From: Ian Smith
To: Grant Peel
Cc: freebsd-questions@freebsd.org
Date: Tue, 16 Nov 2010 00:29:49 +1100 (EST)
Subject: Re: IPFW at startup.
Message-ID: <20101115230721.T39988@sola.nimnet.asn.au>
In-Reply-To: <20101115111955.438801065754@hub.freebsd.org>

In freebsd-questions Digest, Vol 337, Issue 1, Message: 15
On Sun, 14 Nov 2010 17:50:47 -0500 "Grant Peel" wrote:

 > I seem to have one server that does not flush the /etc/rc.firewall rules
 > when the script taken from "firewall_type" starts up. That is to say, when I
 > boot the machine, 3 rules seem to be still in the list when I do an ipfw -a
 > list. Those three rules appear to be from the /etc/rc.firewall script. The
 > rules from my /etc/ipfw.rules file DO get loaded.
 >
 > Here are the three rules (100, 200, and 300), from /etc/rc.firewall.
 >
 > setup_loopback () {
 > ############
 > # Only in rare cases do you want to change these rules
 > #
 > ${fwcmd} add 100 pass all from any to any via lo0
 > ${fwcmd} add 200 deny all from any to 127.0.0.0/8
 > ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
 >
 > Here is my /etc/rc.conf setup:
 >
 > firewall_enable="YES"
 > firewall_logging="YES"
 > firewall_type="/etc/ipfw.rules"
 >
 > Here is my /etc/ipfw.rules:
 >
 > enterprise# more /etc/ipfw.rules
 > # Loopback
 > add 00001 allow ip from any to any via lo0
 > # Office and Home

Ok, looking through your /etc/rc.firewall you should find:

############
# Flush out the list before we begin.
#
${fwcmd} -f flush

setup_loopback

which installs those rules straight after the flush.

Browsing bits of http://www.freebsd.org/cgi/cvsweb.cgi/src/etc/rc.firewall
shows the last version that does NOT run setup_loopback in ALL cases is
RELENG_6.

Anyway, apart from the fact that rules 200 and 300 are worth having, all
you need to do to remove those rules is to make your first rule:

-f flush

I'll refrain from comment on your ruleset, except that:

 > add 65535 deny ip from any to any

you can't actually override the default rule, which is either 'deny' or
'allow' according to the value of net.inet.ip.fw.default_to_accept, which
depends on a kernel build option, so you might use say 65000 to be sure.

 > Oddly enough, I have several machines that are set up identically and this is
 > the only one that has sticky rules from /etc/rc.firewall.
 >
 > Any one have any idea what knob might have been turned that causes the
 > sticky startup rules?

If those systems are >= 7.0, maybe they have an older /etc/rc.firewall?

cheers, Ian
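The two points Ian raises (the custom file must start with "-f flush" to clear rc.firewall's loopback rules, and rule 65535 is the kernel default rule and cannot be replaced) can be checked mechanically before rebooting. The following POSIX sh lint is an added example for this thread, not part of the original mail or of FreeBSD's rc.firewall; the sample rules files it writes are constructed, not Grant's real configuration.

```shell
#!/bin/sh
# Lint a firewall_type="/path/to/file" ruleset for the two problems in the thread.

make_sample() {
    # $1 = path; constructed file with both problems (no flush, rule 65535)
    cat > "$1" <<'EOF'
# Loopback
add 00001 allow ip from any to any via lo0
# Office and Home
add 01000 allow ip from 192.0.2.0/24 to any
add 65535 deny ip from any to any
EOF
}

make_fixed_sample() {
    # $1 = path; constructed file with the fixes Ian suggests
    cat > "$1" <<'EOF'
-f flush
add 00001 allow ip from any to any via lo0
add 01000 allow ip from 192.0.2.0/24 to any
add 65000 deny ip from any to any
EOF
}

lint_ipfw_rules() {
    # $1 = rules file; prints one finding per line, returns 0 when clean
    file=$1
    status=0
    # first line that is neither blank nor a comment
    first=$(grep -v '^[[:space:]]*#' "$file" | grep -v '^[[:space:]]*$' | head -n 1)
    if [ "$first" != "-f flush" ]; then
        echo "first rule is '$first', expected '-f flush': rc.firewall's rules 100/200/300 will persist"
        status=1
    fi
    # 65535 is the kernel default rule; "add 65535" cannot override it
    if grep -Eq '^[[:space:]]*add[[:space:]]+0*65535([[:space:]]|$)' "$file"; then
        echo "rule 65535 is the kernel default rule; use a lower number such as 65000"
        status=1
    fi
    return $status
}
```

Run it against a file with "lint_ipfw_rules /etc/ipfw.rules"; the same check applies to a 7.x or later /etc/rc.firewall that always calls setup_loopback.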