Date:      Tue, 14 Oct 1997 20:59:14 -0700 (PDT)
From:      studded@dal.net
To:        FreeBSD-gnats-submit@FreeBSD.ORG
Subject:   misc/4766: Changes to rc* scripts for ipfw
Message-ID:  <199710150359.UAA28549@dalnet.webmaster.com>
Resent-Message-ID: <199710150400.VAA12506@hub.freebsd.org>


>Number:         4766
>Category:       misc
>Synopsis:       Simple changes to make ipfw safer and easier to use
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Tue Oct 14 21:00:01 PDT 1997
>Last-Modified:
>Originator:     Studded
>Organization:
DALnet IRC network
>Release:        FreeBSD 2.2.5-971012-BETA i386
>Environment:

	All FreeBSD 2.2x systems.  (Note that I'm unsure about the
category.)

>Description:

	The ipfw functionality is a valuable part of FreeBSD, however
compiling it into the kernel or enabling the option in rc.conf (which
currently loads the kernel module from rc.network) can lead to a system
accidentally being closed off from the internet.  This is especially
dangerous when administering a system remotely.
	  
>How-To-Repeat:

	Load ipfw.

>Fix:
	
	The following patch (in both unified and context format because I
can never remember what y'all like :) makes a few small changes to rc.conf
to make things more clear, adds some safety features to rc.network and
rc.firewall so that the default firewall type is open, and makes sure that
rc.firewall is loaded if there is ipfw functionality in the kernel.  It
also makes a small change to the rc.firewall script so that the rules in
the script look like the rules you see when doing 'ipfw list.'  Finally it
makes rc.firewall and rc.network friendlier to a mistake in case for "YES"
vs. "yes."

	I realize that making the default rule "open" is a controversial
thing, however it would be trivial for someone who *wanted* a closed
system to make the firewall type "CLOSED." On the other hand, someone
compiling the ipfw option into the kernel or enabling it in rc.conf
without doing their "homework" will find themselves with anything from a
mysterious situation to a catastrophic error for someone administering a
system remotely.

	Even if the powers that be do not accept my proposal for changing
the default rule, I'd like serious consideration for the expanded and
clarified warning messages, and the change from "pass all" to "allow ip"
in rc.firewall.  

	There is currently a discussion on this topic happening on
freebsd-stable.

Hope this helps,

Doug


Context format:

diff -cr ../etc-1014/rc.conf ./rc.conf
*** ../etc-1014/rc.conf	Sun Oct 12 13:33:28 1997
--- ./rc.conf	Tue Oct 14 18:19:56 1997
***************
*** 4,10 ****
  # This is rc.conf - a file full of useful variables that you can set 
  # to change the default startup behavior of your system.
  #
! # All arguments must be in double or single quotes.
  #
  #	$Id: rc.conf,v 1.1.2.26 1997/10/12 20:33:28 imp Exp $
  
--- 4,12 ----
  # This is rc.conf - a file full of useful variables that you can set 
  # to change the default startup behavior of your system.
  #
! # All arguments must be in double or single quotes, and are case sensitive.
! # Therefore you should use CAPITAL LETTERS for the YES/NO options.
! # "NO" is not the same as "no".
  #
  #	$Id: rc.conf,v 1.1.2.26 1997/10/12 20:33:28 imp Exp $
  
***************
*** 28,35 ****
  hostname="myname.my.domain"	# Set this!
  nisdomainname="NO"		# Set to NIS domain if using NIS (or NO).
  firewall_enable="NO"		# Set to YES to enable firewall functionality
- firewall_type="UNKNOWN"		# Firewall type (see
/etc/rc.firewall)
  firewall_quiet="NO"		# Set to YES to suppress rule display
  tcp_extensions="YES"		# Allow RFC1323 & RFC1544 extensions (or NO).
  network_interfaces="lo0"	# List of network interfaces (lo0 is loopback).
  ifconfig_lo0="inet 127.0.0.1"	# default loopback device configuration.
--- 30,38 ----
  hostname="myname.my.domain"	# Set this!
  nisdomainname="NO"		# Set to NIS domain if using NIS (or NO).
  firewall_enable="NO"		# Set to YES to enable firewall functionality
  firewall_quiet="NO"		# Set to YES to suppress rule display
+ firewall_type="OPEN"		# Firewall type (see /etc/rc.firewall)
+ # "OPEN" allows all traffic to pass by default. Other options are available.
  tcp_extensions="YES"		# Allow RFC1323 & RFC1544 extensions (or NO).
  network_interfaces="lo0"	# List of network interfaces (lo0 is loopback).
  ifconfig_lo0="inet 127.0.0.1"	# default loopback device configuration.
diff -cr ../etc-1014/rc.firewall ./rc.firewall
*** ../etc-1014/rc.firewall	Thu Sep 18 15:47:10 1997
--- ./rc.firewall	Tue Oct 14 19:50:42 1997
***************
*** 4,13 ****
  
  ############
  # Define the firewall type in /etc/rc.conf.  Valid values are:
! #   open     - will allow anyone in
! #   client   - will try to protect just this machine
! #   simple   - will try to protect a whole network
! #   closed   - totally disables IP services except via lo0 interface
  #   UNKNOWN  - disables the loading of firewall rules.
  #   filename - will load the rules in the given filename (full path required)
  #
--- 4,13 ----
  
  ############
  # Define the firewall type in /etc/rc.conf.  Valid values are:
! #   OPEN     - will allow anyone in
! #   CLIENT   - will try to protect just this machine
! #   SIMPLE   - will try to protect a whole network
! #   CLOSED   - totally disables IP services except via lo0 interface
  #   UNKNOWN  - disables the loading of firewall rules.
  #   filename - will load the rules in the given filename (full path required)
  #
***************
*** 39,49 ****
  
  if [ "x$1" != "x" ]; then
  	firewall_type=$1
  fi
  
  ############
  # Set quiet mode if requested
! if [ "x$firewall_quiet" = "xYES" ]; then
  	fwcmd="/sbin/ipfw -q"
  else
  	fwcmd="/sbin/ipfw"
--- 39,51 ----
  
  if [ "x$1" != "x" ]; then
  	firewall_type=$1
+ else
+ 	firewall_type=OPEN
  fi
  
  ############
  # Set quiet mode if requested
! if [ "x$firewall_quiet" = "xYES" -o "x$firewall_quiet" = "xyes" ]; then
  	fwcmd="/sbin/ipfw -q"
  else
  	fwcmd="/sbin/ipfw"
***************
*** 53,77 ****
  # Flush out the list before we begin.
  $fwcmd -f flush
  
  ############
  # If you just configured ipfw in the kernel as a tool to solve network
  # problems or you just want to disallow some particular kinds of traffic
  # they you will want to change the default policy to open.  You can also
! # do this as your only action by setting the firewall_type to ``open''.
  
! # $fwcmd add 65000 pass all from any to any
  
  ############
  # Only in rare cases do you want to change this rule
! $fwcmd add 1000 pass all from 127.0.0.1 to 127.0.0.1
  
  
  # Prototype setups.
! if [ "${firewall_type}" = "open" ]; then
  
! 	$fwcmd add 65000 pass all from any to any
  
! elif [ "${firewall_type}" = "client" ]; then
  
      ############
      # This is a prototype setup that will protect your system somewhat against
--- 55,85 ----
  # Flush out the list before we begin.
  $fwcmd -f flush
  
+ # In the examples below, the words "allow" and "ip" are equivalent to
+ # "pass" and "all" as used in this file previously, and accurately reflect
+ # how ipfw will list the rules when you use ipfw list. See man ipfw(8)
+ # for more details.
+ 
  ############
  # If you just configured ipfw in the kernel as a tool to solve network
  # problems or you just want to disallow some particular kinds of traffic
  # they you will want to change the default policy to open.  You can also
! # do this as your only action by setting the firewall_type to "OPEN" in 
! # /etc/rc.conf.
  
! # $fwcmd add 65000 allow ip from any to any
  
  ############
  # Only in rare cases do you want to change this rule
! $fwcmd add 100 allow ip from 127.0.0.1 to 127.0.0.1
  
  
  # Prototype setups.
! if [ "${firewall_type}" = "OPEN" -o "${firewall_type}" = "open" ]; then
  
! 	$fwcmd add 65000 allow ip from any to any
  
! elif [ "${firewall_type}" = "CLIENT" -o "${firewall_type}" = "client" ]; then
  
      ############
      # This is a prototype setup that will protect your system somewhat against
***************
*** 84,115 ****
      ip="192.168.4.17"
  
      # Allow any traffic to or from my own net.
!     $fwcmd add pass all from ${ip} to ${net}:${mask}
!     $fwcmd add pass all from ${net}:${mask} to ${ip}
  
      # Allow TCP through if setup succeeded
!     $fwcmd add pass tcp from any to any established
  
      # Allow setup of incoming email 
!     $fwcmd add pass tcp from any to ${ip} 25 setup
  
      # Allow setup of outgoing TCP connections only
!     $fwcmd add pass tcp from ${ip} to any setup
  
      # Disallow setup of all other TCP connections
      $fwcmd add deny tcp from any to any setup
  
      # Allow DNS queries out in the world
!     $fwcmd add pass udp from any 53 to ${ip}
!     $fwcmd add pass udp from ${ip} to any 53
  
      # Allow NTP queries out in the world
!     $fwcmd add pass udp from any 123 to ${ip}
!     $fwcmd add pass udp from ${ip} to any 123
  
      # Everything else is denied as default.
  
! elif [ "${firewall_type}" = "simple" ]; then
  
      ############
      # This is a prototype setup for a simple firewall.  Configure this machine 
--- 92,125 ----
      ip="192.168.4.17"
  
      # Allow any traffic to or from my own net.
!     $fwcmd add allow ip from ${ip} to ${net}:${mask}
!     $fwcmd add allow ip from ${net}:${mask} to ${ip}
  
      # Allow TCP through if setup succeeded
!     $fwcmd add allow tcp from any to any established
  
      # Allow setup of incoming email 
!     $fwcmd add allow tcp from any to ${ip} 25 setup
  
      # Allow setup of outgoing TCP connections only
!     $fwcmd add allow tcp from ${ip} to any setup
  
      # Disallow setup of all other TCP connections
      $fwcmd add deny tcp from any to any setup
  
      # Allow DNS queries out in the world
!     # (BIND 8.1.1 and later do not use port 53 by
!     # default, but it can be configured to do so.)
!     $fwcmd add allow udp from any 53 to ${ip}
!     $fwcmd add allow udp from ${ip} to any 53
  
      # Allow NTP queries out in the world
!     $fwcmd add allow udp from any 123 to ${ip}
!     $fwcmd add allow udp from ${ip} to any 123
  
      # Everything else is denied as default.
  
! elif [ "${firewall_type}" = "SIMPLE" -o "${firewall_type}" = "simple" ]; then
  
      ############
      # This is a prototype setup for a simple firewall.  Configure this machine 
***************
*** 130,171 ****
      iip="192.168.3.17"
  
      # Stop spoofing
!     $fwcmd add deny all from ${inet}:${imask} to any in via ${oif}
!     $fwcmd add deny all from ${onet}:${omask} to any in via ${iif}
  
      # Stop RFC1918 nets on the outside interface
!     $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
!     $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
!     $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
  
      # Allow TCP through if setup succeeded
!     $fwcmd add pass tcp from any to any established
  
      # Allow setup of incoming email 
!     $fwcmd add pass tcp from any to ${oip} 25 setup
  
      # Allow access to our DNS
!     $fwcmd add pass tcp from any to ${oip} 53 setup
  
      # Allow access to our WWW
!     $fwcmd add pass tcp from any to ${oip} 80 setup
  
      # Reject&Log all setup of incoming connections from the outside
      $fwcmd add deny log tcp from any to any in via ${oif} setup
  
      # Allow setup of any other TCP connection
!     $fwcmd add pass tcp from any to any setup
  
      # Allow DNS queries out in the world
!     $fwcmd add pass udp from any 53 to ${oip}
!     $fwcmd add pass udp from ${oip} to any 53
  
      # Allow NTP queries out in the world
!     $fwcmd add pass udp from any 123 to ${oip}
!     $fwcmd add pass udp from ${oip} to any 123
  
      # Everything else is denied as default.
  
! elif [ "${firewall_type}" != "NONE" -a -r "${firewall_type}" ]; then
  	$fwcmd ${firewall_type}
  fi
--- 140,185 ----
      iip="192.168.3.17"
  
      # Stop spoofing
!     $fwcmd add deny ip from ${inet}:${imask} to any in via ${oif}
!     $fwcmd add deny ip from ${onet}:${omask} to any in via ${iif}
  
      # Stop RFC1918 nets on the outside interface
!     $fwcmd add deny ip from 192.168.0.0:255.255.0.0 to any via ${oif}
!     $fwcmd add deny ip from 172.16.0.0:255.240.0.0 to any via ${oif}
!     $fwcmd add deny ip from 10.0.0.0:255.0.0.0 to any via ${oif}
  
      # Allow TCP through if setup succeeded
!     $fwcmd add allow tcp from any to any established
  
      # Allow setup of incoming email 
!     $fwcmd add allow tcp from any to ${oip} 25 setup
  
      # Allow access to our DNS
!     # (BIND 8.1.1 and later do not use port 53 by
!     # default, but it can be configured to do so.)
!     $fwcmd add allow tcp from any to ${oip} 53 setup
  
      # Allow access to our WWW
!     $fwcmd add allow tcp from any to ${oip} 80 setup
  
      # Reject&Log all setup of incoming connections from the outside
      $fwcmd add deny log tcp from any to any in via ${oif} setup
  
      # Allow setup of any other TCP connection
!     $fwcmd add allow tcp from any to any setup
  
      # Allow DNS queries out in the world
!     # (BIND 8.1.1 and later do not use port 53 by
!     # default, but it can be configured to do so.)
!     $fwcmd add allow udp from any 53 to ${oip}
!     $fwcmd add allow udp from ${oip} to any 53
  
      # Allow NTP queries out in the world
!     $fwcmd add allow udp from any 123 to ${oip}
!     $fwcmd add allow udp from ${oip} to any 123
  
      # Everything else is denied as default.
  
! elif [ "${firewall_type}" != "UNKNOWN -a -r "${firewall_type}" ]; then
  	$fwcmd ${firewall_type}
  fi
diff -cr ../etc-1014/rc.network ./rc.network
*** ../etc-1014/rc.network	Thu Sep 18 15:47:12 1997
--- ./rc.network	Tue Oct 14 20:28:16 1997
***************
*** 55,88 ****
  	    ifconfig ${ifn}
      done
  
!     # Initialize IP filtering using ipfw
!     echo ""
      /sbin/ipfw -q flush > /dev/null 2>&1
!     if [ $? = 1 ] ; then
  	firewall_in_kernel=0
      else 
  	firewall_in_kernel=1
      fi
  
!     if [ $firewall_in_kernel = 0 -a "x$firewall_enable"  = "xYES" ] ; then
! 	modload /lkm/ipfw_mod.o
! 	if [ $? = 0 ]; then
! 		firewall_in_kernel=1		# module loaded successfully
! 		echo "Kernel firewall module loaded."
! 	else
! 		echo "Warning: firewall kernel module failed to load."
  	fi
      fi
  
!     # Load the filters if required
      if [ $firewall_in_kernel = 1 ]; then
! 	if [ -n "$firewall_enable" -a -f /etc/rc.firewall -a \
! 		"x$firewall_enable" = "xYES" ] ; then
! 	    . /etc/rc.firewall
! 	    echo "Firewall rules loaded."
  	else
! 	    echo "Warning: kernel has firewall functionality, but firewall rules are not enabled."
! 	    echo "         All ip services are disabled."
  	fi
      fi
  
--- 55,95 ----
  	    ifconfig ${ifn}
      done
  
!     echo "Initializing IP filtering using ipfw."
! 
      /sbin/ipfw -q flush > /dev/null 2>&1
!     if [ $? != 0 ]; then
  	firewall_in_kernel=0
      else 
  	firewall_in_kernel=1
      fi
  
!     if [ "x$firewall_enable" = "xYES" -o "x$firewall_enable" = "xyes" ]; then
! 
! 	if [ $firewall_in_kernel = 0 ]; then
! 		/sbin/modload /lkm/ipfw_mod.o
! 
! 		if [ $? = 0 ]; then
! 			firewall_in_kernel=1
! 			echo "Kernel firewall module loaded successfully."
! 		else
! echo "Warning: Firewall is enabled in /etc/rc.conf, but it is not compiled"
! echo "Warning: into the kernel, and the kernel module failed to load."
! 		fi
  	fi
      fi
  
!     # Load the filters if ipfw is in the kernel or loaded above.
! 
      if [ $firewall_in_kernel = 1 ]; then
! 	if [ -r /etc/rc.firewall ]; then
! 		. /etc/rc.firewall
! 		echo "Firewall rules loaded from /etc/rc.firewall."
  	else
! echo "Warning: Firewall functionality is enabled, but firewall rules were"
! echo "Warning: not loaded from /etc/rc.firewall."
! echo ""
! echo "Warning: *** All IP services are disabled. ***"
  	fi
      fi


Unified format:

diff -ur ../etc-1014/rc.conf ./rc.conf
--- ../etc-1014/rc.conf	Sun Oct 12 13:33:28 1997
+++ ./rc.conf	Tue Oct 14 18:19:56 1997
@@ -4,7 +4,9 @@
 # This is rc.conf - a file full of useful variables that you can set 
 # to change the default startup behavior of your system.
 #
-# All arguments must be in double or single quotes.
+# All arguments must be in double or single quotes, and are case sensitive.
+# Therefore you should use CAPITAL LETTERS for the YES/NO options.
+# "NO" is not the same as "no".
 #
 #	$Id: rc.conf,v 1.1.2.26 1997/10/12 20:33:28 imp Exp $
 
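Review bot: The added comment tells users the YES/NO values are case sensitive and to use capitals, but the rc.firewall and rc.network hunks in this same patch add `-o "x$firewall_quiet" = "xyes"` style alternatives that accept lowercase. Pick one behaviour and document it: either keep the strict rule and the capitals advice, or state that both spellings are accepted for the firewall variables. Advertising strictness while silently accepting "yes" leaves the firewall variables behaving differently from every other rc.conf variable, which remain strict.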
@@ -28,8 +30,9 @@
 hostname="myname.my.domain"	# Set this!
 nisdomainname="NO"		# Set to NIS domain if using NIS (or NO).
 firewall_enable="NO"		# Set to YES to enable firewall functionality
-firewall_type="UNKNOWN"		# Firewall type (see /etc/rc.firewall)
 firewall_quiet="NO"		# Set to YES to suppress rule display
+firewall_type="OPEN"		# Firewall type (see /etc/rc.firewall)
+# "OPEN" allows all traffic to pass by default. Other options are available.
 tcp_extensions="YES"		# Allow RFC1323 & RFC1544 extensions (or NO).
 network_interfaces="lo0"	# List of network interfaces (lo0 is loopback).
 ifconfig_lo0="inet 127.0.0.1"	# default loopback device configuration.
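Review bot: The retained comment on `firewall_enable` ("Set to YES to enable firewall functionality") is no longer accurate once the rc.network hunk in this patch sources /etc/rc.firewall whenever ipfw is present in the kernel regardless of this variable; reword it to say it controls loading of the ipfw module only, otherwise a reader will assume NO leaves the kernel's filter untouched. Also the free-standing `# "OPEN" allows all traffic to pass by default.` line breaks the one-variable-per-line layout of this block; fold it into the `firewall_type` trailing comment, e.g. `# Firewall type: OPEN, CLIENT, SIMPLE, CLOSED (see /etc/rc.firewall)`.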
diff -ur ../etc-1014/rc.firewall ./rc.firewall
--- ../etc-1014/rc.firewall	Thu Sep 18 15:47:10 1997
+++ ./rc.firewall	Tue Oct 14 19:50:42 1997
@@ -4,10 +4,10 @@
 
 ############
 # Define the firewall type in /etc/rc.conf.  Valid values are:
-#   open     - will allow anyone in
-#   client   - will try to protect just this machine
-#   simple   - will try to protect a whole network
-#   closed   - totally disables IP services except via lo0 interface
+#   OPEN     - will allow anyone in
+#   CLIENT   - will try to protect just this machine
+#   SIMPLE   - will try to protect a whole network
+#   CLOSED   - totally disables IP services except via lo0 interface
 #   UNKNOWN  - disables the loading of firewall rules.
 #   filename - will load the rules in the given filename (full path required)
 #
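Review bot: CLOSED is listed as a valid value, but no branch in this file handles it (the branches visible in this patch are OPEN, CLIENT, SIMPLE and the filename case), so a CLOSED setting falls through to the final `elif` at the end of the file and is treated as a filename. Either add an explicit `elif [ "${firewall_type}" = "CLOSED" ]` branch that adds nothing beyond the loopback rule, or drop CLOSED from the list. Since the code below still accepts lowercase "open"/"client"/"simple", this list could also say so rather than documenting only the upper-case spellings.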
@@ -39,11 +39,13 @@
 
 if [ "x$1" != "x" ]; then
 	firewall_type=$1
+else
+	firewall_type=OPEN
 fi
 
 ############
 # Set quiet mode if requested
-if [ "x$firewall_quiet" = "xYES" ]; then
+if [ "x$firewall_quiet" = "xYES" -o "x$firewall_quiet" = "xyes" ]; then
 	fwcmd="/sbin/ipfw -q"
 else
 	fwcmd="/sbin/ipfw"
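Review bot: The new `else firewall_type=OPEN` discards the value set in /etc/rc.conf. rc.firewall is sourced from rc.network with `. /etc/rc.firewall`, not executed, so `$1` is whatever positional parameter the calling script had rather than a firewall type; when it is empty this else branch overwrites a CLIENT or SIMPLE setting from rc.conf with OPEN, and when it is not empty the pre-existing first branch assigns that unrelated value to firewall_type. Either way the documented configuration path stops working. Default only when the variable is unset or empty, e.g. `firewall_type=${firewall_type:-OPEN}`, or drop this else entirely now that rc.conf ships the OPEN default.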
@@ -53,25 +55,31 @@
 # Flush out the list before we begin.
 $fwcmd -f flush
 
+# In the examples below, the words "allow" and "ip" are equivalent to
+# "pass" and "all" as used in this file previously, and accurately reflect
+# how ipfw will list the rules when you use ipfw list. See man ipfw(8)
+# for more details.
+
 ############
 # If you just configured ipfw in the kernel as a tool to solve network
 # problems or you just want to disallow some particular kinds of traffic
 # they you will want to change the default policy to open.  You can also
-# do this as your only action by setting the firewall_type to ``open''.
+# do this as your only action by setting the firewall_type to "OPEN" in 
+# /etc/rc.conf.
 
-# $fwcmd add 65000 pass all from any to any
+# $fwcmd add 65000 allow ip from any to any
 
 ############
 # Only in rare cases do you want to change this rule
-$fwcmd add 1000 pass all from 127.0.0.1 to 127.0.0.1
+$fwcmd add 100 allow ip from 127.0.0.1 to 127.0.0.1
 
 
 # Prototype setups.
-if [ "${firewall_type}" = "open" ]; then
+if [ "${firewall_type}" = "OPEN" -o "${firewall_type}" = "open" ]; then
 
-	$fwcmd add 65000 pass all from any to any
+	$fwcmd add 65000 allow ip from any to any
 
-elif [ "${firewall_type}" = "client" ]; then
+elif [ "${firewall_type}" = "CLIENT" -o "${firewall_type}" = "client" ]; then
 
     ############
     # This is a prototype setup that will protect your system somewhat against
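Review bot: The loopback rule is renumbered from 1000 to 100 here without a mention in the PR description or in a comment; if it is intentional, say why (room for user rules ahead of it?), otherwise keep 1000 so existing documentation and `ipfw delete 1000` habits stay valid. While this comment block is being rewritten, the pre-existing typo in the retained context line `they you will want to change` could be fixed to `then you will want to change`.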
@@ -84,32 +92,34 @@
     ip="192.168.4.17"
 
     # Allow any traffic to or from my own net.
-    $fwcmd add pass all from ${ip} to ${net}:${mask}
-    $fwcmd add pass all from ${net}:${mask} to ${ip}
+    $fwcmd add allow ip from ${ip} to ${net}:${mask}
+    $fwcmd add allow ip from ${net}:${mask} to ${ip}
 
     # Allow TCP through if setup succeeded
-    $fwcmd add pass tcp from any to any established
+    $fwcmd add allow tcp from any to any established
 
     # Allow setup of incoming email 
-    $fwcmd add pass tcp from any to ${ip} 25 setup
+    $fwcmd add allow tcp from any to ${ip} 25 setup
 
     # Allow setup of outgoing TCP connections only
-    $fwcmd add pass tcp from ${ip} to any setup
+    $fwcmd add allow tcp from ${ip} to any setup
 
     # Disallow setup of all other TCP connections
     $fwcmd add deny tcp from any to any setup
 
     # Allow DNS queries out in the world
-    $fwcmd add pass udp from any 53 to ${ip}
-    $fwcmd add pass udp from ${ip} to any 53
+    # (BIND 8.1.1 and later do not use port 53 by
+    # default, but it can be configured to do so.)
+    $fwcmd add allow udp from any 53 to ${ip}
+    $fwcmd add allow udp from ${ip} to any 53
 
     # Allow NTP queries out in the world
-    $fwcmd add pass udp from any 123 to ${ip}
-    $fwcmd add pass udp from ${ip} to any 123
+    $fwcmd add allow udp from any 123 to ${ip}
+    $fwcmd add allow udp from ${ip} to any 123
 
     # Everything else is denied as default.
 
-elif [ "${firewall_type}" = "simple" ]; then
+elif [ "${firewall_type}" = "SIMPLE" -o "${firewall_type}" = "simple" ]; then
 
     ############
     # This is a prototype setup for a simple firewall.  Configure this machine 
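Review bot: The added BIND 8.1.1 comment does not relate to what these two rules restrict: `allow udp from any 53 to ${ip}` constrains only the remote source port and `allow udp from ${ip} to any 53` only the remote destination port, so the local resolver's query-source port, which is what changed in BIND 8.1.1, is already unconstrained here. Either state what a reader running a local named should actually change, or drop the comment so they do not go looking for a port problem these rules cannot cause. Separately, since the rule is being touched: `from any 53 to ${ip}` admits any UDP datagram whose source port is 53 to any local port; that is inherent in stateless filtering and deserves a comment so CLIENT users understand the limit of the protection they are getting.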
@@ -130,42 +140,46 @@
     iip="192.168.3.17"
 
     # Stop spoofing
-    $fwcmd add deny all from ${inet}:${imask} to any in via ${oif}
-    $fwcmd add deny all from ${onet}:${omask} to any in via ${iif}
+    $fwcmd add deny ip from ${inet}:${imask} to any in via ${oif}
+    $fwcmd add deny ip from ${onet}:${omask} to any in via ${iif}
 
     # Stop RFC1918 nets on the outside interface
-    $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
-    $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
-    $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
+    $fwcmd add deny ip from 192.168.0.0:255.255.0.0 to any via ${oif}
+    $fwcmd add deny ip from 172.16.0.0:255.240.0.0 to any via ${oif}
+    $fwcmd add deny ip from 10.0.0.0:255.0.0.0 to any via ${oif}
 
     # Allow TCP through if setup succeeded
-    $fwcmd add pass tcp from any to any established
+    $fwcmd add allow tcp from any to any established
 
     # Allow setup of incoming email 
-    $fwcmd add pass tcp from any to ${oip} 25 setup
+    $fwcmd add allow tcp from any to ${oip} 25 setup
 
     # Allow access to our DNS
-    $fwcmd add pass tcp from any to ${oip} 53 setup
+    # (BIND 8.1.1 and later do not use port 53 by
+    # default, but it can be configured to do so.)
+    $fwcmd add allow tcp from any to ${oip} 53 setup
 
     # Allow access to our WWW
-    $fwcmd add pass tcp from any to ${oip} 80 setup
+    $fwcmd add allow tcp from any to ${oip} 80 setup
 
     # Reject&Log all setup of incoming connections from the outside
     $fwcmd add deny log tcp from any to any in via ${oif} setup
 
     # Allow setup of any other TCP connection
-    $fwcmd add pass tcp from any to any setup
+    $fwcmd add allow tcp from any to any setup
 
     # Allow DNS queries out in the world
-    $fwcmd add pass udp from any 53 to ${oip}
-    $fwcmd add pass udp from ${oip} to any 53
+    # (BIND 8.1.1 and later do not use port 53 by
+    # default, but it can be configured to do so.)
+    $fwcmd add allow udp from any 53 to ${oip}
+    $fwcmd add allow udp from ${oip} to any 53
 
     # Allow NTP queries out in the world
-    $fwcmd add pass udp from any 123 to ${oip}
-    $fwcmd add pass udp from ${oip} to any 123
+    $fwcmd add allow udp from any 123 to ${oip}
+    $fwcmd add allow udp from ${oip} to any 123
 
     # Everything else is denied as default.
 
-elif [ "${firewall_type}" != "NONE" -a -r "${firewall_type}" ]; then
+elif [ "${firewall_type}" != "UNKNOWN -a -r "${firewall_type}" ]; then
 	$fwcmd ${firewall_type}
 fi
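Review bot: The last changed line of this hunk is syntactically broken: `"UNKNOWN -a -r "${firewall_type}"` is missing the closing quote after UNKNOWN, so `-a -r` become part of a string literal and the test degenerates to a plain string comparison that is true for any firewall_type not matched above. The `-r` readability check is lost and `$fwcmd ${firewall_type}` is then run with UNKNOWN, CLOSED or any typo as its argument. It should read `elif [ "${firewall_type}" != "UNKNOWN" -a -r "${firewall_type}" ]; then`. Also, the BIND comment is now duplicated onto the inbound `allow tcp from any to ${oip} 53 setup` rule, where a remote query-source port is irrelevant (that rule matches the destination port of connections to our own server); keep it, if at all, in one place.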
diff -ur ../etc-1014/rc.network ./rc.network
--- ../etc-1014/rc.network	Thu Sep 18 15:47:12 1997
+++ ./rc.network	Tue Oct 14 20:28:16 1997
@@ -55,34 +55,41 @@
 	    ifconfig ${ifn}
     done
 
-    # Initialize IP filtering using ipfw
-    echo ""
+    echo "Initializing IP filtering using ipfw."
+
     /sbin/ipfw -q flush > /dev/null 2>&1
-    if [ $? = 1 ] ; then
+    if [ $? != 0 ]; then
 	firewall_in_kernel=0
     else 
 	firewall_in_kernel=1
     fi
 
-    if [ $firewall_in_kernel = 0 -a "x$firewall_enable"  = "xYES" ] ; then
-	modload /lkm/ipfw_mod.o
-	if [ $? = 0 ]; then
-		firewall_in_kernel=1		# module loaded successfully
-		echo "Kernel firewall module loaded."
-	else
-		echo "Warning: firewall kernel module failed to load."
+    if [ "x$firewall_enable" = "xYES" -o "x$firewall_enable" = "xyes" ]; then
+
+	if [ $firewall_in_kernel = 0 ]; then
+		/sbin/modload /lkm/ipfw_mod.o
+
+		if [ $? = 0 ]; then
+			firewall_in_kernel=1
+			echo "Kernel firewall module loaded successfully."
+		else
+echo "Warning: Firewall is enabled in /etc/rc.conf, but it is not compiled"
+echo "Warning: into the kernel, and the kernel module failed to load."
+		fi
 	fi
     fi
 
-    # Load the filters if required
+    # Load the filters if ipfw is in the kernel or loaded above.
+
     if [ $firewall_in_kernel = 1 ]; then
-	if [ -n "$firewall_enable" -a -f /etc/rc.firewall -a \
-		"x$firewall_enable" = "xYES" ] ; then
-	    . /etc/rc.firewall
-	    echo "Firewall rules loaded."
+	if [ -r /etc/rc.firewall ]; then
+		. /etc/rc.firewall
+		echo "Firewall rules loaded from /etc/rc.firewall."
 	else
-	    echo "Warning: kernel has firewall functionality, but firewall rules are not enabled."
-	    echo "         All ip services are disabled."
+echo "Warning: Firewall functionality is enabled, but firewall rules were"
+echo "Warning: not loaded from /etc/rc.firewall."
+echo ""
+echo "Warning: *** All IP services are disabled. ***"
 	fi
     fi
 
  
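Review bot: The rules block no longer checks `firewall_enable`, so with ipfw compiled into the kernel and rc.conf's default `firewall_enable="NO"`, /etc/rc.firewall is sourced anyway. That matches the PR's stated intent of never leaving an ipfw kernel rule-less, but it silently changes the meaning of `firewall_enable` to "load the module if needed", and the else branch's "Firewall functionality is enabled" warning is then wrong for a user who set NO. Update the rc.conf comment and the warning text to match, or keep `firewall_enable` as the gate and instead warn loudly when an ipfw kernel is found with it set to NO. Two smaller points: the unindented `echo` lines break the indentation of the surrounding block (one `echo` per line, indented, or a here-document keeps the file readable), and the "All IP services are disabled" message is only true if the kernel's default policy is deny, so word it as a conditional. Replacing `-f` with `-r` on the rc.firewall check is a good change.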
>Audit-Trail:
>Unformatted:



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199710150359.UAA28549>