Subject: kern/26692: rebooting with ipfs=YES gives a non-networking system with ipfilter 4.1.3
To: None <>
From: None <>
List: netbsd-bugs
Date: 08/17/2004 05:40:16
>Number:         26692
>Category:       kern
>Synopsis:       rebooting with ipfs=YES gives a non-networking system with ipfilter 4.1.3
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Aug 17 08:07:00 UTC 2004
>Originator:     Arto selonen
>Release:        NetBSD-current ~20040809
NetBSD blah 2.0G NetBSD 2.0G (BLAH) #65: Thu Aug 12 20:21:03 EEST 2004  blah@blah:/obj/sys/arch/i386/compile/BLAH i386

After upgrading to ipfilter 4.1.3, using ipfs results in a non-networking system. Specifically, after setting 'ipfs=YES', and rebooting from a running state, the system comes up nicely, but seems to be blocking ALL network traffic. After another reboot from console, it reboots normally.
Rebooting again from that results again in a non-networking state. So, every second reboot needs to be done from console. By setting 'ipfs=NO' every reboot results in normally running system. This came up in kern/24969, where Darren Reed suggested that I file this as a separate PR.

Possible factor for this problem could be 'options IPFILTER_DEFAULT_BLOCK' and 'options GATEWAY', since the system is acting as a firewall/gateway.

Set ipfs=YES in /etc/rc.conf. Create a stateful rule set in /etc/ipf.conf (and only stateful traffic, i.e. block all traffic with rules unless it is a new connection that should match a 'keep state' rule). Make sure the rules are loaded, and work; establish some TCP connections; reboot.

I don't have another box to test with, so I'm not sure about the minimum requirements, but I'm willing to provide any further details that may help in narrowing this down.

Set 'ipfs=NO' in /etc/rc.conf (and lose all established connections on reboots). Not that they'd remain with 'ipfs=YES', due to kern/24969.
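The configuration the reproduction steps describe (ipfs=YES plus a default-deny, stateful-only rule set), written out as a constructed illustration rather than the reporter's actual files; the interface name fxp0 and the host address 192.0.2.10 are assumptions:

```conf
# /etc/rc.conf (excerpt) - constructed example, not the reporter's file
ipfilter=YES        # load /etc/ipf.conf at boot
ipfs=YES            # save the kernel state table at shutdown and restore it at boot
                    # (the setting this report is about; ipfs=NO is the workaround)

# /etc/ipf.conf - block everything unless a 'keep state' rule created the flow
# (interface "fxp0" and address 192.0.2.10 are assumed values)
block in log all
block out all

# new outbound connections: only the TCP SYN may open a flow, the rest rides on state
pass out quick on fxp0 proto tcp from any to any flags S/SA keep state
pass out quick on fxp0 proto udp from any to any keep state
pass out quick on fxp0 proto icmp from any to any keep state

# the one inbound service that may open a new (stateful) connection
pass in quick on fxp0 proto tcp from any to 192.0.2.10 port = 22 flags S/SA keep state
```

After the reboot, `ipfstat -io` shows the rules that were actually loaded and `ipfstat -s` the state table statistics, which separates a missing rule set from a restored state table that no longer matches the traffic.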