On Thu, Aug 19, 2004 at 12:04:45PM -0400, Barney Wolff wrote: > On Thu, Aug 19, 2004 at 06:54:13PM +0300, Ruslan Ermilov wrote: > > On Thu, Aug 19, 2004 at 11:43:34AM -0400, Barney Wolff wrote: > > > I was inspired by the PFIL_HOOKS discussion to check my firewall rules :) > > > There were none, other than 65535. Apparently, /etc/rc.d/ipfw attempts > > > to kldload ipfw, which will fail if ipfw is compiled into the kernel, > > > and since the precmd failed, the _cmd will not be run. When did it > > > become mandatory to have ipfw as a module, not compiled in? Is there > > > some rationale for this? It strikes me as rather dangerous, especially > > > for firewalls, especially when default-to-accept is chosen. Am I just > > > confused, and missing some obvious bit of config? > > > > > > Is it relevant that my /usr is on vinum, and the rules are in /usr/local/etc? > > > > > net.inet.ip.fw.enable is gone, and it upsets /etc/rc.d/ipfw. > > I asked Andre to follow up on this. > > Yes, but aside from that, ipfw_precmd returns 1 if the kldload fails, > which if I'm not confused causes ipfw_start not to be run. At least > that's what my system as of 8/17/04 says. > Barney > Yes sure. Non-existing sysctl causes kldload to be attempted, that fails (because the module already exists), and the whole /etc/rc.d/ipfw is aborted. Cheers, -- Ruslan Ermilov ru_at_FreeBSD.org FreeBSD committer
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:38:07 UTC