IPFW Ports being blocked with IPFW disabled

I'm setting up a FreeBSD router that has not been fully implemented yet, so between sessions I need it for NAS duty.

When I disable IPFW (along with DHCP, NATd and gateway mode), all my ports are blocked. From the machine itself I can access all network services, but from another computer I can't SSH in, can't reach NFS/SAMBA, and can't even ping the system.

Here is /etc/rc.conf :

Code:
# /etc/rc.conf as posted. Everything router-related (gateway, NATd, DHCP
# server, ipfw) is commented out; only the NAS services, sshd, ntpd and a
# few housekeeping daemons remain enabled.
hostname="Server_18"

#Configure Wired Interafaces
#ifconfig_re0="DHCP"
#ifconfig_re0_ipv6="inet6 accept_rtadv"

# ue0 is the only active interface and is itself a DHCP *client* here.
ifconfig_ue0="DHCP"
ifconfig_ue0_ipv6="inet6 accept_rtadv"

#Configure Wireless Interface
#wlans_ath0="wlan0"
#ifconfig_wlan0="inet 192.168.1.1 netmask 255.255.255.0"
#hostapd_enable="YES"
#create_args_wlan0="wlanmode hostap"

#Enable Gateway
#gateway_enable="YES"

#Configure NATd
#natd_enable="YES"
#natd_interface="ue0"
#natd_flags="-dynamic -m"

#Configure DHCP Server
# NOTE(review): dhcpd_enable is commented out here, yet the `service -e`
# output further down lists isc-dhcpd as enabled. rc(8) also reads
# /etc/rc.conf.local (if present) and /etc/defaults/rc.conf, so a second
# dhcpd_enable="YES" in one of those would explain it -- verify.
#dhcpd_enable="YES"
#dhcpd_ifaces="wlan0"
# NOTE(review): the next line is missing the '=' (should read
# dhcpd_ifaces="re0"). Harmless while commented out, but the shell would
# reject it the moment the '#' is removed.
#dhcpd_ifaces"re0"
# synchronous_dhclient is a dhclient (client-side) knob, not a server one.
#synchronous_dhclient="YES"

#NFS
nfsv4_server_enable="YES"
rpcbind_enable="YES"
nfs_server_enable="YES"
mountd_flags="-r"
mountd_enable="YES"

#ipfw settings
# NOTE(review): commenting these out only stops the rc scripts from loading
# a ruleset. If the ipfw module is still loaded (check with kldstat(8) or
# ipfw_load in /boot/loader.conf), the firewall's built-in final rule keeps
# denying all traffic, which matches the "all ports blocked" symptom. To
# actually pass everything while the module is loaded, a ruleset has to be
# installed: firewall_enable="YES" with firewall_type="open" (see the
# reply below).
#firewall_enable="YES"
#firewall_type="simple"
#firewall_logging="YES"

#Misc Configs
sshd_enable="YES"
moused_enable="YES"
ntpd_enable="YES"
powerd_enable="YES"
dumpdev="AUTO"
samba_enable="YES"

# Enable DNS Server (Caching)
#local_unbound_enable="YES"
# service -e
Code:
/etc/rc.d/hostid
/etc/rc.d/hostid_save
/etc/rc.d/cleanvar
/etc/rc.d/ip6addrctl
/etc/rc.d/devd
/etc/rc.d/newsyslog
/etc/rc.d/syslogd
/etc/rc.d/rpcbind
/etc/rc.d/dmesg
/etc/rc.d/mountd
/etc/rc.d/nfsd
/etc/rc.d/virecover
/usr/local/etc/rc.d/samba
/usr/local/etc/rc.d/isc-dhcpd6
/usr/local/etc/rc.d/isc-dhcpd
/etc/rc.d/motd
/etc/rc.d/ntpd
/etc/rc.d/powerd
/etc/rc.d/sshd
/etc/rc.d/sendmail
/etc/rc.d/cron
/etc/rc.d/moused
/etc/rc.d/mixer
/etc/rc.d/gptboot
/etc/rc.d/bgfsck

The DHCP service is still running even though it is disabled, and it comes back after a reboot. The DHCP client is also giving me errors, on top of other errors being logged in /var/log/messages.

