Hi all,
I recently upgraded (via source) from 11-Stable to 12-Stable on my
router box (PC Engines APU). My firewall rules don't appear to work any
longer during boot. I can see on the console "Line 98: unknown interface
name igb1" when it tries to load them. The last few rules after the
error line are not loaded. Line 98 is the "nat 1 config" line.
After boot, I run "ipfw flush; service ipfw restart" and everything works
ok. It looks like the igb1 interface isn't fully available at the time
when the rules are originally loaded. The log below seems to confirm that:
all three igb devices show "(no driver attached)" at probe time and only
attach after mountd has started, i.e. the driver appears to be loaded as
a module during rc rather than being in the kernel, which puts it after
/etc/rc.d/ipfw. That also fits the symptom: the "via OUTSIDE_IF" rules
above line 98 loaded without complaint, and only "nat 1 config if igb1",
which needs the interface to exist when the line is parsed, failed. If
that is the cause, the fix is to have the driver present before rc runs
(build it into the kernel, or load it from /boot/loader.conf; on 12 the
igb devices are handled by the em driver, so if_em_load="YES"). Note that
because the kernel is default-to-deny (see the "ipfw2 ... default to
deny" line in the log), the partially loaded ruleset fails closed: the
rules after line 98 are missing, but nothing extra is allowed.
My relevant lines (redacted) from /etc/rc.conf, /etc/ipfw.rules, and the
tail of /var/log/messages are below. (Unrelated to ipfw, but the same log
shows mountd rejecting two /etc/exports lines, "/var -alldirs -maproot"
and "/mnt -alldirs -maproot", plus "netcred already exists" duplicates
for the same address/mask; -maproot requires a =user argument, so those
exports are currently not active at all. Exporting /var with root mapped
to root would be a significant exposure, so it is worth checking what was
intended there before just fixing the syntax.)
Any clues, please?
Thanks in advance,
Graham
# Start ipfw at boot; /etc/rc.d/ipfw loads the rules file named below.
firewall_enable="YES"
# The rules file is pre-processed with m4 (-p m4); each -D defines a macro
# that the rules use as an interface or network name.  VPN_NET is defined
# here but is not referenced by any rule in the rules file shown.
# NOTE(review): this value is presumably a single line in the real file
# and was wrapped by the mailer; as shown it is still one quoted string.
firewall_flags="-p m4 -DOUTSIDE_IF=igb1 -DLAN_IF=igb0
-DLAN_NET=X.X.X.X/25 -DWIFI_IF=igb2 -DWIFI_NET=Y.Y.Y.Y/26 -DVPN_IF=tap0
-DVPN_NET=Z.Z.Z.Z/26 -DPS4_ADDR=A.A.A.A -DIPV6_IF=gif0"
# A file path here: the rules are read from this file with the flags above
# (the "Line 98" in the boot error refers to a line of this file).
firewall_type="/etc/ipfw.rules"
