From owner-freebsd-ipfw@freebsd.org Fri Dec 29 19:06:43 2017
From: bugzilla-noreply@freebsd.org
To: freebsd-ipfw@FreeBSD.org
Subject: [Bug 167822] [ipfw] [patch] start script doesn't load firewall_type if set in rc.conf.d/ipfw
Date: Fri, 29 Dec 2017 19:06:41 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: changed
X-Bugzilla-Product: Base System
X-Bugzilla-Component: conf
X-Bugzilla-Version: 8.2-RELEASE
X-Bugzilla-Severity: Affects Only Me
X-Bugzilla-Who: dsx@bsdsx.fr
X-Bugzilla-Status: In Progress
X-Bugzilla-Priority: Normal
X-Bugzilla-Assigned-To: freebsd-ipfw@FreeBSD.org
X-Bugzilla-Changed-Fields: cc
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
List-Id: IPFW Technical Discussions

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=167822

Freddy DISSAUX changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dsx@bsdsx.fr

--- Comment #3 from Freddy DISSAUX ---
If ipfw is configured like this:

/etc/rc.conf.d/ipfw/_networks
    firewall_ipv4="172.16.200.0/24 172.17.200.0/24 172.16.10.0/24 172.17.10.0/24"
    firewall_ipv6="2a01:db8:cafe:f660::/64 2a01:db8:cafe:f666::/64"

/etc/rc.conf.d/ipfw/ipfw
    firewall_enable="YES"
    firewall_type="workstation"
    firewall_myservices="ssh/tcp"
    firewall_allowservices="$firewall_ipv4 $firewall_ipv6"
    firewall_coscripts="/etc/rc.conf.d/ipfw_local"

/etc/rc.conf.d/ipfw/log
    firewall_quiet="NO"
    firewall_logging="YES"
    firewall_logif="YES"
    firewall_logdeny="YES"

the firewall_type variable will still be set to UNKNOWN.

If I understand:

/etc/rc.d/ipfw start
- source /etc/rc.subr
- call load_rc_config ipfw (firewall_* are available)
- $firewall_script is set to /etc/rc.firewall (default)
- call /bin/sh /etc/rc.firewall

/etc/rc.firewall
- test if source_rc_confs_defined (always false)
- source /etc/rc.defaults/rc.conf => firewall_type set to 'UNKNOWN'
- source rc.subr (but does not call load_rc_config !!!)
- test firewall_type (UNKNOWN) => fail

With the attached patch, ipfw is configured as expected:

$ sudo ipfw list | grep 22$
02500 allow tcp from 172.16.200.0/24 to me dst-port 22
02600 allow tcp from 172.17.200.0/24 to me dst-port 22
02700 allow tcp from 172.16.10.0/24 to me dst-port 22
02800 allow tcp from 172.17.10.0/24 to me dst-port 22
02900 allow tcp from 2a01:db8:cafe:f660::/64 to me dst-port 22
03000 allow tcp from 2a01:db8:cafe:f666::/64 to me dst-port 22

With pirzyk's patch I can force firewall_type (using my configuration):

$ sudo ipfw list | wc -l
40
$ sudo service ipfw stop
$ sudo service ipfw start open
$ sudo ipfw list | wc -l
12
$ sudo service ipfw stop
$ sudo service ipfw start
$ sudo ipfw list | wc -l
40

dsx@vaio>uname -a
FreeBSD vaio.bsdsx.fr 11.1-RELEASE FreeBSD 11.1-RELEASE #0 r321309: Fri Jul 21 02:08:28 UTC 2017     root@releng2.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC  amd64
dsx@vaio>freebsd-version
11.1-RELEASE-p6

-- 
You are receiving this mail because:
You are the assignee for the bug.
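The sourcing order the comment walks through can be reproduced without touching a real system. The script below is an added example, not part of the bug report and not FreeBSD's own rc.subr or rc.firewall: it builds stand-ins for /etc/defaults/rc.conf, /etc/rc.conf and /etc/rc.conf.d/ipfw/ipfw under a temporary directory, and the functions source_rc_confs_mock and load_rc_config_mock are constructed approximations of the real rc.subr routines (the real load_rc_config reads rc.conf.d/<service> and rc.conf.d/<service>/*; the stock rc.firewall only re-sources the defaults and rc.conf). It shows that rc.d/ipfw sees firewall_type="workstation", that a child sh running the stock rc.firewall ends up with UNKNOWN even when the parent exports the variable, and that a rc.firewall which loads the service's config itself gets the right value.

```shell
#!/bin/sh
# Added example (not from the bug report or FreeBSD): a mock of the rc
# sourcing order described in the comment. All paths live under a
# temporary directory; the *_mock functions are constructed stand-ins.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

mkdir -p "$WORK/rc.conf.d/ipfw"
# Stand-in for /etc/defaults/rc.conf: the default that masks the real value.
printf 'firewall_type="UNKNOWN"\n' > "$WORK/defaults.rc.conf"
# Stand-in for /etc/rc.conf: empty, everything is kept in rc.conf.d.
: > "$WORK/rc.conf"
# Stand-in for /etc/rc.conf.d/ipfw/ipfw, as in the report.
printf 'firewall_enable="YES"\nfirewall_type="workstation"\n' \
    > "$WORK/rc.conf.d/ipfw/ipfw"

# Stand-in for rc.subr. source_rc_confs_mock reads only the defaults and
# rc.conf (what the stock rc.firewall does); load_rc_config_mock also reads
# rc.conf.d/<service> or rc.conf.d/<service>/* (what rc.d/ipfw does).
cat > "$WORK/rc.subr" <<EOF
source_rc_confs_mock() {
    . "$WORK/defaults.rc.conf"
    . "$WORK/rc.conf"
}
load_rc_config_mock() {
    source_rc_confs_mock
    if [ -d "$WORK/rc.conf.d/\$1" ]; then
        for _f in "$WORK/rc.conf.d/\$1"/*; do
            if [ -f "\$_f" ]; then . "\$_f"; fi
        done
    elif [ -f "$WORK/rc.conf.d/\$1" ]; then
        . "$WORK/rc.conf.d/\$1"
    fi
}
EOF

# Stand-in for the stock rc.firewall: a fresh sh that re-sources the
# defaults via source_rc_confs and then looks at firewall_type.
cat > "$WORK/rc.firewall.stock" <<EOF
. "$WORK/rc.subr"
source_rc_confs_mock
printf '%s\n' "\$firewall_type"
EOF

# Stand-in for a corrected rc.firewall that loads the service config itself.
cat > "$WORK/rc.firewall.fixed" <<EOF
. "$WORK/rc.subr"
load_rc_config_mock ipfw
printf '%s\n' "\$firewall_type"
EOF

# What rc.d/ipfw itself sees after load_rc_config: the configured value.
type_in_rc_d_ipfw() {
    . "$WORK/rc.subr"
    load_rc_config_mock ipfw
    printf '%s\n' "$firewall_type"
}

# What the stock rc.firewall sees when started as "sh /etc/rc.firewall":
# the parent's variables are not exported, and the child re-sources defaults.
type_in_stock_rc_firewall() {
    . "$WORK/rc.subr"
    load_rc_config_mock ipfw
    sh "$WORK/rc.firewall.stock"
}

# Exporting from the parent does not help: the child re-sources the
# defaults after inheriting the environment, overwriting the value.
type_in_stock_rc_firewall_exported() {
    . "$WORK/rc.subr"
    load_rc_config_mock ipfw
    export firewall_type
    sh "$WORK/rc.firewall.stock"
}

# A rc.firewall that calls load_rc_config for ipfw sees the real setting.
type_in_fixed_rc_firewall() {
    . "$WORK/rc.subr"
    load_rc_config_mock ipfw
    sh "$WORK/rc.firewall.fixed"
}

printf 'rc.d/ipfw sees:                  %s\n' "$(type_in_rc_d_ipfw)"
printf 'stock rc.firewall sees:          %s\n' "$(type_in_stock_rc_firewall)"
printf 'stock rc.firewall (exported):    %s\n' "$(type_in_stock_rc_firewall_exported)"
printf 'fixed rc.firewall sees:          %s\n' "$(type_in_fixed_rc_firewall)"
```

The practical check on a real host is the one the comment already performs: after `service ipfw start`, compare `ipfw list` against the rule set the configured firewall_type should have produced, since an UNKNOWN type means rc.firewall installs none of the expected rules and the host is left with whatever the kernel's default policy allows.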