From: "John J. Donohue"
To: freebsd-gnats-submit@FreeBSD.org
Date: Thu, 15 Jul 2010 23:05:42 GMT
Subject: misc/148656: {oip} and {iip} variables in rc.firewall script undefined in FreeBSD 7.2 and 8.0

>Number:         148656
>Category:       misc
>Synopsis:       {oip} and {iip} variables in rc.firewall script undefined in FreeBSD 7.2 and 8.0
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jul 15 23:10:01 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     John J. Donohue
>Release:        6.1, 7.0, 7.2, 8.0
>Organization:
McAllen Public Library (City of McAllen)
>Environment:
FreeBSD internal-dns2.mcallen.lib.tx.us 8.0-RELEASE FreeBSD 8.0-RELEASE #0: Sat Nov 21 15:48:17 UTC 2009     root@almeida.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386
-----
FreeBSD maindhcp3.mcallen.lib.tx.us 7.2-RELEASE FreeBSD 7.2-RELEASE #1: Thu Feb 25 10:26:00 CST 2010     root@template.mcallen.lib.tx.us:/usr/src/sys/i386/compile/MIDDLEMAN  i386
>Description:
Under FreeBSD versions up to 7.0, the oif, onet, omask, oip, iif, inet, imask, and iip variables were explicitly defined in the SIMPLE segment of rc.firewall, as in:

    # set these to your outside interface network and netmask and ip
    oif="xl0"
    onet="192.168.224.0"
    omask="255.255.255.0"
    oip="192.168.224.4"

    # set these to your inside interface network and netmask and ip
    iif="xl1"
    inet="192.168.240.0"
    imask="255.255.255.0"
    iip="192.168.240.1"

Under versions 7.2 and 8.0, oif, onet, iif, and inet are defined in rc.conf:

    firewall_simple_oif="xl0"
    firewall_simple_onet="192.168.224.0/24"
    firewall_simple_iif="xl1"
    firewall_simple_inet="192.168.240.0/24"

and then substituted in the SIMPLE segment of rc.firewall:

    # Configuration:
    #   firewall_simple_iif:  Inside network interface.
    #   firewall_simple_inet: Inside network address.
    #   firewall_simple_oif:  Outside network interface.
    #   firewall_simple_onet: Outside network address.
    ############

    # set these to your outside interface network
    oif="$firewall_simple_oif"
    onet="$firewall_simple_onet"

    # set these to your inside interface network
    iif="$firewall_simple_iif"
    inet="$firewall_simple_inet"

oip and iip are not defined, declared or extracted anywhere and substitute as a value of '0' in script statements such as

    ${fwcmd} add pass tcp from 192.168.240.0/24 to ${iip} 22 via ${iif} setup

which upon an 'ipfw show' lists as

    allow tcp from 192.168.240.0/24 to 0.0.0.22 via xl1 setup
                                       ^^^^^^^^

instead of

    allow tcp from 192.168.240.0/24 to 192.168.240.1 dst-port 22 via xl1 setup
                                       ^^^^^^^^^^^^^^^^^^^^^^^^^

which was the original intent.
>How-To-Repeat:
Run the default included /etc/rc.firewall script using /etc/rc.conf:firewall_type="SIMPLE" and using any active ipfw statements that include {oip} and/or {iip} variable references.
>Fix:
MY SOLUTION:

I added the following to /etc/rc.conf:

    firewall_simple_oip="192.168.224.4"
    firewall_simple_iip="192.168.240.1"

and the following to the SIMPLE segment of rc.firewall:

    # Configuration:
    #   firewall_simple_iif:  Inside network interface.
    #   firewall_simple_inet: Inside network address.
--> #   firewall_simple_iip:  Inside ip address.
    #   firewall_simple_oif:  Outside network interface.
    #   firewall_simple_onet: Outside network address.
--> #   firewall_simple_oip:  Outside ip address.
    ############

    # set these to your outside interface network
    oif="$firewall_simple_oif"
    onet="$firewall_simple_onet"
--> oip="$firewall_simple_oip"

    # set these to your inside interface network
    iif="$firewall_simple_iif"
    inet="$firewall_simple_inet"
--> iip="$firewall_simple_iip"
>Release-Note:
>Audit-Trail:
>Unformatted:
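The expansion failure described in the report, together with a pre-flight check in the spirit of the proposed fix, as an added POSIX sh example that is not part of the PR or of FreeBSD's rc.firewall. build_ssh_rule, is_ipv4 and require_fw_vars are illustrative names; the rule text and addresses are the ones quoted above, and rules are printed rather than handed to /sbin/ipfw so the script runs without root or an ipfw kernel.

```sh
# Added example, not FreeBSD code: reproduces the SIMPLE-section expansion
# from the PR and adds a pre-flight check for the address variables it uses.
# Rules are echoed instead of passed to /sbin/ipfw.

# rc.firewall builds rule text by plain shell expansion. When iip is unset,
# "to ${iip} 22" collapses to "to  22" and ipfw(8) reads "22" as the address
# 0.0.0.22, which is the bogus rule the PR's 'ipfw show' output exposes.
build_ssh_rule() {
    # $1 = inside network, $2 = inside ip (possibly empty), $3 = inside interface
    printf '%s\n' "add pass tcp from $1 to $2 22 via $3 setup"
}

# Return 0 if $1 is a dotted quad with every octet in 0-255, 1 otherwise.
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for oct in "$@"; do
        [ -n "$oct" ] && [ "$oct" -le 255 ] || return 1
    done
    return 0
}

# Pre-flight check modelled on the PR's fix: every address variable the
# ruleset dereferences must be set and valid. Returns the number of failures,
# so a caller can refuse to load a ruleset built on empty expansions.
require_fw_vars() {
    failures=0
    for name in oip iip; do
        eval "value=\${$name}"
        if ! is_ipv4 "$value"; then
            printf 'rc.firewall: %s is unset or not an IPv4 address (got "%s")\n' \
                "$name" "$value" >&2
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Demonstration with the addresses from the PR: firewall_simple_oip/iip are
# absent from rc.conf (the 7.2/8.0 situation), so the check refuses to proceed.
iif="xl1"; inet="192.168.240.0/24"
oip="$firewall_simple_oip"; iip="$firewall_simple_iip"
require_fw_vars || echo "refusing to load ruleset; would have installed:" \
    "$(build_ssh_rule "$inet" "$iip" "$iif")" >&2
```

Setting firewall_simple_oip and firewall_simple_iip as the PR proposes makes require_fw_vars return 0 and the generated rule carry the intended inside address.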