Subject: kern/26692: rebooting with ipfs=YES gives a non-networking system with ipfilter 4.1.3
To: None <gnats-bugs@gnats.NetBSD.org>
From: None <arto@selonen.org>
List: netbsd-bugs
Date: 08/17/2004 05:40:16
>Number:         26692
>Category:       kern
>Synopsis:       rebooting with ipfs=YES gives a non-networking system with ipfilter 4.1.3
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Aug 17 08:07:00 UTC 2004
>Closed-Date:
>Last-Modified:
>Originator:     Arto Selonen
>Release:        NetBSD-current ~20040809
>Organization:
>Environment:
NetBSD blah 2.0G NetBSD 2.0G (BLAH) #65: Thu Aug 12 20:21:03 EEST 2004  blah@blah:/obj/sys/arch/i386/compile/BLAH i386

>Description:
After upgrading to ipfilter 4.1.3, using ipfs results in a non-networking system. Specifically, after setting 'ipfs=YES', and rebooting from a running state, the system comes up nicely, but seems to be blocking ALL network traffic. After another reboot from console, it reboots normally.
Rebooting again from that state results in a non-networking system again. So, every second reboot needs to be done from the console. By setting 'ipfs=NO', every reboot results in a normally running system. This came up in kern/24969, where Darren Reed suggested that I file this as a separate PR.

A possible factor in this problem could be 'options IPFILTER_DEFAULT_BLOCK' and 'options GATEWAY', since the system is acting as a firewall/gateway.

>How-To-Repeat:
Set ipfs=YES in /etc/rc.conf. Create a stateful rule set in /etc/ipf.conf (and only stateful traffic, i.e. block all traffic with rules unless it is a new connection that should match a 'keep state' rule). Make sure the rules are loaded and work; establish some TCP connections; reboot.
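A rule set of the kind the steps above call for, added here as a constructed example and not the submitter's actual /etc/ipf.conf: every packet is blocked unless it is the first packet of a connection that a 'keep state' rule admits, so after a reboot the only way existing connections can survive is through the state table that ipfs saves and restores. The interface name ex0 and the ssh-only inbound policy are assumptions; /etc/rc.conf additionally needs ipfilter=YES alongside ipfs=YES.

```conf
# /etc/ipf.conf (constructed example; 'ex0' is an assumed interface name)

# Default policy: drop and log anything that no stateful rule has admitted.
# With 'options IPFILTER_DEFAULT_BLOCK' the kernel blocks by default anyway;
# these rules make the policy explicit in the rule set.
block in log all
block out log all

# Inbound: only the initial SYN of a new TCP connection to ssh matches a rule.
# Every later packet of that connection is matched by the state table,
# not by any rule, which is why a lost or unloaded state table cuts off
# all established sessions.
pass in quick on ex0 proto tcp from any to any port = 22 flags S keep state

# Outbound: new connections from this host create state; replies come back
# via the state table, never via an inbound rule.
pass out quick on ex0 proto tcp from any to any flags S keep state
pass out quick on ex0 proto udp from any to any keep state
pass out quick on ex0 proto icmp from any to any keep state
```

After loading the rules with 'ipf -Fa -f /etc/ipf.conf' and opening a few TCP connections, 'ipfstat -sl' should list the corresponding state entries, which are what ipfs writes out at shutdown and reads back at boot.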

I don't have another box to test with, so I'm not sure about the minimum requirements, but I'm willing to provide any further details that may help in narrowing this down.

>Fix:
Set 'ipfs=NO' in /etc/rc.conf (and lose all established connections on reboots). Not that they'd remain with 'ipfs=YES', due to kern/24969.
>Release-Note:
>Audit-Trail:
>Unformatted: