Re: RELENG_5 kernel b0rken with IPFIREWALL and without PFIL_HOOKS

From: Jonathan T. Sage <sagejona_at_theatre.msu.edu>
Date: Thu, 19 Aug 2004 12:04:14 -0400
Ruslan Ermilov wrote:
> On Thu, Aug 19, 2004 at 11:43:34AM -0400, Barney Wolff wrote:
> 
>>I was inspired by the PFIL_HOOKS discussion to check my firewall rules :)
>>There were none, other than 65535.  Apparently, /etc/rc.d/ipfw attempts
>>to kldload ipfw, which will fail if ipfw is compiled into the kernel,
>>and since the precmd failed, the _cmd will not be run.  When did it
>>become mandatory to have ipfw as a module, not compiled in?  Is there
>>some rationale for this?  It strikes me as rather dangerous, especially
>>for firewalls, especially when default-to-accept is chosen.  Am I just
>>confused, and missing some obvious bit of config?
>>
>>Is it relevant that my /usr is on vinum, and the rules are in /usr/local/etc?
>>
> 
> net.inet.ip.fw.enable is gone, and it upsets /etc/rc.d/ipfw.
> I asked Andre to follow up on this.
> 
> 
> Cheers,

this in mind, changing

ipfw_precmd()
{
         if ! ${SYSCTL} net.inet.ip.fw.enable > /dev/null 2>&1; then
                 if ! kldload ipfw; then
                         warn unable to load firewall module.
                         return 1
                 fi
         fi


to something along the lines of :

ipfw_precmd()
{
         if ! ${SYSCTL} net.inet.ip.fw > /dev/null 2>&1; then
                 if ! kldload ipfw; then
                         warn unable to load firewall module.
                         return 1
                 fi
         fi


should correct the problem until the script maintainer has a chance to 
take a look at exactlly what he/she may want to do.

hope this helps

~j

-- 
Jonathan T. Sage
Theatrical Lighting / Set Designer
Professional Web Design

"He said he likes me, but he's not in-like with me."- Connie, King of 
the Hill

[HTTP://www.JTSage.com]
[HTTP://design.JTSage.com]
[sagejona_at_msu.edu]
[See Headers for Contact Info]

Received on Thu Aug 19 2004 - 14:04:18 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:38:07 UTC