No network without open firewall. What am I missing?

I'm stumped. I'm obviously missing something obvious, so I need your help.

A headless PC running FreeBSD-6.4 gets its RFC1918 IP by dhcp from a Vigor 2820 router. It can only be pinged or connected to if the following lines exist in /etc/rc.conf:

firewall_enable="YES"
firewall_type="open"

Without those lines it's completely dead to the world and remains dead if I enable pf with the most open rules I can come up with:

Code:
pass in quick on lo0 all
pass out quick on lo0 all

pass in log from any to any
pass out log from any to any

ifconfig shows it has the usual IP and is up and active, but I rather think it's using details from an old lease rather than getting a new one.

In fact, I've just discovered that without the two firewall_ lines I can't even ping 127.0.0.1 which has to be a major clue, but I'm tired and just can't get my head around it at the moment...

Thanks in advance.
 
fredBSD said:
firewall_enable="YES"
firewall_type="open"

Without those lines it's completely dead to the world and remains dead if I enable pf with the most open rules I can come up with...

Note that the firewall_* directives refer to ipfw (not pf). It sounds like you're loading ipfw.ko (which has a default deny rule) and then when you remove your "open" ruleset you force it to fall back to its deny rule.

To confirm this:

# kldstat | grep ipfw

# ipfw list
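As an added illustration (not part of anomie's reply or the FreeBSD rc scripts), the following POSIX shell function classifies saved `ipfw list` output so the "default deny only" state described above is easy to spot without reading the whole list. The sample rulesets embedded in `demo` are constructed to match the shape of what ipfw prints: rule 65535 is the kernel's built-in default, and when it is the only rule, every packet (loopback included) is dropped, which is exactly the symptom in the original post.

```sh
#!/bin/sh
# Added example, not from the thread: classify the output of `ipfw list`.
#
# ipfw always ends its list with rule 65535, the built-in default. A kernel
# built without IPFIREWALL_DEFAULT_TO_ACCEPT prints it as
# "65535 deny ip from any to any". If that is the ONLY rule present, the
# firewall denies everything, including traffic on lo0.
#
# Usage: ipfw list | ipfw_state
# Prints one of:
#   none               - nothing listed (ipfw not loaded / not compiled in)
#   default-deny-only  - only rule 65535 and it is a deny (the thread's failure mode)
#   allow-rules:N      - N explicit allow rules precede the default rule
#   deny-only          - custom rules exist but none of them allow anything
ipfw_state() {
    rules=0
    allow=0
    default="missing"
    while read -r num action rest; do
        if [ -z "$num" ]; then
            continue                      # skip blank lines
        fi
        rules=$((rules + 1))
        if [ "$num" = "65535" ]; then
            default="$action"             # record the kernel default action
        elif [ "$action" = "allow" ]; then
            allow=$((allow + 1))
        fi
    done

    if [ "$rules" -eq 0 ]; then
        echo "none"
    elif [ "$rules" -eq 1 ] && [ "$default" = "deny" ]; then
        echo "default-deny-only"
    elif [ "$allow" -gt 0 ]; then
        echo "allow-rules:$allow"
    else
        echo "deny-only"
    fi
}

# Constructed samples (not captured from a real host) showing the three
# situations discussed in the thread.
demo() {
    echo "ipfw in kernel, no ruleset loaded:"
    printf '65535 deny ip from any to any\n' | ipfw_state

    echo "firewall_type=\"open\" style ruleset:"
    printf '%s\n' \
        '00100 allow ip from any to any via lo0' \
        '00200 deny ip from any to 127.0.0.0/8' \
        '00300 deny ip from 127.0.0.0/8 to any' \
        '65000 allow ip from any to any' \
        '65535 deny ip from any to any' | ipfw_state

    echo "ipfw not present at all (empty output):"
    printf '' | ipfw_state
}

# Run the demo only when executed directly, not when sourced for the function.
case "$0" in
    */ipfw_state.sh|ipfw_state.sh) demo ;;
esac
```

Feed it real output with `ipfw list | ipfw_state`; if `kldstat | grep ipfw` shows nothing but the function still reports `default-deny-only`, ipfw is compiled into the kernel rather than loaded as a module, which is what the original poster eventually found.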
 
Thanks anomie, it was enough for me to realise what I had done. With the two ipfw lines in rc.conf:

# kldstat | grep ipfw
returned nothing!

Two other network interfaces were previously used as a dummynet bridge. I had compiled ipfw into the kernel to get it working and, as you said, without the "open" ruleset it was denying everything.

Luckily the kernel in /boot/kernel.old/ was generic and it's now in use and my sanity is restored :)
 