Re: IPFW at startup.
simply edit /etc/rc.d/ipfw and make it do only what you want.

On Sun, 14 Nov 2010, Grant Peel wrote:

> Hi all,
>
> I seem to have one server that does not flush the /etc/rc.firewall rules
> when the script taken from firewall_type starts up. That is to say when I
> boot the machine, 3 rules seem to be still in the list when I do an
> ipfw -a list. Those three rules appear to be from the /etc/rc.firewall
> script. The rules from my /etc/ipfw.rules file DO get loaded.
>
> [...]
>
> Oddly enough, I have several machines that are set up identically and
> this is the only one that has sticky rules from /etc/rc.firewall.
>
> Any one have any idea what knob might have been turned that causes the
> sticky startup rules?
>
> -Grant

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: IPFW at startup.
It's not a great idea to hack the rc.d scripts, they can be clobbered when updating.

Chris

Sorry for top-posting, Android won't let me quote, but K-9 can't yet do threading.

On 15 Nov 2010 08:45, Wojciech Puchar woj...@tensor.gdynia.pl wrote:

> simply edit /etc/rc.d/ipfw and make it do only what you want.
>
> On Sun, 14 Nov 2010, Grant Peel wrote:
>
>> Hi all,
>>
>> I seem to have one server that does not flus...
Re: IPFW at startup.
In freebsd-questions Digest, Vol 337, Issue 1, Message: 15
On Sun, 14 Nov 2010 17:50:47 -0500 Grant Peel gp...@thenetnow.com wrote:

> I seem to have one server that does not flush the /etc/rc.firewall rules
> when the script taken from firewall_type starts up. That is to say when I
> boot the machine, 3 rules seem to be still in the list when I do an
> ipfw -a list. Those three rules appear to be from the /etc/rc.firewall
> script. The rules from my /etc/ipfw.rules file DO get loaded.
>
> Here are the three rules (100, 200, and 300), from /etc/rc.firewall.
>
> setup_loopback () {
> 	# Only in rare cases do you want to change these rules
> 	#
> 	${fwcmd} add 100 pass all from any to any via lo0
> 	${fwcmd} add 200 deny all from any to 127.0.0.0/8
> 	${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
>
> Here is my /etc/rc.conf setup:
>
> firewall_enable=YES
> firewall_logging=YES
> firewall_type=/etc/ipfw.rules
>
> Here is my /etc/ipfw.rules:
>
> enterprise# more /etc/ipfw.rules
> # Loopback
> add 1 allow ip from any to any via lo0
> # Office and Home

Ok, looking through your /etc/rc.firewall you should find:

	# Flush out the list before we begin.
	#
	${fwcmd} -f flush

	setup_loopback

which installs those rules straight after the flush. Browsing bits of
http://www.freebsd.org/cgi/cvsweb.cgi/src/etc/rc.firewall shows the last
version that does NOT run setup_loopback in ALL cases is RELENG_6.

Anyway, apart from the fact that rules 200 and 300 are worth having, all
you need to do to remove those rules is to make your first rule:

-f flush

I'll refrain from comment on your ruleset, except that:

> add 65535 deny ip from any to any

you can't actually override the default rule, which is either 'deny' or
'allow' according to the value of net.inet.ip.fw.default_to_accept which
depends on a kernel build option, so you might use say 65000 to be sure.

> Oddly enough, I have several machines that are set up identically and
> this is the only one that has sticky rules from /etc/rc.firewall.
>
> Any one have any idea what knob might have been turned that causes the
> sticky startup rules?

If those systems are = 7.0, maybe they have an older /etc/rc.firewall?

cheers, Ian
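As an added example (not from the thread), here is a small POSIX sh linter for a firewall_type-style rules file that checks the two points Ian raises: that the first directive is `-f flush`, so rc.firewall's setup_loopback rules 100/200/300 get cleared, and that no rule claims number 65535. The sample rules file is constructed here and uses the placeholder address 192.0.2.10; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: lint an ipfw rules file of the kind
# passed as firewall_type (a list of ipfw(8) arguments, one per line).

# Constructed sample: Grant's layout with Ian's two fixes applied.
RULES=$(mktemp)
cat > "$RULES" <<'EOF'
# Flush what rc.firewall's setup_loopback installed (rules 100/200/300)
-f flush
# Loopback
add 1 allow ip from any to any via lo0
add 2 deny all from any to 127.0.0.0/8
add 3 deny ip from 127.0.0.0/8 to any
# Office and Home (placeholder address)
add 00200 allow ip from 192.0.2.10 to any
# email
add 04040 allow tcp from any to any 25,587
# Final deny; 65535 is the kernel's own default rule and cannot be replaced
add 65000 deny ip from any to any
EOF

# Print the file with comments and blank lines stripped.
rules_body() {
    sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1"
}

# Succeeds only if the first directive is "-f flush".
starts_with_flush() {
    rules_body "$1" | head -n 1 |
        awk '{ ok = ($1 == "-f" && $2 == "flush") } END { exit (ok ? 0 : 1) }'
}

# Fails if any rule tries to use number 65535 (the default rule's slot).
no_default_rule_override() {
    rules_body "$1" | awk '$1 == "add" && $2 + 0 == 65535 { bad = 1 } END { exit bad + 0 }'
}

# Succeeds only if the last "add" line is a deny-all numbered below 65535.
has_final_deny() {
    rules_body "$1" | awk '$1 == "add" { last = $0; n = $2 + 0 }
        END { exit (n < 65535 && last ~ /deny (ip|all) from any to any/) ? 0 : 1 }'
}

# Run all checks, printing one line per problem; returns 1 if any failed.
lint_rules() {
    rc=0
    starts_with_flush "$1" || { echo "$1: first directive should be '-f flush'"; rc=1; }
    no_default_rule_override "$1" || { echo "$1: rule 65535 cannot override the default rule"; rc=1; }
    has_final_deny "$1" || { echo "$1: no explicit final deny rule below 65535"; rc=1; }
    return $rc
}

lint_rules "$RULES" && echo "$RULES: ok"
```

The same checks apply unchanged to a file handed to ipfw via firewall_script, since that path also feeds the lines to ipfw(8) one directive at a time.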
Re: IPFW at startup.
Hello, Grant. You wrote on 15 November 2010 at 0:50:47:

GP> Hi all,
GP>
GP> I seem to have one server that does not flush the /etc/rc.firewall rules
GP> when the script taken from firewall_type starts up. That is to say when I
GP> boot the machine, 3 rules seem to be still in the list when I do an ipfw -a
GP> list. Those three rules appear to be from the /etc/rc.firewall script. The
GP> rules from my /etc/ipfw.rules file DO get loaded.
GP>
GP> [...]
GP>
GP> Here is my /etc/rc.conf setup:
GP>
GP> firewall_enable=YES
GP> firewall_logging=YES
GP> firewall_type=/etc/ipfw.rules

you need firewall_script variable

GP> Here is my /etc/ipfw.rules:
GP>
GP> [...]
GP>
GP> Oddly enough, I have several machines that are set up identically and this is
GP> the only one that has sticky rules from /etc/rc.firewall.
GP>
GP> Any one have any idea what knob might have been turned that causes the
GP> sticky startup rules?
GP>
GP> -Grant

--
Regards, Коньков mailto:kes-...@yandex.ru
Re: IPFW at startup.
I haven't seen someone use firewall_type as a path to the config file. If you check the default rc.firewall file, you will see several types of default firewall settings, such as open and closed. You want to set firewall_type in rc.conf to be open or whatever your firewall type is in /etc/rc.firewall.

You can probably get away with editing your existing rc.firewall to include a firewall type, such as custom, then defining firewall_type as custom in /etc/rc.conf.

Enjoy,

On 11/14/10 14:50, Grant Peel wrote:

> Hi all,
>
> I seem to have one server that does not flush the /etc/rc.firewall rules
> when the script taken from firewall_type starts up. That is to say when I
> boot the machine, 3 rules seem to be still in the list when I do an
> ipfw -a list. Those three rules appear to be from the /etc/rc.firewall
> script. The rules from my /etc/ipfw.rules file DO get loaded.
>
> [...]
>
> Oddly enough, I have several machines that are set up identically and
> this is the only one that has sticky rules from /etc/rc.firewall.
>
> Any one have any idea what knob might have been turned that causes the
> sticky startup rules?
>
> -Grant

--
Dave Robison
Sales Solution Architect II
FIS Banking Solutions
da...@vicor.com
Re: IPFW at startup.
Hi--

On Nov 15, 2010, at 10:52 AM, Dave Robison wrote:

> I haven't seen someone use firewall_type as a path to the config file.
> If you check the default rc.firewall file, you will see several types of
> default firewall settings, such as open and closed. You want to set
> firewall_type in rc.conf to be open or whatever your firewall type is in
> /etc/rc.firewall.

If you set both of these in /etc/rc.conf:

firewall_type=/etc/FW1.ipfw
firewall_flags=-p cpp

...then /etc/FW1_firewall will be processed by cpp (ie, so you can use #include directives, C-style macros, etc) before going to IPFW. This is probably more obscure than useful for human-edited rulesets :-), but for automated processing and accumulating lists of bad hosts via denyhosts or similar, it can be useful

Regards,
--
-Chuck
Re: IPFW at startup.
On Mon, Nov 15, 2010 at 10:52:41AM -0800, Dave Robison wrote:

> I haven't seen someone use firewall_type as a path to the config file.
> If you check the default rc.firewall file, you will see several types of
> default firewall settings, such as open and closed. You want to set
> firewall_type in rc.conf to be open or whatever your firewall type is in
> /etc/rc.firewall.

What he needs to do is use

firewall_script=/etc/ipfw.rules

rather than firewall_type=

--
David Kelly N4HHE, dke...@hiwaay.net
Whom computers would destroy, they must first drive mad.
Re: IPFW at startup.
In freebsd-questions Digest, Vol 337, Issue 2, Message: 26
On Mon, 15 Nov 2010 10:52:41 -0800 Dave Robison da...@vicor.com wrote:

> I haven't seen someone use firewall_type as a path to the config file.

It's not so uncommon. Anyone who's based their ruleset on the handbook
section on IPFW will likely be using this method, and Grant has used it
correctly. This is only applicable where $firewall_script is set to
'/etc/rc.firewall', but that is the default in /etc/defaults/rc.conf

> If you check the default rc.firewall file, you will see several types of
> default firewall settings, such as open and closed. You want to set
> firewall_type in rc.conf to be open or whatever your firewall type is in
> /etc/rc.firewall.

Please note the last section in rc.firewall, which specifically tests
whether $firewall_type is a readable file, and if so, passes that file as
an argument to ipfw(8) (qv).

	*)
		if [ -r ${firewall_type} ]; then
			${fwcmd} ${firewall_flags} ${firewall_type}
		fi
		;;
	esac

Also note that in this case, the file is not a shell script, but a set of
arguments to the ipfw command. Grant's set is in the correct format.

> You can probably get away with editing your existing rc.firewall to
> include a firewall type, such as custom, then defining firewall_type as
> custom in /etc/rc.conf.

You could, but it's not necessary. In the olden days you more or less had
to do that, but nowadays you can specify parameters for the client, simple
and workstation types, so you can get a minimal reasonably safe and
effective firewall going, at least for starters, just using rc.conf
variables. This also means you can avoid messing with rc.firewall, so that
system updates will properly bring in any changes and additions.

The documentation for this is so far really only in /etc/rc.firewall
itself and in /etc/defaults/rc.conf .. perhaps one day $someone will
re-write the Handbook IPFW section; meanwhile ipfw(8) is definitive.

You can also start out using one of the builtin types, then save it to a
file with 'ipfw list file', then modify things in there, add comments etc,
then specify that file as firewall_type henceforth. Or, as Chuck has
shown, you can get really fancy and use some preprocessor :)

cheers, Ian

PS: Please don't top-post on FreeBSD lists, and if at all possible avoid
posting multiple disclaimers, that are in any case entirely inapplicable
to public list postings.
IPFW at startup.
Hi all,

I seem to have one server that does not flush the /etc/rc.firewall rules when the script taken from firewall_type starts up. That is to say when I boot the machine, 3 rules seem to be still in the list when I do an ipfw -a list. Those three rules appear to be from the /etc/rc.firewall script. The rules from my /etc/ipfw.rules file DO get loaded.

Here are the three rules (100, 200, and 300), from /etc/rc.firewall.

setup_loopback () {
	# Only in rare cases do you want to change these rules
	#
	${fwcmd} add 100 pass all from any to any via lo0
	${fwcmd} add 200 deny all from any to 127.0.0.0/8
	${fwcmd} add 300 deny ip from 127.0.0.0/8 to any

Here is my /etc/rc.conf setup:

firewall_enable=YES
firewall_logging=YES
firewall_type=/etc/ipfw.rules

Here is my /etc/ipfw.rules:

enterprise# more /etc/ipfw.rules
# Loopback
add 1 allow ip from any to any via lo0
# Office and Home
add 00200 allow ip from xxx xxx xxx xxx xxx to any
add 00201 allow ip from any to xxx xxx xxx xxx
add 00202 allow all from xxx xxx xxx xxx to any
add 00203 allow all from any to xxx xxx xxx xxx
# Allow fxp0 out
add 00204 allow all from any to any out
# Allow local net
add 02000 allow ip from any to any via fxp1
# email
add 04000 allow all from xxx xxx xxx xxx to any
add 04010 allow all from any to xxx xxx xxx xxx
add 04020 allow all from xxx xxx xxx xxx to any
add 04030 allow all from any to xxx xxx xxx xxx
add 04040 allow tcp from any to any 25,587
add 04050 allow tcp from any 25,587 to any
# Bruteblock
add 08000 deny ip from table(1) to me
add 08001 deny ip from me to table(1)
add 09050 allow udp from any to any 53 in
# Email Test
add 09100 allow icmp from any to any icmptypes 0,3,4,5,8,9,10,11,12,13,14,15,16,17,18
add 65535 deny ip from any to any

Oddly enough, I have several machines that are set up identically and this is the only one that has sticky rules from /etc/rc.firewall.

Any one have any idea what knob might have been turned that causes the sticky startup rules?

-Grant
ipfw+natd startup order fixing
Hi there,

a few months ago I inquired about an issue where using ipfw+natd worked on 8.0 but produced errors in 8.1. After searching the bugs database, I found multiple reports about it - http://www.freebsd.org/cgi/query-pr.cgi?pr=conf/148137 and http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/148928. Both suggest manually loading ipdivert as a workaround, and fixing the rc scripts as solution.

The offending changeset is http://svn.freebsd.org/viewvc/base/stable/8/etc/rc.d/ipfw?r1=196045&r2=203962, where natd was changed to be run as a post-cmd instead of a pre-cmd. According to svn, this defect has not been addressed in HEAD yet.

I've tried modifying the rc scripts, so that natd becomes a dependency of ipfw - which ought to make it start. However, the rc script is marked as KEYWORD: nostart, which excludes it from the normal startup process and from the listing of 'services -r' (finally noticed this). So an alternative way to fix this would be to make natd a standalone script, add a rc dependency, and remove the 'firewall_coscript' juggling in ipfw's rc script.

What's the best way to get this problem fixed in svn?