Date:      Fri, 29 Dec 2017 19:06:41 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-ipfw@FreeBSD.org
Subject:   [Bug 167822] [ipfw] [patch] start script doesn't load firewall_type if set in rc.conf.d/ipfw
Message-ID:  <bug-167822-7515-1uttHzOSaK@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-167822-7515@https.bugs.freebsd.org/bugzilla/>
References:  <bug-167822-7515@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=167822

Freddy DISSAUX <dsx@bsdsx.fr> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dsx@bsdsx.fr

--- Comment #3 from Freddy DISSAUX <dsx@bsdsx.fr> ---
If ipfw is configured like this:

/etc/rc.conf.d/ipfw/_networks
  firewall_ipv4="172.16.200.0/24 172.17.200.0/24 172.16.10.0/24 172.17.10.0/24"
  firewall_ipv6="2a01:db8:cafe:f660::/64 2a01:db8:cafe:f666::/64"
/etc/rc.conf.d/ipfw/ipfw
  firewall_enable="YES"
  firewall_type="workstation"
  firewall_myservices="ssh/tcp"
  firewall_allowservices="$firewall_ipv4 $firewall_ipv6"
  firewall_coscripts="/etc/rc.conf.d/ipfw_local"
/etc/rc.conf.d/ipfw/log
  firewall_quiet="NO"
  firewall_logging="YES"
  firewall_logif="YES"
  firewall_logdeny="YES"

the firewall_type variable will still be set to UNKNOWN.

If I understand:

/etc/rc.d/ipfw start
    - source /etc/rc.subr
    - call load_rc_config ipfw (firewall_* are available)
    - $firewall_script is set to /etc/rc.firewall (default)
    - call /bin/sh /etc/rc.firewall

/etc/rc.firewall
    - test if source_rc_confs_defined (always false)
    - source /etc/rc.defaults/rc.conf => firewall_type set to 'UNKNOWN'
    - source rc.subr (but not call load_rc_config !!!)
    - test firewall_type (UNKNOWN)

=> fail

With attached patch, ipfw is configured as expected:

$ sudo ipfw list | grep 22$
02500 allow tcp from 172.16.200.0/24 to me dst-port 22
02600 allow tcp from 172.17.200.0/24 to me dst-port 22
02700 allow tcp from 172.16.10.0/24 to me dst-port 22
02800 allow tcp from 172.17.10.0/24 to me dst-port 22
02900 allow tcp from 2a01:db8:cafe:f660::/64 to me dst-port 22
03000 allow tcp from 2a01:db8:cafe:f666::/64 to me dst-port 22

With pirzyk's patch I can force firewall_type (using my configuration):

$ sudo ipfw list | wc -l
40
$ sudo service ipfw stop
$ sudo service ipfw start open
$ sudo ipfw list | wc -l
12
$ sudo service ipfw stop
$ sudo service ipfw start
$ sudo ipfw list | wc -l
40
dsx@vaio>uname -a
FreeBSD vaio.bsdsx.fr 11.1-RELEASE FreeBSD 11.1-RELEASE #0 r321309: Fri Jul 21 02:08:28 UTC 2017     root@releng2.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC  amd64
dsx@vaio>freebsd-version
11.1-RELEASE-p6

-- 
You are receiving this mail because:
You are the assignee for the bug.
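The load-order difference the comment describes, re-enacted as an added example that is not part of the bug report or of FreeBSD's rc.subr: a constructed scratch tree stands in for /etc, and a simplified stand-in for load_rc_config (defaults, then rc.conf, then rc.conf.d/<name> and rc.conf.d/<name>/*) is compared with a script that only sources the defaults, which is what the unpatched /etc/rc.firewall does.

```shell
#!/bin/sh
# Added example, not code from the bug report or from FreeBSD. The tree
# under $ROOT is constructed here; sim_load_rc_config is a simplified
# stand-in for rc.subr's load_rc_config, not the real function.
ROOT=$(mktemp -d)

# Constructed configuration tree mirroring the comment's layout.
mkdir -p "$ROOT/etc/defaults" "$ROOT/etc/rc.conf.d/ipfw"
echo 'firewall_type="UNKNOWN"'     > "$ROOT/etc/defaults/rc.conf"
: > "$ROOT/etc/rc.conf"
echo 'firewall_type="workstation"' > "$ROOT/etc/rc.conf.d/ipfw/ipfw"

# Layer the files so that later ones override earlier ones.
sim_load_rc_config() {
    _name=$1
    . "$ROOT/etc/defaults/rc.conf"
    if [ -f "$ROOT/etc/rc.conf" ]; then . "$ROOT/etc/rc.conf"; fi
    if [ -f "$ROOT/etc/rc.conf.d/$_name" ]; then
        . "$ROOT/etc/rc.conf.d/$_name"
    fi
    for _f in "$ROOT/etc/rc.conf.d/$_name"/*; do
        if [ -f "$_f" ]; then . "$_f"; fi
    done
}

# What /etc/rc.d/ipfw sees: the full layered configuration.
type_seen_by_rc_d_ipfw() {
    unset firewall_type
    sim_load_rc_config ipfw
    echo "$firewall_type"
}

# What the unpatched /etc/rc.firewall sees: only the defaults, so every
# value set under rc.conf.d/ipfw/ is lost again in the child shell.
type_seen_by_rc_firewall() {
    unset firewall_type
    . "$ROOT/etc/defaults/rc.conf"
    echo "$firewall_type"
}

echo "rc.d/ipfw sees:   $(type_seen_by_rc_d_ipfw)"    # workstation
echo "rc.firewall sees: $(type_seen_by_rc_firewall)"  # UNKNOWN
```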


