From: Andreas Nilsson
Date: Tue, 18 Jun 2019 14:22:32 +0200
Subject: Re: Eliminating IPv6 (?)
To: Robert Huff
Cc: "Ronald F. Guilmette", FreeBSD Net, Mailinglists FreeBSD

On Tue, Jun 18, 2019 at 2:16 PM Robert Huff wrote:

>
> Ronald F. Guilmette writes:
>
> >  >Instead of messing with the system provided file you could
> >  >create a new one with only your own desired rules and then set
> >  >this rc.conf variable:
> >  >
> >  > firewall_script="/etc/rc.firewall"
> >
> >  Actually, no, that's not how one is supposed to enable one's own set
> >  of ipfw rules. To do that, the Handbook (Sec. 30.4.1) says very clearly
> >  that one should do:
> >
> >        firewall_enable="YES"
> >        firewall_type="path-to-my-rules-file"
> >
> >  But I'm glad you brought it up. The funny thing is that even that
> >  doesn't work properly nowadays *or* like it used to in the past.
>
>         If this is true - haven't checked personally - then it's a bug.
>         (And a non-trivial one, the fact you're the first to report it
> notwithstanding.)
>         Can you please open a bug report?
>
>
>                 Respectfully,
>
>
>                         Robert Huff
>

The bug being that firewall_type is used to specify a type in the default
/etc/rc.firewall file and firewall_script should be used to provide the path
to one's own ipfw script, right?

I have no ipv6 rules in ipfw when configuring rc.conf as:

    firewall_enable="YES"
    firewall_script="/etc/ipfw.rules"

The man page for rc.conf states:

     firewall_script
                 (str) This variable specifies the full path to the firewall
                 script to run.  The default is /etc/rc.firewall.

     firewall_type
                 (str) Names the firewall type from the selection in
                 /etc/rc.firewall, or the file which contains the local
                 firewall ruleset.  Valid selections from /etc/rc.firewall
                 are:

                 open      unrestricted IP access
                 closed    all IP services disabled, except via "lo0"
                 client    basic protection for a workstation
                 simple    basic protection for a LAN.

                 If a filename is specified, the full path must be given.

Best regards
Andreas
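
The distinction drawn in the rc.conf man page excerpt above, as an added example that is not part of the original message or of FreeBSD's own scripts: a small sh check that reads an rc.conf-style file and reports which ruleset source its firewall settings select. The function names `rc_get` and `fw_mode` and the output labels are hypothetical; the sample file is constructed from the settings quoted in the thread.

```shell
#!/bin/sh
# Added example (hypothetical helper names): report which ipfw ruleset
# source an rc.conf-style file selects, per the rc.conf(5) excerpt above.

# rc_get FILE VAR: print the last value assigned to VAR (later lines win).
# Handles simple VAR="value" / VAR=value lines; values with spaces are not supported.
rc_get() {
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"#[:space:]]*\)\"\{0,1\}.*/\1/p" "$1" |
        tail -n 1
}

# fw_mode FILE: print one label describing the effective configuration.
fw_mode() {
    fw_enable=$(rc_get "$1" firewall_enable)
    fw_script=$(rc_get "$1" firewall_script)
    fw_type=$(rc_get "$1" firewall_type)
    : "${fw_script:=/etc/rc.firewall}"   # default named in the excerpt

    case "$fw_enable" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) ;;
        *) echo "disabled"; return 0 ;;
    esac

    if [ "$fw_script" != /etc/rc.firewall ]; then
        # A custom script runs instead of the stock one; what firewall_type
        # means (if anything) is then up to that script.
        echo "custom-script:$fw_script"
        return 0
    fi

    case "$fw_type" in
        open|closed|client|simple) echo "builtin:$fw_type" ;;
        /*) echo "ruleset-file:$fw_type" ;;      # full path, as required
        "") echo "default-script-no-type" ;;
        # Neither a keyword listed in the excerpt nor a full path:
        *)  echo "unlisted-type:$fw_type" ;;
    esac
}

# Constructed sample: the configuration from the reply above.
sample=$(mktemp)
printf '%s\n' 'firewall_enable="YES"' \
              'firewall_script="/etc/ipfw.rules"' > "$sample"
fw_mode "$sample"
```

Running it against a live `/etc/rc.conf` before a reboot shows whether the custom rules are being loaded as a script or as a ruleset file, and flags a `firewall_type` value that is neither a listed keyword nor a full path.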