Date:      Tue, 18 Jun 2019 12:26:00 -0700
From:      "Ronald F. Guilmette" <rfg@tristatelogic.com>
Cc:        FreeBSD Net <freebsd-net@freebsd.org>, Mailinglists FreeBSD <freebsd-questions@freebsd.org>
Subject:   Re: Eliminating IPv6 (?)
Message-ID:  <23658.1560885960@segfault.tristatelogic.com>
In-Reply-To: <CAPS9+Stc5VpbEsho8OUdAe2AT=P6ukXfA4ZThTRZWNXtpZi3BA@mail.gmail.com>

In message <CAPS9+Stc5VpbEsho8OUdAe2AT=P6ukXfA4ZThTRZWNXtpZi3BA@mail.gmail.com>
Andreas Nilsson <andrnils@gmail.com> wrote:

>I have no ipv6 rules in ipfw when configuring rc.conf as:
>
>firewall_enable="YES"
>firewall_script="/etc/ipfw.rules".

I don't know what to say, other than that this was not my experience.

When I first noticed that /etc/rc.firewall was injecting rules into ipfw,
prior to my own set of explicitly specified rules, I went into the
script and edited it to try to cause it to stop doing at least some
of this (unwanted) behavior.  For example, please note the lines in
the following function which have been commented out:

setup_loopback() {
        ############
        # Only in rare cases do you want to change these rules
        #
        ${fwcmd} add 100 pass all from any to any via lo0
#       ${fwcmd} add 200 deny all from any to 127.0.0.0/8
#       ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
#       if [ $ipv6_available -eq 0 ]; then
#               ${fwcmd} add 400 deny all from any to ::1
#               ${fwcmd} add 500 deny all from ::1 to any
#       fi
}

Commenting out the lines shown above (as commented out) *did* make a
difference.

To be crystal clear, I found that even when I was explicitly requesting
that my own custom rule set be used, as per the instructions in the
Handbook (and as I have been doing already for lo these many years)
I found that "ipfw -a list" was showing that I was getting several
additional rules (which I personally DID NOT specify in my rules file)
and these additional rules were appearing in the output of "ipfw -a list"
AHEAD OF my own explicitly specified rules.  I traced this down and
quickly saw that these additional rules could only have come from the
(now commented out) lines shown above.  After I had commented those
lines out of the /etc/rc.firewall script and rebooted the system, the
rules in question no longer were visible in the output of "ipfw -a list".

I also made one other local change to the /etc/rc.firewall script, which is
illustrated by the following (locally revised) code snippet:

afexists inet6
#ipv6_available=$?
# disable creation of any/all IPv6 rules
ipv6_available=1

I can't remember anymore now if this had the desired effect or not.  It
certainly didn't seem to hurt anything, at least from my personal
perspective.  (But please remember, I am striving to -not- use IPv6
at all.)

Even with these multiple changes, the /etc/rc.firewall script is *still*
injecting its own "pass all from any to any via lo0" rule ahead of my
own explicitly specified rules.  (See the setup_loopback() function above.)

I do not have any objection to that perfectly sensible rule, so I did not
comment out the specific line of /etc/rc.firewall where that is added, ahead
of all user-specified rules.  But the point remains that /etc/rc.firewall
*is* injecting its own rules, even when the user has followed the Handbook's
prescription for how to take complete control of his/her own IPFW rule
writing.


Regards,
rfg
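The discrepancy described in this message, rules showing up in "ipfw -a list" that the user never put in the rules file, can be checked for mechanically. The following is an added example, not code from the message or from FreeBSD; it assumes the rules file numbers every rule explicitly ("add NNN ..."), as the rc.firewall snippet above does, and the "ipfw -a list" output and rules file are constructed stand-ins so it runs without a live ipfw.

```sh
#!/bin/sh
# Added example: report ipfw rules that are loaded but absent from the
# user's rules file. On a live system replace LIVE_RULES with
# "$(ipfw -a list)" and USER_RULES with "$(cat /etc/ipfw.rules)".

# Constructed sample of "ipfw -a list" output: rule number, packet and
# byte counters, then the rule body (ipfw prints "pass all" as "allow ip").
LIVE_RULES='00100 12 960 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00400 0 0 deny ip from any to ::1
00500 0 0 deny ip from ::1 to any
01000 40 3200 allow tcp from any to me 22 in
02000 7 560 deny ip from any to any
65535 3 240 deny ip from any to any'

# Constructed stand-in for the user's firewall_script rules file.
USER_RULES='fwcmd="/sbin/ipfw"
${fwcmd} -q flush
${fwcmd} add 1000 allow tcp from any to me 22 in
${fwcmd} add 2000 deny ip from any to any'

# Print "<number> <body>" for every live rule whose number is not added
# by the rules file. The default rule 65535 always exists and is skipped.
foreign_rules() {
    live=$1 file=$2
    file_nums=$(printf '%s\n' "$file" |
        sed -n 's/.*add[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p')
    printf '%s\n' "$live" | while read -r num _pkts _bytes body; do
        n=$(printf '%s' "$num" | sed 's/^0*//')   # 00100 -> 100
        if [ "$n" -eq 65535 ]; then continue; fi
        found=0
        for f in $file_nums; do
            if [ "$f" -eq "$n" ]; then found=1; break; fi
        done
        if [ "$found" -eq 0 ]; then printf '%s %s\n' "$n" "$body"; fi
    done
}

# Exit status 1 when foreign rules exist, so this can run from cron or a
# monitoring agent; the offending rules are printed for the operator.
check_ruleset() {
    out=$(foreign_rules "$1" "$2")
    if [ -n "$out" ]; then
        printf 'rules loaded but not in rules file:\n%s\n' "$out"
        return 1
    fi
    return 0
}

check_ruleset "$LIVE_RULES" "$USER_RULES"
```

With the constructed data the check flags exactly the five loopback rules that setup_loopback() injects (100 through 500) and is silent about rules 1000 and 2000, which the rules file added.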
