From: Wojciech Puchar
To: Grant Peel
Cc: freebsd-questions@freebsd.org
Date: Mon, 15 Nov 2010 09:44:56 +0100 (CET)
Subject: Re: IPFW at startup.
User-Agent: Alpine 2.00 (BSF 1167 2008-08-23)

simply edit /etc/rc.d/ipfw and make it do only what you want.

On Sun, 14 Nov 2010, Grant Peel wrote:

> Hi all,
>
> I seem to have one server that does not flush the /etc/rc.firewall rules when
> the script taken from "firewall_type" starts up. That is to say when I boot
> the machine, 3 rules seem to be still in the list when I do an ipfw -a list.
> Those three rules appear to be from the /etc/rc.firewall script. The rules
> from my /etc/ipfw.rules file DO get loaded.
>
> Here are the three rules (100, 200, and 300), from /etc/rc.firewall.
>
> setup_loopback () {
>         ############
>         # Only in rare cases do you want to change these rules
>         #
>         ${fwcmd} add 100 pass all from any to any via lo0
>         ${fwcmd} add 200 deny all from any to 127.0.0.0/8
>         ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
>
> Here is my /etc/rc.conf setup:
>
> firewall_enable="YES"
> firewall_logging="YES"
> firewall_type="/etc/ipfw.rules"
>
> Here is my /etc/ipfw.rules:
>
> enterprise# more /etc/ipfw.rules
> # Loopback
> add 00001 allow ip from any to any via lo0
> # Office and Home
> add 00200 allow ip from xxx xxx xxx xxx xxx to any
> add 00201 allow ip from any to xxx xxx xxx xxx
> add 00202 allow all from xxx xxx xxx xxx to any
> add 00203 allow all from any to xxx xxx xxx xxx
> # Allow fxp0 out
> add 00204 allow all from any to any out
> # Allow local net
> add 02000 allow ip from any to any via fxp1
> # email
> add 04000 allow all from xxx xxx xxx xxx to any
> add 04010 allow all from any to xxx xxx xxx xxx
> add 04020 allow all from xxx xxx xxx xxx to any
> add 04030 allow all from any to xxx xxx xxx xxx
> add 04040 allow tcp from any to any 25,587
> add 04050 allow tcp from any 25,587 to any
> # Bruteblock
> add 08000 deny ip from table(1) to me
> add 08001 deny ip from me to table(1)
> add 09050 allow udp from any to any 53 in
> # Email Test
> add 09100 allow icmp from any to any icmptypes 0,3,4,5,8,9,10,11,12,13,14,15,16,17,18
> add 65535 deny ip from any to any
>
> Oddly enough, I have several machines that are set up identically and this is the
> only one that has sticky rules from /etc/rc.firewall.
>
> Anyone have any idea what knob might have been turned that causes the sticky
> startup rules?
>
> -Grant
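The three "sticky" rules quoted above are rc.firewall's loopback protection: rule 100 passes genuine loopback traffic on lo0, and rules 200 and 300 then deny any packet that still carries a 127.0.0.0/8 address, i.e. one that arrived on a real interface claiming to be local. Grant's own /etc/ipfw.rules has only the lo0 allow (rule 00001) and no equivalent of 200/300. The following first-match simulator, an added example that is not part of the thread and not FreeBSD code, shows what that difference means in practice. It handles only the subset of ipfw syntax used in the quoted file (add / allow / deny, proto, from/to with optional port lists, in/out, via); the masked "xxx" addresses are replaced with the documentation range 198.51.100.0/24 and "me" with 203.0.113.5, both constructed values, and the example assumes the three setup_loopback rules are installed before the firewall_type file is loaded, which is what the quoted message reports seeing.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Addresses this host owns; stands in for ipfw's "me" keyword (constructed).
LOCAL_ADDRS = {ipaddress.ip_address("203.0.113.5")}

# The three rules from rc.firewall's setup_loopback(), as quoted in the thread.
LOOPBACK_RULES = """\
add 100 pass all from any to any via lo0
add 200 deny all from any to 127.0.0.0/8
add 300 deny ip from 127.0.0.0/8 to any
"""

# Constructed ruleset modelled on the quoted /etc/ipfw.rules; the masked "xxx"
# addresses are replaced by the documentation prefix 198.51.100.0/24.
RULES_FILE = """\
add 00001 allow ip from any to any via lo0
add 00200 allow ip from 198.51.100.0/24 to any
add 00201 allow ip from any to 198.51.100.0/24
add 00204 allow all from any to any out
add 02000 allow ip from any to any via fxp1
add 04040 allow tcp from any to any 25,587
add 04050 allow tcp from any 25,587 to any
add 09050 allow udp from any to any 53 in
add 65535 deny ip from any to any
"""

# Subset of the ipfw rule grammar: port lists may follow either address.
RULE_RE = re.compile(
    r"^add\s+(?P<num>\d+)\s+(?P<action>allow|pass|accept|deny|drop)\s+"
    r"(?P<proto>\S+)\s+from\s+(?P<src>\S+)(?:\s+(?P<sports>[\d,]+))?"
    r"\s+to\s+(?P<dst>\S+)(?:\s+(?P<dports>[\d,]+))?(?P<opts>.*)$"
)


@dataclass
class Rule:
    num: int
    action: str                 # normalised to "allow" or "deny"
    proto: str                  # "ip" and "all" match every protocol
    src: str
    sports: FrozenSet[int]
    dst: str
    dports: FrozenSet[int]
    direction: Optional[str]    # "in", "out" or None (either)
    via: Optional[str]          # interface name or None (any)


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str              # "in" or "out"
    iface: str


def parse_ports(spec: Optional[str]) -> FrozenSet[int]:
    return frozenset(int(p) for p in spec.split(",")) if spec else frozenset()


def parse_rules(text: str) -> list:
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported rule syntax: {line}")
        opts = m.group("opts").split()
        via = opts[opts.index("via") + 1] if "via" in opts else None
        direction = next((o for o in opts if o in ("in", "out")), None)
        action = "allow" if m.group("action") in ("allow", "pass", "accept") else "deny"
        rules.append(Rule(int(m.group("num")), action, m.group("proto"),
                          m.group("src"), parse_ports(m.group("sports")),
                          m.group("dst"), parse_ports(m.group("dports")),
                          direction, via))
    # ipfw evaluates rules in number order; rules sharing a number keep the
    # order they were added in, which Python's stable sort preserves.
    return sorted(rules, key=lambda r: r.num)


def addr_matches(spec: str, addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    if spec == "any":
        return True
    if spec == "me":
        return ip in LOCAL_ADDRS
    return ip in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto not in ("ip", "all") and rule.proto != pkt.proto:
        return False
    if not addr_matches(rule.src, pkt.src) or not addr_matches(rule.dst, pkt.dst):
        return False
    if rule.sports and pkt.sport not in rule.sports:
        return False
    if rule.dports and pkt.dport not in rule.dports:
        return False
    if rule.direction and rule.direction != pkt.direction:
        return False
    return not rule.via or rule.via == pkt.iface


def evaluate(rules: list, pkt: Packet):
    """Return (action, rule number) of the first matching rule, as ipfw does."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action, rule.num
    return "deny", 65535        # ipfw's implicit default rule


if __name__ == "__main__":
    # A packet arriving on fxp0 that claims a loopback source address.
    spoofed = Packet("tcp", "127.0.0.1", 40000, "203.0.113.5", 25, "in", "fxp0")
    for label, text in (("ipfw.rules only", RULES_FILE),
                        ("setup_loopback + ipfw.rules", LOOPBACK_RULES + RULES_FILE)):
        print(f"{label}: {evaluate(parse_rules(text), spoofed)}")
```

With only the file's rules, the 127.0.0.1-sourced packet falls through to rule 04040 and is allowed; with the setup_loopback rules in front it is stopped at rule 300. Ordinary traffic from the office range is unaffected, so if /etc/rc.d/ipfw or rc.firewall is trimmed as suggested above, the anti-spoofing deny rules are worth carrying over into the ruleset file rather than dropped.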