7.0-B2 & IPFW/IP6FW interaction

2007-11-10 Thread Robert Huff

Bob Johnson writes:

>  On my test system, the IPv6 ruleset is loaded first, and then
>  when the IPv4 ruleset is loaded, the flush command in rc.firewall
>  removes all of the IPv6 rules, so I end up with default deny for
>  IPv6, plus all of my normal IPv4 rules. It's possible that this
>  interaction explains the other oddities I thought I've seen but
>  haven't reliably reproduced.
>  
>  I fixed it by removing the flush commands from both rc.firewall
>  and rc.firewall6, but I expect this broke the proper operation of
>  "/etc/rc.d/ipfw restart" (although I haven't actually tested
>  that. I just manually flush the rules if I need to restart the
>  firewall).

There are a number of good reasons to Not Do That, which others
can explain better than I.
Instead let me suggest you make a copy of those scripts, then
ponder this part of my rc.conf:

firewall_enable="YES"   # Set to YES to enable firewall functionality
firewall_type="UNKNOWN"   # Firewall type (see /etc/rc.firewall)
firewall_script="/etc/ipfw.master" # Use this instead of /etc/rc.firewall
ipv6_firewall_enable="YES"  # Set to YES to enable IPv6 firewall
ipv6_firewall_type="UNKNOWN"# see /etc/rc.firewall6
ipv6_firewall_script="/etc/ipfw.v6.set" # Which script to run to set up the IPv6 firewall
ipv6_firewall_flags=""  # see /etc/rc.firewall6


Robert Huff
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


7.0-B2 & IPFW/IP6FW interaction

2007-11-10 Thread Bob Johnson
I've been trying to learn about IPv6, using the 7.0 series as my
platform so it gets some exercise before release, and I've run into a
few odd interactions between IPFW handling of IPv4 and IPv6. The only
one I can reliably reproduce is pretty straightforward: if I set up
/etc/rc.conf to enable IPFW for both IPv4 and IPv6, both with the
CLIENT rule set, and edit /etc/rc.firewall and /etc/rc.firewall6
accordingly, only one ruleset gets loaded.

On my test system, the IPv6 ruleset is loaded first, and then when the
IPv4 ruleset is loaded, the flush command in rc.firewall removes all
of the IPv6 rules, so I end up with default deny for IPv6, plus all of
my normal IPv4 rules. It's possible that this interaction explains the
other oddities I thought I've seen but haven't reliably reproduced.

I fixed it by removing the flush commands from both rc.firewall and
rc.firewall6, but I expect this broke the proper operation of
"/etc/rc.d/ipfw restart" (although I haven't actually tested that. I
just manually flush the rules if I need to restart the firewall).

Am I running into this problem because 7.0 expects me to do something
differently, or is this actually a bug?  It appears the problem is in
the old config scripts (rc.firewall and rc.firewall6) that worked
properly when IPFW and IP6FW were independent, but now interact with
each other. It would probably make sense to integrate the two scripts
into a single rc.firewall script, but I haven't had time to take a
shot at that yet. If the load order is always the same, then of course
I can just remove the flush command from the second rule set and it
will solve the problem. Again, I haven't looked into that yet.

I've also noticed there are new rc.conf variables (e.g.
firewall_myservices, firewall_allowservices) that appear to be
intended to configure default rules for me, but I have not
investigated them. Perhaps I should?

In /etc/rc.conf the firewall statements I have are:

firewall_enable="YES"
firewall_logging="YES"
firewall_type="CLIENT"
ipv6_firewall_enable="YES"
ipv6_firewall_logging="YES"
ipv6_firewall_type="CLIENT"

and this is 7.0-BETA2

- Bob
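Both messages above turn on the same point: rc.firewall and rc.firewall6 each start with a flush, so whichever runs second wipes the other family's rules, and Robert Huff's fix is to point firewall_script at a script of his own. The script below is an added illustration of that approach for this thread; it is not Robert's /etc/ipfw.master, not Bob's configuration, and not FreeBSD's rc.firewall. It assumes rc.conf sets firewall_script="/etc/ipfw.master" and that the separate IPv6 loader is either disabled or pointed at a script with no flush of its own, so nothing runs afterwards and empties the table. rc.d/ipfw runs the script as `/bin/sh ${firewall_script} ${firewall_type}`, which the script relies on to decide whether to load anything. The rule set is a constructed, minimal client-style one, with IPv4 and IPv6 rules loaded after a single flush.

```sh
#!/bin/sh
# Combined IPv4 + IPv6 ipfw loader: one script, one flush.
# Added illustration for this thread, not Robert Huff's /etc/ipfw.master and
# not FreeBSD's rc.firewall. Assumes rc.conf contains
#   firewall_enable="YES"  firewall_script="/etc/ipfw.master"
# and that rc.firewall6 is disabled or replaced by a script that does not flush.
# rc.d/ipfw invokes the script as: /bin/sh ${firewall_script} ${firewall_type}
# so rules are loaded only when a type argument is present.

IPFW="${IPFW:-/sbin/ipfw}"   # set IPFW=echo for a dry run that only prints commands

fw() {
    "$IPFW" "$@"
}

load_rules() {
    # The single flush happens here, before either address family is loaded.
    # A second flush in a second script is exactly what emptied the IPv6 rules.
    fw -f flush

    # Loopback: allow lo0, refuse loopback addresses arriving on any other interface.
    fw add 100 allow ip from any to any via lo0
    fw add 200 deny ip from any to 127.0.0.0/8
    fw add 300 deny ip from 127.0.0.0/8 to any
    fw add 400 deny ip6 from any to ::1
    fw add 500 deny ip6 from ::1 to any

    # Neighbour discovery, path MTU and echo must pass or IPv6 stops working.
    fw add 600 allow ipv6-icmp from any to any icmp6types 1,2,128,129,133,134,135,136

    # Stateful outbound client traffic for both families (the CLIENT rule set idea).
    fw add 1000 check-state
    fw add 1100 allow tcp from me to any out setup keep-state
    fw add 1200 allow udp from me to any out keep-state
    fw add 1300 allow tcp from me6 to any out setup keep-state
    fw add 1400 allow udp from me6 to any out keep-state

    # Everything else is logged and dropped; this is the only default deny.
    fw add 65000 deny log ip from any to any
}

# Dry-run helpers: inspect what the loader would do without touching a live firewall.
dry_run() {
    ( IPFW=echo; load_rules )
}

flush_count() {
    dry_run | grep -c '^-f flush$'
}

rule_count() {
    dry_run | grep -c '^add '
}

# rc.d/ipfw passes firewall_type as $1; with no argument only the functions are defined.
if [ $# -gt 0 ]; then
    load_rules
fi
```

To preview the rules before installing the file, run `IPFW=echo sh /etc/ipfw.master CLIENT`; the output should start with the one flush and then list both families' rules. Because there is only one script and one flush, "/etc/rc.d/ipfw restart" keeps working: the restart flushes once and reloads everything, instead of the two-script sequence where the second flush silently removes the first family's rules.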