To: current@freebsd.org
From: Ian FREISLICH
Date: Thu, 07 Dec 2006 11:26:32 +0200
Subject: /etc/rc.firewall and setup_loopback()

Hi

Is there any reason that /etc/rc.firewall calls setup_loopback immediately after the flush and not at the point that it configures firewall rules for which it is responsible? Some time in the recent past it started adding these loopback rules for the "file" firewall type, which is, in my opinion, an oversight. When the firewall rules are loaded verbatim from a file, I believe the maintainer of this file should be responsible for all rules and no other rules should be generated by the rc system.

Ian

-- 
Ian Freislich

--- /usr/src/etc/rc.firewall.orig Tue Oct 31 13:03:08 2006 +++ /usr/src/etc/rc.firewall.orig Thu Dec 7 11:24:09 2006 @@ -109,8 +109,6 @@ # ${fwcmd} -f flush -setup_loopback - ############ # Network Address Translation. All packets are passed to natd(8) # before they encounter your remaining rules. The firewall rules @@ -144,10 +142,12 @@ # case ${firewall_type} in [Oo][Pp][Ee][Nn]) + setup_loopback ${fwcmd} add 65000 pass all from any to any ;; [Cc][Ll][Ii][Ee][Nn][Tt]) + setup_loopback ############ # This is a prototype setup that will protect your system somewhat # against people from outside your own network. @@ -189,6 +189,7 @@ ;; [Ss][Ii][Mm][Pp][Ll][Ee]) + setup_loopback ############ # This is a prototype setup for a simple firewall. Configure this # machine as a DNS and NTP server, and point all the machines 
@@ -289,6 +290,7 @@ ;; [Ww][Oo][Rr][Kk][Ss][Tt][Aa][Tt][Ii][Oo][Nn]) + setup_loopback # Configuration: # firewall_myservices: List of TCP ports on which this host # offers services. @@ -381,9 +383,11 @@ ;; [Cc][Ll][Oo][Ss][Ee][Dd]) + setup_loopback ${fwcmd} add 65000 deny ip from any to any ;; [Uu][Nn][Kk][Nn][Oo][Ww][Nn]) + setup_loopback ;; *) if [ -r "${firewall_type}" ]; then
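Review bot: in the first hunk (@@ -109,8 +109,6 @@) the patch header names /usr/src/etc/rc.firewall.orig on both the --- and +++ lines, so as posted it describes a change to the backup copy rather than to /usr/src/etc/rc.firewall; regenerate it with the edited file on the +++ side before it is committed. The same hunk also moves the loopback rules from directly after `${fwcmd} -f flush` to after the NAT section, whose comment says all packets are passed to natd(8) before the remaining rules. Because ipfw evaluates rules by number rather than by the order they were added, this is behaviour-neutral only if setup_loopback's rules carry explicit numbers that keep their position relative to the natd rule; that is worth stating in the commit message so the move is not mistaken for a reordering.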
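Review bot: from the second hunk (@@ -144,10 +142,12 @@) onward every built-in type has to remember `setup_loopback` as its first statement (open and client here, simple, workstation, closed and unknown in the later hunks), which is easy to omit when the next type is added. Consider hoisting one `setup_loopback` call above the `case`, skipped only when `[ -r "${firewall_type}" ]` (the test the `*)` branch already uses), so the single exception lives in one place with the same result for the built-in types; failing that, a comment at the top of the `case` saying that only the file branch deliberately skips it.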
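Review bot: after the last hunk (@@ -381,9 +383,11 @@) the `*)` branch is the only one without `setup_loopback`, which is the intent of the change, but nothing in the file says so. Add a comment on that branch, and a note in the file header or the rc.conf(5) description of firewall_type, that a file-based rule set must supply its own loopback rules; anyone who has relied on the rc-generated ones since they started appearing for the file type will otherwise lose them silently on the next reboot.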
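To make the behaviour the message describes visible without touching a live firewall, here is an added illustration (not FreeBSD's rc.firewall and not the author's patch): a cut-down model of the firewall_type dispatch in which `${fwcmd}` is replaced by a recorder, so the rule set each type generates can be listed and counted. The rule numbers, the three loopback rules and the log path are assumptions for the demonstration; only the open, closed and file branches are modelled.

```shell
#!/bin/sh
# Added demo, not FreeBSD's rc.firewall: models how the firewall_type
# dispatch decides whether the rc system adds loopback rules. ipfw(8) is
# replaced by a recorder so nothing is applied to the running system.
# Rule numbers and the loopback rules below are assumptions for the demo.

RULE_LOG="${TMPDIR:-/tmp}/rc_firewall_demo.$$"

# Stand-in for ${fwcmd}: append each invocation to the log instead of running it.
fwcmd() {
    printf '%s\n' "$*" >> "$RULE_LOG"
}

# Same shape as setup_loopback in rc.firewall (numbers assumed): pass traffic
# on lo0, refuse anything claiming to be from or to the loopback network.
setup_loopback() {
    fwcmd add 100 pass all from any to any via lo0
    fwcmd add 200 deny all from any to 127.0.0.0/8
    fwcmd add 300 deny ip from 127.0.0.0/8 to any
}

# Generate and print the rule set for one firewall_type. Loopback rules are
# added only for the built-in types; a file-based rule set is loaded as-is.
generate_rules() {
    firewall_type="$1"
    : > "$RULE_LOG"
    fwcmd -f flush
    case "${firewall_type}" in
    [Oo][Pp][Ee][Nn])
        setup_loopback
        fwcmd add 65000 pass all from any to any
        ;;
    [Cc][Ll][Oo][Ss][Ee][Dd])
        setup_loopback
        fwcmd add 65000 deny ip from any to any
        ;;
    *)
        # "file" type: the maintainer of the file owns every rule, so the
        # rc system generates nothing beyond the flush.
        if [ -r "${firewall_type}" ]; then
            fwcmd "${firewall_type}"
        fi
        ;;
    esac
    cat "$RULE_LOG"
    rm -f "$RULE_LOG"
}

# How many rc-generated loopback rules a given firewall_type produces.
loopback_rule_count() {
    generate_rules "$1" | grep -c -e lo0 -e 127.0.0.0/8 || true
}

# Usage: generate_rules open        -> flush, three loopback rules, pass-all
#        generate_rules /path/rules -> flush, then the file handed to fwcmd
```

Running `loopback_rule_count` for a built-in type returns the three assumed loopback rules, while a readable file path returns zero: the file is handed to the recorder verbatim and nothing else is generated, which is the split the message argues for.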