From: "Drew Tomlinson"
Delivered-To: freebsd-questions@freebsd.org
Subject: Firewall Script Fails on Startup
Date: Sat, 2 Mar 2002 08:50:18 -0800
Message-ID: <006f01c1c20a$55f84500$1e01a8c0@lc.ca.gov>

Some time back, I created a firewall script called rc.firewall.current based on info I found on the web. At that time, I thought everything was working and was satisfied that it ran at startup.

Yesterday, I had to reboot my box. Today I was reading the daily cron output and I found that the firewall script failed and (because of my default accept) I was wide open. Here's the relevant part of the output:

> Flushed all rules.
> 00100
> allow
> ip
> from
> any
> to
> any
> via lo0
>
> 00200
> deny
> ip
> from
> any
> to
> 127.0.0.0
> /8
>
> 00300
> deny
> ip
> from
> 127.0.0.0
> /8
> to
> any
>
> ipfw:
> bad arguments, for usage summary ``ipfw''
>
> Firewall rules loaded, starting divert daemons:
> .
> Firewall logging=YES

I've done some poking around but can't figure out how to determine why rc.firewall.current fails during startup, yet I can run "sh /etc/rc.firewall/current" from the command line and everything works without error. Where is this logged? I found the above stuff is in /var/log/dmesg.today so I tried adding the -v flag to /bin/sh in rc.network to see if I get some clues. However, dmesg.today doesn't change after a reboot. Must be created from periodic.daily?

Anyway, here's the relevant output of rc.firewall.current when run from the prompt. On startup, it fails at rule 400.

blacksheep# sh -v /etc/rc.firewall.current
# Force a flush of the current firewall rules before we reload
$fwcmd -f flush
Flushed all rules.
# Allow your loop back to work
$fwcmd add allow all from any to any via lo0
00100 allow ip from any to any via lo0
# Prevent spoofing of your loopback
$fwcmd add deny log logamount 0 all from any to 127.0.0.0/8
00200 deny log ip from any to 127.0.0.0/8
# Stop spoofing of your internal network range
$fwcmd add deny log logamount 0 ip from $inwr to any in via $oif
00300 deny log ip from 192.168.1.0/24 to any in recv ed1
# Stop spoofing from inside your private ip range
$fwcmd add deny log logamount 0 ip from not $inwr to any in via $iif
00400 deny log ip from not 192.168.1.0/24 to any in recv ed0

So what am I missing and where should I look to determine why this script fails on startup but is OK when invoked from the command line? I thought maybe the script needed to be mode 755 instead of 644 but rc.firewall is 644 so I don't think that's it.

Help please?

Thanks,

Drew
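The risk in the post is that a ruleset which dies part-way through under a default-accept kernel leaves the host open until someone reads the cron mail. The script below is an added example, not the poster's rc.firewall.current or FreeBSD's own rc.firewall: it keeps the post's variable names ($fwcmd, $oif, $iif, $inwr) and its four rules, but checks that every variable a rule expands is set before anything is flushed, stops at the first rule ipfw rejects, and on any failure installs a catch-all deny so the box fails closed. The helper names (require_vars, load_ruleset, fail_closed, main), the FW_APPLY switch and the rule number 65000 are choices made for this example.

```shell
#!/bin/sh
# Fail-closed ipfw loader (added example, not the original poster's script).
# Variable names follow the post; helper names are hypothetical.

# Path to ipfw; may be overridden in the environment (e.g. with a stub) so
# the control flow can be exercised on a host without ipfw.
: "${fwcmd:=/sbin/ipfw}"

# require_vars NAME...: succeed only if every named shell variable is set and
# non-empty. At boot, variables that are present in an interactive shell may
# be unset, which is how a rule like "... in via $oif" turns into
# "ipfw: bad arguments". Missing names are reported on stderr.
require_vars() {
    _missing=""
    for _v in "$@"; do
        eval "_val=\${$_v}"          # names come from this script, not user input
        [ -n "$_val" ] || _missing="$_missing $_v"
    done
    if [ -n "$_missing" ]; then
        echo "firewall: required variable(s) unset:$_missing" >&2
        return 1
    fi
    return 0
}

# load_ruleset: the post's four rules, each checked, returning 1 at the first
# one ipfw refuses instead of silently carrying on with a partial set.
load_ruleset() {
    require_vars oif iif inwr || return 1
    "$fwcmd" -f flush || return 1
    # Allow loopback traffic
    "$fwcmd" add allow all from any to any via lo0 || return 1
    # Prevent spoofing of the loopback range
    "$fwcmd" add deny log logamount 0 all from any to 127.0.0.0/8 || return 1
    # Stop the internal range arriving on the outside interface
    "$fwcmd" add deny log logamount 0 ip from "$inwr" to any in via "$oif" || return 1
    # Stop foreign sources arriving on the inside interface
    "$fwcmd" add deny log logamount 0 ip from not "$inwr" to any in via "$iif" || return 1
    return 0
}

# fail_closed: with a default-accept kernel the implicit last rule is "allow";
# a deny just below it (65000, chosen for this example) blocks everything
# until an administrator repairs and reloads the ruleset.
fail_closed() {
    echo "firewall: ruleset incomplete, installing deny-all" >&2
    "$fwcmd" add 65000 deny log ip from any to any
}

# main: load the rules, falling back to deny-all on any failure.
main() {
    if load_ruleset; then
        echo "firewall: ruleset loaded" >&2
        return 0
    fi
    fail_closed
    return 1
}

# Only touch the firewall when explicitly asked (FW_APPLY=yes); otherwise the
# functions can be sourced and tested without running ipfw.
[ "${FW_APPLY:-no}" = "yes" ] && main
```

To use it as the poster does, set oif, iif and inwr (or source them from rc.conf) and run it with FW_APPLY=yes; run with fwcmd=echo first to see the exact ipfw command lines the script would issue without touching the live ruleset, which also makes an unset variable visible immediately instead of at the next reboot.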