After upgrade to 13.0-RELEASE ipfw locks the boxes

Discussion:

Valeri Galtsev

2021-05-23 16:36:47 UTC

Dear All,

as a lazy person, before I start rewriting all my ipfw scripts I decided to ask somebody’s else wisdom. It is possible that I missed something I have to do related to ipfw in this particular upgrade: from 12.2-RELEASE to 13.0-RELEASE

I have a bunch of boxes that I have rather similar (though not identical) ipfw scripts on, these were written a while back (around 8.x-RELEASE), and were just slightly modified on some occasions. None of previous upgrades 8 —> 9; 9 —> 10,.. 11 —> 12 led to any problems as far as ipfw is concerned. I was just rebooting the machine after kernel upgrade, and after userland upgrade and all pkg reinstallation, I was testing things as usually, no problem with ipfw.

After this upgrade: to 13.0-RELEASE, ipfw effectively locks any remote access to the box (except for ping). My first guess was I just missed relevant part in release notes (which I must confess I rarely read carefully), but I don’t find anything special related to ipfw.

I hope, someone points me too obvious “pilot error” I made. Before I start re-creating ipfw scripts, and testing every line in them as did when I was learning it when first started playing with ipfw.

Thanks in advance for all your answers.

Valeri

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++

LuMiWa via freebsd-questions

2021-05-23 16:42:33 UTC

Permalink

On Sun, 23 May 2021 11:36:47 -0500

Post by Valeri Galtsev
Dear All,
as a lazy person, before I start rewriting all my ipfw scripts I
decided to ask somebody’s else wisdom. It is possible that I missed
from 12.2-RELEASE to 13.0-RELEASE
I have a bunch of boxes that I have rather similar (though not
identical) ipfw scripts on, these were written a while back (around
8.x-RELEASE), and were just slightly modified on some occasions. None
of previous upgrades 8 —> 9; 9 —> 10,.. 11 —> 12 led to any problems
as far as ipfw is concerned. I was just rebooting the machine after
kernel upgrade, and after userland upgrade and all pkg
reinstallation, I was testing things as usually, no problem with ipfw.
After this upgrade: to 13.0-RELEASE, ipfw effectively locks any
remote access to the box (except for ping). My first guess was I just
missed relevant part in release notes (which I must confess I rarely
read carefully), but I don’t find anything special related to ipfw.
I hope, someone points me too obvious “pilot error” I made. Before I
start re-creating ipfw scripts, and testing every line in them as did
when I was learning it when first started playing with ipfw.
Thanks in advance for all your answers.
Valeri
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
_______________________________________________
https://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to

My IPFW start making problems too which I didn't have on
previous versions. I am not an expert and I just switch to PF 1 hour
ago.

--
“Thinking is difficult, that’s why most people judge.”

Carl Jung

Karl Dunn

2021-05-24 14:54:24 UTC

Permalink

On 5/23/21 11:36 AM CDT, Valeri Galtsev <***@kicp.uchicago.edu> wrote:

Dear All,

as a lazy person, before I start rewriting all my ipfw scripts I decided to ask somebody?s else wisdom. It is possible that I mi
ssed something I have to do related to ipfw in this particular upgrade: from 12.2-RELEASE to 13.0-RELEASE

I have a bunch of boxes that I have rather similar (though not identical) ipfw scripts on, these were written a while back (arou
nd 8.x-RELEASE), and were just slightly modified on some occasions. None of previous upgrades 8 ?> 9; 9 ?> 10,.. 11 ?> 12 led to
any problems as far as ipfw is concerned. I was just rebooting the machine after kernel upgrade, and after userland upgrade and
all pkg reinstallation, I was testing things as usually, no problem with ipfw.

After this upgrade: to 13.0-RELEASE, ipfw effectively locks any remote access to the box (except for ping). My first guess was I
just missed relevant part in release notes (which I must confess I rarely read carefully), but I don?t find anything special re
lated to ipfw.

I hope, someone points me too obvious ?pilot error? I made. Before I start re-creating ipfw scripts, and testing every line in t
hem as did when I was learning it when first started playing with ipfw.

Thanks in advance for all your answers.

Valeri

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++

Valeri:

A wild and unlikely guess (because ping works and nothing else does):

Interfaces name(s) have changed, e.g. what was em0 is now em1.

It might help to post relevant parts (or all) of dmesg, rc.conf and
loader.conf, and the (sanitized) ipfw rules.

I am on the digest for freebsd-auestions, so I will get your response
quicker if you copy me at ***@acm.org.

-- Karl Dunn ***@acm.org

Valeri Galtsev

2021-05-24 21:29:31 UTC

Permalink

Post by Valeri Galtsev
Dear All,
as a lazy person, before I start rewriting all my ipfw scripts I decided
to ask somebody?s else wisdom. It is possible that I mi
from 12.2-RELEASE to 13.0-RELEASE
I have a bunch of boxes that I have rather similar (though not
identical) ipfw scripts on, these were written a while back (arou
nd 8.x-RELEASE), and were just slightly modified on some occasions. None
of previous upgrades 8 ?> 9; 9 ?> 10,.. 11 ?> 12 led to
any problems as far as ipfw is concerned. I was just rebooting the
machine after kernel upgrade, and after userland upgrade and
all pkg reinstallation, I was testing things as usually, no problem
with ipfw.
After this upgrade: to 13.0-RELEASE, ipfw effectively locks any remote
access to the box (except for ping). My first guess was I
just missed relevant part in release notes (which I must confess I
rarely read carefully), but I don?t find anything special re
lated to ipfw.
I hope, someone points me too obvious ?pilot error? I made. Before I
start re-creating ipfw scripts, and testing every line in t
hem as did when I was learning it when first started playing with ipfw.
Thanks in advance for all your answers.
Valeri
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
Interfaces name(s) have changed, e.g. what was em0 is now em1.
It might help to post relevant parts (or all) of dmesg, rc.conf and
loader.conf, and the (sanitized) ipfw rules.
I am on the digest for freebsd-auestions, so I will get your response

Thank you, Karl!

Once I started collecting information Karl offered to look into, I had
to reboot machine(s) with ipfw enabled, and I discovered that all works
and ipfw does not lock the machine(s) off.

So, I figure my pilot error was: I did not disable ipfw for the duration
of all upgrade steps, namely:

freebsd-update upgrade -r 13.0-RELEASE

freebsd-update install

reboot

freebsd-update install

pkg update

pkg upgrade -y -f

freebsd-update install

and I discovered I'm locked off somewhere before last step (removing
unnecessary leftovers of previous system release on new system).

All is well on a bunch of systems, - on all systems I upgraded so far.

Bottom line: disable ipfw before starting upgrade; enable ipfw after ALL
STEPS of upgrade are accomplished.

Thanks a lot Karl!

Valeri

Post by Valeri Galtsev
_______________________________________________
https://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to

--
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++