# /etc/ipfw.rules -- loaded by /etc/rc.d/ipfw through m4 (firewall_flags in
# rc.conf has -p m4), so the upper-case names below (OUTSIDE_IF, LAN_NET,
# ...) are m4 macros defined in rc.conf, not ipfw keywords.  Rules are
# evaluated in the order written; the kernel is built default-to-deny, so
# anything not matched by an allow/pass rule is dropped.
# NOTE(review): the mailer wrapped a few long lines of this listing (the
# "nat 1 config" line below is one line in the real file, see the boot
# message that names it as line 98).
# stop spoofing
# Only LAN_NET and WIFI_NET are covered here; VPN_NET is defined in
# rc.conf but is not used by any rule in this file.
add deny all from LAN_NET to any in via OUTSIDE_IF
add deny all from WIFI_NET to any in via OUTSIDE_IF
# allow anything on the LAN
# "via" matches either the receiving or the transmitting interface, so
# this covers both directions.  Because it comes first, nothing below
# (including the sshguard table rule) applies to traffic on LAN_IF.
add allow all from any to any via LAN_IF
# and from the VPN
add allow all from any to any via VPN_IF
# allow anything from the wireless network to the outside world (but not
# to the LAN)
# Stateless and decided by destination only: wireless clients may also
# reach any address of this router that is not inside LAN_NET (presumably
# its WIFI_IF address, on every port) and anything in VPN_NET.  Traffic
# from WIFI_IF to LAN_NET does not match here and is NOT denied here; it
# falls through to the rules below -- see the notes on the "established",
# "frag" and "allow udp from any to any" rules.
add allow ip from any to not LAN_NET via WIFI_IF
# Drop every table, then recreate the ones used below.  This also removes
# table 22 (sshguard), so entries sshguard had added are gone until it
# re-adds them.  Assumes the ruleset was flushed first (rc.firewall and the
# manual "ipfw flush" both do that); destroying a table that is still
# referenced by a rule may be refused.
table all destroy
# create a table of addresses to block
table 1 create type addr
# add RFC1918 nets
table 1 add 10.0.0.0/8
table 1 add 172.16.0.0/12
table 1 add 192.168.0.0/16
# and draft-manning-dsua-03.txt nets
# NOTE(review): this list is static and old; later special-purpose ranges
# such as 100.64.0.0/10 (shared address space), 192.0.0.0/24,
# 198.18.0.0/15, 198.51.100.0/24 and 203.0.113.0/24 (RFC 6890) are not in
# it.  OUTSIDE_IF gets its address from DHCP (see the log), so if the
# upstream ever hands out an address from a listed range the deny rules
# that use this table would cut the link -- keep that in mind when adding.
table 1 add 0.0.0.0/8
table 1 add 169.254.0.0/16
table 1 add 192.0.2.0/24
table 1 add 224.0.0.0/4
table 1 add 240.0.0.0/4
# stop entries in the table coming in on the outside interface
add deny all from table(1) to any in recv OUTSIDE_IF
# similarly for IPv6
table 2 create type addr
# Stop unique local unicast address on the outside interface
table 2 add fc00::/7
# Stop site-local on the outside interface
table 2 add fec0::/10
# Disallow "internal" addresses to appear on the wire.
# IPv4-mapped addresses.
table 2 add ::ffff:0.0.0.0/96
# Disallow packets to malicious IPv4 compatible prefix.
# The three commented-out entries and the /104 below all lie inside
# ::0.0.0.0/96 (the whole IPv4-compatible block, which also contains ::
# and ::1), added a few lines further down, so they are redundant rather
# than missing; nothing is lost by the ones that failed to parse.
#table 2 add ::224.0.0.0/100 gives error
#table 2 add ::127.0.0.0/104 ditto
table 2 add ::0.0.0.0/104
#table 2 add ::255.0.0.0/104 ditto
#
table 2 add ::0.0.0.0/96
# Disallow packets to malicious 6to4 prefix.
# 2002::/16 embeds an IPv4 address in bits 16-47; these are the 6to4
# images of 224.0.0.0/4, 127.0.0.0/8, 0.0.0.0/8 and 255.0.0.0/8 ...
table 2 add 2002:e000::/20
table 2 add 2002:7f00::/24
table 2 add 2002:0000::/24
table 2 add 2002:ff00::/24
#
# ... and of the RFC1918 ranges 10/8, 172.16/12 and 192.168/16.
table 2 add 2002:0a00::/24
table 2 add 2002:ac10::/28
table 2 add 2002:c0a8::/32
#
# Site-local scope multicast.
table 2 add ff05::/16
