From owner-freebsd-stable Wed Jun 10 08:08:50 1998
Message-Id: <199806101505.IAA05083@cwsys.cwsent.com>
Reply-to: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
To: Jeff Kletsky
cc: freebsd-stable@FreeBSD.ORG
Subject: Re: rc.firewall and ipfw commands
In-reply-to: Your message of "Sun, 07 Jun 1998 12:54:29 PDT."
Date: Wed, 10 Jun 1998 08:04:50 -0700
Sender: owner-freebsd-stable@FreeBSD.ORG

In my firewall configurations I modify rc.firewall to recognize a "user" firewall type (for user defined) and specify firewall_type="user" in my rc.conf. The "user" firewall type executes /usr/local/etc/rc.firewall.local instead of one of the predefined firewall types in rc.firewall.

This may be a handy feature in the stock FreeBSD rc.firewall. If anyone wishes I can submit a PR to have this included in the FreeBSD distribution.

Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Open Systems Group          Internet:  cschuber@uumail.gov.bc.ca
ITSD                                   Cy.Schubert@gems8.gov.bc.ca
Government of BC

> After building from 2.2.6-STABLE I came across a bit of a puzzle with the
> apparent loss of DNS and a lot of other services on my machine. The
> "problem" is that the rule numbers for the hard-wired rules in rc.firewall
> have been changed:
>
>     $fwcmd add 100 pass all from any to any via lo0
>     $fwcmd add 200 deny all from any to 127.0.0.0/8
>
> Now, if you are using the supplied named firewall options, you're ok. If
> you are using a file containing commands, or other utilities which modify
> the firewall, you could be in trouble (I happen to use the
> previously-unused rule 100 to monitor what's bringing up dial-on-demand
> ppp, so it is routinely deleted and added as the link changes state).
>
> Short-term fix:
> ---------------
> Leave the rules in place so the named firewall types work.
> Change rc.firewall to read:
>
>     $fwcmd -f flush # because "-f flush" fails in a file*
>     $fwcmd ${firewall_type}
>
>
> Long-term fix:
> --------------
>
> Convince the powers that be to only add the "standard" rules for the named
> firewall types.
>
>
>
> Jeff
>
> * Including "-f flush" as the first line of the file causes the next ipfw
> command in the sequence to abort execution...
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-stable" in the body of the message
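
The collision described in the quoted message, as an added example that is not part of the original thread: a POSIX sh lint for an ipfw command file that flags `add` or `delete` of the rule numbers rc.firewall now hard-wires (100 and 200, taken from the message) and any `flush` line, which the message reports as failing inside a file. The function names, the finding format and the sample rules are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeBSD.
# Rule numbers 100 and 200 are the hard-wired rc.firewall rules quoted above.
RESERVED_RULES="100 200"

# check_ipfw_file FILE   (FILE may be "-" for standard input)
# Prints one finding per line as LINE:KIND:DETAIL; returns 1 if any finding.
check_ipfw_file() {
    awk -v reserved="$RESERVED_RULES" '
        BEGIN { n = split(reserved, r, " "); for (i = 1; i <= n; i++) res[r[i]] = 1 }
        /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
        {
            # A flush inside the file is reported to abort the following command.
            for (i = 1; i <= NF; i++)
                if ($i == "flush") { print NR ":flush:" $0; bad = 1 }
            # Find the verb, skipping leading options such as -q or -f.
            v = 1
            while (v <= NF && $v ~ /^-/) v++
            # "add N" with a reserved N collides with the hard-wired rule.
            if ($v == "add" && ($(v + 1) in res)) {
                print NR ":add-reserved:" $(v + 1); bad = 1
            }
            # "delete N [N ...]" naming a reserved N removes the hard-wired rule.
            if ($v == "delete")
                for (i = v + 1; i <= NF; i++)
                    if ($i in res) { print NR ":delete-reserved:" $i; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample rules file (ipfw commands without the leading "ipfw").
sample_rules() {
    cat <<'EOF'
# constructed sample, for illustration only
-f flush
add 100 count tcp from any to any
add 1000 pass all from any to any
delete 100
EOF
}

# Demo run on the constructed sample; "|| true" because findings return 1.
sample_rules | check_ipfw_file - || true
```

Run it against the file named in firewall_type (or a local rules file such as the rc.firewall.local mentioned above) after each upgrade of rc.firewall, updating `RESERVED_RULES` if the hard-wired numbers change again.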