Date:      Sat, 2 Mar 2002 08:50:18 -0800
From:      "Drew Tomlinson" <drew@mykitchentable.net>
To:        <questions@freebsd.org>
Subject:   Firewall Script Fails on Startup
Message-ID:  <006f01c1c20a$55f84500$1e01a8c0@lc.ca.gov>

Some time back, I created a firewall script called rc.firewall.current
based on info I found on the web.  At that time, I thought everything
was working and was satisfied that it ran at startup.  Yesterday, I had
to reboot my box.  Today I was reading the daily cron output and I found
that the firewall script failed and (because of my default accept) I was
wide open.  Here's the relevant part of the output:

> Flushed all rules.
> 00100
> allow
>  ip
>  from
> any
>  to
> any
>  via lo0
>
> 00200
> deny
>  ip
>  from
> any
>  to
> 127.0.0.0
> /8
>
> 00300
> deny
>  ip
>  from
> 127.0.0.0
> /8
>  to
> any
>
> ipfw:
> bad arguments, for usage summary ``ipfw''
>
> Firewall rules loaded, starting divert daemons:
> .
> Firewall logging=YES


I've done some poking around but can't figure out how to determine why
rc.firewall.current fails during startup, yet I can run "sh
/etc/rc.firewall/current" from the command line and everything works
without error.  Where is this logged?  I found the above stuff is in
/var/log/dmesg.today so I tried adding the -v flag to /bin/sh in
rc.network to see if I get some clues.  However, dmesg.today doesn't
change after a reboot.  Must be created from periodic.daily?

Anyway, here's the relevant output of rc.firewall.current when run from
the prompt.  On startup, it fails at rule 400.

blacksheep# sh -v /etc/rc.firewall.current

#       Force a flush of the current firewall rules before we reload
        $fwcmd -f flush
Flushed all rules.

#       Allow your loop back to work
        $fwcmd add allow all from any to any via lo0
00100 allow ip from any to any via lo0

#       Prevent spoofing of your loopback
        $fwcmd add deny log logamount 0 all from any to 127.0.0.0/8
00200 deny log ip from any to 127.0.0.0/8

#       Stop spoofing of your internal network range
        $fwcmd add deny log logamount 0 ip from $inwr to any in via $oif
00300 deny log ip from 192.168.1.0/24 to any in recv ed1

#       Stop spoofing from inside your private ip range
        $fwcmd add deny log logamount 0 ip from not $inwr to any in via
$iif
00400 deny log ip from not 192.168.1.0/24 to any in recv ed0

So what am I missing and where should I look to determine why this
script fails on startup but is OK when invoked from the command line?  I
thought maybe the script needed to be mode 755 instead of 644 but
rc.firewall is 644 so I don't think that's it.  Help please?

Thanks,

Drew


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
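The post above describes the risk precisely: a default-accept ipfw policy plus a rule script that dies part way through leaves the host wide open, and nothing noticed until the daily periodic output was read. The script below is an added example, not Drew's rc.firewall.current and not FreeBSD's own rc code. It shows a fail-closed pattern for this situation: refuse to build rules while any variable they depend on ($inwr, $oif, $iif) is empty, verify after loading that every expected rule number is actually present, and if either check fails, install a catch-all deny (rule 65000, a number chosen here as an assumption) so a partial load blocks rather than permits. The `fwcmd` shell function is a stand-in for `/sbin/ipfw` so the script runs offline; on a real host you would replace it with the real command.

```shell
#!/bin/sh
# Added example (not from the original post): load an ipfw-style ruleset so
# that a partially applied script fails closed instead of leaving a
# default-accept host open.

# Stand-in for "ipfw" so this runs offline: it records the rules it is asked
# to add and prints them back on "list". On a real host use /sbin/ipfw instead.
RULES=""
fwcmd() {
    case "$1" in
        -f)   [ "$2" = "flush" ] && RULES="" ;;
        add)  shift; RULES="$RULES
$*" ;;
        list) printf '%s\n' "$RULES" | sed '/^$/d' ;;
        *)    : ;;
    esac
}

# Return 0 if every named variable is set and non-empty, else 1.
# An empty $iif or $oif would otherwise turn "in via $iif" into "in via",
# which ipfw rejects with "bad arguments".
require_vars() {
    for v in "$@"; do
        eval "val=\${$v:-}"
        if [ -z "$val" ]; then
            echo "firewall: variable $v is unset; refusing to build rules" >&2
            return 1
        fi
    done
    return 0
}

# Return 0 if every rule number in $1 (space separated) appears in the
# "list" output, else 1. This is the check the boot-time failure lacked.
verify_rules() {
    listing=$(fwcmd list)
    for n in $1; do
        if ! printf '%s\n' "$listing" | grep -q "^$n "; then
            echo "firewall: rule $n missing after load" >&2
            return 1
        fi
    done
    return 0
}

# Install a catch-all deny so that whatever did load, nothing is open.
# Rule number 65000 is an assumption for this example.
fail_closed() {
    fwcmd add 65000 deny ip from any to any
}

# Load the ruleset; returns 0 only if every rule was verified present.
load_firewall() {
    if ! require_vars inwr oif iif; then
        fail_closed
        return 1
    fi
    fwcmd -f flush
    fwcmd add 00100 allow ip from any to any via lo0
    fwcmd add 00200 deny ip from any to 127.0.0.0/8
    fwcmd add 00300 deny ip from "$inwr" to any in via "$oif"
    fwcmd add 00400 deny ip from not "$inwr" to any in via "$iif"
    if ! verify_rules "00100 00200 00300 00400"; then
        fail_closed
        return 1
    fi
    return 0
}
```

With the real command, the unset-variable case is exactly the kind of boot-versus-interactive difference the post asks about: variables sourced in an interactive shell may not be available when the script runs from rc, and `require_vars` makes that fail loudly and closed instead of silently open.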




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?006f01c1c20a$55f84500$1e01a8c0>