Date: Tue, 16 Nov 2010 00:29:49 +1100 (EST)
From: Ian Smith <smithi@nimnet.asn.au>
To: Grant Peel <gpeel@thenetnow.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: IPFW at startup.
Message-ID: <20101115230721.T39988@sola.nimnet.asn.au>
In-Reply-To: <20101115111955.438801065754@hub.freebsd.org>
References: <20101115111955.438801065754@hub.freebsd.org>
In freebsd-questions Digest, Vol 337, Issue 1, Message: 15
On Sun, 14 Nov 2010 17:50:47 -0500 "Grant Peel" <gpeel@thenetnow.com> wrote:

> I seem to have one server that does not flush the /etc/rc.firewall rules
> when the script taken from "firewall_type" starts up. That is to say when I
> boot the machine, 3 rules seem to be still in the list when I do an ipfw -a
> list. Those three rules appear to be from the /etc/rc.firewall script. The
> rules from my /etc/ipfw.rules file DO get loaded.
>
> Here are the three rules (100, 200, and 300), from /etc/rc.firewall.
>
> setup_loopback () {
> ############
> # Only in rare cases do you want to change these rules
> #
> ${fwcmd} add 100 pass all from any to any via lo0
> ${fwcmd} add 200 deny all from any to 127.0.0.0/8
> ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
>
> Here is my /etc/rc.conf setup:
>
> firewall_enable="YES"
> firewall_logging="YES"
> firewall_type="/etc/ipfw.rules"
>
> Here is my /etc/ipfw.rules:
>
> enterprise# more /etc/ipfw.rules
> # Loopback
> add 00001 allow ip from any to any via lo0
> # Office and Home

Ok, looking through your /etc/rc.firewall you should find:

############
# Flush out the list before we begin.
#
${fwcmd} -f flush

setup_loopback

which installs those rules straight after the flush.

Browsing bits of http://www.freebsd.org/cgi/cvsweb.cgi/src/etc/rc.firewall
shows the last version that does NOT run setup_loopback in ALL cases is
RELENG_6.

Anyway, apart from the fact that rules 200 and 300 are worth having, all
you need to do to remove those rules is to make your first rule:

-f flush

I'll refrain from comment on your ruleset, except that:

> add 65535 deny ip from any to any

you can't actually override the default rule, which is either 'deny' or
'allow' according to the value of net.inet.ip.fw.default_to_accept which
depends on a kernel build option, so you might use say 65000 to be sure.
> Oddly enough, I have several machines that are set up identically and this is
> the only one that has sticky rules from /etc/rc.firewall.
>
> Anyone have any idea what knob might have been turned that causes the
> sticky startup rules?

If those systems are >= 7.0, maybe they have an older /etc/rc.firewall?

cheers, Ian
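As an added example (my own script, not code from this thread, from Grant's
server or from FreeBSD's rc.firewall), here is a small shell lint that applies
the two points in Ian's reply to a rules file of the kind loaded through
firewall_type="/etc/ipfw.rules": the first effective line must be "-f flush"
so the setup_loopback rules (100, 200, 300) do not linger in front of yours,
and no rule may be numbered 65535, since that is the kernel's default rule and
cannot be replaced. The sample rulesets it writes are constructed; the
"before" one is reconstructed from the fragments Grant quoted plus his 65535
line, and the "after" one keeps the 127/8 rules Ian says are worth having.
The function and file names are mine.

```sh
#!/bin/sh
# Added example, not part of the thread: lint an ipfw(8) rules file of the
# kind loaded via firewall_type="/etc/ipfw.rules" in /etc/rc.conf.
# It checks the two points from Ian's reply:
#   1. the first effective line must be "-f flush", otherwise the rules that
#      /etc/rc.firewall installs via setup_loopback (100, 200, 300) stay in
#      place in front of yours;
#   2. no "add" may use rule number 65535: that is the kernel's default rule,
#      whose action is fixed at build time (net.inet.ip.fw.default_to_accept)
#      and cannot be replaced, so a final catch-all belongs at 65000 or lower.
# Nothing here talks to the kernel, so it is safe to run on any host.

# lint_ipfw_rules FILE: print one line per finding; exit 0 if clean, 1 if not.
lint_ipfw_rules() {
    file=$1
    rc=0

    # First non-comment, non-blank line, normalised to "word1 word2"
    # (ipfw strips everything after '#' when it reads a file, so do the same).
    first=$(awk '{ sub(/#.*/, "") } NF { print $1, $2; exit }' "$file")
    if [ "$first" != "-f flush" ]; then
        printf '%s: first rule is "%s", expected "-f flush" (rc.firewall loopback rules will linger)\n' \
            "$file" "$first"
        rc=1
    fi

    # Any "add NNNNN ..." whose number is the unreplaceable default rule.
    for n in $(awk '{ sub(/#.*/, "") } $1 == "add" && $2 ~ /^[0-9]+$/ && $2 + 0 >= 65535 { print $2 }' "$file"); do
        printf '%s: rule %s is the default rule number and cannot be overridden; renumber to 65000 or lower\n' \
            "$file" "$n"
        rc=1
    done

    return $rc
}

# write_samples DIR: constructed sample rulesets (hypothetical files; the
# "before" one is reconstructed from the fragments Grant quoted).
write_samples() {
    dir=$1
    # As posted: no flush, and a catch-all on the default rule number.
    cat > "$dir/before.rules" <<'EOF'
# Loopback
add 00001 allow ip from any to any via lo0
# Office and Home
add 65535 deny ip from any to any
EOF
    # Fixed: flush first, keep rc.firewall's 127/8 anti-spoof rules (Ian says
    # 200 and 300 are worth having), and end with an explicit deny at 65000.
    cat > "$dir/after.rules" <<'EOF'
-f flush
# Loopback and 127/8 anti-spoofing, same as rc.firewall's setup_loopback
add 00100 allow ip from any to any via lo0
add 00200 deny ip from any to 127.0.0.0/8
add 00300 deny ip from 127.0.0.0/8 to any
# Office and Home rules go here
add 65000 deny ip from any to any
EOF
}

# Demo when run directly: lint both samples.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
lint_ipfw_rules "$demo_dir/before.rules" || echo "before.rules: needs fixing"
lint_ipfw_rules "$demo_dir/after.rules" && echo "after.rules: clean"
rm -rf "$demo_dir"
```

To check a real host, run lint_ipfw_rules /etc/ipfw.rules before rebooting.
After the fix, ipfw -a list at boot should show only your own rules plus the
kernel's 65535 default, whose action you can confirm with
sysctl net.inet.ip.fw.default_to_accept rather than trying to replace it.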