conf/78762: [ipfw] [patch] /etc/rc.d/ipfw should excecute $fire wall_script not read it

AT Matik asstec at matik.com.br
Wed Apr 4 00:22:45 UTC 2007 

On Tuesday 03 April 2007 12:40, Mike Makonnen wrote:
> On Tue, Apr 03, 2007 at 08:04:31AM -0300, AT Matik wrote:
> > I see your point
> > but first tell me, how do you know that the rules are *successfully*
> > loaded?
>
> Sorry, I wrote that email from memory and thought that was how it operated.
> However, what it does is output a warning if the last rule is to deny all
> packets (btw, is that correct? I thought ipfw operated on a "first-match"
> basis, so there could be rules before that one to allow certain packets.
> The more I look at it, the more bogus it looks to me, but I'm not
> an ipfw user so... <shrug>).
>


instead of discussing, here is my actual version of /etc/rc.d/ipfw. I inverted 
my personal choice of enabling ipfw before running the script into after. At 
the end it doesn't matter because the outcome is the same.

Also I think natd should not be run from ipfw script since there is 
a /etc/rc.d/natd which in my opinion should have REQUIRE ipfw but not be 
called by another rc.d script. So I do natd by it's own script only

ipfw_start () {

        [ -z "${firewall_script}" ] && firewall_script=/etc/rc.firewall

        if [ -r "${firewall_script}" ]; then

                (sh - ${firewall_script})

                echo -n 'firewall configured as type $firewall_type, rules 
loaded'

        else
                echo 'ERROR: firewall script not found!'
                echo 'You might have lost all Internet connections!'
        fi

        echo '.'

        if checkyesno firewall_logging; then
	if [ `sysctl -n net.inet.ip.fw.verbose` = "0" ]; then
                	${SYSCTL} net.inet.ip.fw.verbose=1 >/dev/null
                	echo 'Firewall logging enabled'
	fi
        fi

        if [ `sysctl -n net.inet.ip.fw.enable` = "0" ]; then
                ${SYSCTL} net.inet.ip.fw.enable=1 >/dev/null
        fi
}



João




> Anyways, I believe your original comment had to do with enabling the
> firewall in a precmd() subroutine. I suppose in the end it comes down to
> personal preference. It just seems "more correct" to me that the rules
> are loaded first and then the firewall is turned on, but I can see how
> someone else might disagree.  I just thought
> of something else as well: Enabling the firewall and then loading the
> rules may introduce a brief window of vulnerablity where the firewall is
> enabled (default to allow) but no rules are loaded. Off course, enabling
> the firewall regardless of the outcome of the firewall script would
> probably introduce a much bigger window of vulnerability :-).
>
> In any case, since I'm not a regular ipfw user I don't feel comfortable
> making any more changes that might have unintended consequences. I'll
> leave it to someone more familiar with ipfw to comment on and commit any
> further changes.
>
> Cheers.

-- 








A mensagem foi scaneada pelo sistema de e-mail e pode ser considerada segura.
Service fornecido pelo Datacenter Matik  https://datacenter.matik.com.br

More information about the freebsd-ipfw mailing list