From owner-freebsd-questions@FreeBSD.ORG Tue May 3 21:07:49 2005
Date: Tue, 3 May 2005 23:59:15 +0300
From: Giorgos Keramidas
To: Nicholas Henry
cc: freebsd-questions@freebsd.org
Subject: Re: IPFW custom rules file not loading
Message-ID: <20050503205915.GA16309@gothmog.gr>

On 2005-05-03 15:18, Nicholas Henry wrote:
> May 3 14:25:22 babe kernel: firewall_enable: not found
> May 3 14:25:22 babe kernel: ipfw2 initialized, divert disabled, rule-based forwarding dis$
> May 3 14:25:22 babe kernel: Flushed all rules.
> May 3 14:25:22 babe kernel: Line 3:
> May 3 14:25:22 babe kernel: bad command `ipfw'
> May 3 14:25:22 babe kernel:
> May 3 14:25:22 babe kernel: Firewall rules loaded, starting divert daemons:
> May 3 14:25:22 babe kernel: firewall_enable: not found
> May 3 14:25:22 babe kernel: .
> May 3 14:25:22 babe kernel: net.inet.ip.fw.enable:
> May 3 14:25:22 babe kernel: 1
> May 3 14:25:22 babe kernel: ->
> May 3 14:25:22 babe kernel: 1
>
> I'm referring to the "bad command 'ipfw'" line. I'm also concerned
> about the "firewall_enable" not found message.

It's normal. You're using firewall_type and yet you have written a
firewall _script_ in /etc/ipfw.rules.

> ** start rc.conf snippet **
> firewall_enable="YES"
> firewall_script="/etc/rc.firewall"
> firewall_type="/etc/ipfw.rules"
> firewall_quiet="NO"
> firewall_logging="NO"
> firewall_flags=""
> ** end rc.conf snippet **

Your firewall_type points to a pathname, so the file should contain
rules in the form:

    add check-state
    add allow tcp from any to any 80 keep-state
    add deny ip from any to any

> ** start ipfw.rules **
>
> #!/bin/sh
> # Flush out the list before we begin.
> ipfw -q -f flush
>
> # Set rules command prefix
> cmd="ipfw -q add"
> skip="skipto 801"
> pif="fxp0" #found by doing a ifconfig or netstat -nr
> # public interface name of NIC

Your ipfw.rules file is written in the form of a firewall_script.

The difference between the two is small but important. A firewall_type
file contains just a set of rules that ipfw(8) will parse, without
intervention by a shell. A firewall_script is executed by the /bin/sh
shell, as a normal shell script. One example of what can be used as a
firewall_script is /etc/rc.firewall (in pre-5.X versions) or
/etc/rc.d/ipfw (in FreeBSD 5.X or later).
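The firewall_type-versus-firewall_script distinction from the reply above, as an added example that is not part of the original thread: a small sh helper that classifies a rules file by whether it needs a shell (shebang, variable assignments or expansions, explicit "ipfw" calls) and prints the rc.conf knob that matches. The function names and the two sample files are constructed for this example.

```shell
# Added example, not from the original thread: tell a firewall_type rule list
# apart from a firewall_script and print the matching rc.conf knob. Assumes the
# semantics in the reply (firewall_type = plain ipfw(8) command lines,
# firewall_script = /bin/sh script); function names and samples are constructed.

# "script" if the file needs a shell (shebang, variable assignment or
# expansion, explicit "ipfw" invocation), otherwise "rules".
classify_fw_file() {
    file="$1"
    if head -n 1 "$file" | grep -q '^#!'; then
        echo script
        return 0
    fi
    # Strip "#" comments, then look for shell constructs.
    if sed 's/#.*//' "$file" |
       grep -Eq '^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=|\$\{?[A-Za-z_]|^[[:space:]]*ipfw[[:space:]]'; then
        echo script
        return 0
    fi
    echo rules
}

# rc.conf lines for the file's form. A firewall_type file is handed straight
# to ipfw, so every line must be an ipfw command ("add ..."), never "ipfw add".
rc_conf_for() {
    case "$(classify_fw_file "$1")" in
        script) printf 'firewall_enable="YES"\nfirewall_script="%s"\n' "$1" ;;
        rules)  printf 'firewall_enable="YES"\nfirewall_type="%s"\n' "$1" ;;
    esac
}

# Constructed samples: a shell-style file like the poster's, and the same
# policy written as a plain rule list.
SAMPLE_DIR=$(mktemp -d)
SCRIPT_SAMPLE="$SAMPLE_DIR/ipfw.rules.sh"
RULES_SAMPLE="$SAMPLE_DIR/ipfw.rules"
cat > "$SCRIPT_SAMPLE" <<'EOF'
#!/bin/sh
ipfw -q -f flush
cmd="ipfw -q add"
pif="fxp0"
$cmd 00100 allow tcp from any to any 80 via $pif keep-state
EOF
cat > "$RULES_SAMPLE" <<'EOF'
# Plain ipfw command lines: no shell, no "ipfw" prefix.
add check-state
add allow tcp from any to any 80 via fxp0 keep-state
add deny ip from any to any
EOF
rc_conf_for "$SCRIPT_SAMPLE"
```

Running it prints the firewall_script form for the shell-style file; point rc_conf_for at the plain rule list instead and it prints the firewall_type form.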