Date:      Tue, 3 May 2005 23:59:15 +0300
From:      Giorgos Keramidas <keramida@ceid.upatras.gr>
To:        Nicholas Henry <nicholas.henry@gmail.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: IPFW custom rules file not loading
Message-ID:  <20050503205915.GA16309@gothmog.gr>
In-Reply-To: <ee11ef4a0505031218c9f64a5@mail.gmail.com>
References:  <ee11ef4a0505031218c9f64a5@mail.gmail.com>

On 2005-05-03 15:18, Nicholas Henry <nicholas.henry@gmail.com> wrote:
> May  3 14:25:22 babe kernel: firewall_enable: not found
> May  3 14:25:22 babe kernel: ipfw2 initialized, divert disabled, rule-based forwarding dis$
> May  3 14:25:22 babe kernel: Flushed all rules.
> May  3 14:25:22 babe kernel: Line 3:
> May  3 14:25:22 babe kernel: bad command `ipfw'
> May  3 14:25:22 babe kernel:
> May  3 14:25:22 babe kernel: Firewall rules loaded, starting divert daemons:
> May  3 14:25:22 babe kernel: firewall_enable: not found
> May  3 14:25:22 babe kernel: .
> May  3 14:25:22 babe kernel: net.inet.ip.fw.enable:
> May  3 14:25:22 babe kernel: 1
> May  3 14:25:22 babe kernel: ->
> May  3 14:25:22 babe kernel: 1
>
> I'm referring to the "bad command 'ipfw'" line. I'm also concerned
> about the "firewall_enable" not found message.

It's normal.  You're using firewall_type and yet you have written a
firewall _script_ in /etc/ipfw.rules.

> ** start rc.conf snippet **
> firewall_enable="YES"
> firewall_script="/etc/rc.firewall"
> firewall_type="/etc/ipfw.rules"
> firewall_quiet="NO"
> firewall_logging="NO"
> firewall_flags=""
> ** send rc.conf snippet **

Your firewall_type points to a pathname, so the file should contain
rules in the form:

	check-state
	add allow tcp from any to any 80 keep-state
	add block ip from any to any

> ** start ipfw.rules **
>
> #!/bin/sh
> # Flush out the list before we begin.
> ipfw -q -f flush
>
> # Set rules command prefix
> cmd="ipfw -q add"
> skip="skipto 801"
> pif="fxp0"   	#found by doing an ifconfig or netstat -nr
> 		# public interface name of NIC

Your ipfw.rules file is written in the form of a firewall_script.
The difference between the two is small but important.

A firewall_type file contains just a set of rules that ipfw(8) will
parse, without intervention by a shell.

A firewall_script is executed by the /bin/sh shell, as a normal shell
script.  One example of what can be used as a firewall_script is
/etc/rc.firewall (in pre-5.X versions) or /etc/rc.d/ipfw (in FreeBSD
5.X or later).
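An added example, not from the thread: a small POSIX sh lint that reads a candidate firewall_type file and flags the shell-only constructs (a shebang, a leading `ipfw`, variable assignments, `$` expansions) that make ipfw(8) complain with "bad command" when a script is handed to it as a rules file. The function name fw_type_lint, the temp-file names and the two sample file bodies are constructed for this example.

```shell
# Added lint, not from the thread: a firewall_type file is read by ipfw(8)
# line by line, so it must hold bare ipfw commands. Prints one
# "Line N: reason" per shell construct found; returns 0 if the file is
# clean, 1 otherwise. Blank lines and '#' comments are skipped.
fw_type_lint() {
    _file=$1 _n=0 _bad=0
    while IFS= read -r _line || [ -n "$_line" ]; do
        _n=$((_n + 1))
        set -f              # no globbing while we split the line into words
        set -- $_line       # $1 is the first word, leading blanks dropped
        set +f
        [ $# -eq 0 ] && continue                 # blank line
        case $1 in
            '#!'*) _msg="shebang, this is a shell script not a rules file" ;;
            '#'*)  continue ;;                   # comment line
            ipfw)  _msg="leading 'ipfw' (rc already runs ipfw on each line)" ;;
            *=*)   _msg="shell variable assignment" ;;
            *)     case $_line in
                       *'$'*) _msg="shell variable expansion" ;;
                       *)     continue ;;        # looks like an ipfw command
                   esac ;;
        esac
        echo "Line $_n: $_msg"
        _bad=1
    done < "$_file"
    return $_bad
}

# Constructed samples in temp files: a proper firewall_type rules file and
# the opening lines of the script-style ipfw.rules quoted in the thread.
FW_GOOD=$(mktemp); FW_BAD=$(mktemp)
cat > "$FW_GOOD" <<'EOF'
# rules only: what firewall_type="/etc/ipfw.rules" expects
check-state
add allow tcp from any to any 80 keep-state
  add allow ip from any to any via lo0
add deny ip from any to any
EOF
cat > "$FW_BAD" <<'EOF'
#!/bin/sh
# Flush out the list before we begin.
ipfw -q -f flush
cmd="ipfw -q add"
pif="fxp0"   # public interface
$cmd 00300 allow ip from any to any via $pif
EOF

fw_type_lint "$FW_GOOD" && echo "$FW_GOOD: usable as firewall_type"
fw_type_lint "$FW_BAD"  || echo "$FW_BAD: a script, point firewall_script at it instead"
```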
