net.inet{,6}.fw.enable in /etc/rc
Hiroki Sato
hrs at FreeBSD.org
Sat Oct 11 20:04:13 UTC 2014
Ian Smith <smithi at nimnet.asn.au> wrote
in <20141003025830.D48482 at sola.nimnet.asn.au>:
sm> which rules will be flushed when /etc/rc.d/ipfw runs, but should enable
sm> DHCP to work? I'm not sure whether those rules are exactly correct or
sm> sufficient for DHCP, but the principle is to only allow what's necessary in
sm> the circumstances this addresses, vastly reducing vulnerable window.
sm>
sm> Using such a method, there should be no need to modify rc.d/ipfw?
I created an experimental patch based on the idea of installing a minimal
ruleset. Please review the attached patch. The rc.d/ipfw0 script that
installs such a ruleset is invoked before rc.d/netif. The following
two knobs are added:
  $firewall_minimal_rules_enable
      Enable/disable installing a minimal ruleset.
  $firewall_minimal_ruleset
      Ruleset number to be used for the ruleset.
sm> > Does ipfw have rules which depend on interface initialization? If
sm> > not, moving rc.d/ipfw to just before rc.d/netif may be a better idea.
sm>
sm> It can. If using (say) mpd with dialup or ADSL modems, as I do, the
sm> interface - here ng0 - needs to preexist, needing an IP address too.
sm>
sm> I think that by now, many will likely rely on netif preceding ipfw.
AFAICC an IPFW rule for ng0 can be installed before the interface is
created. Do you have a specific rule which is problematic if IPFW
rules are loaded before rc.d/netif runs? I am also using mpd and a
lot of cloned interfaces on my router box, and it worked fine.
-- Hiroki
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rc_ipfw0.20141012-1.diff
Type: text/x-patch
Size: 5659 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/freebsd-ipfw/attachments/20141012/ea02ac1b/attachment.bin>
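The following sketch is an added illustration of the "minimal ruleset before netif" idea discussed above; it is not the attached rc_ipfw0 patch and does not reproduce it. It puts the bootstrap rules into a single ipfw rule set so they can be removed as a unit, allows only loopback, DHCPv4 (udp 68/67), DHCPv6 (udp 546/547) and IPv6 neighbour discovery, and then denies everything else. The set number (31 in the usage line) and the IPFW variable that lets the commands be printed instead of installed are assumptions for this example; how the patch's $firewall_minimal_ruleset knob feeds the set number is not visible on this page.

```shell
#!/bin/sh
# Added example: an illustrative pre-netif minimal ruleset for ipfw.
# Not the rc.d/ipfw0 script from the attached patch.
# IPFW can be overridden (IPFW=echo) to print the rules instead of loading them.

: "${IPFW:=ipfw}"

# add_rule SET RULE...  - add one rule into ipfw rule set SET
# (ipfw(8): "add [number] [set number] action body").
add_rule() {
    set_no=$1; shift
    "$IPFW" -q add set "$set_no" "$@"
}

# install_minimal_rules SET
# Loads only what address configuration needs, then a catch-all deny, so the
# window before rc.d/ipfw installs the real policy exposes nothing else.
install_minimal_rules() {
    set_no=$1

    # Loopback: early daemons and rc scripts talk to 127.0.0.1 / ::1.
    add_rule "$set_no" allow ip from any to any via lo0

    # DHCPv4: client port 68 <-> server port 67 (RFC 2131).
    add_rule "$set_no" allow udp from any 68 to any 67 out
    add_rule "$set_no" allow udp from any 67 to any 68 in

    # DHCPv6: client port 546 <-> server port 547 (RFC 3315).
    add_rule "$set_no" allow udp from any 546 to any 547 out
    add_rule "$set_no" allow udp from any 547 to any 546 in

    # IPv6 RS/RA/NS/NA (ICMPv6 types 133-136): without these no v6 address
    # can pass DAD or learn a router, so DHCPv6 would never start.
    add_rule "$set_no" allow ipv6-icmp from any to any icmp6types 133,134,135,136

    # Everything else is dropped until the full ruleset replaces this one.
    add_rule "$set_no" deny ip from any to any
}

# remove_minimal_rules SET
# Removes the whole bootstrap set in one call ("ipfw delete set N"), which is
# what a later rc.d/ipfw would do after loading its own rules.
remove_minimal_rules() {
    "$IPFW" -q delete set "$1"
}

# Usage (set 31 is an assumed, otherwise unused set number):
#   install_minimal_rules 31     # from an early rc script, before netif
#   ...                          # netif, dhclient, rc.d/ipfw load real rules
#   remove_minimal_rules 31      # only after the real ruleset is in place
```

Order matters at teardown: because the rules are auto-numbered, the trailing deny sits before anything a later script adds, so the bootstrap set must be deleted after the full ruleset is loaded, not before, or the kernel's default rule alone decides what passes in between. A script that simply does `ipfw -f flush` (as the stock rc.firewall does) makes the explicit delete unnecessary, which matches the remark above that rc.d/ipfw will flush these rules anyway.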