Didn't truly experience the problem myself - as there was no activity on my
DMZ immediately after upgrading - and the fix came out so fast.
I did however notice that the firewall log got filled up with DNS requests
from my WAN-address (static IP w. NAT). Guess that must've been related to
the ipfilter issue?
(It's gone after upgrading to r585).
Thanks for the quick response.
...and once again; thanks for your work on the Traffic shaper part!

From: Manuel Kasper [mailto:mk at neon1 dot net]
Sent: 11. januar 2004 23:14
To: m0n0wall dash announce at lists dot m0n0 dot ch
Cc: m0n0wall at lists dot m0n0 dot ch
Subject: [m0n0wall] Fixed pb24 available

pb24r585, which fixes a bug related to the import of ipfilter
3.4.33pre2 into m0n0wall that manifested itself in problems with the
DNS forwarder when at least one optional interface was enabled, has
*** EVERYBODY WHO ALREADY RUNS pb24r584 IS STRONGLY URGED TO UPGRADE!
The problem was due to ipfilter 3.4.33pre2 aborting processing of the
ruleset when a duplicate rule was encountered, instead of just skipping
it and continuing as before. Even with the filter rule generator fixed
not to generate any duplicate default rules anymore, there is still the
possibility for a user to add duplicate rules via the webGUI (and thus
completely screwing up the ruleset). These may be hard to detect by the
webGUI code (take for example a rule with an alias that resolves to a
non-conflicting IP address when the rule is added, but the alias is
changed later on to create a duplicate rule - or simply a user-defined
rule that conflicts with an automatically generated one). As such, if
further ipfilter versions retain this behavior, they will be modified
for use in m0n0wall. As for now, we're back to ipfilter 3.4.31 (as in
pb23). I personally believe that it is very stupid to abort processing
a filter ruleset because of a problem with one single rule, and then
fail with only a part of the ruleset installed (instead of failing by
completely blocking everything).
Sorry for the inconvenience. Blame it on ipfilter. ;)
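
Added example, not part of the original messages and not m0n0wall's own code: a pre-load check that expands aliases in a generated ipf ruleset and reports rules that become identical, covering the case described above where a later alias change turns a user rule into a duplicate of an automatically generated one. The rule lines, interface name, addresses, the alias name `dnshost` and the convention that an alias appears as a bare token are all assumptions made for this example.

```python
"""Pre-load duplicate check for a generated ipf ruleset (added example)."""

def expand(rule, aliases):
    # Replace every token that names an alias with its current address and
    # collapse whitespace, so textual variants of one rule compare equal.
    return " ".join(aliases.get(tok, tok) for tok in rule.split())

def find_duplicates(rules, aliases):
    """Return (first_index, dup_index, expanded_rule) for each repeated rule."""
    seen, dups = {}, []
    for i, (_, rule) in enumerate(rules):
        key = expand(rule, aliases)
        if key in seen:
            dups.append((seen[key], i, key))
        else:
            seen[key] = i
    return dups

def dedupe(rules, aliases):
    """Keep the first occurrence of each expanded rule, preserving order.

    This mirrors the older "skip the duplicate and continue" behaviour.
    """
    drop = {dup for _, dup, _ in find_duplicates(rules, aliases)}
    return [expand(r, aliases) for i, (_, r) in enumerate(rules) if i not in drop]

# Constructed sample ruleset as (origin, rule text) pairs.
RULES = [
    ("auto", "pass in quick on fxp1 proto udp from any to 192.168.2.1 port = 53 keep state"),
    ("user", "pass in quick on fxp1 proto udp from any to dnshost port = 53 keep state"),
    ("user", "block in log quick on fxp1 from any to any"),
]
ALIASES_WHEN_ADDED = {"dnshost": "192.168.2.53"}  # no conflict at creation time
ALIASES_AFTER_EDIT = {"dnshost": "192.168.2.1"}   # later edit creates a duplicate

if __name__ == "__main__":
    for label, aliases in (("when added", ALIASES_WHEN_ADDED),
                           ("after alias edit", ALIASES_AFTER_EDIT)):
        for first, dup, text in find_duplicates(RULES, aliases):
            print(f"{label}: rule {dup} ({RULES[dup][0]}) duplicates "
                  f"rule {first} ({RULES[first][0]}): {text}")
        print(f"{label}: {len(dedupe(RULES, aliases))} rules to load")
```

Running the check every time the ruleset is regenerated, rather than only when a rule is added, is what catches the alias-change case.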