# block these addresses both incoming and outgoing
# Apart from the "deny tcp ... in via gif0 setup" rule near the end, these
# two are the only rules that restrict traffic on IPV6_IF at all.
add deny all from table(2) to any via IPV6_IF
add deny all from any to table(2) via IPV6_IF
# block sshguard entries
# "reset" drops the packet and sends a TCP RST when it is TCP.  This file
# uses "me" and "me6" separately (see the ssh rules below), so if sshguard
# also blocks IPv6 sources a matching "to me6" rule is probably needed.
# Because the LAN_IF/VPN_IF allows come first, this never applies to LAN
# or VPN sources.  Table 22 is not created above; it is created implicitly
# by this reference.
add reset ip from table(22) to me
#########################################################
# temporarily block lots of ports from outside (remove when these rules
# are fixed)
#add deny tcp from any to me 2049,5000-5999 in via OUTSIDE_IF
##########################################################
# allow IPSEC
#add allow esp from any to any
#add allow ah from any to any
#add allow ipencap from any to any
#add allow udp from any 500 to any
# allow setup of incoming SSH, IMAPS, and OpenVPN
# These accept new connections to this host from any source on every
# interface (OUTSIDE_IF, IPV6_IF and WIFI_IF included); the only protection
# is the service itself plus the sshguard table above.  They must stay
# above the nat rule: with "deny_in", anything arriving on OUTSIDE_IF that
# reaches the nat rule without a matching NAT entry or redirect is dropped
# there.
add allow tcp from any to me ssh setup
add allow tcp from any to me6 ssh setup
add allow tcp from any to me imaps setup
add allow tcp from any to me6 imaps setup
add allow tcp from any to me openvpn setup
add allow tcp from any to me6 openvpn setup
# UDP has no setup phase, so this is a plain stateless allow (IPv4 only).
add allow udp from any to me openvpn
# allow IPP, IMAPS, and SMTP from wireless
# "setup" only ever matches TCP SYN segments, so "ip" here is effectively
# "tcp".  The first rule is the one exception to the "not LAN_NET" rule
# for new connections from wireless into the LAN (the printer).  The other
# three only matter for the LAN-side address of this host; its WIFI_IF
# address is presumably already reachable on every port via that rule.
add allow ip from any to LAN_NET dst-port printer setup via WIFI_IF
add allow ip from any to me dst-port ipp setup via WIFI_IF
add allow ip from any to me dst-port smtp setup via WIFI_IF
add allow ip from any to me dst-port imaps setup via WIFI_IF
# allow some ICMP types but nothing else
# IPv4 only ("icmp" is protocol 1).  There is no ipv6-icmp rule anywhere in
# this file, so ICMPv6 arriving on IPV6_IF -- including Packet Too Big,
# which path-MTU discovery across the tunnel depends on -- ends at the
# final deny; only LAN_IF and VPN_IF pass it, via their blanket allows.
add allow icmp from any to any icmptypes 0,3,8,11
add deny icmp from any to any
#add allow ipv6 from any to any
# NAT
# redirect ports to PS4
# "deny_in": inbound packets on OUTSIDE_IF without a NAT entry or redirect
# are meant to be dropped by the nat rule itself, which is why every allow
# "to me" sits above it.  "config if OUTSIDE_IF" needs the interface to
# exist when the line is parsed (this is the line that fails at boot with
# "unknown interface name"), whereas the "via OUTSIDE_IF" rules above
# loaded fine.
# NOTE(review): with the default net.inet.ip.fw.one_pass=1 a packet is
# accepted right after nat and the rules below are not evaluated for
# anything that went through it; if they are meant to apply to OUTSIDE_IF
# traffic (e.g. the PS4 allows), one_pass must be 0 -- verify on this box.
nat 1 config if OUTSIDE_IF same_ports deny_in redirect_port tcp
PS4_ADDR:1935 1935 redirect_port tcp PS4_ADDR:3478 3478 redirect_port
tcp PS4_ADDR:3479 3479 redirect_port tcp PS4_ADDR:3480 3480
redirect_port udp PS4_ADDR:3074 3074 redirect_port udp PS4_ADDR:3478
3478 redirect_port udp PS4_ADDR:3479 3479
#nat 1 config if OUTSIDE_IF same_ports deny_in
# IPv4 only; IPv6 is routed, not translated.
add nat 1 ip4 from any to any via OUTSIDE_IF
# and block the above table again outbound
# Evaluated after nat, i.e. on the translated (public) source address.
add deny all from table(1) to any out xmit OUTSIDE_IF
