From: Robert Huff
Date: Sat, 10 Nov 2007 15:09:45 -0500
To: "Bob Johnson"
Cc: freebsd-questions@freebsd.org
Subject: 7.0-B2 & IPFW/IP6FW interaction
Message-ID: <18230.4105.874706.301172@jerusalem.litteratus.org>
In-Reply-To: <54db43990711101149k62ce4ac2m1cf797f1671ba6fa@mail.gmail.com>

Bob Johnson writes:

> On my test system, the IPv6 ruleset is loaded first, and then
> when the IPv4 ruleset is loaded, the flush command in rc.firewall
> removes all of the IPv6 rules, so I end up with default deny for
> IPv6, plus all of my normal IPv4 rules. It's possible that this
> interaction explains the other oddities I thought I've seen but
> haven't reliably reproduced.
>
> I fixed it by removing the flush commands from both rc.firewall
> and rc.firewall6, but I expect this broke the proper operation of
> "/etc/rc.d/ipfw restart" (although I haven't actually tested
> that. I just manually flush the rules if I need to restart the
> firewall).

There are a number of good reasons to Not Do That, which others can
explain better than I. Instead, let me suggest you make a copy of
those scripts, then ponder this part of my rc.conf:

    firewall_enable="YES"                   # Set to YES to enable firewall functionality
    firewall_type="UNKNOWN"                 # Firewall type (see /etc/rc.firewall)
    firewall_script="/etc/ipfw.master"      # Use this instead of /etc/rc.firewall
    ipv6_firewall_enable="YES"              # Set to YES to enable IPv6 firewall
    ipv6_firewall_type="UNKNOWN"            # see /etc/rc.firewall6
    ipv6_firewall_script="/etc/ipfw.v6.set" # Which script to run to
                                            # set up the IPv6 firewall
    ipv6_firewall_flags=""                  # see /etc/rc.firewall6

			Robert Huff
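An added example, not part of the thread and not Robert Huff's /etc/ipfw.master or /etc/ipfw.v6.set: a single firewall_script that flushes once and then loads the IPv4 and the IPv6 rules through the same ipfw, so that no second script's flush can remove the IPv6 set the way Bob describes. The file name /etc/ipfw.master, the interface em0, the prefix 2001:db8::/48 and the rule contents are illustrative assumptions; with both families in one script, ipv6_firewall_enable would be left at "NO" rather than pointed at a second script. The dry_run, flush_count and v6_rule_count functions are the check a practitioner would run before installing it: the printed ruleset must contain exactly one flush and still contain the IPv6 rules.

```shell
#!/bin/sh
# Added example, not Robert Huff's /etc/ipfw.master: one firewall_script
# that loads the IPv4 and IPv6 rules in a single pass with a single flush.
# Interface name, prefix and rule contents are illustrative assumptions.

IPFW="${IPFW:-/sbin/ipfw}"     # the real thing; dry_run swaps in "say"
oif="${oif:-em0}"              # assumed outside interface
lan6="${lan6:-2001:db8::/48}"  # assumed site prefix (documentation range)

# Every rule goes through fw so the whole set can be printed instead of loaded.
fw() { "$IPFW" -q "$@"; }
say() { printf '%s\n' "$*"; }

load_rules() {
    # The one and only flush. rc.firewall and rc.firewall6 each flush on
    # their own, which is why loading the second set wipes the first.
    fw -f flush

    # Both families: "ip" and "any" match IPv4 and IPv6 alike.
    fw add 100 allow ip from any to any via lo0
    fw add 110 deny ip from any to 127.0.0.0/8
    fw add 120 deny ip from 127.0.0.0/8 to any
    fw add 130 deny ip from any to ::1
    fw add 140 deny ip from ::1 to any

    # IPv4
    fw add 1000 check-state
    fw add 1010 allow tcp from me to any out via "$oif" setup keep-state
    fw add 1020 allow udp from me to any out via "$oif" keep-state
    fw add 1030 allow icmp from any to any icmptypes 0,3,8,11
    fw add 1040 allow tcp from any to me 22 in via "$oif" setup keep-state

    # IPv6, through the same ipfw. ICMPv6 carries neighbour discovery,
    # so blocking it silently breaks IPv6 altogether.
    fw add 2000 allow ipv6-icmp from any to any
    fw add 2010 allow tcp from me6 to any out via "$oif" setup keep-state
    fw add 2020 allow udp from me6 to any out via "$oif" keep-state
    fw add 2030 allow tcp from "$lan6" to me6 22 in via "$oif" setup keep-state

    # Explicit final deny for both families, ahead of the kernel default.
    fw add 65000 deny ip from any to any
}

# Print the ruleset instead of loading it (subshell, so IPFW is not changed).
dry_run() { ( IPFW=say; load_rules ); }

# The check for the problem in this thread: a combined ruleset prints
# exactly one flush. Two scripts that each flush would print two.
flush_count() { dry_run | grep -c -- '-f flush'; }

# Number of rules that only make sense for IPv6, to confirm they survived.
v6_rule_count() { dry_run | grep -c -e 'ipv6-icmp' -e 'me6'; }

# Load for real only when run as the installed script, e.g. by
# /etc/rc.d/ipfw; under any other name the file just defines the functions.
case "$0" in
    */ipfw.master|ipfw.master) load_rules ;;
esac
```

Copy the file to some other name (or source it) and call dry_run to read the rules that would be loaded; flush_count must print 1 and v6_rule_count must be non-zero. Installed as /etc/ipfw.master and named in firewall_script, it loads the rules for real, and "/etc/rc.d/ipfw restart" keeps working because the flush is still there, just no longer duplicated.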