7.3 to 8.1 problems - can't figure it out!

I posted this in the firewall subforum but I think it belongs here instead. Sorry for the double-post but I need this resolved quickly.

Upgraded from 7.3 to 8.1. No errors.

This box is my firewall, and after the upgrade it's not passing ANY traffic. I have not changed any lines in ipf.rules or ipnat.rules. I've been running ipfilter and ipnat since the days of 2.2.1!

Something is wrong with ipfilter either not loading, not reading the rules (defaulting to block all in and out) or something else is in the way. I'm curious as to why I have an interface labeled ipfw0 (???)

I tried enabling ipfilter and ipnat (I assume this is the same as ipdivert ?) in /boot/loader.conf:

Code:
ipfilter_load="YES"
ipdivert_load="YES"

During boot I see ipmon startup. ipmon, ipfilter and ipnat are enabled in rc.conf. I didn't change anything in rc.conf after the upgrade. Everything worked perfectly with 7.3.

So how do I get my box passing traffic again???
 
Ok, so ipfw was on. I turned it off with "ipfw disable firewall"

How do I get it to stay off permanently (after reboot)? And I still want to know how to remove or disable the ipfw interface.
 
It's not in /boot/loader.conf -- it was and is still empty

If it was in the 7.3 kernel, would it remain in the 8.1 kernel after upgrade?
 
Dobbler said:
If it was in the 7.3 kernel, would it remain in the 8.1 kernel after upgrade?
It wasn't in the 7.x GENERIC kernels either.
 
Well ipfw disable firewall after boot solves the problem. But I'd like to properly disable, or better yet, never enable it, at boot. How best should I do this?
 
uname -a

Code:
FreeBSD tide 8.1-RELEASE FreeBSD 8.1-RELEASE #0: Mon Jul 19 02:55:53 UTC 2010     root@almeida.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386

I've replaced the external IP address with xx.xx.xx.xx below. /etc/rc.conf:

Code:
# Interfaces
ifconfig_em0="inet 10.0.0.5  netmask 255.255.255.0"
ifconfig_dc0="inet xx.xx.xx.xx netmask 255.255.255.0 mtu 1500"
hostname="tide"

# Routing
# defaultrouter="10.0.0.10"
defaultrouter="xx.xx.xx.xx"
gateway_enable="YES"
router="/sbin/routed"
router_enable="YES"
router_flags="-s"
ipnat_enable="YES"
ipnat_rules="/etc/ipnat.rules"

# Firewall
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"
ipmon_enable="YES"
ipmon_flags="-Dsvn"

# inetd
inetd_enable="YES"

# NFS
nfs_client_enable="YES"

# Mail
#sendmail_enable="YES"
postfix_enable="YES"

# sshd
sshd_enable="YES"

# samba
samba_enable="YES"
 
Whooops, the uname results got removed. Is there no edit on these forums?

uname -a output:

Code:
FreeBSD tide 8.1-RELEASE FreeBSD 8.1-RELEASE #0: Mon Jul 19 02:55:53 UTC 2010     root@almeida.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386
 
Check that the default firewall_enable hasn't been changed in /etc/defaults/rc.conf.

Oh, and also look for /etc/rc.local, which could load it.
 
/etc/rc.local does not exist

All entries with the string 'firewall' in /etc/defaults/rc.conf:

Code:
### Basic network and firewall/security options: ###
firewall_enable="NO"            # Set to YES to enable firewall functionality
firewall_script="/etc/rc.firewall" # Which script to run to set up the firewall
firewall_type="UNKNOWN"         # Firewall type (see /etc/rc.firewall)
firewall_quiet="NO"             # Set to YES to suppress rule display
firewall_logging="NO"           # Set to YES to enable events logging
firewall_flags=""               # Flags passed to ipfw when type is a file
firewall_coscripts=""           # List of executables/scripts to run after
                                # firewall starts/stops
firewall_client_net="192.0.2.0/24" # IPv4 Network address for "client"
                                # firewall.
#firewall_client_net_ipv6="2001:db8:2:1::/64" # IPv6 network prefix for
                                # "client" firewall.
firewall_simple_iif="ed1"       # Inside network interface for "simple"
                                # firewall.
firewall_simple_inet="192.0.2.16/28" # Inside network address for "simple"
                                # firewall.
firewall_simple_oif="ed0"       # Outside network interface for "simple"
                                # firewall.
firewall_simple_onet="192.0.2.0/28" # Outside network address for "simple"
                                # firewall.
#firewall_simple_iif_ipv6="ed1" # Inside IPv6 network interface for "simple"
                                # firewall.
#firewall_simple_inet_ipv6="2001:db8:2:800::/56" # Inside IPv6 network prefix
                                # for "simple" firewall.
#firewall_simple_oif_ipv6="ed0" # Outside IPv6 network interface for "simple"
                                # firewall.
#firewall_simple_onet_ipv6="2001:db8:2:0::/56" # Outside IPv6 network prefix
                                # for "simple" firewall.
firewall_myservices=""          # List of TCP ports on which this host
                                # offers services for "workstation" firewall.
firewall_allowservices=""       # List of IPs which have access to
                                # $firewall_myservices for "workstation"
                                # firewall.
firewall_trusted=""             # List of IPs which have full access to this
                                # host for "workstation" firewall.
firewall_logdeny="NO"           # Set to YES to log default denied incoming
                                # packets for "workstation" firewall.
firewall_nologports="135-139,445 1026,1027 1433,1434" # List of TCP/UDP ports
                                # logged for "workstation" firewall.
firewall_nat_enable="NO"        # Enable kernel NAT (if firewall_enable == YES)
firewall_nat_interface=""       # Public interface or IPaddress to use
firewall_nat_flags=""           # Additional configuration parameters
natd_enable="NO"                # Enable natd (if firewall_enable == YES).
 
/boot/defaults/loader.conf default changed?

The only other idea I have is just a brute-force check of all of /etc/:
# find /etc -exec grep -ir ipfw {} \+ | less
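As an added example (not from this thread or from FreeBSD itself), the following POSIX sh script checks the two places the thread is hunting through more precisely than a grep: it resolves an rc.conf variable the way rc(8) layers /etc/defaults/rc.conf, then /etc/rc.conf, then /etc/rc.conf.local (last uncommented assignment wins), and it lists which kernel modules the loader.conf chain will actually load. The sample configuration files it writes are constructed for the demonstration; the file names passed to the functions are assumptions.

```shell
# effective_rc_value VAR FILE...  -> prints "VALUE FILE" for the assignment
# that wins (files are read in order, last assignment wins), or "unset none"
# when no file assigns VAR. Comments are stripped first, so a commented-out
# "#firewall_enable=..." line is ignored, as sh would ignore it.
effective_rc_value() {
    var=$1; shift
    value=unset; where=none
    for f in "$@"; do
        [ -r "$f" ] || continue
        hit=$(sed -e 's/#.*//' "$f" \
              | sed -n "s/^[[:space:]]*${var}=\"\{0,1\}\([^\"]*\)\"\{0,1\}.*/set:\1/p" \
              | tail -n 1)
        if [ -n "$hit" ]; then value=${hit#set:}; where=$f; fi
    done
    printf '%s %s\n' "$value" "$where"
}

# loader_modules FILE... -> sorted list of modules whose *_load resolves to
# "YES" across the loader.conf chain (defaults first, later files override).
loader_modules() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        sed -e 's/#.*//' "$f" \
            | sed -n 's/^[[:space:]]*\([A-Za-z0-9_]*\)_load="\{0,1\}\([A-Za-z]*\)"\{0,1\}.*/\1 \2/p'
    done | awk '{ v[$1] = $2 } END { for (m in v) if (v[m] == "YES") print m }' | sort
}

# Constructed sample configuration (not a real system): the defaults keep ipfw
# off and rc.conf only enables ipfilter, but a forgotten rc.conf.local turns
# ipfw back on, and loader.conf overrides the default ipfw_load="NO".
demo_dir=$(mktemp -d)
printf 'firewall_enable="NO"   # Set to YES to enable\nipfilter_enable="NO"\n' \
    > "$demo_dir/defaults_rc.conf"
printf 'ipfilter_enable="YES"\nipfilter_rules="/etc/ipf.rules"\n' > "$demo_dir/rc.conf"
printf '#firewall_enable="NO"\nfirewall_enable="YES"\n' > "$demo_dir/rc.conf.local"
printf 'ipfw_load="NO"\nipfilter_load="YES"\n' > "$demo_dir/defaults_loader.conf"
printf 'ipfw_load="YES"\n' > "$demo_dir/loader.conf"

# On a real box the arguments would be /etc/defaults/rc.conf /etc/rc.conf
# /etc/rc.conf.local and /boot/defaults/loader.conf /boot/loader.conf.
effective_rc_value firewall_enable "$demo_dir/defaults_rc.conf" \
    "$demo_dir/rc.conf" "$demo_dir/rc.conf.local"
loader_modules "$demo_dir/defaults_loader.conf" "$demo_dir/loader.conf"
```

The first call reports both the winning value and the file that set it, which is what tells you where a setting that "isn't in rc.conf" actually came from.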
 