Running "sh /etc/rc.firewall" remotely (e.g. over ssh) locks the machine out if a preprocessor is used. First, rules are flushed, then they should be reloaded, but -p option outputs "command is ..." even if -q option is used. This result in session disconnection *before* rules are actually reloaded, so only the default deny will be there. It is then oviously impossible to login again. Notice that using screen (from the port tree) is a viable workaround, when no console access is possible. 4.x machines are not affected, unless ipfw2 is used instead of ipfw; all 5.x and later boxes use ipfw2, so should exhibit this problem, though I can only confirm this for 5.3. Fix: As said above, use /usr/ports/misc/screen. Alternatively, here is a patch for /usr/src/sbin/ipfw/ipfw2.c (this is for 5.3p5 (ipfw2.c,v 1.54.2.3), but so simple that it should not be difficult to adapt it to newer revisions): 4031c4031,4032 < fprintf(stderr, "command is %s\n", av[0]); --- > if (!do_quiet) > fprintf(stderr, "command is %s\n", av[0]); You will need to specify -q *before* -p. (This again would not too be difficult to fix). How-To-Repeat: (Be sure either to have console access or to schedule a reboot before you begin). Put the following line in /etc/rc.conf: firewall_flags="-q -p /usr/bin/somepreprocessor" Login remotely and issue "sh /etc/rc.firewall".
Responsible Changed From-To: freebsd-bugs->freebsd-ipfw Over to maintainer(s).
For bugs matching the following criteria: Status: In Progress Changed: (is less than) 2014-06-01 Reset to default assignee and clear in-progress tags. Mail being skipped
Keyword: patch or patch-ready – in lieu of summary line prefix: [patch] * bulk change for the keyword * summary lines may be edited manually (not in bulk). Keyword descriptions and search interface: <https://bugs.freebsd.org/bugzilla/describekeywords.cgi>