# allow TCP through if setup succeeded
# Stateless: "established" matches any TCP segment with ACK or RST set, on
# any interface, in either direction.  Combined with the "not LAN_NET"
# wireless rule this means the wireless-to-LAN restriction only covers
# SYNs: a non-SYN segment from WIFI_IF to a LAN_NET host is passed here,
# as is non-SYN TCP arriving on IPV6_IF for an internal host.  keep-state
# on the setup rules plus a check-state would make this directional.
add pass tcp from any to any established
# allow IP fragments to pass through
# Non-first fragments carry no port or flag information and are passed
# unconditionally, on any interface; same caveat as above.  The "reass"
# action exists if reassembly before filtering is wanted.
add pass all from any to any frag
# allow TCP ports needed for PS4
# Destination is the post-nat (redirected) address.  UDP 3074 is
# redirected above but has no allow here, so with one_pass=0 it would be
# caught by the "deny udp ... in via OUTSIDE_IF" rule below; with
# one_pass=1 none of these rules are reached at all (see the nat note).
add allow tcp from any to PS4_ADDR 1935 in via OUTSIDE_IF setup
add allow tcp from any to PS4_ADDR 3478 in via OUTSIDE_IF setup
add allow tcp from any to PS4_ADDR 3479 in via OUTSIDE_IF setup
add allow tcp from any to PS4_ADDR 3480 in via OUTSIDE_IF setup
add allow udp from any to PS4_ADDR 3478 in via OUTSIDE_IF
add allow udp from any to PS4_ADDR 3479 in via OUTSIDE_IF
# allow DNS & NTP queries out to the world (and their replies back in)
# keep-state creates a dynamic rule for the reply.  There is no explicit
# check-state in this file, so the dynamic rules are consulted here, at
# the first keep-state rule.
add allow udp from me to any 53 keep-state
add allow udp from me to any 123 keep-state
# but no other UDP in from outside
# Scoped to OUTSIDE_IF only -- see the next rule.
add deny udp from any to any in via OUTSIDE_IF
# and allow any other UDP
# NOTE(review): this is unconditional, so UDP from WIFI_IF to LAN_NET
# (which the "not LAN_NET" rule neither allows nor denies) and UDP
# arriving on IPV6_IF for internal IPv6 hosts are both passed here.  The
# "deny tcp ... setup" rules below restrict new TCP only; UDP has no
# equivalent, so the "not to the LAN" policy does not hold for UDP.
# A plain deny here would also break LAN-initiated UDP to wireless hosts
# (their replies currently rely on this rule), so closing it properly
# needs keep-state on the allowed directions plus a check-state.
add allow udp from any to any
# reject all setup of incoming connections from the outside
add deny tcp from any to any in via OUTSIDE_IF setup
# reject all setup of incoming connections from the IPV6 tunnel
# Uses the literal name gif0 where the rest of the file uses IPV6_IF; the
# macro would keep the two in step if the tunnel interface ever changes.
add deny tcp from any to any in via gif0 setup
# reject all setup of incoming connections from the wireless
# Only destinations in LAN_NET get this far from WIFI_IF (everything else
# was allowed earlier), so this is what enforces "not to the LAN" for new
# TCP connections other than the printer.
add deny tcp from any to any in via WIFI_IF setup
# allow setup of any other TCP connection
add pass tcp from any to any setup
# Everything else is denied by default, unless the
# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel config file.
# But we add this rule anyway to allow logging.
# NOTE(review): as written this rule has no "log" keyword, so it logs
# nothing; "add deny log all from any to any" is what the comment
# describes, and the kernel currently reports "logging disabled"
# (firewall_logging="YES" in rc.conf turns it on).  This kernel is
# default-to-deny, so the rule is otherwise redundant -- which is also why
# the partially loaded ruleset at boot fails closed rather than open.
add deny all from any to any
Mar 23 11:35:31 maxwell kernel: ---<<BOOT>>---
Mar 23 11:35:31 maxwell kernel: Copyright (c) 1992-2019 The FreeBSD Project.
Mar 23 11:35:31 maxwell kernel: Copyright (c) 1979, 1980, 1983, 1986,
1988, 1989, 1991, 1992, 1993, 1994
Mar 23 11:35:31 maxwell kernel: The Regents of the University of
California. All rights reserved.
Mar 23 11:35:31 maxwell kernel: FreeBSD is a registered trademark of The
FreeBSD Foundation.
