Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 3 May 2005 15:18:25 -0400
From:      Nicholas Henry <nicholas.henry@gmail.com>
To:        freebsd-questions@freebsd.org
Subject:   IPFW custom rules file not loading
Message-ID:  <ee11ef4a0505031218c9f64a5@mail.gmail.com>

next in thread | raw e-mail | index | archive | help
FreeBSD 5.3-RELEASE #0: Fri Nov  5 04:19:18 UTC 2004

I'm a new BSD user installing the OS for the first time. Everything is
running well except the firewall. IPFW is not loading the custom rules
set I have created at startup/boot (although it does say it has but
when I ipfw list it only gives me the one default rule). I assume it
is related to this area that I received on the console:

May  3 14:25:22 babe kernel: firewall_enable: not found
May  3 14:25:22 babe kernel: ipfw2 initialized, divert disabled,
rule-based forwarding dis$
May  3 14:25:22 babe kernel: Flushed all rules.
May  3 14:25:22 babe kernel: Line 3:
May  3 14:25:22 babe kernel: bad command `ipfw'
May  3 14:25:22 babe kernel:=20
May  3 14:25:22 babe kernel: Firewall rules loaded, starting divert daemons=
:
May  3 14:25:22 babe kernel: firewall_enable: not found
May  3 14:25:22 babe kernel: .
May  3 14:25:22 babe kernel: net.inet.ip.fw.enable:
May  3 14:25:22 babe kernel: 1
May  3 14:25:22 babe kernel: ->
May  3 14:25:22 babe kernel: 1

I'm refering to the "bad command 'ipfw'" line. I'm also concerned
about the "firewall_enable" not found message.

I have included the relevant rc.conf setting and the custom rules file
(based on the ruleset from the handbook). I'm currently setting up a
firewall for this machine that is connected to a D-Link router.

My questions are: Why am I getting the bad command msg? Do I need to
be concerned about the "firewall_enabled: not found"

Any help would be much appreciated, thank you.

** start rc.conf snippet **

firewall_enable=3D"YES"          =20
firewall_script=3D"/etc/rc.firewall"=20
firewall_type=3D"/etc/ipfw.rules"
firewall_quiet=3D"NO"            =20
firewall_logging=3D"NO"         =20
firewall_flags=3D"" =20

** send rc.conf snippet **

** start ipfw.rules **

#!/bin/sh
# Flush out the list before we begin.
ipfw -q -f flush

# Set rules command prefix
cmd=3D"ipfw -q add"
skip=3D"skipto 801"
pif=3D"fxp0"   =09#found by doing a ifconfig or netstat -nr
=09=09# public interface name of NIC

#################################################################
# No restrictions on Inside LAN Interface for private network
# Change xl0 to your LAN NIC interface name
#################################################################
# $cmd 005 allow all from any to any via xl0
# don't have a separate interface so won't worry about this

#################################################################
# No restrictions on Loopback Interface
#################################################################
$cmd 010 allow all from any to any via lo0

#################################################################
# check if packet is inbound and nat address if it is
#################################################################
# $cmd 014 divert natd ip from any to any in via $pif

#################################################################
# Allow the packet through if it has previous been added to the
# the "dynamic" rules table by a allow keep-state statement.
#################################################################
$cmd 015 check-state

#################################################################
# Interface facing Public Internet (Outbound Section)
# Interrogate session start requests originating from behind the
# firewall on the private network or from this gateway server
# destine for the public Internet.
#################################################################

# Allow out access to my ISP's Domain name server.
# x.x.x.x must be the IP address of your ISP's DNS
# Dup these lines if your ISP has more than one DNS server
# Get the IP addresses from /etc/resolv.conf file
$cmd 020 $skip tcp from any to 24.153.22.67 53 out via $pif setup keep-stat=
e
$cmd 020 $skip tcp from any to 24.153.22.66 53 out via $pif setup keep-stat=
e


# Allow out access to my ISP's DHCP server for cable/DSL configurations.
# This is for the internal router
$cmd 030 $skip udp from any to 198.168.1.1 67 out via $pif keep-state

# Allow out non-secure standard www function
$cmd 040 $skip tcp from any to any 80 out via $pif setup keep-state
$cmd 040 $skip tcp from any to any 8989 out via $pif setup keep-state

# Allow out secure www function https over TLS SSL
$cmd 050 $skip tcp from any to any 443 out via $pif setup keep-state

# Allow out send & get email function
$cmd 060 $skip tcp from any to any 25 out via $pif setup keep-state
$cmd 061 $skip tcp from any to any 110 out via $pif setup keep-state

# Allow out FreeBSD (make install & CVSUP) functions
# Basically give user root "GOD" privileges.
$cmd 070 $skip tcp from me to any out via $pif setup keep-state uid root

# Allow out ping
$cmd 080 $skip icmp from any to any out via $pif keep-state

# Allow out Time
$cmd 090 $skip tcp from any to any 37 out via $pif setup keep-state

# Allow out nntp news (i.e. news groups)
$cmd 100 $skip tcp from any to any 119 out via $pif setup keep-state

# Allow out secure FTP, Telnet, and SCP
# This function is using SSH (secure shell)
$cmd 110 $skip tcp from any to any 22 out via $pif setup keep-state

# Allow out whois
$cmd 120 $skip tcp from any to any 43 out via $pif setup keep-state

# Allow ntp time server
$cmd 130 $skip udp from any to any 123 out via $pif keep-state

#################################################################
# Interface facing Public Internet (Inbound Section)
# Interrogate packets originating from the public Internet
# destine for this gateway server or the private network.
#################################################################

# Deny all inbound traffic from non-routable reserved address spaces
#$cmd 300 deny all from 192.168.0.0/16  to any in via $pif  #RFC 1918=20
#private IP
#$cmd 301 deny all from 172.16.0.0/12   to any in via $pif  #RFC 1918=20
#private IP
#$cmd 302 deny all from 10.0.0.0/8      to any in via $pif  #RFC 1918=20
#private IP
#$cmd 303 deny all from 127.0.0.0/8     to any in via $pif  #loopback
#$cmd 304 deny all from 0.0.0.0/8       to any in via $pif  #loopback
#$cmd 305 deny all from 169.254.0.0/16  to any in via $pif  #DHCP=20
#auto-config
#$cmd 306 deny all from 192.0.2.0/24    to any in via $pif  #reserved for=
=20
#docs
#$cmd 307 deny all from 204.152.64.0/23 to any in via $pif  #Sun cluster
#$cmd 308 deny all from 224.0.0.0/3     to any in via $pif  #Class D & E=20
#multicast

# Deny ident
$cmd 315 deny tcp from any to any 113 in via $pif

# Deny all Netbios service. 137=3Dname, 138=3Ddatagram, 139=3Dsession
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
$cmd 320 deny tcp from any to any 137 in via $pif
$cmd 321 deny tcp from any to any 138 in via $pif
$cmd 322 deny tcp from any to any 139 in via $pif
$cmd 323 deny tcp from any to any 81  in via $pif

# Deny any late arriving packets
$cmd 330 deny all from any to any frag in via $pif

# Deny ACK packets that did not match the dynamic rule table
$cmd 332 deny tcp from any to any established in via $pif

# Allow traffic in from ISP's DHCP server. This rule must contain
# the IP address of your ISP's DHCP server as it's the only
# authorized source to send this packet type.
# Only necessary for cable or DSL configurations.
# This rule is not needed for 'user ppp' type connection to
# the public Internet. This is the same IP address you captured
# and used in the outbound section.
$cmd 360 allow udp from 24.153.23.66 to any 68 in via $pif keep-state
$cmd 360 allow udp from 24.153.23.67 to any 68 in via $pif keep-state

# Allow in standard www function because I have Apache server
$cmd 370 allow tcp from any to me 80 in via $pif setup limit src-addr 2
$cmd 370 allow tcp from any to me 8989 in via $pif setup limit src-addr 2

# Allow in secure FTP, Telnet, and SCP from public Internet
$cmd 380 allow tcp from any to me 22 in via $pif setup limit src-addr 2

# Allow in non-secure Telnet session from public Internet
# labeled non-secure because ID & PW are passed over public
# Internet as clear text.
# Delete this sample group if you do not have telnet server enabled.
$cmd 390 allow tcp from any to me 23 in via $pif setup limit src-addr 2

# Reject & Log all unauthorized incoming connections from the public Intern=
et
$cmd 400 deny log all from any to any in via $pif

# Reject & Log all unauthorized out going connections to the public Interne=
t
$cmd 450 deny log all from any to any out via $pif

# This is skipto location for outbound stateful rules
# $cmd 800 divert natd ip from any to any out via $pif
$cmd 801 allow ip from any to any

# Everything else is denied by default
# deny and log all packets that fell through to see what they are
$cmd 999 deny log all from any to any


** end ipfw.rules **



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?ee11ef4a0505031218c9f64a5>