From owner-freebsd-ipfw  Tue Feb 19  2:11:56 2002
Delivered-To: freebsd-ipfw@freebsd.org
Received: from rwcrmhc54.attbi.com (rwcrmhc54.attbi.com [216.148.227.87])
	by hub.freebsd.org (Postfix) with ESMTP id 7A12137B404
	for <ipfw@freebsd.org>; Tue, 19 Feb 2002 02:11:50 -0800 (PST)
Received: from blossom.cjclark.org ([12.234.91.48]) by rwcrmhc54.attbi.com
          (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP
          id <20020219101150.ZJYR1214.rwcrmhc54.attbi.com@blossom.cjclark.org>
          for <ipfw@freebsd.org>; Tue, 19 Feb 2002 10:11:50 +0000
Received: (from cjc@localhost)
	by blossom.cjclark.org (8.11.6/8.11.6) id g1JABo439550
	for ipfw@freebsd.org; Tue, 19 Feb 2002 02:11:50 -0800 (PST)
	(envelope-from cjc)
Date: Tue, 19 Feb 2002 02:11:50 -0800
From: "Crist J. Clark" <crist.clark@attbi.com>
To: ipfw@freebsd.org
Subject: Make rc.firewall Agree with Docs and an rc.firewall6 Question
Message-ID: <20020219021149.B48401@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
X-URL: http://people.freebsd.org/~cjc/
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-ipfw.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-ipfw>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-ipfw>
X-Loop: FreeBSD.ORG

I'm planning on making rc.firewall comply more closely to the literal
meaning and spirit of the documentation in rc.conf(5) and in-line. The
only change of note is no longer making the loopback rules
unconditional. The "UNKNOWN" type documented in-line should not do
_any_ configuration. When a user loads their own configuration file,
rc.firewall should not uncoditionally load its loopback rules.

Index: src/etc/rc.firewall
===================================================================
RCS file: /export/ncvs/src/etc/rc.firewall,v
retrieving revision 1.44
diff -u -r1.44 rc.firewall
--- src/etc/rc.firewall	27 Dec 2001 05:40:09 -0000	1.44
+++ src/etc/rc.firewall	19 Feb 2002 09:05:50 -0000
@@ -76,6 +76,15 @@
 #	http://www.awlonline.com/product/0%2C2627%2C0201633574%2C00.html
 #
 
+setup_loopback () {
+	############
+	# Only in rare cases do you want to change these rules
+	#
+	${fwcmd} add 100 pass all from any to any via lo0
+	${fwcmd} add 200 deny all from any to 127.0.0.0/8
+	${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
+}
+
 if [ -n "${1}" ]; then
 	firewall_type="${1}"
 fi
@@ -125,18 +134,12 @@
 #
 # ${fwcmd} add 65000 pass all from any to any
 
-############
-# Only in rare cases do you want to change these rules
-#
-${fwcmd} add 100 pass all from any to any via lo0
-${fwcmd} add 200 deny all from any to 127.0.0.0/8
-${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
-
 
 # Prototype setups.
 #
 case ${firewall_type} in
 [Oo][Pp][Ee][Nn])
+	setup_loopback
 	${fwcmd} add 65000 pass all from any to any
 	;;
 
@@ -151,6 +154,8 @@
 	mask="255.255.255.0"
 	ip="192.0.2.1"
 
+	setup_loopback
+
 	# Allow any traffic to or from my own net.
 	${fwcmd} add pass all from ${ip} to ${net}:${mask}
 	${fwcmd} add pass all from ${net}:${mask} to ${ip}
@@ -200,6 +205,8 @@
 	imask="255.255.255.240"
 	iip="192.0.2.17"
 
+	setup_loopback
+
 	# Stop spoofing
 	${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
 	${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}
@@ -281,6 +288,9 @@
 	# config file.
 	;;
 
+[Cc][Ll][Oo][Ss][Ee][Dd])
+	setup_loopback
+	;;
 [Uu][Nn][Kk][Nn][Oo][Ww][Nn])
 	;;
 *)

I was going to make the same kind of changes in the rc.firewall6
script, but I am a bit confused by one of the rules,

############
# Only in rare cases do you want to change these rules
#
${fw6cmd} add 100 pass all from any to any via lo0
#
# ND
#
# DAD
${fw6cmd} add pass ipv6-icmp from ff02::/16 to ::
${fw6cmd} add pass ipv6-icmp from :: to ff02::/16
# RS, RA, NS, NA, redirect...
${fw6cmd} add pass ipv6-icmp from fe80::/10 to fe80::/10
${fw6cmd} add pass ipv6-icmp from fe80::/10 to ff02::/16

I understand the first. I understand the last two (allow IPV6-ICMP
from link-local unicast addresses to link-local unicast and
multicast), and I understand the third (unspecified to link-local
multicast). I don't understand the second. RFC2373 says,

2.5.2 The Unspecified Address

   The address 0:0:0:0:0:0:0:0 is called the unspecified address.
   ...

   The unspecified address must not be used as the destination address
   of IPv6 packets or in IPv6 Routing Headers.

To my understanding, any packets matching that second rule are
actually invalid.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message