Running "sh /etc/rc.firewall" remotely (e.g. over ssh) locks the machine out if a preprocessor is used.
First, rules are flushed, then they should be reloaded, but -p option outputs "command is ..." even if -q option is used. This result in session disconnection *before* rules are actually reloaded, so only the default deny will be there. It is then oviously impossible to login again.
Notice that using screen (from the port tree) is a viable workaround, when no console access is possible.
4.x machines are not affected, unless ipfw2 is used instead of ipfw; all 5.x and later boxes use ipfw2, so should exhibit this problem, though I can only confirm this for 5.3.
As said above, use /usr/ports/misc/screen.
Alternatively, here is a patch for /usr/src/sbin/ipfw/ipfw2.c (this is for 5.3p5 (ipfw2.c,v 220.127.116.11), but so simple that it should not be difficult to adapt it to newer revisions):
< fprintf(stderr, "command is %s\n", av);
> if (!do_quiet)
> fprintf(stderr, "command is %s\n", av);
You will need to specify -q *before* -p. (This again would not too be difficult to fix).
How-To-Repeat: (Be sure either to have console access or to schedule a reboot before you begin).
Put the following line in /etc/rc.conf:
firewall_flags="-q -p /usr/bin/somepreprocessor"
Login remotely and issue "sh /etc/rc.firewall".
Over to maintainer(s).
For bugs matching the following criteria:
Status: In Progress Changed: (is less than) 2014-06-01
Reset to default assignee and clear in-progress tags.
Mail being skipped