From root@submonkey.net  Thu Dec  2 10:36:34 2004
Return-Path: <root@submonkey.net>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id B46C116A4CE
	for <FreeBSD-gnats-submit@freebsd.org>; Thu,  2 Dec 2004 10:36:34 +0000 (GMT)
Received: from shrike.submonkey.net (cpc2-cdif3-6-0-cust204.cdif.cable.ntl.com [81.103.67.204])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 5800343D2D
	for <FreeBSD-gnats-submit@freebsd.org>; Thu,  2 Dec 2004 10:36:34 +0000 (GMT)
	(envelope-from root@submonkey.net)
Received: from root by shrike.submonkey.net with local (Exim 4.43 (FreeBSD))
	id 1CZoLu-0002zC-3S
	for FreeBSD-gnats-submit@freebsd.org; Thu, 02 Dec 2004 10:38:22 +0000
Message-Id: <E1CZoLu-0002zC-3S@shrike.submonkey.net>
Date: Thu, 02 Dec 2004 10:38:22 +0000
From: Ceri Davies <ceri@FreeBSD.org>
Reply-To: Ceri Davies <ceri@FreeBSD.org>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: Hostname resolution failure causes firewall rules to stop loading
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         74610
>Category:       conf
>Synopsis:       Hostname resolution failure causes firewall rules to stop loading
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Dec 02 10:37:54 GMT 2004
>Closed-Date:    
>Last-Modified:  Tue Mar 29 15:20:02 GMT 2005
>Originator:     Ceri Davies
>Release:        FreeBSD 4.10-STABLE i386
>Organization:
>Environment:
System: FreeBSD shrike.private.submonkey.net 4.10-STABLE FreeBSD 4.10-STABLE #51: Wed Dec 1 23:31:06 GMT 2004 root@shrike.private.submonkey.net:/usr/obj/usr/src/sys/SHRIKE i386


	
>Description:

	After upgrading to the above version from a 75 day old 4.10-STABLE,
	one of the hostnames in my firewall rules failed to resolve on
	bootup for some reason (probably because named isn't running at
	that point but I'll worry about that elsewhere).  This resolution
	failure meant that the rest of my rules were not loaded.  From dmesg:

	Flushed all rules.
	01000 allow ip from any to any via lo0
	02000 deny ip from any to 127.0.0.0/8
	03000 deny ip from 127.0.0.0/8 to any
	01050 deny ip from any to any frag
	01200 deny tcp from any to any dst-port 135-137 via fxp0
	01210 deny udp from any to any dst-port 135-137 via fxp0
	01220 pipe 1 tcp from any to any dst-port 2234
	01230 allow ip from any to any via fxp0
	02010 deny udp from 10.133.151.254 to me dst-port 68
	02040 deny log logamount 100 ip from any to 10.0.0.0/8
	02050 deny log logamount 100 ip from any to 172.16.0.0/12
	02060 deny log logamount 10 ip from 172.16.0.0/12 to any
	02070 deny log logamount 100 ip from 10.0.0.0/8 to any
	02080 divert 8668 ip from any to any via vr0
	02090 allow ip from 192.168.10.0/24 to any via vr0
	02100 allow ip from any to 192.168.10.0/24 via vr0
	02110 deny log logamount 100 ip from any to 192.168.0.0/16 via vr0
	02120 deny log logamount 100 ip from 192.168.0.0/16 to any via vr0
	04000 check-state
	04010 allow tcp from any to any out keep-state
	04020 allow udp from any to any dst-port 53 keep-state
	04030 allow udp from any to any out
	Line 44:
	hostname ``bear.zoo.bt.co.uk'' unknown

	Firewall rules loaded, starting divert daemons:
	 natd

	All rules following line 44 (of which there are many) were not loaded.

>How-To-Repeat:

	Add a firewall rule for a hostname that doesn't resolve.  Reboot.
	
>Fix:

	Attempt to load all of the rules, even if one fails.

>Release-Note:
>Audit-Trail:

From: Maxim Konovalov <maxim@macomnet.ru>
To: Ceri Davies <ceri@freebsd.org>
Cc: bug-followup@freebsd.org
Subject: Re: conf/74610: Hostname resolution failure causes firewall rules
 to stop loading
Date: Thu, 2 Dec 2004 14:23:29 +0300 (MSK)

 And what is the desired behaviour?  Loading the rest of the rules
 might be dangerous as well.   There are "ipfw -n" and "ipfw set",
 and check'n'load approach will solve the problem.
 
 -- 
 Maxim Konovalov

From: Ceri Davies <ceri@submonkey.net>
To: Maxim Konovalov <maxim@macomnet.ru>
Cc: bug-followup@freebsd.org
Subject: Re: conf/74610: Hostname resolution failure causes firewall rules to stop loading
Date: Thu, 2 Dec 2004 11:52:15 +0000

 On Thu, Dec 02, 2004 at 02:23:29PM +0300, Maxim Konovalov wrote:
 > And what is the desired behaviour?  Loading the rest of the rules
 > might be dangerous as well.   There are "ipfw -n" and "ipfw set",
 > and check'n'load approach will solve the problem.
 
 I'm not sure - dropping to single-user would have been something.  In my
 case the machine was up with all services running and only half a
 ruleset loaded, which is not ideal.
 
 Perhaps the rules could be passed through "ipfw -n" before they are
 loaded for real.
 
 Ceri
 -- 
 Only two things are infinite, the universe and human stupidity, and I'm
 not sure about the former.			  -- Einstein (attrib.)

From: Matteo Riondato <rionda@gufi.org>
To: freebsd-gnats-submit@freebsd.org
Cc: Ceri Davies <ceri@submonkey.net>
Subject: Re: conf/74610: Hostname resolution failure causes firewall rules to stop loading
Date: Tue, 29 Mar 2005 17:15:12 +0200

 According to rcorder -s nostart /etc/rc.d/* , named is started after
 ipfw rules have been loaded and IMHO, this is right and good.
 I think you should rely on /etc/hosts to have a hostname translated to
 an IP address at this point of the boot process. Perhaps this should be
 documented (where? ipfw(8) ? ) but then this would become a
 documentation related problem.
 Best Regards
 
 -- 
 Rionda aka Matteo Riondato
 G.U.F.I. Staff Member (http://www.gufi.org)
 FreeSBIE Developer (http://www.freesbie.org)
 
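The two suggestions in the audit trail, Maxim's check-then-load with "ipfw -n" and Matteo's point that only /etc/hosts is available when the rules are loaded, combined into one pre-flight script. This is an added example written for this page; it is not part of the PR, of rc.firewall, or of ipfw(8). It assumes a ruleset file in the form that `ipfw pathname` reads (one `add ...` per line), the FreeBSD path /sbin/ipfw as the default loader, and it constructs its own sample hosts and rules files under SAMPLE_DIR; the names gw.example.net and bear.example.net are made up for the example.

```shell
#!/bin/sh
# Added example: pre-flight checks for an ipfw ruleset file, so a single
# unresolvable hostname cannot leave the machine up with half a ruleset
# (the failure mode in PR conf/74610).  Not part of the PR, rc.firewall
# or ipfw(8).  /sbin/ipfw is FreeBSD's path; everything under SAMPLE_DIR
# is constructed for this example.

# extract_hostnames RULEFILE
#   Print, one per line and de-duplicated, every address token in the
#   file that is neither an IP address/CIDR block nor an ipfw keyword,
#   i.e. the names ipfw would have to resolve while parsing.  Covers the
#   common address forms after from/to/src-ip/dst-ip; extend as needed.
extract_hostnames() {
    sed -e 's/#.*//' "$1" |
    awk '{
        for (i = 1; i < NF; i++) {
            if ($i == "from" || $i == "to" || $i == "src-ip" || $i == "dst-ip") {
                j = i + 1
                if ($j == "not") j++        # "from not 10.0.0.0/8"
                if (j <= NF && $j != "") print $j
            }
        }
    }' |
    grep -v -E '^(any|me|me6|table\(.*|\{.*|[0-9./]+|.*:.*)$' |
    sort -u
}

# unresolved_hostnames RULEFILE HOSTSFILE
#   Print the names from RULEFILE that have no entry in HOSTSFILE and
#   return 0 only if every name is present.  At boot on 4.x named is
#   started after the firewall rules, so hosts(5) is all there is.
unresolved_hostnames() {
    uh_rules=$1 uh_hosts=$2 uh_missing=0
    for uh_name in $(extract_hostnames "$uh_rules"); do
        # hosts(5): address, then the canonical name and any aliases.
        if ! sed -e 's/#.*//' "$uh_hosts" |
             awk -v n="$uh_name" '{ for (i = 2; i <= NF; i++) if ($i == n) found = 1 }
                                 END { exit (found ? 0 : 1) }'
        then
            echo "$uh_name"
            uh_missing=$((uh_missing + 1))
        fi
    done
    [ "$uh_missing" -eq 0 ]
}

# safe_load RULEFILE HOSTSFILE [IPFW]
#   Check the names, then dry-run the whole file with "ipfw -n" (parse
#   only, nothing is passed to the kernel), and only then load it.  Any
#   failure leaves the current ruleset untouched and returns non-zero.
safe_load() {
    sl_rules=$1 sl_hosts=$2 sl_ipfw=${3:-/sbin/ipfw}
    if ! sl_bad=$(unresolved_hostnames "$sl_rules" "$sl_hosts"); then
        echo "refusing to load $sl_rules: not in $sl_hosts: $sl_bad" >&2
        return 1
    fi
    if ! "$sl_ipfw" -n -q "$sl_rules" >/dev/null; then
        echo "refusing to load $sl_rules: ipfw -n rejected it" >&2
        return 1
    fi
    "$sl_ipfw" -q "$sl_rules"
}

# Constructed sample input (not from the PR or any real system).
SAMPLE_DIR=${TMPDIR:-/tmp}/ipfw-check.$$
mkdir -p "$SAMPLE_DIR"
cat > "$SAMPLE_DIR/hosts" <<'EOF'
127.0.0.1       localhost
192.168.10.1    gw.example.net gw        # constructed entry
EOF
cat > "$SAMPLE_DIR/rules.ok" <<'EOF'
add 01000 allow ip from any to any via lo0
add 02000 deny ip from any to 127.0.0.0/8
add 05000 allow tcp from gw.example.net to me dst-port 22 keep-state
EOF
cat > "$SAMPLE_DIR/rules.bad" <<'EOF'
add 01000 allow ip from any to any via lo0
add 05000 allow tcp from gw.example.net to me dst-port 22 keep-state
# Same shape as the PR's line 44: a name hosts(5) does not know.
add 05010 allow tcp from any to bear.example.net dst-port 80 keep-state
add 05020 allow udp from not 10.0.0.0/8 to any dst-port 53 keep-state
EOF

# The check names the culprit instead of silently stopping half way.
unresolved_hostnames "$SAMPLE_DIR/rules.ok"  "$SAMPLE_DIR/hosts" && echo "rules.ok: every name is in hosts(5)"
unresolved_hostnames "$SAMPLE_DIR/rules.bad" "$SAMPLE_DIR/hosts" || echo "rules.bad: would be refused"
```

Usage on a real box would be `safe_load /etc/ipfw.rules /etc/hosts`. One caveat: rc.firewall flushes the old rules before loading the new ones ("Flushed all rules." in the dmesg above), so a load refused at that point leaves only the kernel's default rule 65535, which denies or accepts according to whether the kernel was built with IPFIREWALL_DEFAULT_TO_ACCEPT. Run the checks before the flush, not after it, if the intent is to keep the previous ruleset in place on failure.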
>Unformatted:
