> On Dec 25, 2025, at 10:30 AM, Adrian Chadd <[email protected]> wrote:
>
> On Thu, 25 Dec 2025 at 10:09, FreeBSD User <[email protected]> wrote:
>>
>> On Thu, 25 Dec 2025 18:30:45 +0100 (CET)
>> Ronald Klop <[email protected]> wrote:
>>
>>> Do you use bpf or tap in your ipfw rules?
>>> A panic with that was mentioned on the 20th. And fixed in the meantime if I
>>> remember correctly. https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=291854
>>> Regards, Ronald
>>
>> Indeed, all boxes in question do have a tap0 at least defined - but in only
>> one case used.
>
> glebius@ did a bunch of bpf cleanup/refactoring in preparation for other work
> and there was some fallout.
>
> If you update to today's -HEAD and it's still broken then please file a bug
> and poke him about it so he can address it!
I'm still hitting the panic with a slightly older world, but a current kernel
(so it dies before I can install new world). I'll try rebuilding again, but my
last "git pull" didn't look like it touched anything ipfw related.
If the fix is to disable ipfw entirely until the new world is installed that's
also an option (it's a VM, I can snapshot it), but I'd like to hear if others
are hitting this. Sometimes the vm gets to the point of bootup and even lets
me ssh in, but still panics shortly after. I can get the panic data if need be,
but it would need to be captured from the virtual console (so would be an
image, there's no easy copy/paste).
I do *not* have a tap0 defined. My entire ruleset is below (and because it's
all tables based, I don't need to edit out private netblocks, yay).
I have already poked glebius, but you know, biggest holiday of the year and
all... I'm offering a datapoint for others. I don't start any jails on this
machine by default, but it is my poudriere machine.
-Dan
00100 79965 31249091 allow tcp from any to any established
00200 0 0 allow ip from any to any via lo0
00300 0 0 allow ip from any to any via lo1
00400 0 0 deny ip from any to 127.0.0.0/8 in
00500 0 0 deny ip from any to ::/64 in
00600 2 80 deny ip from table(bogons) to me in // unexpected sources
00700 0 0 deny ip from table(blocked) to me in // emergency (non-persistent) blocklist
00800 0 0 allow udp from me to any 33434-33600 // traceroute in
00900 0 0 allow udp from any to me 33434-33600 // traceroute out
01000 6517 488290 allow icmp from any to any icmptypes 0,3,8,11,13,14 // safe ICMPv4
01100 0 0 allow ipv6-icmp from :: to fe80::/10 // ICMPv6 DAD
01200 0 0 allow ipv6-icmp from fe80::/10 to fe80::/10 // ICMPv6 NDP
01300 0 0 allow ipv6-icmp from fe80::/10 to ff02::/16 // ICMPv6 NDP
01400 0 0 allow ipv6-icmp from any to any icmp6types 1,2,3,128,129,135,136 // safe ICMPv6
01500 0 0 check-state :default // permit stateful traffic
01600 961 57660 allow tcp from table(nrpe_clients) to me 5666 in setup // NRPE agent requests
01700 2587 150268 allow tcp from any to me 80,443 in setup // HTTP(s) requests
01800 121 7260 allow tcp from table(ssh_clients) to me 22 in setup // inbound SSH
01900 1 60 allow tcp from me to table(syslog_collectors) 1999 out setup // syslog-ng TCP outbound
02000 5026 381976 allow ip from me to table(ntp_servers) 123 keep-state :default // NTP outbound
02100 20 9644 allow udp from me to table(krb5_servers) 88 out keep-state :default // Kerberos outbound
02200 0 0 allow udp from me to table(krb5_servers) 464 out keep-state :default // kpasswd outbound
02300 0 0 allow tcp from me to table(krb5_servers) 464 out keep-state :default // kpasswd outbound
02400 574 49195 allow ip from me to any 53 keep-state :default // DNS outbound
02500 4 240 allow tcp from me to any out setup // default outbound
02600 0 0 deny ip from any to 224.0.0.0/4 // drop multicast
02700 8743 423405 reset log ip from any to any
65535 0 0 count ip from any to any not // orphaned dynamic states counter
65535 0 0 allow ip from any to any
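The thread turns on whether a ruleset references a tap interface (the bpf/tap panic in PR 291854) and on comparing rulesets pasted from mail, where long `ipfw show` lines get wrapped. The script below is an added example, not code from Dan or from the FreeBSD project: it re-joins wrapped lines, parses the `number packets bytes rule // comment` layout of `ipfw show`, and reports which interfaces and tables a ruleset touches, which rules match on a tap interface, and which rules have never matched. The sample input is constructed for the example; the `tap0` rule in it is hypothetical and is there only so the tap check has something to find.

```python
import re
from dataclasses import dataclass

# Constructed sample in `ipfw show` format. Two rules are wrapped across
# lines the way a mail client wraps them; the `via tap0` rule is hypothetical.
SAMPLE = """\
00100 79965 31249091 allow tcp from any to any established
00200 0 0 allow ip from any to any via lo0
00250 0 0 allow ip from any to any via tap0
00700 0 0 deny ip from table(blocked) to me in // emergency
(non-persistent) blocklist
01600 961 57660 allow tcp from table(nrpe_clients) to me 5666 in setup //
NRPE agent requests
02700 8743 423405 reset log ip from any to any
"""

# `ipfw show` prints: 5-digit rule number, packet counter, byte counter, rule text.
RULE_RE = re.compile(r"^(\d{5})\s+(\d+)\s+(\d+)\s+(.*)$")
IFACE_RE = re.compile(r"\b(?:via|recv|xmit)\s+(\S+)")
TABLE_RE = re.compile(r"table\(([^)]+)\)")


@dataclass
class Rule:
    number: int
    packets: int
    bytes: int
    body: str       # rule text without the trailing "// comment"
    comment: str    # comment text, or "" when the rule has none


def unwrap(text: str) -> list[str]:
    """Re-join continuation lines: any line that does not start a new rule
    is appended to the previous one (mail clients wrap long rules)."""
    lines: list[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if RULE_RE.match(line) or not lines:
            lines.append(line)
        else:
            lines[-1] = lines[-1] + " " + line
    return lines


def parse_rules(text: str) -> list[Rule]:
    """Parse `ipfw show` output into Rule records."""
    rules: list[Rule] = []
    for line in unwrap(text):
        m = RULE_RE.match(line)
        if not m:
            continue
        body, _, comment = m.group(4).partition(" //")
        rules.append(Rule(int(m.group(1)), int(m.group(2)), int(m.group(3)),
                          body.strip(), comment.strip()))
    return rules


def interfaces_referenced(rules: list[Rule]) -> set[str]:
    """Interfaces named by via/recv/xmit clauses."""
    return {name for r in rules for name in IFACE_RE.findall(r.body)}


def tables_referenced(rules: list[Rule]) -> set[str]:
    """Table names used anywhere in the ruleset."""
    return {name for r in rules for name in TABLE_RE.findall(r.body)}


def tap_rules(rules: list[Rule]) -> list[int]:
    """Rule numbers that match on a tap interface (the case PR 291854 is about)."""
    return [r.number for r in rules
            if any(n.startswith("tap") for n in IFACE_RE.findall(r.body))]


def zero_hit_rules(rules: list[Rule]) -> list[int]:
    """Rule numbers whose packet counter is still zero."""
    return [r.number for r in rules if r.packets == 0]


if __name__ == "__main__":
    rs = parse_rules(SAMPLE)
    print("interfaces:", sorted(interfaces_referenced(rs)))
    print("tables:    ", sorted(tables_referenced(rs)))
    print("tap rules: ", tap_rules(rs))
    print("zero hits: ", zero_hit_rules(rs))
```

To run it against a live box, replace `SAMPLE` with the output of `ipfw show` (or with a ruleset pasted from a mail, wrapped lines included). The unwrap step only keys on the leading five-digit rule number, so a comment that happens to start a line with digits would be misread; `ipfw show` itself never emits such a line, but hand-edited pastes can.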