/usr/local/etc/dhcpd.conf:
Code:
# dhcpd.conf
# NOTE(review): this is the stock ISC sample file with one LAN subnet added
# and most of the example declarations left in place. The leftover sample
# subnets, hosts, class and shared-network below do not serve any real
# interface here, but they make the file harder to audit and should be
# trimmed once the router is finished.

#
# Sample configuration file for ISC dhcpd
#
# option definitions common to all supported networks...

option domain-name "example.org";
# NOTE(review): 192.168.2.1 is not inside the only active LAN subnet
# (192.168.1.0/24) and the 192.168.2.0/24 declaration below is commented out.
# Presumably an upstream resolver -- confirm clients on 192.168.1.0/24 can
# actually reach it once gateway/NAT are enabled.
option domain-name-servers 192.168.2.1;
#option subnet-mask 255.255.255.0;

default-lease-time 600;
max-lease-time 7200;

# Use this to enble / disable dynamic dns updates globally.
#ddns-update-style none;

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
# NOTE(review): with 'authoritative' set, dhcpd will NAK clients whose
# lease it does not recognise. The rc.conf posted above has dhcpd_ifaces
# commented out and ue0 configured as a DHCP *client*, so confirm dhcpd is
# not also answering on ue0, where another DHCP server is in charge.
authoritative;


# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection)
# NOTE(review): the leading '.' on the next line looks like a stray
# character; the sample reads "log-facility local7;". As written it is a
# parse error, which would keep dhcpd from starting and may be one of the
# errors seen in /var/log/messages.
.log-facility local7;

# No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology.
# (Leftover from the sample file; no interface here is on 10.152.187.0/24.)
subnet 10.152.187.0 netmask 255.255.255.0 {
}

# This is a very basic subnet declaration.
#subnet 10.254.239.0 netmask 255.255.255.224 {
#  range 10.254.239.10 10.254.239.20;
#  option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org;
#}

# Subnet LAN
# NOTE(review): the pool starts at 192.168.1.1, which is also the address
# given as the router and the address rc.conf assigns to wlan0. A client
# could be leased the router's own IP; start the range at 192.168.1.2 or
# higher so the gateway address is never handed out.
subnet 192.168.1.0 netmask 255.255.255.0 {
     range 192.168.1.1 192.168.1.20;
     option routers 192.168.1.1;
     option subnet-mask 255.255.255.0;
}

#subnet 192.168.2.0 netmask 255.255.255.0 {
#    range 192.168.2.1 192.168.2.10;
#    option routers 192.168.2.1;
#}

# This declaration allows BOOTP clients to get dynamic addresses,
# which we don't really recommend.

# (Leftover from the sample file -- dynamic-bootp pool on a subnet that is
# not present on this host.)
subnet 10.254.239.32 netmask 255.255.255.224 {
  range dynamic-bootp 10.254.239.40 10.254.239.60;
  option broadcast-address 10.254.239.31;
  option routers rtr-239-32-1.example.org;
}
# A slightly different configuration for an internal subnet.
# (Leftover from the sample file.)
subnet 10.5.5.0 netmask 255.255.255.224 {
  range 10.5.5.26 10.5.5.30;
  option domain-name-servers ns1.internal.example.org;
  option domain-name "internal.example.org";
  option routers 10.5.5.1;
  option broadcast-address 10.5.5.31;
  default-lease-time 600;
  max-lease-time 7200;
}

# Hosts which require special configuration options can be listed in
# host statements.   If no address is specified, the address will be
# allocated dynamically (if possible), but the host-specific information
# will still come from the host declaration.

