conf/78762: [ipfw] [patch] /etc/rc.d/ipfw should excecute $fire
wall_script not read it
AT Matik
asstec at matik.com.br
Wed Apr 4 00:22:45 UTC 2007
On Tuesday 03 April 2007 12:40, Mike Makonnen wrote:
> On Tue, Apr 03, 2007 at 08:04:31AM -0300, AT Matik wrote:
> > I see your point
> > but first tell me, how do you know that the rules are *successfully*
> > loaded?
>
> Sorry, I wrote that email from memory and thought that was how it operated.
> However, what it does is output a warning if the last rule is to deny all
> packets (btw, is that correct? I thought ipfw operated on a "first-match"
> basis, so there could be rules before that one to allow certain packets.
> The more I look at it, the more bogus it looks to me, but I'm not
> an ipfw user so... <shrug>).
>
instead of discussing, here is my actual version of /etc/rc.d/ipfw. I inverted
my personal choice of enabling ipfw before running the script into after. At
the end it doesn't matter because the outcome is the same.
Also I think natd should not be run from ipfw script since there is
a /etc/rc.d/natd which in my opinion should have REQUIRE ipfw but not be
called by another rc.d script. So I do natd by it's own script only
ipfw_start () {
[ -z "${firewall_script}" ] && firewall_script=/etc/rc.firewall
if [ -r "${firewall_script}" ]; then
(sh - ${firewall_script})
echo -n 'firewall configured as type $firewall_type, rules
loaded'
else
echo 'ERROR: firewall script not found!'
echo 'You might have lost all Internet connections!'
fi
echo '.'
if checkyesno firewall_logging; then
if [ `sysctl -n net.inet.ip.fw.verbose` = "0" ]; then
${SYSCTL} net.inet.ip.fw.verbose=1 >/dev/null
echo 'Firewall logging enabled'
fi
fi
if [ `sysctl -n net.inet.ip.fw.enable` = "0" ]; then
${SYSCTL} net.inet.ip.fw.enable=1 >/dev/null
fi
}
João
> Anyways, I believe your original comment had to do with enabling the
> firewall in a precmd() subroutine. I suppose in the end it comes down to
> personal preference. It just seems "more correct" to me that the rules
> are loaded first and then the firewall is turned on, but I can see how
> someone else might disagree. I just thought
> of something else as well: Enabling the firewall and then loading the
> rules may introduce a brief window of vulnerablity where the firewall is
> enabled (default to allow) but no rules are loaded. Off course, enabling
> the firewall regardless of the outcome of the firewall script would
> probably introduce a much bigger window of vulnerability :-).
>
> In any case, since I'm not a regular ipfw user I don't feel comfortable
> making any more changes that might have unintended consequences. I'll
> leave it to someone more familiar with ipfw to comment on and commit any
> further changes.
>
> Cheers.
--
A mensagem foi scaneada pelo sistema de e-mail e pode ser considerada segura.
Service fornecido pelo Datacenter Matik https://datacenter.matik.com.br
More information about the freebsd-ipfw
mailing list