Radek Kozlowski wrote:
> I upgraded a remote dedicated server from 5.1 to 5.3-BETA1 today with a
> step by step procedure described in /usr/src/Makefile and everything
> went ok. Well, almost. I compiled the kernel (took the GENERIC conf
> from 5.3, so options PFIL_HOOKS is already there) with:
>
> options IPFIREWALL
> options IPFIREWALL_VERBOSE
> options IPFIREWALL_VERBOSE_LIMIT=100
>
> put firewall_enable="YES", firewall_type="open" in rc.conf, rebooted and
> locked myself out (world and kernel are in sync, before someone asks).
> After I could access the box again I tried to see what was wrong:
>
> root_at_wesside:~# ipfw show
> 00100 0 0 allow ip from any to any
> 65535 0 0 deny ip from any to any
> root_at_wesside:~# ping yahoo.com
> PING yahoo.com (66.94.231.98): 56 data bytes
> 64 bytes from 66.94.231.98: icmp_seq=0 ttl=58 time=3.324 ms
> 64 bytes from 66.94.231.98: icmp_seq=1 ttl=54 time=5.138 ms
> 64 bytes from 66.94.231.98: icmp_seq=2 ttl=58 time=3.671 ms
> ^C
> --- yahoo.com ping statistics ---
> 3 packets transmitted, 3 packets received, 0% packet loss
> round-trip min/avg/max/stddev = 3.324/4.044/5.138/0.786 ms
> root_at_wesside:~# ipfw show
> 00100 0 0 allow ip from any to any
> 65535 0 0 deny ip from any to any
>
> Why aren't the packet and byte counters increased?
>
> Since the firewall was totally unresponsive to any ruleset changes I
> removed above options from the kernel and decided to try the module
> instead. With firewall_type="open" left in rc.conf (but firewall_enable
> changed to "NO") I executed
> `kldload /boot/kernel/ipfw.ko && sh /etc/rc.firewall ; sleep 100 ;
> kldunload ipfw ; sleep 200 ; reboot` and locked myself out again. I
> don't know what really happened and am still waiting for the reply from
> the support team of the hosting company, but is it me or there's
> something wrong with ipfw? Anyone else seeing this?

There is no known problem with ipfw.

I can only speculate but it might be that your /sbin/ipfw is out of sync with the kernel despite a make world. Other than that, could you provide the output of 'ifconfig -a'?

--
Andre

Received on Thu Aug 26 2004 - 08:28:36 UTC