Mar 23 11:35:31 maxwell kernel: FreeBSD 12.0-STABLE maxwell amd64
Mar 23 11:35:31 maxwell kernel: FreeBSD clang version 7.0.1
(tags/RELEASE_701/final 349250) (based on LLVM 7.0.1)
Mar 23 11:35:31 maxwell kernel: CPU: AMD GX-412TC
SOC (998.15-MHz K8-class CPU)
Mar 23 11:35:31 maxwell kernel: Origin="AuthenticAMD" Id=0x730f01
Family=0x16 Model=0x30 Stepping=1
Mar 23 11:35:31 maxwell kernel:
Features=0x178bfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,MMX,FXSR,SSE,SSE2,HTT>
Mar 23 11:35:31 maxwell kernel:
Features2=0x3ed8220b<SSE3,PCLMULQDQ,MON,SSSE3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AESNI,XSAVE,OSXSAVE,AVX,F16C>
Mar 23 11:35:31 maxwell kernel: AMD
Features=0x2e500800<SYSCALL,NX,MMX+,FFXSR,Page1GB,RDTSCP,LM>
Mar 23 11:35:31 maxwell kernel: AMD
Features2=0x1d4037ff<LAHF,CMP,SVM,ExtAPIC,CR8,ABM,SSE4A,MAS,Prefetch,OSVW,IBS,SKINIT,WDT,Topology,PNXC,DBE,PTSC,PL2I>
Mar 23 11:35:31 maxwell kernel: Structured Extended Features=0x8<BMI1>
Mar 23 11:35:31 maxwell kernel: XSAVE Features=0x1<XSAVEOPT>
Mar 23 11:35:31 maxwell kernel: SVM: NP,NRIP,AFlush,DAssist,NAsids=8
Mar 23 11:35:31 maxwell kernel: TSC: P-state invariant, performance
statistics
Mar 23 11:35:31 maxwell kernel: real memory = 4815060992 (4592 MB)
Mar 23 11:35:31 maxwell kernel: avail memory = 4110790656 (3920 MB)
Mar 23 11:35:31 maxwell kernel: Event timer "LAPIC" quality 600
Mar 23 11:35:31 maxwell kernel: ACPI APIC Table: <CORE COREBOOT>
Mar 23 11:35:31 maxwell kernel: FreeBSD/SMP: Multiprocessor System
Detected: 4 CPUs
Mar 23 11:35:31 maxwell kernel: FreeBSD/SMP: 1 package(s) x 4 core(s)
Mar 23 11:35:31 maxwell kernel: random: unblocking device.
Mar 23 11:35:31 maxwell kernel: ioapic1: Changing APIC ID to 5
Mar 23 11:35:31 maxwell kernel: ioapic0 <Version 2.1> irqs 0-23 on
motherboard
Mar 23 11:35:31 maxwell kernel: ioapic1 <Version 2.1> irqs 24-55 on
motherboard
Mar 23 11:35:31 maxwell kernel: Launching APs: 2 1 3
Mar 23 11:35:31 maxwell kernel: Timecounter "TSC" frequency 998148269 Hz
quality 1000
Mar 23 11:35:31 maxwell kernel: random: entropy device external interface
Mar 23 11:35:31 maxwell kernel: 000.000022 [4212]
netmap_init netmap: loaded module
Mar 23 11:35:31 maxwell kernel: nexus0
Mar 23 11:35:31 maxwell kernel: cryptosoft0: <software crypto> on
motherboard
Mar 23 11:35:31 maxwell kernel: acpi0: <CORE COREBOOT> on motherboard
Mar 23 11:35:31 maxwell kernel: acpi0: Power Button (fixed)
Mar 23 11:35:31 maxwell kernel: cpu0: <ACPI CPU> on acpi0
Mar 23 11:35:31 maxwell kernel: atrtc0: <AT realtime clock> port
0x70-0x71 irq 8 on acpi0
Mar 23 11:35:31 maxwell kernel: atrtc0: registered as a time-of-day
clock, resolution 1.000000s
Mar 23 11:35:31 maxwell kernel: Event timer "RTC" frequency 32768 Hz
quality 0
Mar 23 11:35:31 maxwell kernel: attimer0: <AT timer> port 0x40-0x43 irq
