Date:      Sun, 21 Sep 2014 18:52:17 +1000 (EST)
From:      Ian Smith <smithi@nimnet.asn.au>
To:        Hiroki Sato <hrs@freebsd.org>
Cc:        ipfw@freebsd.org
Subject:   Re: net.inet{,6}.fw.enable in /etc/rc
Message-ID:  <20140921182650.X61666@sola.nimnet.asn.au>
In-Reply-To: <20140921.145812.325633000583440554.hrs@allbsd.org>
References:  <20140921.145812.325633000583440554.hrs@allbsd.org>

On Sun, 21 Sep 2014 14:58:12 +0900, Hiroki Sato wrote:
 > Hi,
 >
 >  I would like your comments about the attached patch to /etc/rc.
 > 
 >  The problem I want to fix by this patch is as follows.
 >  net.inet{,6}.fw.enable are set to 1 by default at boot time if the IPFW
 >  kernel module is loaded or statically compiled into a kernel.  And by
 >  default IPFW has only a "deny ip from any to any" rule if it is
 >  compiled without IPFIREWALL_DEFAULT_TO_ACCEPT option.  In this case,
 >  the default-deny rule can prevent rc.d scripts before rc.d/ipfw from
 >  working as described in the patch.
 > 
 >  To fix this, the patch turns IPFW off before running rc.d scripts at
 >  boot time, and enables it again in rc.d/ipfw script.
 > 
 >  I think most users use GENERIC kernel + ipfw kernel module.  In
 >  that case, IPFW is not activated before rc.d/ipfw script regardless
 >  of this patch, so there is no user-visible change.  This patch
 >  affects only a combination of a kernel with IPFW compiled and rc.d
 >  scripts running before rc.d/ipfw.  The behavior will be almost the
 >  same as GENERIC kernel + ipfw kernel module's.
 > 
 >  Please let me know if I am missing something.
 > 
 > -- Hiroki

Sounds like a very good idea .. may explain some old bootup mysteries ..

 > +# Clear *.fw.enable sysctls.  At boot time, some of network initialization
 > +# before rc.d/ipfw script requires network communications (e.g. DHCP and
 > +# IPv6 Duplicate Address Detection).  When *.fw.enable=1 and "default deny"
 > +# policy was applied---this can happen when IPFW is complied into the kernel
 > +# or ipfw kernel module is loaded by loader before rc.d/ipfw runs, those
 > +# comminucations are blocked.  To prevent this, set *.fw.enable=0 before

Typo trivia: communications

 > +# calling rc.d scripts.  The rc.d/ipfw script set this to 1 after
 > +# configuration.
 > +/sbin/sysctl -q net.inet.ip.fw.enable=0
 > +/sbin/sysctl -q net.inet6.ip6.fw.enable=0
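Review bot: the two sysctl lines at the end of this hunk are run unconditionally from /etc/rc, but net.inet.ip.fw.enable and net.inet6.ip6.fw.enable only exist when ipfw is compiled in or already loaded, and `-q` does not turn an unknown OID into a success; use `/sbin/sysctl -iq net.inet.ip.fw.enable=0` (and the same for the IPv6 OID), or append `|| true`, so a GENERIC kernel without the module does not report an error on every boot. The comment should also say plainly what the change means for a kernel built with default deny: the firewall is fail-open for every rc.d script that runs before rc.d/ipfw, and the sysctls stay at 0 until rc.d/ipfw sets them back to 1, so an administrator who built the kernel that way knows the early-boot window is now unfiltered. Two typos in the comment, "complied" for "compiled" and "comminucations" for "communications", and "The rc.d/ipfw script set this to 1" should read "sets this to 1".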

These OIDs only exist on systems with ipfw loaded or in-kernel.

Use either 'sysctl -iq .. ', or add '|| true' to both of those?

cheers, Ian