# (Sample host entries with example MAC addresses; not real hosts here.)
host passacaglia {
  hardware ethernet 0:0:c0:5d:bd:95;
  filename "vmunix.passacaglia";
  server-name "toccata.fugue.com";
}

# Fixed IP addresses can also be specified for hosts. These addresses
# should not also be listed as being available for dynamic assignment.
# Hosts for which fixed IP addresses have been specified can boot using
# BOOTP or DHCP.   Hosts for which no fixed address is specified can only
# be booted with DHCP, unless there is an address range on the subnet
# to which a BOOTP client is connected which has the dynamic-bootp flag
# set.
host fantasia {
  hardware ethernet 08:00:07:26:c0:a5;
  fixed-address fantasia.fugue.com;
}

# You can declare a class of clients and then do address allocation
# based on that.   The example below shows a case where all clients
# in a certain class get addresses on the 10.17.224/24 subnet, and all
# other clients get addresses on the 10.0.29/24 subnet.
# (Sample class/shared-network; neither 10.17.224.0/24 nor 10.0.29.0/24
# exists on this host.)
class "foo" {
  match if substring (option vendor-class-identifier, 0, 4) = "SUNW";
}

shared-network 224-29 {
  subnet 10.17.224.0 netmask 255.255.255.0 {
    option routers rtr-224.example.org;
  }

subnet 10.0.29.0 netmask 255.255.255.0 {
    option routers rtr-29.example.org;
  }

  pool {
    allow members of "foo";
    range 10.17.224.10 10.17.224.250;
  }
  pool {
    deny members of "foo";
    range 10.0.29.10 10.0.29.230;
  }
}
What am I doing wrong? Please help.
 

Attachments

Code:
May  7 21:58:26 Server_18 root: /usr/sbin/service: WARNING: $growfs_enable is not set properly - see rc.conf(5).
May  7 21:58:26 Server_18 root: /usr/sbin/service: WARNING: $ is not set properly - see rc.conf(5).
May  7 21:58:26 Server_18 root: /usr/sbin/service: WARNING: $tcsd_enable is not set properly - see rc.conf(5).
May  7 21:58:26 Server_18 root: /usr/sbin/service: WARNING: $svnserve_enable is not set properly - see rc.conf(5).
May  7 21:58:26 Server_18 root: /usr/sbin/service: WARNING: $dbus_enable is not set properly - see rc.conf(5).
May  7 21:58:26 Server_18 root: /usr/sbin/service: WARNING: $avahi_daemon_enable is not set properly - see rc.conf(5).
May  7 21:58:26 Server_18 root: /usr/sbin/service: WARNING: $cupsd_enable is not set properly - see rc.conf(5).
May  7 21:58:26 Server_18 root: /usr/sbin/service: WARNING: $bsdstats_enable is not set properly - see rc.conf(5).
May  7 21:58:26 Server_18 root: /usr/sbin/service: WARNING: $avahi_dnsconfd_enable is not set properly - see rc.conf(5).
This looks like you've made a typo in /etc/rc.conf (or a file it sources); a warning about a variable literally named `$` usually means a line with a mangled name or an unbalanced quote. You probably forgot a quote somewhere.
 
A couple of thoughts. It could be that /etc/defaults/rc.conf has been stomped on in some way. The files in /etc/defaults should pretty much never differ from their default state unless you are developing a system patch, and certainly not for any normal configuration. Assuming that you have the source installed and in sync with your installed system, `diff /usr/src/etc/defaults/rc.conf /etc/defaults/rc.conf` should produce no output.

Alternatively, allowing for those warnings which SirDice highlighted to be odd but unrelated, do you have ipfw_load="YES" in /boot/loader.conf? If you do, or the ipfw module is compiled into the base kernel or otherwise loaded (see kldstat(8) for currently loaded modules), all traffic will be blocked by default: ipfw's built-in final rule denies everything (unless the kernel was built with IPFIREWALL_DEFAULT_TO_ACCEPT), and with firewall_enable unset the rc scripts never install any rule in front of it. To effectively disable ipfw (allow all traffic) while the module stays loaded, you need the following config in /etc/rc.conf:

Code:
firewall_enable="YES"
firewall_type="open"
 