0 on acpi0
Mar 23 11:35:31 maxwell kernel: Timecounter "i8254" frequency 1193182 Hz
quality 0
Mar 23 11:35:31 maxwell kernel: Event timer "i8254" frequency 1193182 Hz
quality 100
Mar 23 11:35:31 maxwell kernel: hpet0: <High Precision Event Timer>
iomem 0xfed00000-0xfed003ff on acpi0
Mar 23 11:35:31 maxwell kernel: Timecounter "HPET" frequency 14318180 Hz
quality 950
Mar 23 11:35:31 maxwell kernel: Timecounter "ACPI-safe" frequency
3579545 Hz quality 850
Mar 23 11:35:31 maxwell kernel: acpi_timer0: <32-bit timer at
3.579545MHz> port 0x818-0x81b on acpi0
Mar 23 11:35:31 maxwell kernel: acpi_button0: <Power Button> on acpi0
Mar 23 11:35:31 maxwell kernel: pcib0: <ACPI Host-PCI bridge> port
0xcf8-0xcff on acpi0
Mar 23 11:35:31 maxwell kernel: pci0: <ACPI PCI bus> on pcib0
Mar 23 11:35:31 maxwell kernel: pcib1: <ACPI PCI-PCI bridge> at device
2.2 on pci0
Mar 23 11:35:31 maxwell kernel: pcib1: failed to allocate initial I/O
port window: 0x1000-0x1fff
Mar 23 11:35:31 maxwell kernel: pci1: <ACPI PCI bus> on pcib1
Mar 23 11:35:31 maxwell kernel: pci1: <network, ethernet> at device 0.0
(no driver attached)
Mar 23 11:35:31 maxwell kernel: pcib2: <ACPI PCI-PCI bridge> at device
2.3 on pci0
Mar 23 11:35:31 maxwell kernel: pci2: <ACPI PCI bus> on pcib2
Mar 23 11:35:31 maxwell kernel: pci2: <network, ethernet> at device 0.0
(no driver attached)
Mar 23 11:35:31 maxwell kernel: pcib3: <ACPI PCI-PCI bridge> at device
2.4 on pci0
Mar 23 11:35:31 maxwell kernel: pci3: <ACPI PCI bus> on pcib3
Mar 23 11:35:31 maxwell kernel: pci3: <network, ethernet> at device 0.0
(no driver attached)
Mar 23 11:35:31 maxwell kernel: pci0: <encrypt/decrypt> at device 8.0
(no driver attached)
Mar 23 11:35:31 maxwell kernel: xhci0: <AMD FCH USB 3.0 controller> mem
0xfeb22000-0xfeb23fff at device 16.0 on pci0
Mar 23 11:35:31 maxwell kernel: xhci0: 32 bytes context size, 64-bit DMA
Mar 23 11:35:31 maxwell kernel: xhci0: Unable to map MSI-X table
Mar 23 11:35:31 maxwell kernel: usbus0 on xhci0
Mar 23 11:35:31 maxwell kernel: usbus0: 5.0Gbps Super Speed USB v3.0
Mar 23 11:35:31 maxwell kernel: ahci0: <AMD Hudson-2 AHCI SATA
controller> port
0x4010-0x4017,0x4020-0x4023,0x4018-0x401f,0x4024-0x4027,0x4000-0x400f
mem 0xfeb25000-0xfeb253ff at device 17.0 on pci0
Mar 23 11:35:31 maxwell kernel: ahci0: AHCI v1.30 with 2 6Gbps ports,
Port Multiplier supported with FBS
Mar 23 11:35:31 maxwell kernel: ahcich0: <AHCI channel> at channel 0 on
ahci0
Mar 23 11:35:31 maxwell kernel: ahcich1: <AHCI channel> at channel 1 on
ahci0
Mar 23 11:35:31 maxwell kernel: ehci0: <AMD FCH USB 2.0 controller> mem
0xfeb25400-0xfeb254ff at device 19.0 on pci0
Mar 23 11:35:31 maxwell kernel: usbus1: EHCI version 1.0
Mar 23 11:35:31 maxwell kernel: usbus1 on ehci0
Mar 23 11:35:31 maxwell kernel: usbus1: 480Mbps High Speed USB v2.0
