
>Subject: Re: RELENG_5 kernel b0rken with IPFIREWALL and without PFIL_HOOKS
>Sender: owner-freebsd-current at freebsd.org
>I was inspired by the PFIL_HOOKS discussion to check my firewall rules :)
Checking firewall rules is a Good Thing. :-)
>There were none, other than 65535. Apparently, /etc/rc.d/ipfw attempts
>to kldload ipfw, which will fail if ipfw is compiled into the kernel,
>and since the precmd failed, the _cmd will not be run. When did it
>become mandatory to have ipfw as a module, not compiled in? Is there
>some rationale for this? It strikes me as rather dangerous, especially
>for firewalls, especially when default-to-accept is chosen. Am I just
>confused, and missing some obvious bit of config?
Well, color me confused, then:
g1-15(5.2-C)[1] uname -a
FreeBSD g1-15.catwhisker.org 5.2-CURRENT FreeBSD 5.2-CURRENT #273: Wed Aug 18 15:55:18 PDT 2004 root at g1-15.catwhisker.org:/common/S2/obj/usr/src/sys/LAPTOP_30W i386
g1-15(5.2-C)[2] sudo ipfw list
Password:
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
....
03200 deny log ip from any to any
65535 deny ip from any to any
g1-15(5.2-C)[3] kldstat
Id Refs Address Size Name
1 7 0xc0400000 4b9ac4 kernel
2 14 0xc08ba000 536b0 acpi.ko
3 1 0xc1829000 17000 linux.ko
g1-15(5.2-C)[4]
Or am I missing your point?
>Is it relevant that my /usr is on vinum, and the rules are in /usr/local/etc?
Hmm... dunno. I'm not using vinum, and my rules are created via a shell
script from a template on /etc (via dhcp-exit-hooks).
Peace,
david
--
David H. Wolfskill david at catwhisker.org
Evidence of curmudgeonliness: becoming irritated with the usage of the
word "speed" in contexts referring to quantification of network
performance, as opposed to "bandwidth" or "latency."
More information about the freebsd-current
mailing list