# No network without open firewall. What am I missing?



## fredBSD (Mar 18, 2009)

I'm stumped. I'm obviously missing something obvious, so I need your help.

A headless PC running FreeBSD-6.4 gets its RFC1918 IP by DHCP from a Vigor 2820 router. It can only be pinged or connected to if the following lines exist in /etc/rc.conf:

```
firewall_enable="YES"
firewall_type="open"
```

Without those lines it's completely dead to the world and remains dead if I enable pf with the most open rules I can come up with:

```
# loopback: pass everything on lo0 and stop evaluating further rules
pass in quick on lo0 all
pass out quick on lo0 all

# everything else: pass and log all traffic in both directions
pass in log from any to any
pass out log from any to any
```
ifconfig shows it has the usual IP and is up and active, but I rather think it's using details from an old lease rather than getting a new one.

In fact, I've just discovered that without the two firewall_ lines I can't even ping 127.0.0.1 which has to be a major clue, but I'm tired and just can't get my head around it at the moment...

Thanks in advance.


----------



## anomie (Mar 18, 2009)

fredBSD said:

> firewall_enable="YES"
> firewall_type="open"
> 
> Without those lines it's completely dead to the world and remains dead if I enable pf with the most open rules I can come up with...



Note that the firewall_* directives refer to ipfw (not pf). It sounds like you're loading ipfw.ko (which has a default deny rule) and then when you remove your "open" ruleset you force it to fall back to its deny rule. 

To confirm this: 

`# kldstat | grep ipfw`

`# ipfw list`


----------



## fredBSD (Mar 18, 2009)

Thanks anomie, it was enough for me to realise what I had done. With the two ipfw lines in rc.conf, `# kldstat | grep ipfw` returned nothing!

Two other network interfaces were previously used as a dummynet bridge. I had compiled ipfw into the kernel to get it working and, as you said, without the "open" ruleset it was denying everything.

Luckily the kernel in /boot/kernel.old/ was generic, and it's now in use and my sanity is restored.
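
The trap in this thread is that `kldstat` only sees ipfw when it was loaded as a module; a kernel built with `options IPFIREWALL` carries ipfw with no ipfw.ko to list, and with no ruleset installed its default rule 65535 denies everything, loopback included. The script below is an added example, not code from the thread or from FreeBSD's rc.firewall. It turns anomie's two checks plus `sysctl -n net.inet.ip.fw.enable` (an OID that exists whenever ipfw is in the kernel, module or not) into a one-line verdict. The functions take command output as arguments so the logic can be exercised on any host with the constructed sample outputs at the bottom; the sample `kldstat` listing and the "open" ruleset are reconstructed by hand and are not captured from a real machine. Only `run_live` (invoked with `--live`) actually runs the commands, on a FreeBSD host.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD's rc.firewall.
# Tells apart "ipfw absent", "ipfw loaded as ipfw.ko" and "ipfw compiled
# into the kernel", and reports what the ruleset does, from the text that
# `kldstat`, `sysctl -n net.inet.ip.fw.enable` and `ipfw list` print.

# $1: kldstat output  $2: stdout of `sysctl -n net.inet.ip.fw.enable`
# Prints one of: absent | module | compiled-in
ipfw_presence() {
    if [ -z "$2" ]; then
        echo absent          # no net.inet.ip.fw.* OIDs: ipfw is not in this kernel
    elif printf '%s\n' "$1" | grep -q 'ipfw\.ko'; then
        echo module          # ipfw.ko is loaded
    else
        echo compiled-in     # OID exists but no module: options IPFIREWALL in the kernel
    fi
}

# $1: `ipfw list` output. Prints the action of the default rule 65535,
# which is deny unless the kernel has IPFIREWALL_DEFAULT_TO_ACCEPT.
ipfw_default_action() {
    printf '%s\n' "$1" | awk '$1 == 65535 { print $2; exit }'
}

# $1: `ipfw list` output. Prints "open" when some rule before 65535 allows
# all IP traffic unconditionally (firewall_type="open" installs such a rule
# as 65000); otherwise the default rule decides, so its action is printed.
# Rules with a tail such as "via lo0" have more than 7 fields and are skipped.
ipfw_policy() {
    if printf '%s\n' "$1" | awk '
        NF == 7 && $1 + 0 < 65535 && $2 == "allow" && $3 == "ip" &&
        $5 == "any" && $7 == "any" { found = 1 }
        END { exit !found }'; then
        echo open
    else
        ipfw_default_action "$1"
    fi
}

# $1: kldstat output  $2: sysctl output  $3: `ipfw list` output
ipfw_verdict() {
    presence=$(ipfw_presence "$1" "$2")
    if [ "$presence" = absent ]; then
        echo "ipfw absent, look elsewhere (pf, link, DHCP)"
    elif [ "$2" = 0 ]; then
        echo "ipfw $presence but net.inet.ip.fw.enable=0: not filtering"
    else
        echo "ipfw $presence, policy $(ipfw_policy "$3")"
    fi
}

# On a FreeBSD host run the three commands for real. stderr is dropped so an
# absent ipfw shows up as empty sysctl output rather than an error message.
run_live() {
    ipfw_verdict "$(kldstat 2>/dev/null)" \
                 "$(sysctl -n net.inet.ip.fw.enable 2>/dev/null)" \
                 "$(ipfw list 2>/dev/null)"
}

# Constructed sample outputs (not captured from any real machine).
# fredBSD's situation: kldstat shows no ipfw.ko, yet the sysctl is there.
KLDSTAT_NOMOD='Id Refs Address    Size     Name
 1    3 0xc0400000 8e0ac8   kernel
 2    1 0xc0ce1000 5a4d4    acpi.ko'
KLDSTAT_MOD="$KLDSTAT_NOMOD
 3    1 0xc6d3a000 11000    ipfw.ko"
SYSCTL_ON='1'
# Kernel ipfw with no ruleset installed: only the default rule exists.
LIST_CLOSED='65535 deny ip from any to any'
# What firewall_type="open" installs (reconstructed by hand for this example).
LIST_OPEN='00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
65000 allow ip from any to any
65535 deny ip from any to any'

if [ "${1-}" = --live ]; then
    run_live
else
    ipfw_verdict "$KLDSTAT_NOMOD" "$SYSCTL_ON" "$LIST_CLOSED"   # ipfw compiled-in, policy deny
    ipfw_verdict "$KLDSTAT_NOMOD" "$SYSCTL_ON" "$LIST_OPEN"     # ipfw compiled-in, policy open
    ipfw_verdict "$KLDSTAT_MOD"   "$SYSCTL_ON" "$LIST_OPEN"     # ipfw module, policy open
    ipfw_verdict "$KLDSTAT_NOMOD" ""           ""               # ipfw absent, look elsewhere (pf, link, DHCP)
fi
```

The first sample line is the thread's answer: kldstat is silent, the sysctl exists, and the only rule is 65535 deny, so nothing gets through, including 127.0.0.1, whatever pf is told. Note that pf and ipfw both hook the IP stack independently; a permissive pf ruleset cannot override an ipfw deny, which is why the "most open rules I can come up with" changed nothing.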


----------

