Re: Ipf, FreeBSD, cvsup

Fri, 22 Sep 2006 12:35:18 -0700 

Beers, James W. wrote:


I created a test server running FreeBSD 6.1 and ipfilter 4.1.11 compiled
into the kernel.  Again, an install off the 6.1 CD.  Then I played with
cvsup and refreshed the source tree.  I dutifully recompiled and
installed the kernel.  No problems noted.  Then I rebooted.  The system
rebooted and came up but I couldn't contact it with ssh.  So I made way
to the server and noticed ipfilter's ruleset was empty.  Of course, my
default stance for the firewall is BLOCKALL, so that answers why I
couldn't get to the server.  I did an ipf -V and was told that ipfilter
was runnning but that I had a user/kernel version mismatch.  The user
binaries are 4.1.11 and the kernel binaries are 4.1.13.  I've poked
around on this list, Google Groups, and Google but I can't seem to find
(or I'm missing) the instructions for fixing this problem.


Michal Mertl was probably correct that you didn't install (possibly
even build) a new world along with the new kernel. Had you done that,
your userland ipfilter utilities would have been upgraded to 4.1.13
along with the kernel. Then you would have ended up with IPFilter 4.1.13
which is included in 6-STABLE branch of FreeBSD nowadays.


For future reference, these are my "standard" steps for cvsup-based 
FreeBSD upgrades on boxes where IPFilter is not the one included in 
FreeBSD but instead downloaded and built separately (and needs to remain 
so after the upgrade). Actually I have only one such box and it's 
running FreeBSD 4.11, so the instructions probably need to be adjusted 
for FreeBSD 6, which shouldn't be difficult. I've used this procedure 
successfully several times.


Step 1.

Update the FreeBSD source code via cvsup

Step 2.

make buildworld

Step 3.

Unpack the IPFilter source code into a separate directory
(/home/build/ip_fil4.1.8)

Step 4 (probably optional).

Edit IPFilter's Makefile to enable the state top feature
(see instructions in the Makefile)

Step 5.

make freebsd4

Step 6.

make ip_rules.c
(may not be necessary with IPFilter versions newer than 4.1.8)

Step 7.

make install-bsd

Step 8.

BSD/kupgrade

Step 9.

make buildkernel, make installkernel and reboot to single user mode

Step 10.

make installworld

Step 11.


cd to /home/build/ip_fil4.1.8 and re-run 'make install-bsd'. If 
upgrading has changed the output of `uname -r` then you need to

create a corresponding symlink in /home/build/ip_fil4.1.8/BSD in
order for this step to succeed.

Step 12.

Reboot to multiuser mode and enjoy your upgraded system :)

--
Toomas Aas






















					Reply via email to