On 2/1/07, Dewayne Geraghty <[EMAIL PROTECTED]> wrote:
> Hmm - I have 9 firewalls in different locations and the information that you've provided seems ok. Kernel options are ok, rc.conf looks ok; is there a "client" option still in your rc.firewall? The deny rule is always the last as it's meant to protect the environment in case of rc.firewall not working.
>
> Could you try
>
>     script /tmp/ipfw.lis /etc/rc.d/ipfw restart
>
> and examine the output, as that is sure to tell you where the hangup is. There may be a rule in the rc.firewall that makes it hang/stop. (Tired fingers sometimes leave remnant chars around.)
I tried executing "/etc/rc.d/ipfw restart" and sure enough, it showed that one of my firewall rules was mistakenly entered as "addpass" while it should've been "add pass". I corrected the typo, but the strange thing is, when I reboot, it still doesn't work! Running the firewall command manually works without error, but it isn't executed at boot. Any other ideas? I was sure that the typo was the problem; unfortunately that's not the case. Oh well, at least it seems I'm getting closer to a solution!

Thanks,
Mike

> Regards, Dewayne.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of The Admiral
Sent: Friday, 2 February 2007 11:11 AM
To: [email protected]
Subject: Re: rc.firewall script not running at system boot

Hi Dewayne, thanks for the response, although I tried enclosing the YES option in quotes but it didn't make a difference.

Mike

On 2/1/07, Dewayne Geraghty <[EMAIL PROTECTED]> wrote:
>
> Put quotes around gateway_enable="YES"
> Regards, Dewayne.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> On Behalf Of The Admiral
> Sent: Friday, 2 February 2007 8:04 AM
> To: [email protected]
> Subject: rc.firewall script not running at system boot
>
> We had a power outage last night and I arrived at work today to find that one of our machines no longer has network access (one of the few machines not on a battery backup unit). I checked to see what firewall rules were enabled and the only one that was active was to deny all. It seems as though my rc.firewall script wasn't run automatically when the system booted. I rebooted to double check and sure enough the only rule enabled was the deny all rule.
> My rc.conf file has the following:
>
> ---------------------------------------------------------------
> hostname="dev"
>
> ifconfig_em0="inet 192.168.1.120 netmask 255.255.255.0"
> ifconfig_vr0="inet 224.87.34.72 netmask 255.255.255.248" # real IP hidden on purpose
>
> defaultrouter="224.87.34.71"
>
> gateway_enable=YES
> firewall_enable="YES"               # Set to YES to enable firewall functionality
> firewall_script="/etc/rc.firewall"  # Which script to run to set up the firewall
> firewall_type="client"              # Firewall type (see /etc/rc.firewall)
> ---------------------------------------------------------------
>
> My kernel configuration file has the following:
>
> ---------------------------------------------------------------
> options IPFIREWALL          # required to use ipfw
> options IPFIREWALL_FORWARD
> options IPDIVERT            # required for natd
> options IPFIREWALL_VERBOSE  # Enables logging of packets that pass through IPFW and have the 'log' keyword specified in the rule set.
> ---------------------------------------------------------------
>
> When I run the rc.firewall script directly (sudo /etc/rc.firewall client) all my rulesets are enabled as they should; however, the rc.firewall file isn't being executed at system boot, which I'd like to resolve, since it means that the machine will be inaccessible if the machine is rebooted for whatever reason and no one is there to manually execute the firewall script from the console. The strange thing is, the last time I manually rebooted the machine, the script was executed without a problem. The machine hasn't been rebooted for a while though, and a lot of the software has been updated in the meantime, so I'm thinking that may be the cause, but I'm still unsure how to go about fixing this. Any help is greatly appreciated, thanks.
>
> Mike
> _______________________________________________
> [email protected] mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "[EMAIL PROTECTED]"
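The failure mode in this thread is worth a pre-reboot check: a single mangled subcommand ("addpass" for "add pass") aborts rc.firewall part-way, and because the kernel's built-in last rule is deny, the host comes up unreachable rather than open. The script below is an added example, not code from the thread or from FreeBSD: a small shell lint that scans a rule script for lines invoking ipfw whose first subcommand is not one ipfw(8) accepts. It assumes the rc.firewall convention of writing rules as `ipfw ...`, `${fwcmd} ...` or `$fwcmd ...`, possibly preceded by option flags such as `-q` or `-f`; the subcommand list and the sample rule file are both constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD: a pre-reboot lint
# for an ipfw rule script such as /etc/rc.firewall.  It looks for the failure
# mode described in the thread: a mangled subcommand ("addpass" for
# "add pass") that aborts the script part-way, so that after a reboot only the
# kernel's built-in last rule (deny ip from any to any) is loaded.
#
# Assumptions: rule lines invoke the firewall as "ipfw ...", "${fwcmd} ..." or
# "$fwcmd ..." (the rc.firewall convention); option flags such as -q or -f may
# precede the subcommand.  IPFW_SUBCMDS is the subset of ipfw(8) subcommands
# this lint knows about; extend it if your rules use others.

IPFW_SUBCMDS="add delete flush list show zero resetlog enable disable set table pipe queue nat"

# lint_ipfw_rules FILE
# Prints "FILE:LINE: ..." for every rule line whose subcommand is not in
# IPFW_SUBCMDS.  Returns 0 if the file is clean, 1 otherwise.
lint_ipfw_rules() {
    file=$1
    status=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        # trim leading whitespace; skip blank lines and comments
        l=$(printf '%s' "$line" | sed 's/^[[:space:]]*//')
        case "$l" in
            ''|'#'*) continue ;;
        esac
        # only lines that actually run ipfw are of interest
        case "$l" in
            'ipfw '*|'${fwcmd} '*|'$fwcmd '*) ;;
            *) continue ;;
        esac
        # split into words (globbing off so a stray '*' is not expanded),
        # then drop the command word and any leading option flags
        set -f
        set -- $l
        set +f
        shift
        while [ $# -gt 0 ]; do
            case "$1" in
                -*) shift ;;
                *) break ;;
            esac
        done
        sub=${1:-}
        found=0
        for s in $IPFW_SUBCMDS; do
            if [ "$sub" = "$s" ]; then found=1; break; fi
        done
        if [ "$found" -eq 0 ]; then
            printf '%s:%d: unknown ipfw subcommand "%s" in: %s\n' "$file" "$n" "$sub" "$l"
            status=1
        fi
    done < "$file"
    return "$status"
}

# write_sample_rules FILE
# Writes a constructed rule script (not the poster's real one) that reproduces
# the typo from the thread on its last line.
write_sample_rules() {
    cat > "$1" <<'EOF'
#!/bin/sh
# constructed sample, modelled on the "client" section of rc.firewall
fwcmd="/sbin/ipfw"
${fwcmd} -f flush
${fwcmd} add pass all from any to any via lo0
${fwcmd} add deny all from any to 127.0.0.0/8
${fwcmd} addpass tcp from any to me 22 setup
EOF
}

sample=$(mktemp)
write_sample_rules "$sample"
lint_ipfw_rules "$sample" || echo "fix the lines above before you reboot"
rm -f "$sample"
```

On the FreeBSD box itself the authoritative checks are `sh -n /etc/rc.firewall` for shell syntax and `ipfw -n` (ipfw(8): check syntax only, without passing the rules to the kernel) for individual rule strings; this lint is a host-independent approximation that can run from any pre-reboot checklist, and it reports the line number so the offending rule can be fixed before the machine is left unattended.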
