From owner-freebsd-ipfw Tue Feb 19 2:11:56 2002
Date: Tue, 19 Feb 2002 02:11:50 -0800
From: "Crist J. Clark"
To: ipfw@freebsd.org
Subject: Make rc.firewall Agree with Docs and an rc.firewall6 Question
Message-ID: <20020219021149.B48401@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
X-URL: http://people.freebsd.org/~cjc/

I'm planning on making rc.firewall comply more closely to the literal meaning and spirit of the documentation in rc.conf(5) and in-line. The only change of note is no longer making the loopback rules unconditional. The "UNKNOWN" type documented in-line should not do _any_ configuration. When a user loads their own configuration file, rc.firewall should not unconditionally load its loopback rules.

Index: src/etc/rc.firewall
===================================================================
RCS file: /export/ncvs/src/etc/rc.firewall,v
retrieving revision 1.44
diff -u -r1.44 rc.firewall
--- src/etc/rc.firewall	27 Dec 2001 05:40:09 -0000	1.44
+++ src/etc/rc.firewall	19 Feb 2002 09:05:50 -0000
@@ -76,6 +76,15 @@ # http://www.awlonline.com/product/0%2C2627%2C0201633574%2C00.html # +setup_loopback () { + ############ + # Only in rare cases do you want to change these rules + # + ${fwcmd} add 100 pass all from any to any via lo0 + ${fwcmd} add 200 deny all from any to 127.0.0.0/8 + ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any +} + if [ -n "${1}" ]; then firewall_type="${1}" fi @@ -125,18 +134,12 @@ # # ${fwcmd} add 65000 pass all from any to any -############ -# Only in rare cases do you want to change these rules -# -${fwcmd} add 100 pass all from any to any via lo0 -${fwcmd} add 200 deny all from any to 127.0.0.0/8 -${fwcmd} add 300 deny ip from 127.0.0.0/8 to any - # Prototype setups. # case ${firewall_type} in [Oo][Pp][Ee][Nn]) + setup_loopback ${fwcmd} add 65000 pass all from any to any ;; @@ -151,6 +154,8 @@ mask="255.255.255.0" ip="192.0.2.1" + setup_loopback + # Allow any traffic to or from my own net. ${fwcmd} add pass all from ${ip} to ${net}:${mask} ${fwcmd} add pass all from ${net}:${mask} to ${ip} @@ -200,6 +205,8 @@ imask="255.255.255.240" iip="192.0.2.17" + setup_loopback + # Stop spoofing ${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif} ${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif} 
@@ -281,6 +288,9 @@ # config file. ;; +[Cc][Ll][Oo][Ss][Ee][Dd]) + setup_loopback + ;; [Uu][Nn][Kk][Nn][Oo][Ww][Nn]) ;; *)

I was going to make the same kind of changes in the rc.firewall6 script, but I am a bit confused by one of the rules,

############
# Only in rare cases do you want to change these rules
#
${fw6cmd} add 100 pass all from any to any via lo0
#
# ND
#
# DAD
${fw6cmd} add pass ipv6-icmp from ff02::/16 to ::
${fw6cmd} add pass ipv6-icmp from :: to ff02::/16
# RS, RA, NS, NA, redirect...
${fw6cmd} add pass ipv6-icmp from fe80::/10 to fe80::/10
${fw6cmd} add pass ipv6-icmp from fe80::/10 to ff02::/16

I understand the first. I understand the last two (allow IPV6-ICMP from link-local unicast addresses to link-local unicast and multicast), and I understand the third (unspecified to link-local multicast). I don't understand the second. RFC2373 says,

  2.5.2 The Unspecified Address

  The address 0:0:0:0:0:0:0:0 is called the unspecified address.
  ...
  The unspecified address must not be used as the destination address
  of IPv6 packets or in IPv6 Routing Headers.

To my understanding, any packets matching that second rule are actually invalid.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
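Review bot: in the new setup_loopback function (first hunk, @@ -76,6 +76,15 @@), the fixed rule numbers 100, 200 and 300 only land ahead of a prototype's own rules because every prototype in this patch calls setup_loopback before its first unnumbered `${fwcmd} add` line; that ordering requirement is nowhere stated, so a comment inside the function (e.g. "call before adding any unnumbered rules") would keep a later edit from inserting rules in front of the 127.0.0.0/8 denies.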
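Review bot: the new CLOSED branch (@@ -281,6 +288,9 @@) keeps the loopback rules that the removed unconditional block used to give every type, but the `*)` branch that sources a user file now installs none, as the cover note intends; since any user file that relied on the old implicit rules 100-300 silently loses them, the in-line comment above the case and the firewall_type text in rc.conf(5) should state that a custom file must supply its own loopback rules.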
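As an added check, not part of this message or of rc.firewall6, the following Python classifies the source and destination of each quoted ND rule against the RFC 2373 address classes the message names (unspecified, link-local unicast fe80::/10, link-local multicast ff02::/16) and flags the rule whose destination is the unspecified address; the rule strings are a constructed copy of the four quoted lines with the `${fw6cmd} add` prefix and rule number dropped.

```python
import ipaddress
import re

# Constructed copy of the four ND rules quoted above, with the
# "${fw6cmd} add" prefix dropped; the rest of the syntax is assumed verbatim.
ND_RULES = [
    "pass ipv6-icmp from ff02::/16 to ::",
    "pass ipv6-icmp from :: to ff02::/16",
    "pass ipv6-icmp from fe80::/10 to fe80::/10",
    "pass ipv6-icmp from fe80::/10 to ff02::/16",
]

RULE_RE = re.compile(r"^\s*(pass|allow|deny)\s+(\S+)\s+from\s+(\S+)\s+to\s+(\S+)\s*$")
LINK_LOCAL_UNICAST = ipaddress.ip_network("fe80::/10")
LINK_LOCAL_MULTICAST = ipaddress.ip_network("ff02::/16")


def classify(operand):
    """Map an ipfw6 address operand to the RFC 2373 class it falls in."""
    if operand == "any":
        return "any"
    net = ipaddress.ip_network(operand, strict=False)
    if net.version != 6:
        return "ipv4"
    if net.prefixlen == 128 and net.network_address == ipaddress.IPv6Address("::"):
        return "unspecified"
    if net.subnet_of(LINK_LOCAL_UNICAST):
        return "link-local unicast"
    if net.subnet_of(LINK_LOCAL_MULTICAST):
        return "link-local multicast"
    return "other"


def check_rule(rule):
    """Return (src_class, dst_class, problems) for one rule string."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError("unparsed rule: %r" % rule)
    _action, _proto, src, dst = m.groups()
    src_cls, dst_cls = classify(src), classify(dst)
    problems = []
    # RFC 2373 2.5.2: the unspecified address must not be a destination.
    if dst_cls == "unspecified":
        problems.append("unspecified address used as destination")
    return src_cls, dst_cls, problems


def invalid_rules(rules):
    return [r for r in rules if check_rule(r)[2]]
```

Running invalid_rules(ND_RULES) returns only the second quoted rule, the one the message questions; the DAD rule with :: as source passes, since RFC 2373 restricts only the destination.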