From: Коньков Евгений <kes-kes@yandex.ru>
Organization: ЧП Коньков, FreeLine
Date: Mon, 15 Nov 2010 20:13:56 +0200
To: "Grant Peel"
Cc: freebsd-questions@freebsd.org
Subject: Re: IPFW at startup.
Message-ID: <1864126465.20101115201356@yandex.ru>
X-Mailer: The Bat! (v4.0.24) Professional
Hello, Grant. You wrote on 15 November 2010 at 0:50:47:

GP> Hi all,

GP> I seem to have one server that does not flush the /etc/rc.firewall rules
GP> when the script taken from "firewall_type" starts up. That is to say when I
GP> boot the machine, 3 rules seem to be still in the list when I do an ipfw -a
GP> list. Those three rules appear to be from the /etc/rc.firewall script. The
GP> rules from my /etc/ipfw.rules file DO get loaded.

GP> Here are the three rules (100, 200, and 300), from /etc/rc.firewall.

GP> setup_loopback () {
GP> ############
GP> # Only in rare cases do you want to change these rules
GP> #
GP> ${fwcmd} add 100 pass all from any to any via lo0
GP> ${fwcmd} add 200 deny all from any to 127.0.0.0/8
GP> ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any

GP> Here is my /etc/rc.conf setup:

GP> firewall_enable="YES"
GP> firewall_logging="YES"
GP> firewall_type="/etc/ipfw.rules"

You need the "firewall_script" variable.

GP> Here is my /etc/ipfw.rules:

GP> enterprise# more /etc/ipfw.rules
GP> # Loopback
GP> add 00001 allow ip from any to any via lo0
GP> # Office and Home
GP> add 00200 allow ip from xxx xxx xxx xxx xxx to any
GP> add 00201 allow ip from any to xxx xxx xxx xxx
GP> add 00202 allow all from xxx xxx xxx xxx to any
GP> add 00203 allow all from any to xxx xxx xxx xxx
GP> # Allow fxp0 out
GP> add 00204 allow all from any to any out
GP> # Allow local net
GP> add 02000 allow ip from any to any via fxp1
GP> # email
GP> add 04000 allow all from xxx xxx xxx xxx to any
GP> add 04010 allow all from any to xxx xxx xxx xxx
GP> add 04020 allow all from xxx xxx xxx xxx to any
GP> add 04030 allow all from any to xxx xxx xxx xxx
GP> add 04040 allow tcp from any to any 25,587
GP> add 04050 allow tcp from any 25,587 to any
GP> # Bruteblock
GP> add 08000 deny ip from table(1) to me
GP> add 08001 deny ip from me to table(1)
GP> add 09050 allow udp from any to any 53 in
GP> # Email Test
GP> add 09100 allow icmp from any to any icmptypes 0,3,4,5,8,9,10,11,12,13,14,15,16,17,18
GP> add 65535 deny ip from any to any

GP> Oddly enough, I have several machines that are set up identically and this is
GP> the only one that has sticky rules from /etc/rc.firewall.

GP> Any one have any idea what knob might have been turned that causes the
GP> sticky startup rules?

GP> -Grant

--
Regards,
 Коньков                          mailto:kes-kes@yandex.ru
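As an added illustration of the firewall_script suggestion (example code, not from either poster), the script below is what such a variable would point at: /etc/rc.d/ipfw runs the file named in firewall_script with /bin/sh instead of /etc/rc.firewall, so rc.firewall's setup_loopback rules are never installed, and the existing rules file in the thread's "add NNN ..." syntax is handed to ipfw(8) as a file argument. The variable names FWCMD and RULES and the path /usr/local/etc/ipfw.sh are assumptions for this example; the diagnostic function only reports the three rc.firewall loopback rules if they are still in the live ruleset.

```shell
#!/bin/sh
# Added example, not code from the thread. Intended rc.conf usage:
#   firewall_enable="YES"
#   firewall_script="/usr/local/etc/ipfw.sh"   # hypothetical path for this file
# rc.d/ipfw then runs this file instead of /etc/rc.firewall, so the
# setup_loopback rules 100/200/300 from rc.firewall are never added.

FWCMD="${FWCMD:-/sbin/ipfw}"        # assumed names; overridable for testing
RULES="${RULES:-/etc/ipfw.rules}"   # the rules file in "add NNN ..." syntax

# Flush the running ruleset and load the rules file. If the file is not
# readable, leave the current ruleset alone: a flush followed by nothing
# would leave only the default rule 65535 governing all traffic.
load_rules() {
    [ -r "$RULES" ] || { echo "load_rules: cannot read $RULES" >&2; return 1; }
    "$FWCMD" -q -f flush && "$FWCMD" -q "$RULES"
}

# Diagnostic for the symptom in the thread: print the numbers of any rules
# in the live ruleset that match rc.firewall's setup_loopback rules
# (ipfw list prints "pass all" as "allow ip"). Empty output means
# rc.firewall did not run, or its rules were flushed.
lingering_loopback_rules() {
    "$FWCMD" list | awk '
        $1 == "00100" && /from any to any via lo0/        { print $1 }
        $1 == "00200" && /from any to 127\.0\.0\.0\/8/     { print $1 }
        $1 == "00300" && /from 127\.0\.0\.0\/8 to any/     { print $1 }'
}

# Only act when invoked as root on a host that actually has ipfw
# (i.e. when rc.d/ipfw runs this script at boot).
if [ "$(id -u)" = 0 ] && [ -x "$FWCMD" ]; then
    load_rules
fi
```

After a reboot, an empty result from lingering_loopback_rules confirms that the ruleset came from the rules file alone.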