Date: Tue, 3 Apr 2007 21:11:49 -0300 From: AT Matik <asstec@matik.com.br> To: freebsd-ipfw@freebsd.org Cc: jonw@whoweb.com, Mike Makonnen <mtm@freebsd.org> Subject: Re: conf/78762: [ipfw] [patch] /etc/rc.d/ipfw should excecute $fire wall_script not read it Message-ID: <200704032111.50041.asstec@matik.com.br> In-Reply-To: <20070403154054.GA1468@rogue.navcom.lan> References: <200704021540.l32FerX8074400@freefall.freebsd.org> <20070 4030804.31819.asstec@matik.com.br> <20070403154054.GA1468@rogue.navcom.lan>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tuesday 03 April 2007 12:40, Mike Makonnen wrote:
> On Tue, Apr 03, 2007 at 08:04:31AM -0300, AT Matik wrote:
> > I see your point
> > but first tell me, how do you know that the rules are *successfully*
> > loaded?
>
> Sorry, I wrote that email from memory and thought that was how it operate=
d.
> However, what it does is output a warning if the last rule is to deny all
> packets (btw, is that correct? I thought ipfw operated on a "first-match"
> basis, so there could be rules before that one to allow certain packets.
> The more I look at it, the more bogus it looks to me, but I'm not
> an ipfw user so... <shrug>).
>
instead of discussing, here is my actual version of /etc/rc.d/ipfw. I inver=
ted=20
my personal choice of enabling ipfw before running the script into after. A=
t=20
the end it doesn't matter because the outcome is the same.
Also I think natd should not be run from ipfw script since there is=20
a /etc/rc.d/natd which in my opinion should have REQUIRE ipfw but not be=20
called by another rc.d script. So I do natd by it's own script only
ipfw_start () {
[ -z "${firewall_script}" ] && firewall_script=3D/etc/rc.firewall
if [ -r "${firewall_script}" ]; then
(sh - ${firewall_script})
echo -n 'firewall configured as type $firewall_type, rules=
=20
loaded'
else
echo 'ERROR: firewall script not found!'
echo 'You might have lost all Internet connections!'
fi
echo '.'
if checkyesno firewall_logging; then
if [ `sysctl -n net.inet.ip.fw.verbose` =3D "0" ]; then
${SYSCTL} net.inet.ip.fw.verbose=3D1 >/dev/null
echo 'Firewall logging enabled'
fi
fi
if [ `sysctl -n net.inet.ip.fw.enable` =3D "0" ]; then
${SYSCTL} net.inet.ip.fw.enable=3D1 >/dev/null
fi
}
Jo=E3o
> Anyways, I believe your original comment had to do with enabling the
> firewall in a precmd() subroutine. I suppose in the end it comes down to
> personal preference. It just seems "more correct" to me that the rules
> are loaded first and then the firewall is turned on, but I can see how
> someone else might disagree. I just thought
> of something else as well: Enabling the firewall and then loading the
> rules may introduce a brief window of vulnerablity where the firewall is
> enabled (default to allow) but no rules are loaded. Off course, enabling
> the firewall regardless of the outcome of the firewall script would
> probably introduce a much bigger window of vulnerability :-).
>
> In any case, since I'm not a regular ipfw user I don't feel comfortable
> making any more changes that might have unintended consequences. I'll
> leave it to someone more familiar with ipfw to comment on and commit any
> further changes.
>
> Cheers.
=2D-=20
A mensagem foi scaneada pelo sistema de e-mail e pode ser considerada segura.
Service fornecido pelo Datacenter Matik https://datacenter.matik.com.br
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200704032111.50041.asstec>