Date:      Sat, 10 Nov 2007 15:09:45 -0500
From:      Robert Huff <roberthuff@rcn.com>
To:        "Bob Johnson" <fbsdlists@gmail.com>
Cc:        freebsd-questions@freebsd.org
Subject:   7.0-B2 & IPFW/IP6FW interaction
Message-ID:  <18230.4105.874706.301172@jerusalem.litteratus.org>
In-Reply-To: <54db43990711101149k62ce4ac2m1cf797f1671ba6fa@mail.gmail.com>
References:  <54db43990711101149k62ce4ac2m1cf797f1671ba6fa@mail.gmail.com>


Bob Johnson writes:

>  On my test system, the IPv6 ruleset is loaded first, and then
>  when the IPv4 ruleset is loaded, the flush command in rc.firewall
>  removes all of the IPv6 rules, so I end up with default deny for
>  IPv6, plus all of my normal IPv4 rules. It's possible that this
>  interaction explains the other oddities I thought I've seen but
>  haven't reliably reproduced.
>  
>  I fixed it by removing the flush commands from both rc.firewall
>  and rc.firewall6, but I expect this broke the proper operation of
>  "/etc/rc.d/ipfw restart" (although I haven't actually tested
>  that. I just manually flush the rules if I need to restart the
>  firewall).

	There are a number of good reasons to Not Do That, which others
can explain better than I.
	Instead let me suggest you make a copy of those scripts, then
ponder this part of my rc.conf:

firewall_enable="YES"           # Set to YES to enable firewall functionality
firewall_type="UNKNOWN"       # Firewall type (see /etc/rc.firewall)
firewall_script="/etc/ipfw.master" # Use this instead of /etc/rc.firewall
ipv6_firewall_enable="YES"      # Set to YES to enable IPv6 firewall
ipv6_firewall_type="UNKNOWN"    # see /etc/rc.firewall6
ipv6_firewall_script="/etc/ipfw.v6.set" # Which script to run to
								# set up the IPv6 firewall
ipv6_firewall_flags=""  # see /etc/rc.firewall6


				Robert Huff
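One way to build the arrangement the rc.conf above points at, as an added example that is not code from the thread: a single master script for firewall_script= that flushes once and then loads both families' rules, so neither rc.firewall nor rc.firewall6 can wipe the other's work. It assumes ipfw2, where IPv4 and IPv6 rules share one table (which is exactly why the flush in rc.firewall removed the IPv6 rules); rule numbers and addresses are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the thread): one master ruleset script for the
# rc.conf knob firewall_script="/etc/ipfw.master".  Assumes ipfw2, where
# IPv4 and IPv6 rules share a single table, so "flush" must run exactly
# once, before either family's rules, instead of once per rc.firewall*.
# rc.d/ipfw passes firewall_type as $1; it is not needed here.
# Rule numbers and addresses are constructed sample values.

IPFW="${IPFW:-/sbin/ipfw}"   # override with IPFW=echo for a dry run

fw() { "$IPFW" -q "$@"; }

load_ipv4_rules() {
    fw add 100 allow ip4 from any to any via lo0
    fw add 200 deny ip4 from any to 127.0.0.0/8
    fw add 300 deny ip4 from 127.0.0.0/8 to any
    fw add 400 check-state
    fw add 500 allow tcp from me to any setup keep-state
}

load_ipv6_rules() {
    fw add 1100 allow ip6 from any to any via lo0
    fw add 1200 allow ipv6-icmp from any to any   # neighbour discovery, PMTU
    fw add 1300 allow tcp from me6 to any setup keep-state
}

# The only flush in the whole configuration lives here, ahead of both
# families, so a restart rebuilds the full v4+v6 ruleset.
load_firewall() {
    fw -f flush
    load_ipv4_rules
    load_ipv6_rules
    fw add 65000 deny log ip from any to any   # "ip" matches both families
}

# Apply for real only where an ipfw binary exists (i.e. on the FreeBSD box).
if [ -x "$IPFW" ]; then
    load_firewall
fi
```

With this in place, ipv6_firewall_enable can stay off, since the IPv6 rules are loaded by the same script.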


