Date: Wed, 15 Sep 2010 14:39:06 +1000 (EST)
From: Ian Smith <smithi@nimnet.asn.au>
To: Brandon Gooch <jamesbrandongooch@gmail.com>
Cc: Gareth de Vaux <bsd@lordcow.org>, ipfw@freebsd.org
Subject: Re: phantom rules
Message-ID: <20100915134357.A73353@sola.nimnet.asn.au>
In-Reply-To: <AANLkTikjBA4aBXJ1JO%2B28CkNmcbC4qYkcmueTQhPnA0J@mail.gmail.com>
References: <20100909131733.GA21535@lordcow.org> <AANLkTikjBA4aBXJ1JO%2B28CkNmcbC4qYkcmueTQhPnA0J@mail.gmail.com>
On Tue, 14 Sep 2010, Brandon Gooch wrote:

> On Thu, Sep 9, 2010 at 8:17 AM, Gareth de Vaux <bsd@lordcow.org> wrote:
> > Hi all, for some reason these rules get loaded on boot up before the
> > ones I specify in a file:
> >
> > 00100 0 0 allow ip from any to any via lo0
> > 00200 0 0 deny ip from any to 127.0.0.0/8
> > 00300 0 0 deny ip from 127.0.0.0/8 to any
> > 00400 0 0 deny ip from any to ::1
> > 00500 0 0 deny ip from ::1 to any
> > 00600 0 0 allow ipv6-icmp from :: to ff02::/16
> > 00700 0 0 allow ipv6-icmp from fe80::/10 to fe80::/10
> > 00800 0 0 allow ipv6-icmp from fe80::/10 to ff02::/16
> > 00900 0 0 allow ipv6-icmp from any to any ip6 icmp6types 1
> > 01000 0 0 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
> >
> > I just flush this manually but how do I stop the behaviour properly?
> >
> > My rc.conf entries:
> >
> > firewall_enable="YES"
> > firewall_type="/usr/local/etc/firewall"
> > firewall_logging="YES"
>
> I would begin by reading:
>
> $ man 7 firewall
> $ man 5 rc.conf
> $ less /etc/rc.firewall
>
> I think the source of /etc/rc.firewall may be most enlightening in
> regard to the behavior in question (setup_loopback(),
> setup_ipv6_mandatory(), etc...).
Indeed, that's where these have come from (and Gareth, you DO want those
rules, including the ipv6_mandatory ones if running ipv6), but I suspect
that you may have rather intended this to be:

firewall_script="/usr/local/etc/firewall"

Otherwise - see /etc/defaults/rc.conf for firewall_* - you'll have set:

firewall_script="/etc/rc.firewall"  # Which script to run to set up the firewall
firewall_type="UNKNOWN"             # Firewall type (see /etc/rc.firewall)
firewall_quiet="NO"                 # Set to YES to suppress rule display
firewall_logging="NO"               # Set to YES to enable events logging
firewall_flags=""                   # Flags passed to ipfw when type is a file

Since you are (by default) using /etc/rc.firewall as the script, if you
specify firewall_type as a file rather than one of those types directly
handled by rc.firewall, then this file is not expected to be a shell
script, but a list of ipfw commands to be directly consumed by ipfw:

     ipfw [-cfnNqS] [-p preproc [preproc-flags]] pathname

t23# tail -n6 /etc/rc.firewall
*)
        if [ -r "${firewall_type}" ]; then
                ${fwcmd} ${firewall_flags} ${firewall_type}
        fi
        ;;
esac

> Have fun, and don't get discouraged (speaking from experience)

You'll have more fun if you study ipfw(8) rather than trying to learn
much from the dreadful and often just WRONG Handbook section on ipfw ..

>
> :)
>
> -Brandon

cheers, Ian
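The firewall_type-versus-firewall_script distinction Ian describes can be checked mechanically. The script below is an added example, not code from this thread or from FreeBSD: it reads the firewall_* settings from an rc.conf-style fragment and reports how /etc/rc.firewall would treat them, using constructed sample files; the list of built-in type names it recognises is an assumption, not taken from the thread.

```sh
#!/bin/sh
# Added example, not code from the thread or from FreeBSD: classify how
# /etc/rc.firewall would treat the firewall_* settings in an rc.conf fragment,
# to catch the firewall_type-vs-firewall_script mix-up described above.

# Value of VAR in FILE, rc.conf style: last assignment wins, trailing
# comment and surrounding double quotes stripped. Usage: rc_get FILE VAR
rc_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 |
        sed 's/[[:space:]]*#.*$//; s/^"//; s/"$//'
}

# Print one word for what rc.firewall would do with FILE's settings:
#   disabled        firewall_enable is not YES
#   custom-script   firewall_script points away from /etc/rc.firewall
#   builtin-type    firewall_type is one of rc.firewall's own type names
#                   (assumed list: open client simple closed workstation unknown)
#   rules-file      firewall_type is a readable file handed straight to ipfw
#   script-as-type  that file starts with "#!": a shell script, whose lines
#                   are not ipfw commands and so cannot be fed to ipfw
#   missing-file    firewall_type is neither a type name nor a readable file
fw_mode() {
    enable=$(rc_get "$1" firewall_enable)
    script=$(rc_get "$1" firewall_script)
    fwtype=$(rc_get "$1" firewall_type)
    [ -n "$script" ] || script=/etc/rc.firewall   # /etc/defaults/rc.conf value
    case "$enable" in [Yy][Ee][Ss]) ;; *) echo disabled; return 0 ;; esac
    [ "$script" = /etc/rc.firewall ] || { echo custom-script; return 0; }
    case "$(printf '%s' "$fwtype" | tr 'A-Z' 'a-z')" in
        open|client|simple|closed|workstation|unknown) echo builtin-type; return 0 ;;
    esac
    if [ ! -r "$fwtype" ]; then echo missing-file
    elif head -n 1 "$fwtype" | grep -q '^#!'; then echo script-as-type
    else echo rules-file
    fi
}

# Constructed sample files so the example runs on its own.
D=$(mktemp -d)
printf 'add allow ip from any to any via lo0\nadd deny ip from any to 127.0.0.0/8\n' >"$D/rules"
printf '#!/bin/sh\n/sbin/ipfw add allow ip from any to any via lo0\n' >"$D/script"
printf 'firewall_enable="YES"\nfirewall_type="%s"\nfirewall_logging="YES"\n' "$D/rules" >"$D/as_posted.conf"
printf 'firewall_enable="YES"\nfirewall_script="%s" # run instead of rc.firewall\n' "$D/script" >"$D/corrected.conf"
printf 'firewall_enable="YES"\nfirewall_type="%s"\n' "$D/script" >"$D/script_as_type.conf"
for c in as_posted corrected script_as_type; do
    printf '%s: %s\n' "$c" "$(fw_mode "$D/$c.conf")"
done
```

Run it as-is to see the three verdicts; point fw_mode at your own /etc/rc.conf to check a live configuration.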