Mar 23 11:35:31 maxwell kernel: isab0: <PCI-ISA bridge> at device 20.3
on pci0
Mar 23 11:35:31 maxwell kernel: isa0: <ISA bus> on isab0
Mar 23 11:35:31 maxwell kernel: pci0: <base peripheral, SD host
controller> at device 20.7 (no driver attached)
Mar 23 11:35:31 maxwell kernel: uart0: <16550 or compatible> port
0x3f8-0x3ff irq 4 flags 0x10 on acpi0
Mar 23 11:35:31 maxwell kernel: uart0: console (115200,n,8,1)
Mar 23 11:35:31 maxwell kernel: orm0: <ISA Option ROMs> at iomem
0xc0000-0xc0fff,0xef000-0xeffff pnpid ORM0000 on isa0
Mar 23 11:35:31 maxwell kernel: uart1: <16550 or compatible> at port
0x2f8 irq 3 on isa0
Mar 23 11:35:31 maxwell kernel: hwpstate0: <Cool`n'Quiet 2.0> on cpu0
Mar 23 11:35:31 maxwell kernel: Timecounters tick every 1.000 msec
Mar 23 11:35:31 maxwell kernel: ipfw2 (+ipv6) initialized, divert
loadable, nat loadable, default to deny, logging disabled
Mar 23 11:35:31 maxwell kernel: ugen0.1: <0x1022 XHCI root HUB> at usbus0
Mar 23 11:35:31 maxwell kernel: ugen1.1: <AMD EHCI root HUB> at usbus1
Mar 23 11:35:31 maxwell kernel: uhub0: <0x1022 XHCI root HUB, class 9/0,
rev 3.00/1.00, addr 1> on usbus0
Mar 23 11:35:31 maxwell kernel: uhub1: <AMD EHCI root HUB, class 9/0,
rev 2.00/1.00, addr 1> on usbus1
Mar 23 11:35:31 maxwell kernel: uhub0: 4 ports with 4 removable, self
powered
Mar 23 11:35:31 maxwell kernel: uhub1: 2 ports with 2 removable, self
powered
Mar 23 11:35:31 maxwell kernel: ugen0.2: <American Power Conversion
Back-UPS CS 350 FW:807.q5.I USB FW:q5> at usbus0
Mar 23 11:35:31 maxwell kernel: ugen1.2: <vendor 0x0438 product 0x7900>
at usbus1
Mar 23 11:35:31 maxwell kernel: uhub2 on uhub1
Mar 23 11:35:31 maxwell kernel: uhub2: <vendor 0x0438 product 0x7900,
class 9/0, rev 2.00/0.18, addr 2> on usbus1
Mar 23 11:35:31 maxwell kernel: uhub2: 4 ports with 4 removable, self
powered
Mar 23 11:35:31 maxwell kernel: ada0 at ahcich0 bus 0 scbus0 target 0 lun 0
Mar 23 11:35:31 maxwell kernel: ada0: <SATA SSD S9FM02.9> ACS-3 ATA SATA
3.x device
Mar 23 11:35:31 maxwell kernel: ada0: Serial Number 6834076A125700012038
Mar 23 11:35:31 maxwell kernel: ada0: 600.000MB/s transfers (SATA 3.x,
UDMA6, PIO 8192bytes)
Mar 23 11:35:31 maxwell kernel: ada0: Command Queueing enabled
Mar 23 11:35:31 maxwell kernel: ada0: 15272MB (31277232 512 byte sectors)
Mar 23 11:35:31 maxwell kernel: ada1 at ahcich1 bus 0 scbus1 target 0 lun 0
Mar 23 11:35:31 maxwell kernel: ada1: <ST2000LX001-1RG174 SDM1> ACS-3
ATA SATA 3.x device
Mar 23 11:35:31 maxwell kernel: ada1: Serial Number WDZ4G592
Mar 23 11:35:31 maxwell kernel: ada1: 300.000MB/s transfers (SATA 2.x,
UDMA6, PIO 8192bytes)
Mar 23 11:35:31 maxwell kernel: ada1: Command Queueing enabled
Mar 23 11:35:31 maxwell kernel: ada1: 1907729MB (3907029168 512 byte
sectors)
Mar 23 11:35:31 maxwell kernel: Trying to mount root from
ufs:/dev/ada0p2 [rw]...
