Re: IPFW at startup.

2010-11-15 Thread Wojciech Puchar

simply edit /etc/rc.d/ipfw and make it do only what you want.

On Sun, 14 Nov 2010, Grant Peel wrote:


Hi all,

I seem to have one server that does not flush the /etc/rc.firewall rules when 
the script taken from firewall_type starts up. That is to say when I boot 
the machine, 3 rules seem to be still in the list when I do an ipfw -a list. 
Those three rules appear to be from the /etc/rc.firewall script. The rules 
from my /etc/ipfw.rules file DO get loaded.


Here are the three rules (100, 200, and 300), from /etc/rc.firewall.

setup_loopback () {
  
  # Only in rare cases do you want to change these rules
  #
  ${fwcmd} add 100 pass all from any to any via lo0
  ${fwcmd} add 200 deny all from any to 127.0.0.0/8
  ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any

Here is my /etc/rc.conf setup:

firewall_enable=YES
firewall_logging=YES
firewall_type=/etc/ipfw.rules

Here is my /etc/ipfw.rules:

enterprise# more /etc/ipfw.rules
# Loopback
add 1 allow ip from any to any via lo0
# Office and Home
add 00200 allow ip from xxx xxx xxx xxx xxx to any
add 00201 allow ip from any to xxx xxx xxx xxx
add 00202 allow all from xxx xxx xxx xxx to any
add 00203 allow all from any to xxx xxx xxx xxx
# Allow fxp0 out
add 00204 allow all from any to any out
# Allow local net
add 02000 allow ip from any to any via fxp1
# email
add 04000 allow all from xxx xxx xxx xxx to any
add 04010 allow all from any to xxx xxx xxx xxx
add 04020 allow all from xxx xxx xxx xxx to any
add 04030 allow all from any to xxx xxx xxx xxx
add 04040 allow tcp from any to any 25,587
add 04050 allow tcp from any 25,587 to any
# Bruteblock
add 08000 deny ip from table(1) to me
add 08001 deny ip from me to table(1)
add 09050 allow udp from any to any 53 in
# Email Test
add 09100 allow icmp from any to any icmptypes 0,3,4,5,8,9,10,11,12,13,14,15,16,17,18

add 65535 deny ip from any to any

Oddly enough, I have several machines that are set up identically and this is the 
only one that has sticky rules from /etc/rc.firewall.


Anyone have any idea what knob might have been turned that causes the sticky 
startup rules?


-Grant 
___

freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org





Re: IPFW at startup.

2010-11-15 Thread Chris Rees
It's not a great idea to hack the rc.d scripts, they can be clobbered when
updating.

Chris



Sorry for top-posting, Android won't let me quote, but K-9 can't yet do
threading.

On 15 Nov 2010 08:45, Wojciech Puchar woj...@tensor.gdynia.pl wrote:

simply edit /etc/rc.d/ipfw and make it doing only what you want.



On Sun, 14 Nov 2010, Grant Peel wrote:

 Hi all,

 I seem to have one server that does not flus...


Re: IPFW at startup.

2010-11-15 Thread Ian Smith
In freebsd-questions Digest, Vol 337, Issue 1, Message: 15
On Sun, 14 Nov 2010 17:50:47 -0500 Grant Peel gp...@thenetnow.com wrote:
  
  I seem to have one server that does not flush the /etc/rc.firewall rules 
  when the script taken from firewall_type starts up. That is to say when I 
  boot the machine, 3 rules seem to be still in the list when I do an ipfw -a 
  list. Those three rules appear to be from the /etc/rc.firewall script. The 
  rules from my /etc/ipfw.rules file DO get loaded.
  
  Here are the three rules (100, 200, and 300), from /etc/rc.firewall.
  
  setup_loopback () {
  
  # Only in rare cases do you want to change these rules
  #
  ${fwcmd} add 100 pass all from any to any via lo0
  ${fwcmd} add 200 deny all from any to 127.0.0.0/8
  ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
  
  Here is my /etc/rc.conf setup:
  
  firewall_enable=YES
  firewall_logging=YES
  firewall_type=/etc/ipfw.rules
  
  Here is my /etc/ipfw.rules:
  
  enterprise# more /etc/ipfw.rules
  # Loopback
  add 1 allow ip from any to any via lo0
  # Office and Home

Ok, looking through your /etc/rc.firewall you should find:

  
  # Flush out the list before we begin.
  #
  ${fwcmd} -f flush

  setup_loopback

which installs those rules straight after the flush.  Browsing bits of 
http://www.freebsd.org/cgi/cvsweb.cgi/src/etc/rc.firewall shows the last 
version that does NOT run setup_loopback in ALL cases is RELENG_6.

Anyway, apart from the fact that rules 200 and 300 are worth having, all 
you need to do to remove those rules is to make your first rule:

-f flush

I'll refrain from comment on your ruleset, except that:

  add 65535 deny ip from any to any

you can't actually override the default rule, which is either 'deny' or 
'allow' according to the value of net.inet.ip.fw.default_to_accept which 
depends on a kernel build option, so you might use say 65000 to be sure.

  Oddly enough, I have several machines that are set up identically and this is 
  the only one that has sticky rules from /etc/rc.firewall.
  
  Anyone have any idea what knob might have been turned that causes the 
  sticky startup rules?

If those systems are >= 7.0, maybe they have an older /etc/rc.firewall?

cheers, Ian


Re: IPFW at startup.

2010-11-15 Thread Коньков Евгений
Hello, Grant.

You wrote on 15 November 2010 at 0:50:47:

GP Hi all,

GP I seem to have one server that does not flush the /etc/rc.firewall rules
GP when the script taken from firewall_type starts up. That is to say when I
GP boot the machine, 3 rules seem to be still in the list when I do an ipfw -a
GP list. Those three rules appear to be from the /etc/rc.firewall script. The
GP rules from my /etc/ipfw.rules file DO get loaded.

GP Here are the three rules (100, 200, and 300), from /etc/rc.firewall.

GP setup_loopback () {
GP 
GP # Only in rare cases do you want to change these rules
GP #
GP ${fwcmd} add 100 pass all from any to any via lo0
GP ${fwcmd} add 200 deny all from any to 127.0.0.0/8
GP ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any

GP Here is my /etc/rc.conf setup:

GP firewall_enable=YES
GP firewall_logging=YES
GP firewall_type=/etc/ipfw.rules
you need the firewall_script variable

GP Here is my /etc/ipfw.rules:

GP enterprise# more /etc/ipfw.rules
GP # Loopback
GP add 1 allow ip from any to any via lo0
GP # Office and Home
GP add 00200 allow ip from xxx xxx xxx xxx xxx to any
GP add 00201 allow ip from any to xxx xxx xxx xxx
GP add 00202 allow all from xxx xxx xxx xxx to any
GP add 00203 allow all from any to xxx xxx xxx xxx
GP # Allow fxp0 out
GP add 00204 allow all from any to any out
GP # Allow local net
GP add 02000 allow ip from any to any via fxp1
GP # email
GP add 04000 allow all from xxx xxx xxx xxx to any
GP add 04010 allow all from any to xxx xxx xxx xxx
GP add 04020 allow all from xxx xxx xxx xxx to any
GP add 04030 allow all from any to xxx xxx xxx xxx
GP add 04040 allow tcp from any to any 25,587
GP add 04050 allow tcp from any 25,587 to any
GP # Bruteblock
GP add 08000 deny ip from table(1) to me
GP add 08001 deny ip from me to table(1)
GP add 09050 allow udp from any to any 53 in
GP # Email Test
GP add 09100 allow icmp from any to any icmptypes 0,3,4,5,8,9,10,11,12,13,14,15,16,17,18
GP add 65535 deny ip from any to any

GP Oddly enough, I have several machines that are set up identically and this is
GP the only one that has sticky rules from /etc/rc.firewall.

GP Anyone have any idea what knob might have been turned that causes the
GP sticky startup rules?

GP -Grant 





-- 
Best regards,
 Коньков  mailto:kes-...@yandex.ru



Re: IPFW at startup.

2010-11-15 Thread Dave Robison
I haven't seen someone use firewall_type as a path to the config file. 
If you check the default rc.firewall file, you will see several types of 
default firewall settings, such as "open" and "closed". You want to set 
firewall_type in rc.conf to be "open" or whatever your firewall type 
is in /etc/rc.firewall.


You can probably get away with editing your existing rc.firewall to 
include a firewall type, such as "custom", then defining firewall_type 
as "custom" in /etc/rc.conf.


Enjoy,


On 11/14/10 14:50, Grant Peel wrote:

Hi all,

I seem to have one server that does not flush the /etc/rc.firewall 
rules when the script taken from firewall_type starts up. That is 
to say when I boot the machine, 3 rules seem to be still in the list 
when I do an ipfw -a list. Those three rules appear to be from the 
/etc/rc.firewall script. The rules from my /etc/ipfw.rules file DO get 
loaded.


Here are the three rules (100, 200, and 300), from /etc/rc.firewall.

setup_loopback () {
   
   # Only in rare cases do you want to change these rules
   #
   ${fwcmd} add 100 pass all from any to any via lo0
   ${fwcmd} add 200 deny all from any to 127.0.0.0/8
   ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any

Here is my /etc/rc.conf setup:

firewall_enable=YES
firewall_logging=YES
firewall_type=/etc/ipfw.rules

Here is my /etc/ipfw.rules:

enterprise# more /etc/ipfw.rules
# Loopback
add 1 allow ip from any to any via lo0
# Office and Home
add 00200 allow ip from xxx xxx xxx xxx xxx to any
add 00201 allow ip from any to xxx xxx xxx xxx
add 00202 allow all from xxx xxx xxx xxx to any
add 00203 allow all from any to xxx xxx xxx xxx
# Allow fxp0 out
add 00204 allow all from any to any out
# Allow local net
add 02000 allow ip from any to any via fxp1
# email
add 04000 allow all from xxx xxx xxx xxx to any
add 04010 allow all from any to xxx xxx xxx xxx
add 04020 allow all from xxx xxx xxx xxx to any
add 04030 allow all from any to xxx xxx xxx xxx
add 04040 allow tcp from any to any 25,587
add 04050 allow tcp from any 25,587 to any
# Bruteblock
add 08000 deny ip from table(1) to me
add 08001 deny ip from me to table(1)
add 09050 allow udp from any to any 53 in
# Email Test
add 09100 allow icmp from any to any icmptypes 0,3,4,5,8,9,10,11,12,13,14,15,16,17,18

add 65535 deny ip from any to any

Oddly enough, I have several machines that are set up identically and this 
is the only one that has sticky rules from /etc/rc.firewall.


Anyone have any idea what knob might have been turned that causes the 
sticky startup rules?


-Grant




--
Dave Robison
Sales Solution Architect II
FIS Banking Solutions
510/621-2089 (w)
530/518-5194 (c)
510/621-2020 (f)
da...@vicor.com

This message contains confidential and proprietary information
of the sender, and is intended only for the person(s) to whom
it is addressed. Any use, distribution, copying or disclosure
by any other person is strictly prohibited. If you have
received this message in error, please notify the e-mail sender
immediately, and delete the original message without making a
copy.


_

The information contained in this message is proprietary and/or confidential. 
If you are not the intended recipient, please: (i) delete the message and all 
copies; (ii) do not disclose, distribute or use the message in any manner; and 
(iii) notify the sender immediately. In addition, please be aware that any 
message addressed to our domain is subject to archiving and review by persons 
other than the intended recipient. Thank you.
_


Re: IPFW at startup.

2010-11-15 Thread Chuck Swiger
Hi--

On Nov 15, 2010, at 10:52 AM, Dave Robison wrote:
 I haven't seen someone use firewall_type as a path to the config file. If 
 you check the default rc.firewall file, you will see several types of default 
 firewall settings, such as "open" and "closed". You want to set 
 firewall_type in rc.conf to be "open" or whatever your firewall type is in 
 /etc/rc.firewall.

If you set both of these in /etc/rc.conf:

firewall_type="/etc/FW1.ipfw"
firewall_flags="-p cpp"

...then /etc/FW1_firewall will be processed by cpp (ie, so you can use #include 
directives, C-style macros, etc) before going to IPFW.

This is probably more obscure than useful for human-edited rulesets :-), but 
for automated processing and accumulating lists of bad hosts via denyhosts or 
similar, it can be useful.

Regards,
-- 
-Chuck



Re: IPFW at startup.

2010-11-15 Thread David Kelly
On Mon, Nov 15, 2010 at 10:52:41AM -0800, Dave Robison wrote:
 I haven't seen someone use firewall_type as a path to the config
 file. If you check the default rc.firewall file, you will see several
 types of default firewall settings, such as "open" and "closed". You
 want to set firewall_type in rc.conf to be "open" or whatever your
 firewall type is in /etc/rc.firewall.

What he needs to do is use firewall_script=/etc/ipfw.rules rather than
firewall_type=

-- 
David Kelly N4HHE, dke...@hiwaay.net

Whom computers would destroy, they must first drive mad.


Re: IPFW at startup.

2010-11-15 Thread Ian Smith
In freebsd-questions Digest, Vol 337, Issue 2, Message: 26
On Mon, 15 Nov 2010 10:52:41 -0800 Dave Robison da...@vicor.com wrote:

  I haven't seen someone use firewall_type as a path to the config file. 

It's not so uncommon.  Anyone who's based their ruleset on the handbook 
section on IPFW will likely be using this method, and Grant has used it 
correctly.  This is only applicable where $firewall_script is set to 
'/etc/rc.firewall', but that is the default in /etc/defaults/rc.conf

  If you check the default rc.firewall file, you will see several types of 
  default firewall settings, such as "open" and "closed". You want to set 
  firewall_type in rc.conf to be "open" or whatever your firewall type 
  is in /etc/rc.firewall.

Please note the last section in rc.firewall, which specifically tests 
whether $firewall_type is a readable file, and if so, passes that file 
as an argument to ipfw(8) (qv).

    *)
        if [ -r "${firewall_type}" ]; then
            ${fwcmd} ${firewall_flags} ${firewall_type}
        fi
        ;;
    esac

Also note that in this case, the file is not a shell script, but a set 
of arguments to the ipfw command.  Grant's set is in the correct format.

  You can probably get away with editing your existing rc.firewall to 
  include a firewall type, such as "custom", then defining firewall_type 
  as "custom" in /etc/rc.conf.

You could, but it's not necessary.  In the olden days you more or less 
had to do that, but nowadays you can specify parameters for the client, 
simple and workstation types, so you can get a minimal reasonably safe 
and effective firewall going, at least for starters, just using rc.conf 
variables.  This also means you can avoid messing with rc.firewall, so 
that system updates will properly bring in any changes and additions.

The documentation for this is so far really only in /etc/rc.firewall 
itself and in /etc/defaults/rc.conf .. perhaps one day $someone will 
re-write the Handbook IPFW section; meanwhile ipfw(8) is definitive.

You can also start out using one of the builtin types, then save it to a 
file with 'ipfw list > file', then modify things in there, add comments 
etc, then specify that file as firewall_type henceforth.  Or, as Chuck 
has shown, you can get really fancy and use some preprocessor :)

cheers, Ian

PS: Please don't top-post on FreeBSD lists, and if at all possible avoid 
posting multiple disclaimers, that are in any case entirely inapplicable 
to public list postings.
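The two concrete points in Ian's replies (the rules file named by firewall_type is a plain list of ipfw(8) arguments handed to ipfw by rc.firewall, so its first line should be "-f flush" if the setup_loopback rules are not wanted; and rule 65535 is the kernel's default rule, which a rules file cannot replace) lend themselves to a small pre-commit check. The script below is an added example, not code from any poster or from FreeBSD; it only reads a rules file and never invokes ipfw, so it runs on any POSIX shell. All function names are the example's own, and the two sample rule files are constructed here, loosely modelled on Grant's file with 192.0.2.0/24 standing in for his redacted addresses.

```shell
#!/bin/sh
# Added example (not from the thread): lint an ipfw(8) rules file of the
# kind used with firewall_type=/etc/ipfw.rules, i.e. one ipfw command per
# line, "#" comments allowed. Checks drawn from the thread:
#   1. the first effective line should be "-f flush", otherwise the rules
#      /etc/rc.firewall installs before reading the file (100/200/300) stay;
#   2. rule 65535 is the kernel default rule and cannot be replaced, so a
#      catch-all must use a lower number (Ian suggests 65000);
#   3. whether the file carries its own equivalent of rc.firewall's 200/300
#      (deny traffic to or from 127.0.0.0/8 that is not on the loopback).

# Print the effective lines of a rules file: comments and blanks removed,
# surrounding whitespace trimmed.
ipfw_rules_lines() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
        grep -v '^$' || :
}

# Return 0 if the first effective line flushes the ruleset without a prompt.
ipfw_first_line_flushes() {
    first=$(ipfw_rules_lines "$1" | head -n 1)
    case "$first" in
        "-f flush"|"-q -f flush"|"-f -q flush") return 0 ;;
        *) return 1 ;;
    esac
}

# Print every "add" rule number that is >= 65535 (leading zeros such as
# 00200 are handled by the numeric comparison).
ipfw_bad_rule_numbers() {
    ipfw_rules_lines "$1" |
        awk '$1 == "add" && $2 ~ /^[0-9]+$/ && $2 + 0 >= 65535 { print $2 }'
}

# Return 0 if the file denies traffic both to and from 127.0.0.0/8,
# which is what rc.firewall's rules 200 and 300 do.
ipfw_has_loopback_guards() {
    body=$(ipfw_rules_lines "$1")
    echo "$body" | grep -Eq '^add [0-9]+ deny (ip|all) from any to 127\.0\.0\.0/8' || return 1
    echo "$body" | grep -Eq '^add [0-9]+ deny (ip|all) from 127\.0\.0\.0/8 to any' || return 1
    return 0
}

# Print one line per finding; always returns 0 so it is safe under set -e.
ipfw_lint() {
    if ! ipfw_first_line_flushes "$1"; then
        echo "$1: first line is not '-f flush'; rules left by /etc/rc.firewall will persist"
    fi
    for r in $(ipfw_bad_rule_numbers "$1"); do
        echo "$1: rule $r cannot replace the kernel default rule; use e.g. 65000"
    done
    if ! ipfw_has_loopback_guards "$1"; then
        echo "$1: no deny rules for 127.0.0.0/8 off the loopback; consider keeping rc.firewall's 200/300"
    fi
    return 0
}

# Number of findings, as a plain integer.
ipfw_lint_count() {
    echo $(( $(ipfw_lint "$1" | wc -l) ))
}

# Constructed sample in the shape of the file posted in the thread.
SAMPLE_BEFORE=$(mktemp)
cat > "$SAMPLE_BEFORE" <<'EOF'
# Loopback
add 1 allow ip from any to any via lo0
# Office and Home (constructed addresses)
add 00200 allow ip from 192.0.2.0/24 to any
add 00201 allow ip from any to 192.0.2.0/24
add 04040 allow tcp from any to any 25,587
add 08000 deny ip from table(1) to me
add 65535 deny ip from any to any
EOF

# The same ruleset with the thread's suggestions applied.
SAMPLE_AFTER=$(mktemp)
cat > "$SAMPLE_AFTER" <<'EOF'
-f flush
add 100 allow ip from any to any via lo0
add 200 deny ip from any to 127.0.0.0/8
add 300 deny ip from 127.0.0.0/8 to any
add 00201 allow ip from any to 192.0.2.0/24
add 04040 allow tcp from any to any 25,587
add 08000 deny ip from table(1) to me
add 65000 deny ip from any to any
EOF
trap 'rm -f "$SAMPLE_BEFORE" "$SAMPLE_AFTER"' EXIT

ipfw_lint "$SAMPLE_BEFORE"          # three findings
ipfw_lint "$SAMPLE_AFTER"           # no output: clean
```

Run it against your own file with `ipfw_lint /etc/ipfw.rules` after sourcing the script; the loopback check only looks for the two literal deny forms rc.firewall uses, so a ruleset that guards 127.0.0.0/8 some other way will be reported even though it is fine.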


IPFW at startup.

2010-11-14 Thread Grant Peel

Hi all,

I seem to have one server that does not flush the /etc/rc.firewall rules 
when the script taken from firewall_type starts up. That is to say when I 
boot the machine, 3 rules seem to be still in the list when I do an ipfw -a 
list. Those three rules appear to be from the /etc/rc.firewall script. The 
rules from my /etc/ipfw.rules file DO get loaded.


Here are the three rules (100, 200, and 300), from /etc/rc.firewall.

setup_loopback () {
   
   # Only in rare cases do you want to change these rules
   #
   ${fwcmd} add 100 pass all from any to any via lo0
   ${fwcmd} add 200 deny all from any to 127.0.0.0/8
   ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any

Here is my /etc/rc.conf setup:

firewall_enable=YES
firewall_logging=YES
firewall_type=/etc/ipfw.rules

Here is my /etc/ipfw.rules:

enterprise# more /etc/ipfw.rules
# Loopback
add 1 allow ip from any to any via lo0
# Office and Home
add 00200 allow ip from xxx xxx xxx xxx xxx to any
add 00201 allow ip from any to xxx xxx xxx xxx
add 00202 allow all from xxx xxx xxx xxx to any
add 00203 allow all from any to xxx xxx xxx xxx
# Allow fxp0 out
add 00204 allow all from any to any out
# Allow local net
add 02000 allow ip from any to any via fxp1
# email
add 04000 allow all from xxx xxx xxx xxx to any
add 04010 allow all from any to xxx xxx xxx xxx
add 04020 allow all from xxx xxx xxx xxx to any
add 04030 allow all from any to xxx xxx xxx xxx
add 04040 allow tcp from any to any 25,587
add 04050 allow tcp from any 25,587 to any
# Bruteblock
add 08000 deny ip from table(1) to me
add 08001 deny ip from me to table(1)
add 09050 allow udp from any to any 53 in
# Email Test
add 09100 allow icmp from any to any icmptypes 0,3,4,5,8,9,10,11,12,13,14,15,16,17,18

add 65535 deny ip from any to any

Oddly enough, I have several machines that are set up identically and this is 
the only one that has sticky rules from /etc/rc.firewall.


Anyone have any idea what knob might have been turned that causes the 
sticky startup rules?


-Grant 




ipfw+natd startup order fixing

2010-07-29 Thread umage
Hi there, a few months ago I inquired about an issue where using
ipfw+natd worked on 8.0 but produced errors in 8.1. After searching the
bugs database, I found multiple reports about it:
http://www.freebsd.org/cgi/query-pr.cgi?pr=conf/148137 and
http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/148928. Both suggest
manually loading ipdivert as a workaround, and fixing the rc scripts as
the solution.

The offending changeset is
http://svn.freebsd.org/viewvc/base/stable/8/etc/rc.d/ipfw?r1=196045&r2=203962,
where natd was changed to be run as a post-cmd instead of a pre-cmd.
According to svn, this defect has not been addressed in HEAD yet.

I've tried modifying the rc scripts so that natd becomes a dependency
of ipfw, which ought to make it start. However, the rc script is marked
as KEYWORD: nostart, which excludes it from the normal startup process
and from the listing of 'services -r' (finally noticed this). So an
alternative way to fix this would be to make natd a standalone script, add
an rc dependency, and remove the 'firewall_coscript' juggling in ipfw's
rc script.

What's the best way to get this problem fixed in svn?