Mar 23 11:35:31 maxwell kernel: WARNING: /usr/data was not properly
dismounted
Mar 23 11:35:31 maxwell kernel: lo0: link state changed to UP
Mar 23 11:35:31 maxwell kernel: intsmb0: <AMD FCH SMBus Controller> at
device 20.0 on pci0
Mar 23 11:35:31 maxwell kernel: smbus0: <System Management Bus> on intsmb0
Mar 23 11:35:32 maxwell mountd[618]: can't change attributes for /var:
netcred already exists for given addr/mask
Mar 23 11:35:32 maxwell mountd[618]: bad exports list line '/var
-alldirs -maproot'
Mar 23 11:35:32 maxwell mountd[618]: can't change attributes for /mnt:
netcred already exists for given addr/mask
Mar 23 11:35:32 maxwell mountd[618]: bad exports list line '/mnt
-alldirs -maproot'
Mar 23 11:35:32 maxwell kernel: igb0: <Intel(R) PRO/1000 PCI-Express
Network Driver> mem 0xfe600000-0xfe61ffff,0xfe620000-0xfe623fff at
device 0.0 on pci1
Mar 23 11:35:32 maxwell kernel: igb0: Using 1024 tx descriptors and 1024
rx descriptors
Mar 23 11:35:32 maxwell kernel: igb0: Using 4 rx queues 4 tx queues
Mar 23 11:35:32 maxwell kernel: igb0: Using MSI-X interrupts with 5 vectors
Mar 23 11:35:32 maxwell kernel: igb0: Ethernet address: 00:0d:b9:42:ea:38
Mar 23 11:35:32 maxwell kernel: igb0: netmap queues/slots: TX 4/1024, RX
4/1024
Mar 23 11:35:32 maxwell kernel: igb1: <Intel(R) PRO/1000 PCI-Express
Network Driver> port 0x2000-0x201f mem
0xfe700000-0xfe71ffff,0xfe720000-0xfe723fff at device 0.0 on pci2
Mar 23 11:35:32 maxwell kernel: igb1: Using 1024 tx descriptors and 1024
rx descriptors
Mar 23 11:35:32 maxwell kernel: igb1: Using 4 rx queues 4 tx queues
Mar 23 11:35:32 maxwell kernel: igb1: Using MSI-X interrupts with 5 vectors
Mar 23 11:35:32 maxwell kernel: igb1: Ethernet address: 00:0d:b9:42:ea:39
Mar 23 11:35:33 maxwell kernel: igb1: netmap queues/slots: TX 4/1024, RX
4/1024
Mar 23 11:35:33 maxwell kernel: igb2: <Intel(R) PRO/1000 PCI-Express
Network Driver> port 0x3000-0x301f mem
0xfe800000-0xfe81ffff,0xfe820000-0xfe823fff at device 0.0 on pci3
Mar 23 11:35:33 maxwell kernel: igb2: Using 1024 tx descriptors and 1024
rx descriptors
Mar 23 11:35:33 maxwell kernel: igb2: Using 4 rx queues 4 tx queues
Mar 23 11:35:33 maxwell kernel: igb2: Using MSI-X interrupts with 5 vectors
Mar 23 11:35:33 maxwell kernel: igb2: Ethernet address: 00:0d:b9:42:ea:3a
Mar 23 11:35:33 maxwell ntpd[759]: ntpd 4.2.8p12-a (1): Starting
Mar 23 11:35:33 maxwell kernel: igb2: netmap queues/slots: TX 4/1024, RX
4/1024
Mar 23 11:35:33 maxwell kernel: Security policy loaded: MAC/ntpd (mac_ntpd)
Mar 23 11:35:34 maxwell upsmon[789]: Login on UPS [maxwell@localhost]
failed - got [ERR ACCESS-DENIED]
Mar 23 11:35:37 maxwell kernel: igb0: link state changed to UP
Mar 23 11:35:48 maxwell kernel: igb1: link state changed to UP
Mar 23 11:35:48 maxwell kernel: igb1: link state changed to DOWN
Mar 23 11:35:49 maxwell root[1698]: /etc/rc: WARNING: failed to start spamd
Mar 23 11:35:49 maxwell kernel: tun0: link state changed to UP
Mar 23 11:35:50 maxwell kernel: igb2: link state changed to UP
Mar 23 11:35:50 maxwell kernel: igb2: link state changed to DOWN
Mar 23 11:35:51 maxwell kernel: igb1: link state changed to UP
Mar 23 11:35:51 maxwell dhclient[2608]: New IP Address (igb1): X.X.X.X
Mar 23 11:35:51 maxwell dhclient[2610]: New Subnet Mask (igb1):
255.255.255.0
Mar 23 11:35:51 maxwell dhclient[2612]: New Broadcast Address (igb1):
X.X.X.255
Mar 23 11:35:51 maxwell dhclient[2614]: New Routers (igb1): X.X.X.1
Mar 23 11:35:53 maxwell kernel: igb2: link state changed to UP